Re: [spam]::Re: [Clips] Banks Seek Better Online-Security Tools
In an earlier message, I wrote:

> I would never use online banking, and I advise all my friends and colleagues (particularly those who _aren't_ computer-security-geeks) to avoid it.

Jason Axley asked:

> Why do you not use OLB?

Basically, so far as I know the fine print in online bank service agreements basically says "you (the customer) are responsible for any transactions we receive with your username and PIN, and our electronic records are the final word on this". Thus if there is a false transaction on my account, i.e. one which I did not intend to authorize (whether this happened due to insider fraud in the bank, MITM phishing, a virus in my computer, or whatever other cause), the basic legal presumption is that it's my loss, not the bank's. I consider the risks of this too high.

> What would need to be fixed for you to use OLB in the future?

I would want the same ability to refuse an unauthorized transaction that I have now with credit cards, where basically any losses over 50 Euros/dollars are the bank's problem, not mine.

> What is your threat model (WIYTM)?

For online banking, any/all of
(a) insider fraud at the bank and/or anyone else to whom they've outsourced relevant processing
(b) computer break-in/theft at the bank and/or anyone else to whom they've outsourced relevant processing
(c) MITM phishing or DNS hijacking
(d) viruses/worms in my computer

> What risks are present in OLB that are not present in the offline world?

(c) and (d) above. Also liability for problems is mine, not the bank's (see above). Also there are few paper records that I can use to help document problems. In the offline world, (a) and (b) are mitigated by paper records (and forms with my written signature) which crooks usually don't bother forging.

> What about the risks of the offline financial world?

If I wire-transfer money from my bank in Germany to my credit union in Canada, my written signature is (supposed to be) required to verify that I did in fact authorize the transaction. If the bank sends my money off to a crook's account (whether by mistake or due to deliberate fraud), the next time I get a statement I'll notice, and I'll ask them what happened. If the bank can't show me a piece of paper with my signature on it, my understanding is that (if I complain enough) I can force them to refund the money to me (so it's then their problem to try to recover it from wherever it went).

> For example, all of the information that someone needs to put money in, or take it out, of your checking account via ACH is nicely printed in magnetic ink on your checks in the US. And you give it out to anyone when you write them a check.

Where I live now (Germany) people don't use cheques, they do bank transfers which the *payer* gives direct to her bank. These (are supposed to) have the written signature of the payer (the account-holder). If someone forges one of these and takes money out of my account, I can refuse the transaction and (I understand) the bank is legally required to refund the money to me (and it's their problem to recover it from whoever got it).

When I lived in Canada (where people use cheques in the same way as in the US), my understanding is that
(a) Even with the transit/routing numbers, no one is supposed to be able to take money out of an account without prior written permission. A cheque constitutes such permission _for_a_specific_transaction_, but not for any other transaction(s).
(b) If someone forges another cheque (e.g. scans my signature etc.), and my bank honors it and takes the money out of my account, then since I didn't actually sign that cheque, legally it's the bank's fault for honoring it, and (if I complain enough) I can force the bank to refund the money to me (so it's then the bank's problem to try to recover it from the crook).

> This reminded me of how I laughed when I saw an interview with a local security person where he said that he didn't even connect a computer to the Internet at home due to the risk. To me, this seems akin to deciding to not leave your house because you can't be sure someone won't shoot you dead.

Well, in certain places that's basically what people do. For example, many foreign people in Baghdad don't venture out of the green zone. My point is that when substantial amounts of money are involved, IMHO the internet is basically a red zone where I don't feel safe venturing.

ciao,
-- 
-- Jonathan Thornburg [EMAIL PROTECTED]
Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut), Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
"Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam

- The Cryptography Mailing List Unsubscribe by sending
Re: [Clips] Banks Seek Better Online-Security Tools
On Mon, Dec 05, 2005 at 07:29:11PM +0100, Florian Weimer wrote:

> For those of you who haven't rolled out a national ID scheme in time, there's still the general identity theft problem, but this affects you even if you don't use online banking.

Hmm. What's the evidence that national ID schemes reduce credit fraud (what people normally mean when they say "ID theft")? How does it vary with the different types of scheme? I've been opposing the UK scheme recently on the grounds of unreliable biometrics and the bad idea of putting everyone's information in a basket from which it can be stolen (in addition to the civil liberties reasons).

My solution to the credit fraud problem is simple: raise the burden of proof for negative credit reports and pursuing people for money.

Pete
-- 
Peter Clay | Campaign for Digital Rights! http://www.ukcdr.org
Re: [Clips] Banks Seek Better Online-Security Tools
Peter Clay wrote:

> Hmm. What's the evidence that national ID schemes reduce credit fraud (what people normally mean when they say "ID theft")? How does it vary with the different types of scheme? I've been opposing the UK scheme recently on the grounds of unreliable biometrics and the bad idea of putting everyone's information in a basket from which it can be stolen (in addition to the civil liberties reasons).
>
> My solution to the credit fraud problem is simple: raise the burden of proof for negative credit reports and pursuing people for money.

some number of organizations have come up with the term "account fraud" ... where fraudulent transactions are done against existing accounts ... to differentiate from other forms of identity theft which involve things like using a stolen identity to establish new accounts.

account fraud just requires strong authentication applied consistently ... doesn't require identification ... although there are cases where identification is confused and is used as a substitute for authentication.

part of the issue of confusing identification for authentication ... is that it is typically quite a bit more privacy invasive than pure authentication.
Re: [Clips] Banks Seek Better Online-Security Tools
At 08:05 PM 12/2/2005, [EMAIL PROTECTED] wrote:

> You know, I'd wonder how many people on this list use or have used online banking.

I've used it for about a decade at my credit union, and I've had my paychecks deposited directly for decades. There are things I absolutely won't do, like have a debit card attached to the account, or have companies authorized to take money out directly, or have electronic checks of various sorts taken out of the account. Normally I don't do email with them (though nobody appears to have noticed them as a phishing target), but I did have one time I had to ask about a transaction, and they do that by email, so I was able to trust the responses.

But for basic services where I tell them what to send to whom, it's reliable, appears to be at least as secure as the other risks to the account, and it means that the basic payments I need to make every month happen automatically, so I only have to pay attention to the occasional variable transaction.

I've also used account-based electronic gold services, but only transactionally, so at most they end up with a couple dollars worth of exchange-rate breakage in them, and there are some non-account-based services that I've also used. I won't use e-gold - not that their website is obviously insecure, but for a while there was so much e-gold phishing that I set my filters to automatically discard anything purporting to be from them, which might interfere with doing real business. On the other hand, they don't appear to state a policy of always digitally signing all transactions, so I'm a bit concerned beyond the more blatant phishing risks.

Thanks; Bill Stewart
Re: [Clips] Banks Seek Better Online-Security Tools
On Fri, Dec 02, 2005 at 11:05:29PM -0500, [EMAIL PROTECTED] wrote:

> You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't.

This is from a European perspective: I do and couldn't do without it now. Most of my obligations, from rent through auctions, to lending a friend a local equivalent of 20 bucks, are paid with bank transfers. But I believe online banking works in a slightly different way than in the US.

Of the online banking systems I've seen, almost all banks use two-factor auth in some way (except the Polish branch of Citibank and a bank that uses a very broken and complicated scheme where a stored client RSA keypair is sent to his browser ActiveX when the client logs in with user/pass). Most common are lists of one-time passwords delivered securely, or hardware tokens, RSA SecurID or Vasco Digipass DP100 with challenge-response mode used to verify transactions. In those banks, if you have the login name and pass, you can only do non-balance-changing operations on an account without the "something you have" part; and you cannot change personal info without some form of out-of-band authentication (to change the registered address the user needs to send a form with an attached copy of the national ID card; to confirm that or to reset a lost password the bank calls the user's preregistered phone number).

I can say I HAVE a secure link to one of the nation's traffic exchange points (unintended job benefit), and I run my own DNS servers, so MITM probability is reduced. I do not log in from machines I don't trust and own (with one exception on own) and using networks I don't trust. Bank statements come on paper or in S/MIME signed emails. I do not log in using links provided in HTML emails.

Am I secure? I consider the risk of fraud using online banking to be less than the one of paying with a VISA in a restaurant or a taxi.

Alex
-- 
mors ab alto 0x46399138
AW: [Clips] Banks Seek Better Online-Security Tools
-----Original Message-----
From: Nicholas Bohm [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 6 December 2005 12:03
To: Florian Weimer
Cc: cryptography@metzdowd.com
Subject: Re: [Clips] Banks Seek Better Online-Security Tools

> Florian Weimer wrote:
> * Nicholas Bohm:
> [...]
> I hope, not too confidently, that before the attackers adjust enough, banks will start giving their customers FINREAD type secure-signature-creation devices of decent provenance whose security does not rely on non-compromise of my PC or network.

In 2000 someone here in Germany already demonstrated how to attack smart card based HBCI transactions. Those transactions are authorized by an RSA signature done by the card. The attack demonstration used a trojan (I think it was something like Back Orifice) to remote control the victim's PC with the attached smart card reader, so that the PIN entered on the PC keyboard(!) could be sniffed and subsequently the PC including reader and smart card be used as a sort of remote signature generation device, authorizing any transaction of the attacker's choice.

So under some circumstances even signature-based authorization does not work as advertised. The attack relied on the card reader not having a separate keyboard for PIN entry.

Interestingly, I wonder what would happen if a reader with display and keyboard is used in an online attack, i.e. the adversary sneaks in a fraudulent transaction when the hash for the signature is computed. I do not know from the top of my head what is supposed to be displayed in the reader's display, so I do not know what impact such an attempt would have.

Any suggestions?

Ulrich
Re: AW: [Clips] Banks Seek Better Online-Security Tools
* Ulrich Kuehn:

> In 2000 someone here in Germany already demonstrated how to attack smart card based HBCI transactions. Those transactions are authorized by an RSA signature done by the card.

Here's a link: http://www.heise.de/newsticker/meldung/9349

> The attack relied on the card reader not having a separate keyboard for PIN entry.

In this particular implementation, yes. There are other attacks if you control the end user system: You can display a dialog box requesting that the user enters the PIN on the host, and not on the PIN pad. Typical smartcards work in various card readers (with and without PIN pads), so you can later use the PIN to create additional transactions.

It turns out that you need not do this, though: once the end user has entered the PIN, you can create as many signatures as you like. In this sense, the PIN/TAN approach is more secure than smartcards.

> Interestingly, I wonder what would happen if a reader with display and keyboard is used in an online attack, i.e. the adversary sneaks in a fraudulent transaction when the hash for the signature is computed. I do not know from the top of my head what is supposed to be displayed in the reader's display, so I do not know what impact such an attempt would have.

The display contents are supplied by the end user computer, not the smartcard, so it's still possible to break this scheme just by attacking the computer.

> Any suggestions?

Postbank's mTAN is promising because it uses a separate channel which is currently not very easy to attack, but the activation procedure is fundamentally flawed. Costs are probably too high to introduce this as a general countermeasure, though.

In the long term, we need a standardized device which generates TANs which depend on the transaction contents (target account and amount). Standardization is important because you don't want to carry around such a device for each plastic card you own.
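The difference between a plain one-time code and the transaction-bound TAN Florian asks for, as an added Python illustration that is not code from the original thread or from any bank's system: the HMAC construction, the shared token secret and the account numbers are constructed assumptions, and the token is assumed to take the target account and amount from its own keypad/display rather than from the PC. It runs both designs against a clean PC and a PC that silently swaps the order before submitting it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """A transfer order as the bank receives it: target account and amount."""
    target_account: str
    amount_cents: int

    def encode(self) -> bytes:
        # Length-prefix the account so the account/amount boundary is unambiguous.
        acct = self.target_account.encode()
        return len(acct).to_bytes(2, "big") + acct + self.amount_cents.to_bytes(8, "big")


# Constructed secret shared between the bank and one customer's token (assumption).
DEVICE_SECRET = b"constructed-token-secret-for-illustration-only"


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code the customer can type in."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def plain_otp(secret: bytes, counter: int) -> str:
    """Counter-based one-time code (HOTP-style). It proves possession of the
    token but says nothing about WHICH transaction it is meant to authorize."""
    return _six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_tan(secret: bytes, challenge: bytes, tx: Transaction) -> str:
    """Code bound to the bank's fresh challenge AND the transaction contents."""
    return _six_digits(hmac.new(secret, challenge + tx.encode(), hashlib.sha256).digest())


class Bank:
    """Minimal server side: verifies codes against the order it actually received."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0  # kept in step with the customer's token

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def execute_with_otp(self, tx: Transaction, code: str) -> bool:
        ok = hmac.compare_digest(code, plain_otp(self.secret, self.counter))
        if ok:
            self.counter += 1  # never accept the same code twice
        return ok

    def execute_with_tan(self, tx: Transaction, challenge: bytes, code: str) -> bool:
        return hmac.compare_digest(code, transaction_tan(self.secret, challenge, tx))


def simulate_transfer(bound: bool, pc_compromised: bool) -> bool:
    """Return True if the bank executed whatever order the PC submitted.

    `intended` is the order the customer confirmed; with a compromised PC the
    order actually sent to the bank is swapped for the attacker's."""
    intended = Transaction("DE00 CONSTRUCTED 0001", 5_000)      # constructed sample
    submitted = Transaction("DE00 CONSTRUCTED 9999", 950_000) if pc_compromised else intended
    bank = Bank(DEVICE_SECRET)

    if not bound:
        # The customer reads the next code off the token and types it into the PC.
        code = plain_otp(DEVICE_SECRET, bank.counter)
        return bank.execute_with_otp(submitted, code)

    challenge = bank.new_challenge()  # relayed via the PC; passing it on unchanged costs an attacker nothing
    # The token computes the code over the account/amount the customer keyed
    # into (or verified on) the TOKEN's own display, not what the PC shows or sends.
    code = transaction_tan(DEVICE_SECRET, challenge, intended)
    return bank.execute_with_tan(submitted, challenge, code)


if __name__ == "__main__":
    for bound in (False, True):
        for compromised in (False, True):
            kind = "transaction-bound TAN" if bound else "plain OTP"
            state = "compromised PC" if compromised else "clean PC"
            print(f"{kind:22s} {state:15s} executed={simulate_transfer(bound, compromised)}")
```

With the plain code the bank cannot tell the swapped order from the real one, so it executes it; with the bound code the bank's own recomputation over the received order no longer matches and the transfer is refused.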
Re: [Clips] Banks Seek Better Online-Security Tools
In message [EMAIL PROTECTED], Janusz A. Urbanowicz writes:

> Bank statements come on paper or in S/MIME signed emails.

This is interesting -- the bank is using S/MIME? What mail readers are common among its clientele? How is the bank's certificate checked?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: [Clips] Banks Seek Better Online-Security Tools
On Wed, Dec 07, 2005 at 10:31:52AM -0500, Steven M. Bellovin wrote:

> In message [EMAIL PROTECTED], Janusz A. Urbanowicz writes:
> > Bank statements come on paper or in S/MIME signed emails.
> This is interesting -- the bank is using S/MIME? What mail readers are common among its clientele? How is the bank's certificate checked?

From my observation, the most popular standalone MUA here is Outlook Express, with Mozilla/Thunderbird being a distant second place. Those do support S/MIME, and the signature is verified properly. The average internet/internet banking user is more likely to use some web-based MUA on a commercial portal, which in general does not support cryptographic signatures of any kind.

The signature is issued using a key certified by the Verisign Class 1 CA cert, so it verifies on Windows machines and in Mozilla-based software with a recent CA certs bundle. I have attached the signature binary stripped from one statement to this message, in case someone wants to analyze it.

I do not have any hard data on MUA usage among the bank's clientele; my wild guess is that 1/3 of the users use one of the above programs, 2/3 use portal services. The signatures were introduced some time after the bank went into service, so there was some problem to be solved with it. This is an internet-only bank with no physical branches around the country; all communication with the bank is done via internet, phone and messenger services.

What I do not understand is that the bank in question started Turing-encoding the requested code number when asking for a one-time code to authenticate the transaction.

Alex
-- 
0x46399138
Re: [Clips] Banks Seek Better Online-Security Tools
In message [EMAIL PROTECTED], Jonathan Thornburg writes:

> I would never use online banking, and I advise all my friends and colleagues (particularly those who _aren't_ computer-security-geeks) to avoid it.

I do use it -- but never from a Windows machine. The OS I use is probably better, but it's *definitely* a much less attractive target for malware writers.

Problems? I did have my credit card number stolen, but almost certainly not that way. The bank believes it was a random card number generator.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: [Clips] Banks Seek Better Online-Security Tools
* Nicholas Bohm:

> [EMAIL PROTECTED] wrote:
> > You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't.
> > --dan
> I do. My bank provides an RSA SecureId, so I feel reasonably safe against anyone other than the bank.

But it's just a token measure. You should be afraid of your own computer, your own network. SecureID does not authenticate the server you're going to send your data to. It does not detect if your computer is compromised. Sure, right now, it might help you personally, but once these simple tokens gain market share, attackers will adjust. It's not a general solution.
Re: [Clips] Banks Seek Better Online-Security Tools
please, can people tell us about what their country's liability framework is, as they understand it, and where the onus of proof is for what sorts of transactions? this is one of the few areas where consumers have some actual protection in the us. due to ross anderson, i have heard about the uk. has this been harmonized in the eu? many other countries are a mystery to me.

it would seem to me even in countries with pro-bank/anti-consumer stances the risk could be limited by putting few eggs in that basket, rather than giving up on using baskets entirely.

as an offering from left field, here's a pretty good paper about fraud and identity in .au and .nz http://www.aic.gov.au/conferences/other/smith_russell/2003-09-identity.html

On Mon, Dec 05, 2005 at 07:09:33PM +0100, Jonathan Thornburg wrote:
> I would never use online banking, and I advise all my friends and colleagues (particularly those who _aren't_ computer-security-geeks) to avoid it.
>
> On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:
> > I've been using online banking for many years, both US and Germany. The German PIN/TAN system is reasonably secure, being an effective one-time pad distributed through out of band channel
>
> Ahh, but how do you know that the transaction actually sent to the bank is the same as the one you thought you authorized with that OTP? If your computer (or web browser) has been cracked, you can't trust _anything_ it displays. There are already viruses in the wild attacking German online banking this way: http://www.bsi.bund.de/av/vb/pwsteal_e.htm
>
> I also don't trust RSAsafe or other such 2-factor authentication gadgets, for the same reason.
>
> [I don't particularly trust buying things online with a credit card, either, but there my liability is limited to 50 Euros or so, and the credit card companies actually put a modicum of effort into watching for suspicious transactions, so I'm willing to buy (a few) things online.]
>
> ciao,
> -- 
> -- Jonathan Thornburg [EMAIL PROTECTED]
> Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut), Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
> "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam
Re: [Clips] Banks Seek Better Online-Security Tools
> You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't.

Why? Repudiating transactions is easier than ever. As a consumer, I fear technology which is completely secure according to experts, but which can be broken nevertheless. The current situation is very different. Everybody agrees that online banking is insecure, and in most markets, it's the banks who swallow the losses, not the consumer (even those who were very stupid).

For those of you who haven't rolled out a national ID scheme in time, there's still the general identity theft problem, but this affects you even if you don't use online banking.
Re: [Clips] Banks Seek Better Online-Security Tools
* Eugen Leitl:

> The German PIN/TAN system is reasonably secure, being an effective one-time pad distributed through out of band channel (mailed dead tree in a tamperproof envelope).

Some banks have optimized away the special envelope. 8-(

> It is of course not immune to phishing (PIN/TAN harvesting), which has become quite rampant recently.

And we face quite advanced attack technology, mainly compromised end systems. We are well beyond the point where simple tokens (like RSA SecureID) would help.

> I do have a HBCI smartcard setup with my private account but don't use it since it's locked in a proprietary software jail.

The way the current attacks are carried out, smartcard-based HBCI is less secure than the PIN/TAN model because with HBCI, you don't need to authorize each transaction separately. At this stage, few people recognize this problem, and German banks put high hopes on smartcard-based online banking, despite its high costs in terms of consumer devices and support calls.
Re: [Clips] Banks Seek Better Online-Security Tools
* Jonathan Thornburg:

> Ahh, but how do you know that the transaction actually sent to the bank is the same as the one you thought you authorized with that OTP? If your computer (or web browser) has been cracked, you can't trust _anything_ it displays. There are already viruses in the wild attacking German online banking this way: http://www.bsi.bund.de/av/vb/pwsteal_e.htm

Of course you don't. In some sense, the next-generation security technology which U.S. banks plan to roll out (either voluntarily, or due to regulation) has already been broken in Germany.

If you bring the topic up in discussions, the usual answer is "don't MITM me!" (meaning: "Don't mention man-in-the-middle attacks, including compromised customer systems, because you know we can't defend against them! This is not fair!"). But this is not a valid response when experience shows that the relevant attacks *are* MITM attacks.

> I also don't trust RSAsafe or other such 2-factor authentication gadgets, for the same reason.

I'm always glad to read someone who agrees with me on this matter. 8-) I don't understand why almost everyone is in a frenzy to deploy them. If you can somehow weasel through the next 6 months or so, it will be completely non-repudiatable that transactions covered by two-factor authentication are fully repudiatable. You can save a lot of money (including your customers' money) if you manage to skip this technology cycle. The only problem could be that the media and security experts smack you if you don't deploy the same, broken countermeasures everyone else does.

By the way, one interesting aspect of the online banking problem is its implications for threat modelling, attack trees, and similar approaches. It would be interesting to compare a few models and why they fail to adequately describe the situation. My hunch is that these models do not take two factors into account: Attacks aren't targeted by the cost/revenue alone, tradition plays a major role, too, as does sheer luck. And you are caught in a feedback loop; the attacks change as you deploy new countermeasures, and the changes are mostly unpredictable.
Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] wrote:

> okay, i read this story from 7/2005 reporting an incident in 5/2005. the short form of it is:

Not a bad summary. I'd say that when one is dealing with any such crime, there are always unanswered questions, and issues of confusion (probably as much for the attacker as the victim).

> even more off-topic: i'm surprised that the people on this list don't feel as if they have enough personal connections that at least they could figure out what happened to them at *some* financial institution. doesn't anyone else ask, as a basis for imputing trust exactly who did that {protocol, architecture, code} review as a basis for imputing trust? maybe i'm delusional, but i give fidelity some residual credit for having adam shostack there, even some years ago, and there are some firms i'd use because i've been there enough to see their level of care.

Well, even though phishing has been discussed on this list for about 2 years, it is only in the last 6 months or so that there has been a wider acceptance of the subject. I think your specific question has been asked so many times that people's eyes glaze over. Only in the last few *weeks* did two of the browser manufacturers acknowledge it publicly. So I wouldn't expect too much from the banks, who have to receive authoritative press and institutional regulatory input before they will shift on matters of security.

iang
Re: [Clips] Banks Seek Better Online-Security Tools
Florian Weimer wrote:
> * Nicholas Bohm:
> > [EMAIL PROTECTED] wrote:
> > > You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't.
> > > --dan
> > I do. My bank provides an RSA SecureId, so I feel reasonably safe against anyone other than the bank.
> But it's just a token measure. You should be afraid of your own computer, your own network. SecureID does not authenticate the server you're going to send your data to. It does not detect if your computer is compromised. Sure, right now, it might help you personally, but once these simple tokens gain market share, attackers will adjust. It's not a general solution.

I accept all that. I hope, not too confidently, that before the attackers adjust enough, banks will start giving their customers FINREAD type secure-signature-creation devices of decent provenance whose security does not rely on non-compromise of my PC or network.

Nicholas Bohm
-- 
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] said:

> You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't.

I do. Although, only from PCs that I trust such as my linux box at home. And I keep a close watch on my bank statements. All things considered, it's safer than posting cheques or distributing your credit card number around.

-- 
Kerry Thompson http://www.crypt.gen.nz
Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] wrote:

> dan, maybe you should just keep less money in the bank. i use online banking and financial services of almost every kind (except bill presentment, because i like paper bills). i cannot do without it. it seems to me the question is how much liability do i expose myself to by doing this, in return for what savings and convenience.

That part I agree with, but this part:

> i don't keep a lot of money in banks (why would anyone?) -- most of the assets are in (e.g.) brokerage accounts. at most i'm exposing a month of payroll check to an attacker briefly until it pays some bill or is transferred to another asset account.

George's story - watching my Ameritrade account get phished out in 3 minutes
https://www.financialcryptography.com/mt/archives/000515.html

Seems like a hopeful categorisation!

iang
Re: [Clips] Banks Seek Better Online-Security Tools
Kerry Thompson wrote:
> [EMAIL PROTECTED] said:
> > You know, I'd wonder how many people on this list use or have used online banking. To start the ball rolling, I have not and won't.
> I do. Although, only from PCs that I trust such as my linux box at home. And I keep a close watch on my bank statements. All things considered, it's safer than posting cheques or distributing your credit card number around.

That depends on how the risk of loss is allocated. This can vary between different legal systems, and may depend on the terms in force between bank and customer. For an exploration of this in the context of English law, see http://elj.warwick.ac.uk/jilt/00-3/bohm.html

Nicholas Bohm
-- 
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272) Fax 020 7788 2198 (+44 20 7788 2198) Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
Re: [Clips] Banks Seek Better Online-Security Tools
On Mon, Dec 05, 2005 at 09:24:04AM +, Ian G wrote:
> [EMAIL PROTECTED] wrote:
>> it seems to me the question is how much liability do i expose myself to by doing this, in return for what savings and convenience.
>
> That part I agree with, but this part:
>
>> i don't keep a lot of money in banks (why would anyone?) -- most of the assets are in (e.g.) brokerage accounts. at most i'm exposing a month of payroll check to an attacker briefly until it pays some bill or is transferred to another asset account.
>
> George's story - watching my Ameritrade account get phished out in 3 minutes
> https://www.financialcryptography.com/mt/archives/000515.html
>
> Seems like a hopeful categorisation!
>
> iang

okay, i read this story from 7/2005 reporting an incident in 5/2005. the short form of it is: the bad guys changed the associated bank account, then they placed orders to sell everything at market prices. at some point they changed the email address to a hotmail account (if they'd done this first he would have gotten less notice). for some unexplained reason he received confirmations of the trades at the old email address. actual cash didn't get transferred, at least because of the 3 day settlement time for the trades. the rest was dealing with law enforcement and customer service punes who wouldn't tell him anything for privacy reasons.

well, i have lots of nit-picking questions, about the actual incident and about the general point.

about the actual incident: maybe his password was phished, maybe it was malware, maybe it was password reuse and some other account was phished. how was the bofa account set up? (the fraudster's destination account) in these days of patriot act know your customer? (or was it someone's phished account also used just for transit?) why didn't they just do the wire transfer early, and leave him with a giant margin balance to be paid from the proceeds at settlement?

about the general point: the main thing online access changes (compared with phone access, or written instructions) is the velocity. most sensible institutions provide change of account status notifications by both email and postal mail (to both the old and the new addresses). some sensible institutions put brakes on removing money from the system, certainly for new accounts and (as i recommend to my clients) after an account change reflecting identity or control.

aside from the time and energy drain of identity theft, what is the financial liability for consumers if your us-based brokerage account is phished resulting in a fraudulent funds transfer? does anyone know if there is any uniform protection (such as reg e would cover for interbank funds transfers?) i insert the weasel-words "consumers" and "us-based" because of bofa's behavior in the joe lopez malware case, where they are trying to claim he is a business not a consumer, and that they are without fault in wire transferring his funds to latvia.

slightly off-topic: remember abraham abdallah, the brooklyn busboy who assumed the identity of a large number of the fortune 200 richest? made goldman sachs signature guaranteed stamps and opened accounts in their number? had 800 fraudulent credit cards and 2 blank cards when he was arrested? (hey kids! collect 'em all!). my point is only that this is possible without my participating. as jerry leichter reminded me, the fact that there are these facilities available means a bad guy can use them even if i do not, unless i can not only opt out but forbid anyone else from subsequently opting in, the moral equivalent of cutting your debit card in half and returning it to the bank (rather than just destroying the PIN).

even more off-topic: i'm surprised that the people on this list don't feel as if they have enough personal connections that at least they could figure out what happened to them at *some* financial institution. doesn't anyone else ask exactly who did that {protocol, architecture, code} review as a basis for imputing trust? maybe i'm delusional, but i give fidelity some residual credit for having adam shostack there, even some years ago, and there are some firms i'd use because i've been there enough to see their level of care.
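Added example (editor's illustration, not code from any participant or institution in this thread). The post above names two controls that would have blunted the Ameritrade incident it discusses: notify a change of contact or payout details to both the old and the new address, and put a brake on outbound money for a cooling-off period after any change that reflects identity or control (and for brand-new accounts). The model below implements exactly those two rules over a constructed account; the hold lengths, account names and notice format are assumptions.

```python
"""Brakes on outbound money after a change of account control.

Constructed model: a customer record with a linked payout bank account and
contact details, plus the policy that (a) every control change is announced
to old AND new addresses and (b) withdrawals are held for a cooling-off
window after such a change or while the account is new. All thresholds and
names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

NEW_ACCOUNT_HOLD = timedelta(days=30)     # assumed policy value
CONTROL_CHANGE_HOLD = timedelta(days=5)   # assumed policy value


@dataclass
class Account:
    opened: datetime
    email: str
    postal: str
    payout_bank: Optional[str] = None
    last_control_change: Optional[datetime] = None
    notices: List[str] = field(default_factory=list)   # "address: text"

    def _notify(self, text: str, *addresses: str) -> None:
        for addr in dict.fromkeys(addresses):          # dedupe, keep order
            self.notices.append(f"{addr}: {text}")

    def change_email(self, new_email: str, when: datetime) -> None:
        old = self.email
        self.email = new_email
        self.last_control_change = when
        # old e-mail, new e-mail and the postal address on file all hear about it
        self._notify(f"email changed {old} -> {new_email}", old, new_email, self.postal)

    def change_payout_bank(self, new_bank: str, when: datetime) -> None:
        old = self.payout_bank
        self.payout_bank = new_bank
        self.last_control_change = when
        self._notify(f"payout account changed {old} -> {new_bank}", self.email, self.postal)

    def withdrawal_decision(self, amount_cents: int, when: datetime) -> str:
        """Return 'execute', 'hold' (queue for out-of-band confirmation) or 'reject'."""
        if self.payout_bank is None or amount_cents <= 0:
            return "reject"
        if when - self.opened < NEW_ACCOUNT_HOLD:
            return "hold"
        if (self.last_control_change is not None
                and when - self.last_control_change < CONTROL_CHANGE_HOLD):
            return "hold"
        return "execute"


def phished_brokerage_scenario():
    """Attacker with phished credentials re-points the payout account, swaps the
    e-mail, then tries to pull the proceeds the same day. Constructed data."""
    t0 = datetime(2005, 5, 1, 9, 0)
    acct = Account(opened=t0 - timedelta(days=400), email="victim@example.org",
                   postal="1 Main St, Anytown", payout_bank="VICTIM-BANK-001")
    acct.change_payout_bank("MULE-BANK-999", t0)
    acct.change_email("attacker@hotmail.example", t0 + timedelta(hours=1))
    same_day = acct.withdrawal_decision(2_500_000, t0 + timedelta(hours=2))
    after_hold = acct.withdrawal_decision(2_500_000, t0 + timedelta(days=6))
    old_email_warned = any(n.startswith("victim@example.org:") for n in acct.notices)
    return same_day, after_hold, old_email_warned


if __name__ == "__main__":
    print(phished_brokerage_scenario())   # ('hold', 'execute', True)
```

The hold does not stop the fraud by itself; it buys the time in which the notice to the old address (and the paper one, which the attacker cannot redirect from inside the web session) can reach the real customer. A production version would also require the out-of-band confirmation before releasing a held transfer, rather than letting it execute once the window expires.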
Re: [Clips] Banks Seek Better Online-Security Tools
I would never use online banking, and I advise all my friends and colleagues (particularly those who _aren't_ computer-security-geeks) to avoid it.

On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:
> I've been using online banking for many years, both US and Germany. The German PIN/TAN system is reasonably secure, being an effective one-time pad distributed through out of band channel

Ahh, but how do you know that the transaction actually sent to the bank is the same as the one you thought you authorized with that OTP? If your computer (or web browser) has been cracked, you can't trust _anything_ it displays. There are already viruses in the wild attacking German online banking this way:
http://www.bsi.bund.de/av/vb/pwsteal_e.htm

I also don't trust RSAsafe or other such 2-factor authentication gadgets, for the same reason.

[I don't particularly trust buying things online with a credit card, either, but there my liability is limited to 50 Euros or so, and the credit card companies actually put a modicum of effort into watching for suspicious transactions, so I'm willing to buy (a few) things online.]

ciao,

--
-- Jonathan Thornburg [EMAIL PROTECTED]
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam
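Added example (editor's illustration, not code from any participant or bank in this thread). The message above makes a point that is easy to state and easy to get wrong in practice: a one-time code proves that the customer is present, not that the transaction the bank received is the one the customer saw. The model below runs the attack against two constructed schemes. In the first, the TAN is an unused code from a printed list and says nothing about the transfer it accompanies, so malware that rewrites the request after the user clicks "confirm" goes through. In the second, the code is computed on a separate device over the destination and amount the device itself displays (the shape of the later transaction-bound TAN schemes), so the rewritten transfer fails verification. Account numbers, the device key and the code format are hypothetical.

```python
"""A one-time code alone does not protect against a compromised browser.

Constructed model of the attack described in the message above: the user
approves transfer X, malware in the browser rewrites it to transfer Y, the
bank receives Y with a perfectly valid TAN. Scheme 1 (printed TAN list)
accepts it; scheme 2 (code bound to destination+amount on a separate
device) rejects it. Keys, account numbers and the code format are hypothetical.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount_cents: int


# --- Scheme 1: printed list of one-time TANs, independent of the transaction ---

class ListTanBank:
    """Checks only that the TAN is an unused code from the customer's list."""

    def __init__(self, tan_list):
        self._unused = set(tan_list)
        self.ledger = []

    def submit(self, transfer: Transfer, tan: str) -> bool:
        if tan not in self._unused:
            return False
        self._unused.discard(tan)       # one-time: consumed on first use
        self.ledger.append(transfer)    # nothing ties `tan` to `transfer`
        return True


# --- Scheme 2: TAN computed over the transaction on a separate device ---

def transaction_tan(device_key: bytes, counter: int, transfer: Transfer) -> str:
    """6-digit code bound to destination, amount and a per-device counter.
    The device shows dst and amount on its own display before computing it."""
    msg = f"{counter}|{transfer.dst}|{transfer.amount_cents}".encode()
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class BoundTanBank:
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._counter = 0
        self.ledger = []

    def next_counter(self) -> int:
        return self._counter

    def submit(self, transfer: Transfer, tan: str) -> bool:
        expected = transaction_tan(self._key, self._counter, transfer)
        if not hmac.compare_digest(expected, tan):
            return False                # wrong dst/amount/counter: reject, no consume
        self._counter += 1
        self.ledger.append(transfer)
        return True


def man_in_the_browser(transfer: Transfer) -> Transfer:
    """Malware rewrites the request after the user approved it on screen."""
    return replace(transfer, dst="DE00MULE000000001", amount_cents=950_000)


def run_list_tan_scenario():
    bank = ListTanBank(["482193", "771045"])          # constructed TAN list
    intended = Transfer("DE00USER", "DE00LANDLORD", 85_000)
    submitted = man_in_the_browser(intended)          # user saw `intended`
    return bank.submit(submitted, "482193"), bank.ledger


def run_bound_tan_scenario():
    key = b"hypothetical-device-secret"
    bank = BoundTanBank(key)
    intended = Transfer("DE00USER", "DE00LANDLORD", 85_000)
    # user reads dst+amount from the device display, then types the code
    tan = transaction_tan(key, bank.next_counter(), intended)
    tampered_ok = bank.submit(man_in_the_browser(intended), tan)
    genuine_ok = bank.submit(intended, tan)
    return tampered_ok, genuine_ok, bank.ledger


if __name__ == "__main__":
    print(run_list_tan_scenario())    # (True, [mule transfer])
    print(run_bound_tan_scenario())   # (False, True, [intended transfer])
```

The binding only helps if the customer actually reads the destination and amount off the independent device before typing the code; a scheme whose device shows nothing, or a user who types whatever the browser asks for, is back to scheme 1. Sequence-numbered lists where the bank picks the index do not change the picture either, since the index is chosen by the bank, not derived from the transaction contents.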
Re: [Clips] Banks Seek Better Online-Security Tools
At 2:29 PM -0800 12/3/05, John Gilmore wrote:
>> ...how many people on this list use or have used online banking?
>>
>> To start the ball rolling, I have not and won't.
>
> Dan, that makes two of us.

The only thing I ever use it for is to make sure the wires are in before I spend money. :-)

Cheers,
RAH
Still living at the bottom of the bathtub curve...
--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: [Clips] Banks Seek Better Online-Security Tools
dan, maybe you should just keep less money in the bank.

i use online banking and financial services of almost every kind (except bill presentment, because i like paper bills). i cannot do without it. it seems to me the question is how much liability do i expose myself to by doing this, in return for what savings and convenience. i don't keep a lot of money in banks (why would anyone?) -- most of the assets are in (e.g.) brokerage accounts. at most i'm exposing a month of payroll check to an attacker briefly until it pays some bill or is transferred to another asset account. (the lack of payment planning tools is my biggest beef with bill paying systems... it's so stupid that they don't show you the future running balances based on already arranged scheduled payments and regular withdrawals).

i have a slightly too elaborate drip-feed system set up, with direct deposit of the paycheck into an account which pays (as scheduled payments) my fixed bills automatically every month and makes minimum credit card payments too, so i don't often pay nuisance fees. (my utilities have been switched to average payment plans, or more recently to bill to credit cards so they fit into this plan). i haven't written more than a few paper checks in years. i just add the payee to the online system and have the bank do it. the online system has paid around 200 bills so far this year. so i save on time, on postage, on the float (since the banks do ach transfers to the larger payees which often post in 2-3 days), on nuisance and finance charges, and on the phone, complaining about problems posting paper checks. i would notice a fraudulent transfer on my online banking long before i would notice a fraudulent paper check written against the same account.

not only do i use online banking, i use aggregation systems which scrape screens for most of my accounts and display recent transactions, current balances, etc. i think i've tried almost all of these. fidelity's full view seems among the best of the group (they use yodlee for the scraping but manage their own password store). (while dan is surveying, i'll ask if anyone is using gnucash for this). i find this extremely helpful in managing diversification across several accounts, and in noticing such details as both sides of payments or transfers between institutions or charges on infrequently used credit card accounts. an interesting question regarding aggregation was whether i should let them use the information they scraped to decide what to offer me. (so far they haven't offered me a free toaster to entice me to move assets to them. according to an informant, they don't use the information for poaching.)

On Fri, Dec 02, 2005 at 11:05:29PM -0500, [EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this list use or have used online banking.
>
> To start the ball rolling, I have not and won't.
>
> --dan
>
> Cryptography is nothing more than a mathematical framework for discussing the implications of various paranoid delusions. -- Don Alvarez
Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this list use or have used online banking.
>
> To start the ball rolling, I have not and won't.
>
> --dan

I do. My bank provides an RSA SecureId, so I feel reasonably safe against anyone other than the bank. I have no basis for knowing how good the bank's precautions against insider fraud are, but they phone back to confirm unusual instructions, and they ask for only fragments of passwords when they do, so there is evidence that they make sensible efforts to do the right thing.

I have been a good customer for more than 30 years, it's a highly respectable specialist bank, I am a lawyer, and if I find a fake transaction on my account I believe I stand a good chance of fighting it. I know who to hire as an expert to investigate the bank's system when I have put it in issue in litigation. The aggregate of my balance and my credit limit is an amount I can afford to lose. In this context the convenience of online banking is enough to justify the risk.

Nicholas Bohm
--
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 020 7788 2198 (+44 20 7788 2198)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
Re: [Clips] Banks Seek Better Online-Security Tools
[EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

I have not! I declined the chance when my bank told me that I had to download their special client that only runs on windows...

However, I have used and/or written many online DGC tools (which is for the sake of this discussion, gold-denominated online payments) which are honed through experience, incentive and willingness to deal with the issues.

( As an aside, e-gold was generally the first to be hit by these problems as well as all the other problems that have only affected banks in passing. Generally the DGC sector is much more savvy about threats, through repetitive losses, at least. )

iang
Re: [Clips] Banks Seek Better Online-Security Tools
| You know, I'd wonder how many people on this
| list use or have used online banking.
|
| To start the ball rolling, I have not and won't.

Until a couple of months ago, I avoided doing anything of this sort at all. Simple reasoning: If I know I never do any financial stuff on-line, I can safely delete any message from a bank or other financial institution.

Now, I pay some large bills - mortgage, credit cards - on line. I just got tired of the ever-increasing penalties for being even a day late in paying - coupled with ever-more-unpredictable post office delivery times. (Then again, who can really say when the letter arrived at the credit card company? You have to accept their word for it, and they have every incentive to err in their own favor.)

I have consistently refused on-line delivery of statements, automated paying, or anything of that sort. I cannot at this point foresee a world in which I would trust these systems enough to willingly move in that direction. (It doesn't help that, for example, one credit-card site I use - ATT Universal - sends an invalid certificate. ATT Universal has its own URL, but they are owned by Citibank, so use the citibank.com certificate.)

Of course, increasingly one has little choice. My employer doesn't provide an option: Pay stubs are on-line only. Reimbursement reports likewise. There are increasing hints of various benefits if you use the on-line systems for banking and credit cards and such. The next step - it won't be long - will be charges for using the old paper systems. How many people here still ask for paper airline tickets? (I gave up on this one)

-- Jerry
Re: [Clips] Banks Seek Better Online-Security Tools
You know, I'd wonder how many people on this list use or have used online banking.

To start the ball rolling, I have not and won't.

--dan

Cryptography is nothing more than a mathematical framework for discussing the implications of various paranoid delusions. -- Don Alvarez
Re: [Clips] Banks Seek Better Online-Security Tools
On 2005-12-02, [EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

I've been using it for me and my wife with 3 banks since they first offered it; I use it every week to pay all our bills and would not be without it. The benefits I have gained from not having to waste time doing things the old way have proved to be substantial and I get to notice and resolve the occasional error (always in the form of fraudulent debits to credit cards) much faster than in the old days when I had to wait for the monthly statements.

It's probably not related to my use of online banking, but it has also been noticeable that fraudulent debits to our credit cards have dropped from about 5 per card per year five years ago to one such debit to the 6 cards we use in the past two years.

I detest banks and have had many battles with them over various issues over the years, but I remain confident that my careful practices, meticulous record keeping and careful management of passwords will continue to give me the edge in any dispute with them. And the cost to me of any such disputes seems unlikely to be anything like the benefits I have gained from online banking.

Greg
Re: [Clips] Banks Seek Better Online-Security Tools
> ...how many people on this list use or have used online banking?
>
> To start the ball rolling, I have not and won't.

Dan, that makes two of us.

John
Re: [Clips] Banks Seek Better Online-Security Tools
At 11:05 PM -0500 12/2/05, [EMAIL PROTECTED] wrote:
> You know, I'd wonder how many people on this list use or have used online banking.
>
> To start the ball rolling, I have not and won't.

I have, and it's nice for making Quicken data entry faster, but that's about all. The rest gives me the willies when I see the security clue of the folks running the site.

FWIW, I have never had a problem changing my password to something very long and all-alphabetic, even if I don't include at least one capital letter and one digit or whatever the CYA rules for passwords are these days.

--Paul Hoffman, Director
--VPN Consortium
[Clips] Banks Seek Better Online-Security Tools
--- begin forwarded text

Delivered-To: [EMAIL PROTECTED]
Date: Thu, 1 Dec 2005 16:54:00 -0500
To: Philodox Clips List [EMAIL PROTECTED]
From: R. A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Banks Seek Better Online-Security Tools
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

http://online.wsj.com/article_print/SB113339543967610740.html

The Wall Street Journal
December 1, 2005

Banks Seek Better Online-Security Tools
New Software Adds Layers To Verify Users' Identities; Ease of Use Remains Worry
By RIVA RICHMOND
DOW JONES NEWSWIRES
December 1, 2005; Page B4

More banks, driven by rising online identity theft and regulators' concerns, are shopping for security technology to help ensure those logging into accounts are the customers they claim to be. But while banks want security that is stronger than standard user names and passwords, they also don't want the technology to turn off customers by diminishing the convenience of online banking.

Software makers are aiming to help banks strike a tricky balance between security and convenience, with several, including Corillian Corp. and Entrust Inc., recently introducing systems that "raise the bar" for risky or suspect transactions. The software works behind the scenes to apply extra security measures when there is unusual or questionable activity -- say, account access from a cybercafe in Prague or a large money transfer that isn't a normal bill-payment routine.

The emergence of these products reflects the industry's concerns that email identity-theft scams, called phishing, and hacker programs that steal consumers' account information could hurt online banking, which is valued by banks as a low-cost way of doing business.

In the U.S., the Federal Financial Institutions Examination Council, a group that sets standards for banks, credit unions and thrifts, in October urged that online-banking security move beyond simple passwords by the end of next year. Its recommendation carries the force of regulation because banks' failure to comply would earn them black marks from bank examiners. Many of the new products would help banks respond to the FFIEC, which didn't endorse specific security technologies but encouraged banks to choose measures appropriate to the risk.

Other suppliers of software for tightening security include closely held firms Cyota Inc., New York, and PassMark Security Inc., Menlo Park, Calif.

"The banks are being pushed to bring in stronger authentication, but match it to the risk of the transaction and to the user experience and their desires," said Chris Voice, a vice president at Entrust, of Addison, Texas. Authentication is a security measure for verifying a customer or transaction.

Industry analysts think banks will employ several techniques to weigh risk and verify identities. One way is to halt any transactions from certain computers or countries with a high fraud risk. In addition to a user name and password, some of these new security systems add a fairly obscure personal question, such as "What was your high-school mascot?" Some also allow banks facing a suspicious transaction to send an extra four-digit security code for use online to a customer's cellphone. The idea is similar to credit-card-fraud systems that trigger phone calls to cardholders when they detect unusual activity, while letting the vast majority of transactions through without incident.

Corillian, of Hillsboro, Ore., already provides the technology behind the online-banking operations of many banks and credit unions. Woodforest National Bank, which has 190 branches in Texas and North Carolina, is rolling out Corillian's security technology during the first half of 2006. Corillian also has sold the technology to three credit unions and says it is in talks with three of the top-10 U.S. banks.

"The key to keeping this channel open is keeping it secure," said Charles Manning, president and chief information officer of Woodforest, which operates most of its branches inside Wal-Mart stores.

Corillian's Intelligent Authentication package, launched Oct. 25, tracks the behavior of online-banking customers and builds histories of their habits to create "access signatures." Its files don't include personal information. But they do track the characteristics of the computers and Internet-service providers that a customer typically uses. It also records the normal geographic locations and the times of day a customer prefers to bank online, flagging exceptions for scrutiny.

Meanwhile, security-software maker Entrust unveiled a major new version of its IdentityGuard product on Nov. 8 that offers a menu of user-verification methods banks can choose from to beef up security on transactions they deem risky. It has sold IdentityGuard to Miami-based Commercebank NA, a unit of Mercantil Servicios Financieros of Venezuela, and a number of European banks. European customers of Entrust's software
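Added example (editor's illustration; not code from Corillian, Entrust, Woodforest or the article's author). The article describes risk-based authentication in general terms: build an "access signature" from the devices, providers, locations and times a customer normally uses, score each new login or transaction against it, let ordinary activity through, and step up (for instance, a short code sent to the customer's phone) or block when the activity is unusual or from a high-fraud country. The model below does exactly that over a constructed login history; the weights, threshold, country block list and fingerprint strings are assumptions, not any vendor's values.

```python
"""Risk-based authentication over a behavioural access signature.

Constructed model: learn a profile from a customer's past logins, score a
new event against it, and choose allow / step_up / deny. The out-of-band
step-up is modelled as a 4-digit code. Weights, threshold, block list and
sample events are hypothetical.
"""
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass, field

BLOCKED_COUNTRIES = {"XX"}        # hypothetical high-fraud list
STEP_UP_THRESHOLD = 40
HIGH_VALUE_CENTS = 500_000

# assumed weights for each deviation from the customer's profile
W_NEW_DEVICE, W_NEW_ISP, W_NEW_COUNTRY, W_ODD_HOUR, W_HIGH_VALUE = 30, 20, 35, 15, 40


@dataclass(frozen=True)
class Event:
    device: str            # browser/device fingerprint hash
    isp: str               # provider or ASN the connection arrived from
    country: str           # geolocated country code
    hour: int              # customer-local hour, 0-23
    amount_cents: int = 0  # 0 for a plain login, >0 for a transfer in the session


@dataclass
class Profile:
    devices: Counter = field(default_factory=Counter)
    isps: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hour_buckets: Counter = field(default_factory=Counter)   # four 6-hour buckets

    @classmethod
    def from_history(cls, history):
        p = cls()
        for e in history:
            p.devices[e.device] += 1
            p.isps[e.isp] += 1
            p.countries[e.country] += 1
            p.hour_buckets[e.hour // 6] += 1
        return p


def risk_score(profile: Profile, event: Event) -> int:
    score = 0
    if event.device not in profile.devices:
        score += W_NEW_DEVICE
    if event.isp not in profile.isps:
        score += W_NEW_ISP
    if event.country not in profile.countries:
        score += W_NEW_COUNTRY
    if profile.hour_buckets[event.hour // 6] == 0:
        score += W_ODD_HOUR
    if event.amount_cents >= HIGH_VALUE_CENTS:
        score += W_HIGH_VALUE     # large transfer: step up on its own
    return score


def decide(profile: Profile, event: Event):
    """Return (action, score): 'deny', 'step_up' or 'allow'."""
    score = risk_score(profile, event)
    if event.country in BLOCKED_COUNTRIES:
        return "deny", score
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score
    return "allow", score


def issue_step_up_code() -> str:
    """4-digit code to be delivered out of band (e.g. to the phone on file)."""
    return f"{secrets.randbelow(10_000):04d}"


def verify_step_up_code(expected: str, supplied: str) -> bool:
    return hmac.compare_digest(expected, supplied)


# constructed history: one home device, one provider, US, evenings
HISTORY = [Event("fp-a1b2c3", "isp-home-cable", "US", h) for h in (19, 20, 21, 20, 19)]
PROFILE = Profile.from_history(HISTORY)


def demo():
    cases = {
        "usual":        Event("fp-a1b2c3", "isp-home-cable", "US", 20),
        "prague_cafe":  Event("fp-kiosk-7", "isp-cz-cafe", "CZ", 10),
        "big_transfer": Event("fp-a1b2c3", "isp-home-cable", "US", 20, 750_000),
        "blocked":      Event("fp-a1b2c3", "isp-home-cable", "XX", 20),
    }
    return {name: decide(PROFILE, ev) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, (action, score) in demo().items():
        print(f"{name:13s} -> {action:8s} (score {score})")
```

Two things a production version must add: the profile should only absorb a new device or location after the step-up succeeded, otherwise an attacker's first unchallenged login teaches the system to trust them; and the step-up code, if sent to an address the attacker may have changed in the same session, proves nothing, which ties back to the point about holding control changes earlier in this thread.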