Email Scams and Authentication

You are dead right, indeed I think I read recently of a scam whereby someone pretending to be the bank / cc company phones up, says that the card has been cloned,gets some personal details, tells the person that they will cancel it, and then of course goes ahead and starts using it fraudulently.

I'm glad you agree!

The issue of authentication and telling the real from the fake has historically been a big problem (not just on the Internet) so most people seem to accept it as being a fact of life - and in many spheres of life it is I suppose. But we're so bloody accepting of the problem. I'm always amazed at how often we see reports of Internet scams involving passing off, fakery etc. but there never seems to be any discussion about how comparatively easy it would be on the Internet to actually *prevent* the problem in the first place.

I'm not saying that online fakery would disappear, but the use of digital certificates in a simple PKI framework would make it far harder to forge an email from a bank.

For another example, take paedophiles in kids chat rooms. MSN recently closed all their chatrooms down because of issues to do with "grooming" and the like (well, that was the reason anyway). But how difficult would it have been to demand a digital certificate from people before they could participate in online chats? Something along the lines of Thawte's "Web of trust" system, for instance?

Of course, it would take a degree of education about how the system of trust works (and proper support by software like Outlook etc.), but compared to the alternatives - e.g. my bank balance suddenly ending up in China or my daughter being abducted by nutter, I think that's a very small price to pay.

Jonathan

fraudulently.

UK banks also seem to allow access to transfer money using only a user name and password. This is unbelievable. People are using this in public internet cafes often small businesses. Have they never heard of keyloggers. I.e. record every key pressed. Extremely low tech way to get something as simple as a user ID and password.

I don't use them (UK banks - anyway they are more expensive) but instead use current accounts I have in Holland. One bank gives me a tiny machine which uses my card (must be present) and PIN code (I type the code to the machine). When I log in the server supplies a code which I put in the machine, the machine gives a code which I type into IE and the transaction is authenticated.

Another dutch bank uses something similar but much more basic. They supply me with a list of numbers. After logging in with user-password, I can get info but if I want to transfer I need one of the numbers from the sheet.

Both these are much more secure than the UK offerrings because they require multiple things all together before you can transfer. Obviously if I lose any of these physical things, it's unlikely whoever finds them will know the password and also I will hopefully notice - report the loss. And all this stuff is not exactly rocket-science. David.

Software author. (please edit my email addr. to prove you're not a dumb 'bot) Web Log Analyzer by Search Term

Kybie GetEmAll - Make IE an offline browser

I bumped into this just now - pretty typical:

Not a single mention of digital certificates, authentication systems or anything similar at all. Plenty of fear, confusion and doubt though.

Why?? It's not as if digital signatures and public key encryption are new technologies - they're decades old fer gawd's sake!

Jonathan

"david" wrote in message news: snipped-for-privacy@news.teranews.com...

Arent some of the credit card companies coming out with a similar gizmo? Sure I read about that just this past week. main trouble is critical mass of users, and getting merchants to use it.

Fortis Bank in Belgium do the same, given that you can transfer money to any account with this that is all well and good.

All this talk of UK banks surprises me though, I admit to only using the Bank of Scotland but I have to set up a mandate (print it out, sign it and post it back) before I can pay money out to any other account.

With Natwest and the like can you just transfer money out to anyone you want ? Seems crazy to me.

Andy

Is that a one-time deal for each new person you'd pay?

With both systems you can just transfer money out to anyone you want. It's only the type of authentication that differs. It would be a lot easier to copy my signature than to access my account online.

Efforts to make online accounts harder for unauthorised access obviously have a down side of inconvenience, and in a crowded online banking marketplace, having a flexible, easy-to-use system is a good selling point.

For my part, I am perfectly happy that NatWest allows me to transfer money to anyone I want immediately. That's what I was looking for when I chose their system in fact. I am also confident that I can keep my passwords safe. I used to use a system of numbers with a bank as well, but they were time-limited, and applying for a new set was a big hassle.

My point was a wider one though: why is it that the issue of proving online identity isn't discussed more? More importantly, why aren't digital certificates and public key infrastructures used more widely given the concern about identity theft, passing off and other issues of fakery on the net?

