Corporate public key?

Neil Williams
Tue Jul 8 23:43:02 2003

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Tuesday 08 Jul 2003 9:35 pm, Johan Wevers wrote:
> I don't know how internet banking is done where you live. I have seen
> banking systems for 3 banks here.

The UK online banks are nothing like as thorough. I use Halifax and Egg.=20
Halifax relies on a rotation of questions - so you enter the username,=20
password and the answer to one of so many questions as setup when the onlin=
access was started. You can change those at any time but unless you get the=
login wrong and your account becomes suspended, you are not forced to chang=
them at all.
Egg adds three select boxes to enter your date of birth and similar rotatio=
questions from a fixed list.

If you fail the initial login on either site, there is a reserve question t=
you design and set the answer.

It seems that both sites are primarily designed to hinder automated attacks=
using rotational questions. I don't see the date of birth at Egg as much us=
=2D OK, it's an extra fact that someone has to know but the extra hassle of=
selecting the day from a list of 1-31 and then the month 1-12 and then the=
year (goes back all the way to 1930-something I think) is quite tedious and=
doesn't prevent spoofed HTML form attacks.

Hence the interest in ING / GnuPG. It would be far better than the existing=
systems. My first username with one bank was too similar to someone else an=
for a while, each time I went to login, MY account had been suspended becau=
the other user had got their details wrong! I had to change my username to=
make it more distinct. Some sites don't allow changes of username, only the=
password and questions.

The Inland Revenue must be the worst. They assign the username and password=
and then entirely rely on those two strings. You can apply for them to be=20
changed but you don't get any say in what you end up using.


Neil Williams

Content-Type: application/pgp-signature
Content-Description: signature

Version: GnuPG v1.2.1 (GNU/Linux)