Science Forum Index  »  Cryptography Forum  »  Internet Banking and Cryptography
CipherGuy
Posted: Sun Jan 04, 2004 12:59 am
Guest
I want to know about the effectiveness of Cryptography in NetBanking.
Nowadays almost all banks offer a NetBanking feature and the sites
are VeriSign secured with 128-bit encryption.

Though I have only once used NetBanking to send a small amount of money,
I still hesitate to carry out big transactions on the internet.

Please let me know whether Banking on the Internet with a 128-bit
SSL secured website is safe or not.

I upgraded my Internet Explorer 6 with SP1, but still the patches keep
on coming. So now I am using Netscape 7 or Mozilla.

Secondly, I store my critical data on the net as a PGP Self-Decrypting
file so that I can decrypt the file in any other city. I therefore
want to store my bank account numbers and other bank information too
as a PGP SDA. Is this method secure or should it not be carried out?
Bill Unruh
Posted: Sun Jan 04, 2004 11:08 am
Guest
cipherguy@37.com (CipherGuy) writes:

]I want to know about the effectiveness of Cryptography in NetBanking.
]Nowadays almost all banks offer a NetBanking feature and the sites
]are VeriSign secured with 128-bit encryption.

]Though I have only once used NetBanking to send a small amount of money,
]I still hesitate to carry out big transactions on the internet.

The problem with security is in general not its transmission over the
net. It is what happens at the two ends. Banks are notorious for their
ignorance of and bad use of security. In the US, the onus of
responsibility for bad ATM transactions is on the banks making them
slightly less insecure than in Britain where the onus is on the
customer, making the banks notoriously careless (see the Ross Anderson
files). Since the internet banking transactions have the onus on the
customer (i.e. the customer has to prove that it was not his fault if a
transaction is made, rather than the assumption that it was not his/her
transaction) the banks have no stake whatsoever in the security of the
transfers. "It was your password, so you are responsible."

As an example in the UK, a customer disputed an ATM transaction. The
bank said -- "Your PIN was used, therefore it must have been you. Since you
are disputing the transaction, you are obviously trying to defraud us,"
-- and he was arrested, tried and convicted of criminal fraud.

That is what happens when the security onus is transferred to the
customer.

]Please let me know whether Banking on the Internet with a 128-bit
]SSL secured website is safe or not.

It is probably safe from someone sniffing the transaction as it is
transported over the net. Its safety from impersonation, from fraud,
from bank malfeasance, etc is probably minimal.

]I upgraded my Internet Explorer 6 with SP1, but still the patches keep
]on coming. So now I am using Netscape 7 or Mozilla.

You had better patch them as well.

]Secondly, I store my critical data on the net as a PGP Self-Decrypting
]file so that I can decrypt the file in any other city. I therefore
]want to store my bank account numbers and other bank information too
]as a PGP SDA. Is this method secure or should it not be carried out?

Well, how far do you trust the machines on which you do the decryption,
since anyone could install a worm to read off your password as you enter
it, and then they can attack your banking from anywhere in the world.
I.e., you have a single line of defense, the encryption, and if that is
broken by any means, you are completely open. Furthermore anyone in the
world can know that is your only line of defense and can target it.
Nicol So
Posted: Sun Jan 04, 2004 3:57 pm
Guest
CipherGuy wrote:
Quote:
I want to know about the effectiveness of Cryptography in NetBanking.
Nowadays almost all banks offer a NetBanking feature and the sites
are VeriSign secured with 128-bit encryption.

Though I have only once used NetBanking to send a small amount of money,
I still hesitate to carry out big transactions on the internet.

Please let me know whether Banking on the Internet with a 128-bit
SSL secured website is safe or not.

There's more to security than just cryptography. "128-bit encryption"
does not tell you a whole lot about how secure the system is. It
represents *an* upper bound on the security of encryption. However, there
could be undiscovered/unpublished weaknesses in the encryption
algorithms or the SSL protocol. There could also be implementation
errors that make otherwise secure algorithms exploitable.

That said, security of the SSL connection is not likely to be your
biggest problem. You have more to worry about with host security, for
example. How do you know that your host has not been compromised by a
key-logging trojan that steals your password and sends it out to the
Internet? When you visit your bank's website, how do you know you're
getting the real website? How do you know that your DNS server has not
been compromised? If your bank's website points you to another server
for an SSL session, how do you know the URL has not been changed to
redirect you to another site?

Quote:
Secondly, I store my critical data on the net as a PGP Self-Decrypting
file so that I can decrypt the file in any other city. I therefore
want to store my bank account numbers and other bank information too
as a PGP SDA. Is this method secure or should it not be carried out?

I'm not familiar with self-decrypting archives. From your description,
it seems that you don't have a program that you can bring with you when
you travel (otherwise the archives don't have to be self-decrypting). If
the server that holds your SDAs is compromised, it's possible that
someone may compromise the SDAs by putting a wrapper around them. The
wrapper can do all sorts of bad things, including stealing your
passphrases. Once the attacker gets hold of your passphrases, he can use
them to open the SDAs.

--
Nicol So
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.
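
An added example, not part of the thread: one way to notice the wrapper scenario described in the post above is to record the archive's size and SHA-256 before uploading it, carry those values separately from the server, and check every download before running it. The function names and sample bytes are constructed for illustration; the check says nothing about a compromised machine doing the decryption.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # read size; keeps memory use flat for large archives


def fingerprint(path):
    """Return (size, sha256 hex digest) of a file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
            size += len(block)
    return size, h.hexdigest()


def check_download(path, expected_size, expected_sha256):
    """Compare a downloaded archive with the values recorded before upload.

    Returns "ok", "size-mismatch" (for example, code was added around the
    archive) or "content-mismatch" (same length, different bytes).
    """
    size, digest = fingerprint(path)
    if size != expected_size:
        return "size-mismatch"
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        return "content-mismatch"
    return "ok"


def demo():
    """Run the check on constructed stand-ins for an SDA and altered copies."""
    original = b"MZ" + b"constructed-sda-bytes" * 100
    samples = {
        "original": original,
        "wrapped": b"MZ" + b"constructed-wrapper-stub" + original,
        "patched": original[:-1] + b"X",
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in samples.items():
            paths[name] = os.path.join(d, name + ".bin")
            with open(paths[name], "wb") as f:
                f.write(data)
        # Values the owner would record before upload and keep off the server.
        size, digest = fingerprint(paths["original"])
        for name, p in paths.items():
            results[name] = check_download(p, size, digest)
    return results
```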
 
All times are GMT - 5 Hours