Jonathan

"david" wrote in message news: snipped-for-privacy@news.teranews.com...

> Kybie GetEmAll - Make IE an offline browser >

I can transfer to anyone immediately too, from RBS. Authentication involves logging in with an easy-to-remember 8-digit user id, together with a random-order selection of 3 digits from a 4-digit PIN. That lets you view the account, but to make extrernal transfers you need a 2nd step authorisation by giving 3 characters from a separate password.

They are in the process of merging the passwords and so there will be no need for 2nd level authorisation.

Good question. It seems PIN technology has been deemed good enough.

I suspect the government(s) are unkeen on strong encryption technology being widely used in civilian life. They doon't want snooping on us to become too difficult. We're all potential terrorists, drug dealers, and child molestors, after all.

Yes, not very convenient but combined with the passwords pretty secure.

Andy

You are safer when you always use the system from home or on your own PC. Still not safe though.

If someone

1. hacks into your ISP (difficult and illegal)
2. and diverts requests for URL for natwests login page to their server (very easy)
3. copies natwest login page but modifies copy so it saves your user-password (easy)
4. after you hit login it sends you to usual natwest login URL (easy)

Then that someone

- will have your user-password

- probably will have prevented you noticing

- will have committed a serious offence but since when did that stop crims stealing money

- can steal all the money in your account and as much as you're allowed to go overdrawn

- will cause you major hassle even if the bank covers the cost (which mostly they don't have to according to their TOS)

- will cost you if the bank doesn't want to cover the cost. If someone doing this ripped off a few hundred thousand accounts overnight having spent months collecting user-passwords, would the bank cover the potentially huge loss purely for goodwill or dump it's online banking and require customers to take the hit? Your guess is as good as mine.

It's a disaster waiting to happen and I hope some banks are reading this and taking note (AND ACTION). They can do much stronger things to protect their customers. The methods I described don't involve major hassle for me. I can and do transfer immediately. I just have to have my little pin machine with me and type a few numbers. I would be prepared to do this from an email cafe if I had to. It's still safer from my own notebook. David.

Software author. (please edit my email addr. to prove you're not a dumb 'bot) Web Log Analyzer by Search Term

Kybie GetEmAll - Make IE an offline browser

That's not as secure as it might sound. It is probably pretty easy to reverse-engineer the machine, especially as you have physical access to it. Once that is done, it would appear that this system offers no security whatsoever.

In message , david writes

Perhaps thats why all three of my online banks ask different questions each time you log on, asking for, say, the third and fifth digit of the password and the first and second of the PIN one time and different digits for each of them the next. One has just introduced a second level password (using digit selection) for certain transactions. So a 'key logger' would get nowhere.

Ahhh! That'll be why you dont know how they work then!

The Dutch guy doesnt now how they work in UK, its better than he makes out.

In message , david writes

As already said, this is the reason they dont ask for your full password.

In message , Jonathan Bryce writes

If we could find a German U Boat and nick their decoding machine and book we'd have cracked it !!!!!!!!!!!!!!!!!!!!!!

I'm not saying you've missed the point, because the "strength of the lock" is related to this discussion - but only maginally.

My original point, which most respondents on this thread don't seem to be addressing at all, is that it's not about how difficult it is to access the account online, it's about how users know they are accessing the right site in the first place!

Does your pin machine validate the site's certificate for instance, so that even if you weren't logged in to the account, you would be protected from a confidence trick asking you to send in your pin machine and card to an address for "re-registration" or something?

That's what I'm getting at, not boring old discussions about the strength of locks on doors.

Jonathan

"david" wrote in message news: snipped-for-privacy@news.teranews.com...

> Kybie GetEmAll - Make IE an offline browser >

But encryption isn't the same as authentication. You can sign a document (or other thing) digitally, you don't have to encrypt it.

Given the current gung-ho about ID cards, I would have thought the goverment would be talking up personal certificates like crazy. They accept them on the "government gateway" site as part of their single sign-in system, but they don't do much more than that.

Jonathan