From: IN%"watt@sware.com" "Charles Watt" 16-APR-1996 13:06:06.52

First, the U.S. banking system is very nice to account holders. The banks, rather than the customers, assume all risk associated with security problems in telephone banking, ATMs, etc... Internet banking is no different, which explains why so few banks have jumped onto the net with real transactions. If an SFNB customer should lose any funds due to a security problem, SFNB pays, not the customer.

That would depend on whether the customer can prove a security problem, because otherwise you're going to get a lot of con artists making a lot of money off of you.

Second, in order to break the SSL-protected password of an SFNB account holder, you need access to the encrypted data. This is not easy to obtain over the Internet, and would generally require illegal activity in order to gain control of a host within the Internet infrastructure or collusion with the account holder. Should an attacker crack the key and obtain the account number and password of an SFNB account holder, they are clearly warned upon login that they are engaging in illegal activity. Once they

One, ever heard of a packet sniffer? If the account holder is on an Intranet, then someone within it could easily get such information. Two, somehow I suspect that the penalties for computer breakins are significantly less than those for bank fraud/grand theft; they aren't going to matter if you're willing to take the risk.

have logged in, there is no way to transfer money out of the account without leaving a target address and phone number for the recipient. Furthermore, any payment to an individual or unknown entity would be made in the form of a physical check that would have to be cashed at a physical bank. The whole process is heavily audited with real-time audit filtering and pattern matching capabilities -- SFNB is, afterall, running on a military grade secure operating system (see SWP at www.secureware.com). Any security system that is deployed should be compared against the value you are trying to protect. It seems like a pretty big risk to an attacker -- and I assure you SFNB will prosecute.

Target address and phone number? Make fake ID, get yourself a PO box and a telephone forwarding/answering service (giving the PO box as the address), then target it there. Use the fake ID at a check-cashing place. You can make the fake ID in whatever name you want, which makes it easier.

Finally, I whole-heartedly agree that 40-bit encryption is far too weak for many applications, and that the current export limitations are absurd.

I'm glad you realize that. I've edited out what look to be improvements, which I hope for your stockholders' sake you've implemented. -Allen