Credit Card Contracts & banking liability
David Hansen
davidh at spidacom.co.uk
Tue, 17 Aug 1999 15:40:27 +0100
On 17 Aug 99, at 2:07, S S wrote:
> When pressed as to how they had obtained the 128 bit SSL version for their
> customers,
As has been said, if the punter is using a recent browser they could
use Server Gated Crypto.
> Or are the banks really deluding themselves- surely it's a matter for the
> Bank of England to take away their banking licence if they are being so
> naive with their customer's money?
Banks give the impression of working using the wrong sort of security
model, one that leads to "security" through obscurity. The model they
use may or may not work with their own staff in their own buildings,
but it fails badly with an open system. This has been a growing
problem since the introduction of telecommunications 100 years ago;
it is now becoming a major problem.
I did once ask the technical queries help line of a Building Society
how communications with the customer were protected over the open
link of their new Internet based banking system. I explained that I
might use it if they could convince me it was safe. To start off with I
got no answer to my technical query. Eventually I was called back by
an "expert" who told me that they couldn't say because that would
compromise the security of the transactions. Either it was an
exceptionally unexpert "expert", or the Society believes this nonsense.
I did feel like beating my head against a wall.
David Hansen | davidh@spidacom.co.uk | PGP email preferred
Edinburgh | CI$ number 100024,3247 | key number F566DA0E