From: stevenw@best.com (Steven Weller)
Date: Thu, 25 Jan 1996 00:23:10 +0800
To: cypherpunks@toad.com
Subject: German home banking (fromn RISKS)
Message-ID: <v01530500ad2bfe6d4743@[206.86.1.35]>
MIME-Version: 1.0
Content-Type: text/plain


----------------------------------------------------------------------

Date: Tue, 23 Jan 1996 17:32:56 +0100
From: Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.d400.de>
Subject: Homebanking NonSecurity demo

A German private TV channel (SAT 1) displayed, Monday Jan.22 night (10 pm),
a demonstration of how easily homebanking may be attacked in Germany. In
this demo, a person used T-Online (a navigation tool similar to CompuServe)
to send his ID, PIN, the amount to be transferred (500 DM) and the account
to which to transfer, plus a transaction number (TAN) via telephone line.
All these data were intercepted on a portable connected to the user's phone
line in the basement of the building (indeed, most telephone boxes are
rarely locked). Actions of the customer and the "hacker" were shown in
parallel, so one could see all data (including PIN which was not displayed
on the Customers' screen) on the hackers' display. Before the customer could
start the booking process on the bank computer by sending the requestor, the
hacker interrupted the telephone connection. As he now possessed all
relevant "secret" information of the user, he now started an order to
transmit 5,000 DM from his victim's account to another one, successfully (as
the customers' vouchers proved. After the demo (about 10 minutes), a short
interview (with the author of this report) discussed evident risks; it was
made clear that software solutions are available since some time, to replace
the old PIN/TAN structure with digital signatures and to encrypt sensitive
data using asymmetric encryption.

Risks? Presently, there are several risks in telephone-based homebanking.
First, ALL sensitive information is transmitted in cleartext. Secondly,
interception of line-based communications of German Telekom is easily
possible at several sites, from the basement of a customers' house where
lines from different customers are collected in a unit, to units
collecting lines from several blocks, streets etc. Thirdly, in contracts
between banks and customers, the latter will often have difficulties to
prove that an order carrying their personal ID, TAN etc was NOT issued
from them, esp. when there is evidence that the order came from the
customers' telephone line (though not from his telephone :-). Customer
protection (both technically and legally) therefore requires immediate
action, as Chaos Computer Club commented in press.

Interestingly, German banks offer enterprises a secure solution based on
RSA-licensed encryption software. So far, this is NOT offered to private
customers as it canNOT interoperate with T-Online. Financial institutions
are discussing presently a solution (either with a chipcard including sort
of DES or a solution using an RSA-implementation with 784 bit key, which may
be distributed via diskettes) but it is unclear when this solution will be
available. As long as such solution is not available, "every day may become
payment day even for the most lousy hackers" as one German newspaper (TAZ)
wrote.

Klaus Brunnstein (Jan.23,1996)

------------------------------

-------------------------------------------------------------------------
Steven Weller                      |  "The Internet, of course, is more
                                   |  than just a place to find pictures
                                   |  of people having sex with dogs."
stevenw@best.com                   |       -- Time Magazine, 3 July 1995