lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <49400BC4.7080509@soif.de>
Date: Wed, 10 Dec 2008 19:34:44 +0100
From: Martin Salfer <mars@...f.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 21 Million German bank accounts stolen - but
 accounts are still more secure than many other ones

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello,

English readers might wonder why Germans usually don't use cheques:
because they're too expensive and insecure.

Everybody prefers electronic money transfers ("Überweisung") as those
are for free and well protected. And direct debits or PADs
("Lastschrift") even can be rolled back up to 6 weeks after withdrawal.

So usually, people simply exchange account numbers and directly transfer
money.

Even if someone successfully sniffs German account credentials, e.g. ID
+ passwords, someone would still be unable to steal any money as every
single transfer must be confirmed with an one time password!

Those are mostly handed out to the account holder in person. This of
course varies from bank to bank. But I don't know any German bank that
doesn't demand at least one time password confirmation. Major banks
already offer RSA smart cards, which can be used with the nation wide
online banking standard HBCI or FinTS:

http://en.wikipedia.org/wiki/FinTS

I'm still shocked about the poor security of North American banks, where
one successful phishing email is enough to control and empty entire bank
accounts.

Greetings from good old Germany,
	Martin Salfer


Jost Krieger wrote:
>> http://it.slashdot.org/it/08/12/09/0125201.shtml
-----BEGIN PGP SIGNATURE-----

iD8DBQFJQAvEy4+E3T5McJsRAwlgAKCZ13lqR2mSW5Mb9naEhlRi4dm6FQCgpp7r
3z+O7fR7Wz4mBpI/AUHHvVI=
=Gpxg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