[plug] Banks Online

Christian christian at amnet.net.au
Thu Jun 29 14:01:47 WST 2000


On Thu, Jun 29, 2000 at 01:02:38PM +0800, Bret Busby wrote:
> Christian wrote:
 
> Account ID is not Bank/BSB/Account# format.

How are they generated?  Are they random?  How long are they? (these are
rhetorical questions but do relate to my previous comments)

> > Worst-case scenario is
> > that someone guesses my 4 digit PIN (~10 bits of entropy: 40-bit keys
> > are suddenly looking a lot better!) and has complete access to my bank
> > account. 
> 
> Account password is account-holder selected password, recommended to be
> mixed case alpha, and numeric combination, of 8 characters (and maybe
> more?). Sound familiar? It is like a typical UNIX password, so you would
> be at the same level of risk, I believe.

The value is different.  Breaking into my computer yields relatively
little.  Breaking into my bank account is significantly more valuable.
Besides, I have access to logging information concerning attempts to
access my computer to which I can react.  I don't have access to any
such information concerning attempts to access my bank account over the
Internet.  If you think about it a little more you'll see the risk
levels are very different.

> 
> Remember the fundamental principle; that credit fraud is more likely to
> occur in the restaurant, or shop, in which a person physically buys
> goods with a credit card, than using a credit card on the Internet.
> Likewise, using EFTPOS in a shop or petrol station, is apparently more
> likely to result in fraud, than Internet banking.

We're not talking about credit card fraud here where the maximum
liability is generally severely limited.  But, you make a good point --
the same point I'm trying to make really.  People fret over the
cryptography (key lengths generally because people see them as simple
numbers, easy to understand and compare when in fact they are not like
this at all) when the real dangers are elsewhere.

> There are no doubt people on the mailing list, who regard me as being
> too paranoid, when it comes to privacy, etc, on the Internet, but, I am
> confident of the relative security of Internet banking. Note, I said,
> relative security.

Too paranoid?  Is that possible? ;-)  Seriously though, you are
confident in the security of Internet banking because you use it.  You
tried it, it seemed to work nicely and was convenient and so you
continue.  Now you don't want to hear that there might be problems with
its security, especially since any problems with security make you
nervous to begin with.  You are confident in its security because you
use it when it should really be the other way around.  Still, I don't
blame you.  I use ATMs and I'm not at all convinced that they are
secure but they're too convenient for me to give up now...  Still, I do
think Internet Banking is significantly less secure than ATMs so I aim
to hold out for as long as possible. :-)  As I've said before, I
wouldn't necessarily advise anyone not to use Internet banking but I do
think there are risks involved that people should be aware of and the
more significant of those risks do not really relate to 40-vs-128 bit
key lengths.

Regards,

Christian.
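
The comparison in the message above between a 4-digit PIN, an 8-character mixed-case alphanumeric password and 40- or 128-bit keys turns on two different attack models: a key is attacked offline, at whatever rate the attacker's hardware allows and with nobody watching, while a PIN or password on an Internet banking site is guessed online through the bank's login page, where lockout and logging (the attempt information Christian says he cannot see) bound the attacker. The following Python block is added here as an example and is not part of the mailing-list thread; it puts numbers on both models. The offline guessing rate, the three-attempts-before-lockout threshold and the 100,000-account population are assumptions chosen for illustration.

```python
"""Guess-space arithmetic for the credential types compared in the thread.

Added example, not part of the mailing-list post. The guessing rate,
lockout threshold and account population are assumptions for illustration.
"""
import math

# Alphabet size and length of each credential type mentioned in the thread.
CREDENTIALS = {
    "4-digit PIN": (10, 4),
    "8-char mixed-case alphanumeric password": (62, 8),
    "40-bit key": (2, 40),
    "128-bit key": (2, 128),
}


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of distinct values a uniformly chosen credential can take."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random credential: log2 of its guess space."""
    return math.log2(guess_space(alphabet_size, length))


def offline_seconds_to_break(space: int, guesses_per_second: float) -> float:
    """Expected time for an offline attacker (holding the ciphertext, testing
    keys at full speed, unobserved) to find the key: half the space on average."""
    return space / 2 / guesses_per_second


def online_compromise_probability(space: int, attempts_before_lockout: int) -> float:
    """Probability that one account falls to an attacker who must submit each
    guess to the login page and is cut off after a fixed number of failures.
    With no effective lockout (attempts >= space) the probability is 1."""
    return min(1.0, attempts_before_lockout / space)


def expected_accounts_compromised(space: int, attempts_before_lockout: int,
                                  accounts: int) -> float:
    """Expected compromised accounts when the attacker spends the same
    per-account attempt budget against many accounts (a spraying attack).
    This is why unguessable account IDs, lockout and alerting matter more
    than key length for a web login."""
    return accounts * online_compromise_probability(space, attempts_before_lockout)


def summarize(guesses_per_second: float = 1e9, attempts_before_lockout: int = 3,
              accounts: int = 100_000) -> dict:
    """Per-credential figures for both attack models. The defaults are
    assumptions: 1e9 offline guesses per second, 3 online tries before
    lockout, 100,000 customer accounts."""
    out = {}
    for name, (alphabet, length) in CREDENTIALS.items():
        space = guess_space(alphabet, length)
        out[name] = {
            "bits": bits_of_entropy(alphabet, length),
            "offline_seconds": offline_seconds_to_break(space, guesses_per_second),
            "online_p_per_account": online_compromise_probability(space, attempts_before_lockout),
            "online_expected_accounts": expected_accounts_compromised(
                space, attempts_before_lockout, accounts),
        }
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name:40s} {row['bits']:6.1f} bits  "
              f"offline {row['offline_seconds']:10.3g} s  "
              f"online P/account {row['online_p_per_account']:.2e}  "
              f"expected accounts {row['online_expected_accounts']:.3g}")
```

Run stand-alone, the table shows the two models pulling in opposite directions: a 4-digit PIN is exhausted offline in microseconds, so for an offline attack even a 40-bit key is far stronger, but under an online model with a three-try lockout the same PIN yields only 3 in 10,000 accounts per sweep, and the 8-character password yields essentially none. What moves the online figure is the lockout threshold, the visibility of failed attempts and whether account IDs can be enumerated, not the 40-vs-128 bit choice.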



