On Wed, Dec 07, 2005 at 10:31:52AM -0500, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, "Janusz A. Urbanowicz" writes:
> >
> > Bank statements come on paper or in S/MIME signed emails.
>
> This is interesting -- the bank is using S/MIME? What mail readers are
> common among its clientele? How is the bank's certificate checked?

From my observation, the most popular standalone MUA here is Outlook Express, with Mozilla/Thunderbird being a distant second place. Those do support S/MIME, and the signature is verified properly. The average internet/internet banking user is more likely to use some web-based MUA on a commercial portal, which in general do not support cryptographic signatures of any kind.

The signature is issued using a key certified by the Verisign Class 1 cacert, so it verifies on Windows machines and in Mozilla-based software with a recent CA certs bundle. I have attached the signature binary stripped from one statement to this message, in case someone wants to analyze it.

I do not have any hard data on MUA usage among the bank's clientele; my wild guess is that 1/3 of the users use one of the above programs and 2/3 use portal services. The signatures were introduced some time after the bank went into service, so there was some problem to be solved with it.

This is an internet-only bank with no physical branches around the country; all communication with the bank is done via internet, phone and messenger services.

What I do not understand is that the bank in question started turing-encoding the requested code number when asking for a one-time code to authenticate the transaction.

Alex
--
0x46399138