[plug] Banks Online

navarre at plug.linux.org.au navarre at plug.linux.org.au
Mon Jul 3 07:09:55 WST 2000


Hello Pluggers

If no one has tried it, I could not make Netbank function under 
StarOffice 5.2.
The last time I used Netbank I ran the downloaded Windows program, which 
works fine for all the transactions that I would want to perform.

As far as general electronic banking information goes, when I was doing the 
Quality Control at Intelect (the pin pad makers) I was using the 
Australian Standards 2805 documentation that told me how the encryption 
was to be done. In testing the pin pad applications there were many 
different mechanisms being used that all adhered to the standard. A user 
PIN as used with the swipe card could be from 4 to 12 digits long; this 
data was packed into a pin block and encrypted under the session pin key, 
generally a derived key from a 128-bit non-exposed master key, and 
transmitted to the acquirer for verification. My memory fails me as to 
what happens to the card data; I was doing this over ten years ago. The 
PIN encryption key can be derived from data supplied by the acquirer at 
the end of each transaction and thus may be unique for each transaction, 
successful or not. This would vary with each implementation of the 
client's pin pad application.



>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/29/00, 4:53:12 AM, Christian <christian at amnet.net.au> wrote regarding 
Re: [plug] Banks Online:


> On Thu, Jun 29, 2000 at 12:35:36PM +0800, skribe wrote:
> > At 12:19 29/06/00, Christian wrote:
> > >Worst-case scenario is
> > >that someone guesses my 4 digit PIN (~10 bits of entropy: 40-bit keys
> > >are suddenly looking a lot better!) and has complete access to my bank
> > >account.
> >
> > Possible point of clarification:
> > Banks usually use an 8 character password system for internet banking.

> Is eight a required length or just the maximum?  If everyone chose
> passwords of exactly 8 characters (unrealistic, ideal case) then the
> average entropy would be around 10.4 bits, i.e., only marginally better
> than a 4 digit PIN.  If 4 character passwords were a restricted minimum
> then the entropy would be somewhere between 5 and 10 bits on average.
> The 40-bit RC4 key is still at least a thousand million times more
> secure.

> Regards,

> Christian.


