[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bank transactions on Internet
From: IN%"[email protected]" "Charles Watt" 16-APR-1996 13:06:06.52
>First, the U.S. banking system is very nice to account holders. The banks,
>rather than the customers, assume all risk associated with security problems
>in telephone banking, ATMs, etc... Internet banking is no different, which
>explains why so few banks have jumped onto the net with real transactions.
>If an SFNB customer should lose any funds due to a security problem, SFNB
>pays, not the customer.
That would depend on whether the customer can prove a security problem,
because otherwise you're going to get a lot of con artists making a lot of
money off of you.
>Second, in order to break the SSL-protected password of an SFNB account
>holder, you need access to the encrypted data. This is not easy to obtain
>over the Internet, and would generally require illegal activity in order
>to gain control of a host within the Internet infrastructure or collusion
>with the account holder. Should an attacker crack the key and obtain
>the account number and password of an SFNB account holder, they are clearly
>warned upon login that they are engaging in illegal activity. Once they
One, ever heard of a packet sniffer? If the account holder is on an
Intranet, then someone within it could easily get such information. Two,
somehow I suspect that the penalties for computer breakins are significantly
less than those for bank fraud/grand theft; they aren't going to matter if
you're willing to take the risk.
>have logged in, there is no way to transfer money out of the account
>without leaving a target address and phone number for the recipient.
>Furthermore, any payment to an individual or unknown entity would be
>made in the form of a physical check that would have to be cashed at
>a physical bank. The whole process is heavily audited with real-time
>audit filtering and pattern matching capabilities -- SFNB is, afterall,
>running on a military grade secure operating system (see SWP at
>www.secureware.com). Any security system that is deployed should be
>compared against the value you are trying to protect. It seems like a
>pretty big risk to an attacker -- and I assure you SFNB will prosecute.
Target address and phone number? Make fake ID, get yourself a PO box
and a telephone forwarding/answering service (giving the PO box as the
address), then target it there. Use the fake ID at a check-cashing place. You
can make the fake ID in whatever name you want, which makes it easier.
>Finally, I whole-heartedly agree that 40-bit encryption is far too weak
>for many applications, and that the current export limitations are absurd.
I'm glad you realize that. I've edited out what look to be
improvements, which I hope for your stockholders' sake you've implemented.
-Allen