I would never use online banking, and I advise all my friends and colleagues (particularly those who _aren't_ computer-security-geeks) to avoid it.
On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:
> I've been using online banking for many years, both US and Germany. The
> German PIN/TAN system is reasonably secure, being an effective one-time pad
> distributed through out of band channel
Ahh, but how do you know that the transaction actually sent to the bank is the same as the one you thought you authorized with that OTP? If your computer (or web browser) has been cracked, you can't trust _anything_ it displays. There are already viruses "in the wild" attacking German online banking this way:
  http://www.bsi.bund.de/av/vb/pwsteal_e.htm

I also don't trust RSAsafe or other such "2-factor authentication" gadgets, for the same reason.

[I don't particularly trust buying things online with a credit card, either, but there my liability is limited to 50 Euros or so, and the credit card companies actually put a modicum of effort into watching for suspicious transactions, so I'm willing to buy (a few) things online.]

ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"
   http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                  -- quote by Freire / poster by Oxfam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
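
The objection in the message above, that a valid one-time TAN says nothing about which transfer actually reaches the bank, as an added example that is not part of the original message: a constructed model in which the bank checks only the TAN, next to a variant (an assumption, not something the post proposes) where the code is computed over the payee and amount on a separate device. All class names, account labels, TANs and the key are constructed for illustration.

```python
import hashlib
import hmac

class TanBank:
    """Checks only that the TAN is the next unused one; the TAN is not tied to the transfer."""
    def __init__(self, tan_list):
        self.unused = list(tan_list)

    def submit(self, payee, amount, tan):
        if self.unused and hmac.compare_digest(tan, self.unused[0]):
            self.unused.pop(0)
            return ("ACCEPTED", payee, amount)
        return ("REJECTED", payee, amount)

def bound_code(key, counter, payee, amount):
    """Code over the transfer details. Assumption: computed on a separate device
    whose own display shows payee and amount, so the user never relies on the PC."""
    msg = f"{counter}|{payee}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class BoundBank:
    """Recomputes the code over the transfer it actually received."""
    def __init__(self, key):
        self.key, self.counter = key, 0

    def submit(self, payee, amount, code):
        expected = bound_code(self.key, self.counter, payee, amount)
        if not hmac.compare_digest(code, expected):
            return ("REJECTED", payee, amount)
        self.counter += 1  # each code is single-use, so a replay fails
        return ("ACCEPTED", payee, amount)

def altered_by_host(payee, amount, code):
    """Models the untrusted computer: the user saw one transfer, another is sent."""
    return ("ACCT-CONSTRUCTED-OTHER", amount * 10, code)

def demo():
    intended = ("ACCT-CONSTRUCTED-LANDLORD", 500)
    tan_bank = TanBank(["481516", "234299"])          # constructed TAN list
    unbound = tan_bank.submit(*altered_by_host(*intended, "481516"))
    key = b"constructed-device-key"
    bank = BoundBank(key)
    code = bound_code(key, 0, *intended)
    altered = bank.submit(*altered_by_host(*intended, code))
    honest = bank.submit(*intended, code)
    replay = bank.submit(*intended, code)
    return unbound, altered, honest, replay

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The bound variant helps only if the details the user approves are shown by the separate device; a code computed over whatever the compromised computer displays inherits the same problem.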