Interesting People mailing list archives
IP: German home banking (from RISKS)
From: Dave Farber <farber () central cis upenn edu>
Date: Wed, 24 Jan 1996 08:53:01 -0500
Date: Tue, 23 Jan 1996 17:32:56 +0100
From: Klaus Brunnstein <brunnstein () rz informatik uni-hamburg d400 de>
Subject: Homebanking NonSecurity demo

A German private TV channel (SAT 1) displayed, Monday Jan. 22 night (10 pm), a demonstration of how easily homebanking may be attacked in Germany. In this demo, a person used T-Online (a navigation tool similar to CompuServe) to send his ID, PIN, the amount to be transferred (500 DM) and the account to which to transfer, plus a transaction number (TAN), via telephone line. All these data were intercepted on a portable connected to the user's phone line in the basement of the building (indeed, most telephone boxes are rarely locked). Actions of the customer and the "hacker" were shown in parallel, so one could see all data (including the PIN, which was not displayed on the customer's screen) on the hacker's display. Before the customer could start the booking process on the bank computer by sending the requestor, the hacker interrupted the telephone connection. As he now possessed all relevant "secret" information of the user, he started an order to transmit 5,000 DM from his victim's account to another one, successfully (as the customer's vouchers proved).

After the demo (about 10 minutes), a short interview (with the author of this report) discussed evident risks; it was made clear that software solutions have been available for some time to replace the old PIN/TAN structure with digital signatures and to encrypt sensitive data using asymmetric encryption.

Risks? Presently, there are several risks in telephone-based homebanking. First, ALL sensitive information is transmitted in cleartext. Secondly, interception of line-based communications of German Telekom is easily possible at several sites, from the basement of a customer's house, where lines from different customers are collected in a unit, to units collecting lines from several blocks, streets etc.

Thirdly, in contracts between banks and customers, the latter will often have difficulty proving that an order carrying their personal ID, TAN etc. was NOT issued by them, esp. when there is evidence that the order came from the customer's telephone line (though not from his telephone :-). Customer protection (both technically and legally) therefore requires immediate action, as the Chaos Computer Club commented in the press.

Interestingly, German banks offer enterprises a secure solution based on RSA-licensed encryption software. So far, this is NOT offered to private customers as it canNOT interoperate with T-Online. Financial institutions are presently discussing a solution (either a chipcard including some sort of DES, or an RSA implementation with a 784-bit key, which may be distributed via diskettes), but it is unclear when this solution will be available. As long as such a solution is not available, "every day may become payment day even for the most lousy hackers", as one German newspaper (TAZ) wrote.

Klaus Brunnstein (Jan. 23, 1996)
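The two order schemes the post contrasts, as an added example that is not from the original post or from RISKS: a bank that checks only a cleartext PIN and a single-use TAN, beside one that verifies a signature over every order field plus a sequence number. The PIN, TANs, account names and the RSA primes are constructed toy values; the key size is far too small for real use.

```python
import hashlib

# Scheme 1: cleartext PIN plus single-use TAN, as in the 1996 T-Online demo.
class PinTanBank:
    def __init__(self, pin, tans):
        self.pin, self.tans = pin, set(tans)      # TANs not yet used
    def execute(self, order):
        # Only the PIN and TAN are checked; nothing binds the TAN to amount or payee.
        if order["pin"] != self.pin or order["tan"] not in self.tans:
            return False
        self.tans.discard(order["tan"])
        return True

# Scheme 2: every order field is signed with the customer's private key.
# Textbook RSA over constructed small primes (illustration only, not secure).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))                 # private exponent

def order_digest(order):
    msg = f"{order['account']}|{order['amount']}|{order['to']}|{order['seq']}"
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % N

def sign(order, d=D):
    return pow(order_digest(order), d, N)

class SignedBank:
    def __init__(self, e):
        self.e, self.seen = e, set()              # executed sequence numbers
    def execute(self, order, sig):
        # Reject if the signature does not cover exactly these fields, or if the
        # sequence number was already executed (replay of a captured order).
        if pow(sig, self.e, N) != order_digest(order) or order["seq"] in self.seen:
            return False
        self.seen.add(order["seq"])
        return True

def demo():
    pt_bank = PinTanBank(pin="1234", tans=["77301", "77302"])
    captured = {"pin": "1234", "tan": "77301", "amount": 500, "to": "shop"}
    forged = dict(captured, amount=5000, to="other")   # captured 500 DM order, altered
    r1 = pt_bank.execute(forged)                  # accepted: PIN and TAN still valid
    sg_bank = SignedBank(E)
    order = {"account": "cust", "amount": 500, "to": "shop", "seq": 1}
    sig = sign(order)
    r2 = sg_bank.execute(dict(order, amount=5000, to="other"), sig)  # rejected
    r3 = sg_bank.execute(order, sig)              # genuine order accepted
    r4 = sg_bank.execute(order, sig)              # replay rejected
    return r1, r2, r3, r4
```

`demo()` returns `(True, False, True, False)`: the altered order passes the PIN/TAN bank but fails the signature check, and the genuine order cannot be replayed.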