Text 30801, 68 rader
Skriven 2009-04-04 18:21:34 av Robert Bashe (2:2448/44)
  Kommentar till text 30757 av Dale Shipp (1:261/1466.0)
Ärende: Bank Security
=====================
Dale Shipp wrote to Robert Bashe on Friday April 03 2009 at 23:29:

RB>> I have personal experience with BOTH banks. And consider neither
RB>> really  secure as to internet banking. My bias for the EU system is
RB>> well known, and remains.

DS> What do they do for security?

In Germany, there are several methods for making secure account-to-account
transfers.

In the original method, you used a browser to log into your account with the
account number and a self-assigned PIN (alphanumeric - case sensitive - was
recommended, generally up to around 8 digits including special characters such
as !, $, ?, * or #). That only allowed you to see the balances, not to do
anything with them. If you wanted to actually _do_ anything, you had to provide
a one-time "transaction ID" (TAN or transaction identifier) for _each_
transaction. This proved to be too vulnerable to misuse (man in the middle
attack, attack by imitating the bank website, attack by requesting you to
"confirm" your bank data by email, providing several TANs in the process), so
now banks give you so-called "indexed" TANS (iTANs), where you are asked for a
_specific_ TAN from a list of 100 sent you by separate mail (for example TAN
number 56), OR you have to calculate the TAN yourself using a little electronic
device (free from the bank) with a _specific_ bank card to activate it and data
from the bank website to do the calculation, OR the bank server sends your cell
phone (which you have registered at the bank) the TAN for the transaction by
SMS (short mail service). The TAN is than good for around 1-2 minutes and then
expires forever. Once used, a TAN expires permanently and can never be used
again. The TANs, incidently, are generally six-digit numbers.

A totally different and much more secure method is HBCI (home banking
connection interface), an English name for a German invention. This uses either
a key card and reader, or a key disk to transfer RSA (public key) encrypted
data to and from the bank server, and to authenticate both you and the bank
server (the connection is directly to the bank server, NOT "through" the
Internet - i.e., no middlemen). Unfortunately, this involves extra cost and
requires a bit of technical knowledge, so it is not used at many banks. I use
it at one that does offer it, and you simply can't beat it for security.

What I miss in American internet banking is the second tier of security _after_
you have logged into your account and _before_ you can do anything except look
at the balances. Maybe they simply assume you'll notice if someone hacked into
your account and sent himself a check for the balance, but I find that a very
questionable assumption, if true. The idea of using your SSN as a PIN is also a
VERY! bad idea, since it not only makes it easier for some hacker to get into
your account, but is an invitation for identity theft. I can't understand the
kind of thinking that would allow that, but it's done and even suggested in
some cases.

DS> It is well known that passwords by themselves have all sorts of
DS> problems.  If they have enough entropy to not be easily guessed, then
DS> they are hard to remember.

I create my PINs completely randomly, by just running my fingers over the
keyboard. Then I cut them down to the maximum permitted by the bank software
and store them on a USB stick. When I need to access an account that doesn't
offer HBCI, I insert the USB stick and use cut-and-paste to insert the
necessary PIN. They are never stored on my computer, which is accessible to the
Internet. I hope this is safe enough, and have never had any problems with
identity theft to date.

If you asked me at this minute what my PIN for a specific bank is, I couldn't
tell you because I simply don't know. That's that the USB stick is for.

Cheers, Bob

--- GoldED+/W32 1.1.5-0613
 * Origin: Jabberwocky System - 02363-56073 ISDN/V34 (2:2448/44)