[plug] Banks Online

Bret Busby bret at clearsol.iinet.net.au
Thu Jun 29 13:02:38 WST 2000


Christian wrote:
> 

<snip>

> 
> Security systems and infrastructure need to mature a lot before I trust
> them enough to do my banking over the Internet.  Currently best-case
> scenario is that my account can be disabled by anyone who guesses/knows
> my account ID (*wonders if this is the same as the BSB number that is
> given to every employer I have or have had*). 

Account ID is not Bank/BSB/Account# format.

> Worst-case scenario is
> that someone guesses my 4 digit PIN (~10 bits of entropy: 40-bit keys
> are suddenly looking a lot better!) and has complete access to my bank
> account. 

Account password is account-holder selected password, recommended to be
mixed case alpha, and numeric combination, of 8 characters (and maybe
more?). Sound familiar? It is like a typical UNIX password, so you would
be at the same level of risk, I believe.

> It's taken security systems used by banking and financial
> institutions a long time to mature (see Ross Anderson's paper, "Why
> cryptosystems fail" for details of some of the lessons learnt) and
> Internet security systems are currently nowhere near that level of
> maturity.  I wouldn't necessarily advise someone not to use Internet
> banking but I think they should be aware of the potential risks.
> Anyway, back to my original point which is that most of the time it's
> not the cryptography you have to worry about -- most systems are badly
> insecure to begin with.
> 
> Regards,
> 
> Christian.

Remember the fundamental principle; that credit fraud is more likely to
occur in the restaurant, or shop, in which a person physically buys
goods with a credit card, than using a credit card on the Internet.
Likewise, using EFTPOS in a shop or petrol station, is apparently more
likely to result in fraud, than Internet banking.

There are no doubt people on the mailing list, who regard me as being
too paranoid, when it comes to privacy, etc, on the Internet, but, I am
confident of the relative security of Internet banking. Note, I said,
relative security.

If you are uncertain of the security, I suggest that you set up a small
savings account with your bank, with about $10 credit balance, get
Internet banking access, and try it. That way, you can find how your
bank operates Internet banking, and, the level of security involved.
That way, if it all goes wrong, the loss is not too great, and, it could
be a worthwhile learning experience. Just be wary, depending on which
bank you use, of the charges for Internet banking.

At present, the discussion appears more based on speculation, rather
than facts.
-- 

Bret Busby
