In an earlier message, I wrote
I would never use online banking, and I advise all my friends and colleagues (particularly those who _aren't_ computer-security-geeks) to avoid it.
Jason Axley asked
Why do you not use OLB?
Basically, so far as I know the fine print in online bank service agreements basically says "you (the customer) are responsible for any transactions we receive with your username and pin, and our electronic records are the final word on this". Thus if there is an a false transaction on my account, i.e. one which I did not intend to authorize (whether this happened due to insider fraud in the bank, MITM phishing, virus in my computer, or whatever other cause), the basic legal presumption is that it's my loss, not the bank's. I consider the risks of this too high.
What would need to be fixed for you to use OLB in the future?
I would want the same ability to refuse an unauthorized transaction that I have now with credit cards, where basically any losses over 50 Euros/dollars are the bank's problem, not mine.
What is your threat model (WIYTM)?
For online banking, any/all of (a) insider fraud at the bank and/or anyone else to whom they've outsourced relevant processing (b) computer breakin/theft at the bank and/or anyone else to whom they've outsourced relevant processing (c) MITM phishing or DNS hijacking (d) viruses/worms in my computer
What risks are present in OLB that are not present in the offline world?
(c) and (d) above. Also liability for problems is mine, not the bank's (see above). Also there are few paper records that I can use to help document problems. In the offline world, (a) and (b) are mitigated by paper records (and forms with my written signature) which crooks usually don't bother forging.
What about the risks of the offline financial world?
If I wire-transfer money from my bank in Germany to my credit union in Canada, my written signature is (supposed to be) required to verify that I did in fact authorize the transaction. If the bank sends my money off to a crook's account (whether by mistake or due to deliberate fraud), the next time I get a statement I'll notice, and I'll ask them what happened. If the bank can't show me a piece of paper with my signature on it, my understanding is that (if I complain enough) I can force them to refund the money to me (so it's then their problem to try to recover it from wherever it went).
For example, all of the information that someone needs to put money in, or take it out, of your checking account via ACH is nicely printed in magnetic ink on your checks in the US. And you give it out to anyone when you write them a check.
Where I live now (Germany) people don't use cheques, they do bank transfers which the *payer* gives direct to her bank. These (are supposed to) have the written signature of the payer (the account-holder). If someone forges one of these and takes money out of my account, I can refuse the transaction and (I understand) the bank is legally required to refund the money to me (and it's their problem to recover it from whoever got it). When I lived in Canada (where people use cheques in the same way as in the US), my understanding is that (a) Even with the transit/routing numbers, noone is supposed to be able to take money out of an account without prior written permission. A cheque constitutes such permission _for_a_specific_transaction_, but not for any other transaction(s). (b) If someone forges another cheque (eg scans my signature etc), and my bank honors it and takes the money out of my account. then since I didn't actually sign that cheque, legally it's the bank's fault for honoring it, and (if I complain enough) I can force the bank to refund the money to me (so it's then the bank's problem to try to recover it from the crook).
This reminded me of how I laughed when I saw an interview with a local security person where he said that he didn't even connect a computer to the Internet at home due to the risk. To me, this seems akin to deciding to not leave your house because you "can't be sure" someone won't shoot you dead.
Well, in certain places that's basically what people do. For example, many foreign people in Bhagdad don't venture out of the "green zone". My point is that when substantial amounts of money are involved, IMHO the internet is basically a "red zone" where I don't feel safe venturing. ciao, -- -- Jonathan Thornburg <[EMAIL PROTECTED]> Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut), Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]