<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d7134549\x26blogName\x3dJonathan\x27s+Liverstone\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttps://liverstone.blogspot.com/search\x26blogLocale\x3den_GB\x26v\x3d2\x26homepageUrl\x3dhttp://liverstone.blogspot.com/\x26vt\x3d-3181951560992862409', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe", messageHandlersFilter: gapi.iframes.CROSS_ORIGIN_IFRAMES_FILTER, messageHandlers: { 'blogger-ping': function() {} } }); } }); </script>
Jonathan's Liverstone

A place of Bile & other Humours.

BlogRoll


Internet Banking Security  

The recent flurry of publicity about the low level of security used by banks for their internet banking seems to have been triggered by the police apparently discovering keyloggers and making a fuss about them.
Goodo! I say. The push for increasing the security is a good thing, but the banks are the ones that have to take responsibility for ensuring it happens. Calls for the government to legislate or somehow force it to happen are misguided. (I find it amusing that it seems to be the market-economy accolites who are making these calls for regulation: surely the market should drive the need.)
Two-factor authentication is a splendid move, but the focus seems to be on the use of cellphone texting for transmitting a transaction pin. I hope the banks are not so *stupid* as to use only this as a means for implimenting stronger systems. The European banks have been using TANs (Transaction Authentication Numbers) for some time with considerable acceptance.
A simple system of allowing the client to *choose* the second authentication vector (cellphone, or the list of one-time numbers in their wallet) for each transaction would be sufficient.
I find internet banking sites can be slow enough, without adding in the need to wait (what?) up to 3 minutes for a text message to come through so you an complete a transaction.

3 Comments:

And... who will pay? None of this stuff comes cheaply...


It doesn't have to be expensive. I would also say that using SMS messaging is extremely insecure. We have developed a strong authentication system that uses an asymmetric cryptographic client running on either a wireless device or on a PC that is fast, secure and inexpensive. If you're interested in learning more you can visit our website http://www.wikdisystems.com. I too have blogged about internet banking security on my blog. Glad to see more posts in this area.


Your system is seems to be vulnerable to man-in-the-middle attacks.
I'm not implying that many other two-factor authentication systems are immune to this sort of attack, most are.


Disclaimer: (I stole this from Internal Affairs.)
All links and references to other websites, organisations or people not within my control are provided for the user's convenience only, and should not be taken as endorsement of those websites, or of the information contained in those websites, nor of organisations or people referred to. I also do not implicitly or impliedly endorse any website, organisation or people who have off-site links to this website.
... But then again; I only link to sites 'cos I see something there that's worth linking to.