FOOL SCHOOL
Online Banking & Security

October 31, 2003

A lot of people worry about online banking security. You hear all sorts of pretty mystifying stuff about 128-bit encryption, Triple-DES, and SSL. Not to mention the occasional report in the papers about how someone accidentally accessed another person's account.

Well, the latter point is easily dealt with. It's extremely rare that this happens and it's the bank's fault -- and that makes them liable if any of your money is stolen. Which means they're going to make damn sure their software doesn't go wrong again! Your only task is to take some sensible precautions such as making sure no-one knows your password. More on this later but let's deal with the technical stuff first by having a look at what happens in a "Secure Session" with your bank.

A Typical Secure Session

There are various ways of setting up a secure connection between you and your bank, but they are different ways of achieving the same thing. One of them is SSL, or "Secure Sockets Layer". Here is roughly what actually happens under SSL.

1. Your computer requests a secure connection.

2. The bank's computer (the server) responds with a "certificate" from some independent authority (such as Verisign) which confirms that the page you are looking at really belongs to your bank. Your software reads the certificate, and tells you if anything is wrong. There's usually also a way for you to view the details yourself.

3. The bank also sends you its public key, which is a very large, apparently random number. This number acts like a box with an open padlock.

4. Your browser now thinks up another large number, called the session key. It scrambles this number using the bank's public key. This is done in such a way that it can only be unscrambled using a different number, the private key, which the bank has kept to itself (more on this below). In effect, your browser puts the session key inside the box, shuts the lock, and sends the box back to the bank.

5. The bank's server opens the box. Both sides now have the "session key", and they can be sure that no-one else does.

6. The two computers now encode and decode their messages by feeding them, along with the session key, through a scrambling system such as Triple DES (Data Encryption Standard). These scrambling systems get improved on at intervals.

7. When you say goodbye, the session key is destroyed.

So What?

This process is ridiculously secure. The part with public and private keys works because certain mathematical operations are easy to do one way, but practically impossible to do in reverse. The public key is created from the private key, but you can't go back the other way. Even if you overhear everything that's transmitted, it's useless without the private key, which is never transmitted at all. The part where both sides are using the same key depends for its security on the length of the key (say, "128 bits"), the system used (such as Triple DES), and the fact that the key is secret and is only used once. Again, to a listener, nothing makes sense.

These systems are not infinitely secure. Research mathematicians keep looking for ways to crack them, and by doing so they find out exactly how secure they are. But, when mathematicians say a thing is "very difficult", or "practically impossible", they really, really mean it.

Enough of Your Computer -- Now You

Encryption does nothing except prevent eavesdropping. It builds a virtually indestructible steel pipe between two computers. None of it proves that the person clicking your mouse is you.

When you open an online account, the bank asks you for various bits of information, things that you can be expected to know, but which can't easily be guessed. Typically, they include place of birth, mother's maiden name, and so forth. So, after setting up your secure connection, the bank's computer asks you a few questions from its list. It checks that the answers are the same as you gave before, and if they are, it assumes that you're you.

You are expected to remember all the answers and keep them to yourself. You can make the system more secure by making up funny answers to all the factual questions rather than using the real ones, and you can also make it totally useless by writing all the answers down in your diary on a page marked "Banking." So, at the end of the day, your security is basically under your control.

If you take the trouble to read the agreement when you open an account, you may see that, if the codes are cracked, the bank pays. If you write down your passwords in a letter to your lover and he steals your money, that's your fault, and you pay. The reason they write the contract that way is that the cracking almost certainly won't happen, but the telling very often does.

The most important thing to look for when you are accessing your account is the little padlock in the bottom right-hand corner of your screen. This tells you that the encryption mechanism is in operation. The second most important thing is to log out of your account when you have finished. And never, ever walk away from your computer whilst your account is 'open'.

Recently, we've seen a rash of e-mail scams as well. How to avoid these are discussed in this article.

A Cautionary Tale

A man has an argument with his wife. On a cold, sad, winter's night, she decides to take revenge. She sits down at his computer and summons up his savings account. She enters his account number and sort code, which are in his desk diary. She knows where he was born (at the hospital up the road). She guesses that his "memorable date" is the date of their marriage, and that the four-digit PIN is the one he's told her, and which he uses for everything else as well. She knows what his first school and his last school were (both the same as hers). She knows his mother's maiden name perfectly well. She knows him well enough to guess that his password is "DamonHill." She transfers all his savings into her own account with the same bank. She leaves a sticky note on the screen, saying 'Ha, ha, ha". Five minutes later she departs for Bali.

Forging a signature would have been easier to detect, would probably have taken longer, and almost certainly would have required more luck, planning, and nerve.

Conclusions

You should probably make sure that your browser is up-to date and supports 128-bit encryption, and you should probably download anything the bank suggests you should. But the conclusion is that encryption is not something to worry about in online banking. What you should worry about is this: banking security systems are there to protect the bank. The major difference between ordinary banking and internet banking is that the Internet puts responsibility, as well as power, squarely with you.

Compare online accounts in our banking centre.