On Fri, Dec 02, 2005 at 11:05:29PM -0500, [EMAIL PROTECTED] wrote:
>
> You know, I'd wonder how many people on this
> list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

This is from a European perspective: I do and couldn't do without it now. Most of my obligations, from rent through auctions, to lending a friend a local equivalent of 20 bucks, are paid with bank transfers.

But I believe online banking works in a slightly different way than in the US. Of the online banking systems I've seen, almost all banks use two-factor auth in some way (except the Polish branch of Citibank and a bank that uses a very broken and complicated scheme where the stored client RSA keypair is sent to his browser ActiveX when the client logs in with user/pass). Most common are lists of one-time passwords delivered securely, or hardware tokens, RSA SecurID or Vasco Digipass DP100 with challenge-response mode used to verify transactions.

In those banks, if you have login name and pass, you can only do non-balance changing operations on an account without the something you have part; and you cannot change personal info without some form of out-of-band authentication (to change registered address user needs to send a form with attached copy of national ID card, to confirm that or to reset lost password bank calls user's preregistered phone number).

I can say I HAVE a secure link to one of the nation's traffic exchange points (unintended job benefit), and I run my own DNS servers, so MITM probability is reduced. I do not log in from machines I don't trust and own (with one exception on own) and using networks I don't trust. Bank statements come on paper or in S/MIME signed emails. I do not log in using links provided in HTML emails.

Am I secure? I consider the risk of fraud using online banking to be less than the one of paying with a VISA in a restaurant or a taxi.

Alex
-- 
mors ab alto
0x46399138

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]