On Wed, Dec 07, 2005 at 10:31:52AM -0500, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, "Janusz A. Urbanowicz" writes:
> >
> >Bank statements come on paper or in S/MIME signed emails. 
> This is interesting -- the bank is using S/MIME?  What mail readers are 
> common among its clientele?  How is the bank's certificate checked?

From my observation, the most popular standalone MUA here is Outlook
Express, with Mozilla/Thunderbird being a distant second place. Those do
support S/MIME, and the signature is verified properly.

The average internet/internet banking user is more likely to use some web-based
MUA on a commercial portal, which in general do not support cryptographic
signatures of any kind.

The signature is issued using a key certified by Verisign Class 1 cacert, so
it verifies on Windows machines and in Mozilla-based software with a recent CA
certs bundle.

I have attached signature binary stripped from one statement to this
message, in case someone wants to analyze it.

I do not have any hard data on MUA usage among bank clientele; my wild guess
is that 1/3 of the users use one of the above programs, 2/3 use
portal services. The signatures were introduced some time after the bank
went into service, so there was some problem to be solved with it.

This is an internet-only bank with no physical branches around the country; all
communication with the bank is done via internet, phone and messenger.

What I do not understand is that the bank in question started
turing-encoding the requested code number when asking for a one-time code to
authenticate the transaction.


Attachment: smime.p7s
Description: Binary data
