I'm preparing an article looking at the different options for those
looking to run a business with RISC OS, and am thus again opening the
floor to those with experience in such matters.
Which software applications do you use on a daily basis, and why?
Why RISC OS above Windows or Mac OS?
Any difficulties experienced, and how you got over them?
That sort of thing.
I'm going to provide an overview of the applications available, both
freeware and commercial, and hopefully sort out some deals so anybody
who needs that sort of thing can get them a little cheaper (for a
limited period, of course).
If you've got screenshots/illustrations, more the better - don't leave
any personal business data on the screen though... sharing your bank
details with hundreds of other users is never a good idea.
David
> I'm preparing an article looking at the different options
> for those looking to run a business with RISC OS, and am
> thus again opening the floor to those with experience in such matters.
> Which software applications do you use on a daily basis,
> and why? Why RISC OS above Windows or Mac OS? Any
> difficulties experienced, and how you got over them?
I shall reply privately on this.
> sharing your bank details with hundreds of other users is
> never a good idea.
So we are always told, but I really do not understand why.
In Germany no one would dream of dealing with a firm that
did not make its bank details public. They are /always/
stated on printed notepaper - including the badly worded
direct mailshot I got this morning.
Equally, magazine publishers always publish their bank
account details - it makes subscriptions so much easier if
people know how to pay you!
This is so that people can pay by paying into your account.
I write about 2 German cheques a year. There is no way that
I can go to my German bank and ask them to extract money
from someone else's bank account. Why should it be any
different here?
--
Russell
http://www.russell-hafter-holidays.co.uk
Russell Hafter Holidays E-mail to enquiries at our domain
Holiday specialists for Germany, Czech Republic, Belgium, bits of France...
Tel 01946 861652 Fax 01946 862085
I suspect he was referring to confidential information and/or
credit/debit card numbers etc rather than just plain bank account number
and sort code.
> I write about 2 German cheques a year. There is no way that
> I can go to my German bank and ask them to extract money
> from someone else's bank account. Why should it be any
> different here?
It's not.
Adam
--
Adam Richardson
Email me at: monkeyadam~but.not.this.monkey~@ntlworld.com
Carpe Diem
> I'm preparing an article looking at the different options for those
> looking to run a business with RISC OS, and am thus again opening the
> floor to those with experience in such matters.
Depends what you mean by a "business". The software to run a business is
no different to what an individual might make use of: word processor,
spreadsheet, e-mail, browser....
The one thing a business is likely to need which an individual will not,
is a competent, VAT capable, accounts package. Once a business is above a
certain size, it then needs a competent, VAT capable, person to operate
the accounts package.
Prophet is fully capable of running quite a large business, but a lot of
accountants don't like it because you can change things. To my mind that
is one of its assets, but stuck-in-the-muds say you *have* to use Sage.
Anyway, my company has a full-time staff of six plus five freelancers, all
plugging away on RISC OS machines. A vast amount of what we do here
continues to depend on RISC OS, and plans to change are a long way in the
future.
HTH,
--
Kell Gatherer
ke...@locsource.com is now a SPAMTRAP
e-mail: kell at location hyphen works dot com
www.locationworks.com
If I had to give up all my RISC OS programs bar one the one which
would remain would be Prophet - the ability to change things is a
great asset if you are a bad 2 fingered typist.
If I was allowed 2 programs the other would have to be Pluto.
--
A T (Sandy) Morton
on the Bicycle Island
In the Global Village
http://www.millport.net
Will reply by mail - we *only* use ROS!
Richard
--
www.beamends-lrspares.co.uk sa...@beamends-lrspares.co.uk
Running a business in a Microsoft free environment - it can be done
Powered by Risc-OS - you won't get a virus from us!!
Helping keep Land Rovers on and off the road to annoy the Lib Dems
> > So we are always told, but I really do not understand
> > why.
> I suspect he was referring to confidential information
> and/or credit/debit card numbers etc rather than just
> plain bank account number and sort code.
Maybe, but financial journalists tell us not to divulge
these. And, supposedly, one of the aims of the Nigeria-type
scam letters is to get people to divulge bank account number
and sort code.
--
> Will reply by mail - we *only* use ROS!
So do we... Why? - because it all works so brilliantly. We've never
needed anything else.
(I've already replied privately with the details.)
Chris.
I know many people who will not put the basics of Bank Account name,
Sort code and account number on the web!
Whilst providing such information is a start for someone phishing to enable
fraud/identity theft, the same information appears on any cheque or bank
transfer.
Being wary does have its downside, I have a friend who was caught up in the
Tsunami disaster and helped out at the Phuket Christian Centre who were
appealing for donations, but as they didn't want to put the details on the
web site you had to email them for them, she spent a lot of time dealing
with such emails. Admittedly in other countries the basic information Ac.
Name, No. & Sort Code may get you further in a fraud attempt.
Chris Evans
--
CJE Micro's / 4D 'RISC OS Specialists'
Telephone: 01903 523222 Fax: 01903 523679
ch...@cjemicros.co.uk http://www.cjemicros.co.uk/
78 Brighton Road, Worthing, West Sussex, BN11 2EN
The most beautiful thing anyone can wear, is a smile!
> In Germany no one would dream of dealing with a firm that
> did not make its bank details public. [...]
>
> This is so that people can pay by paying into your account.
> I write about 2 German cheques a year.
I cannot even remember when I wrote my last German cheque - must have been
years ago... After they cancelled eurocheques (which were guaranteed)
cheques became almost extinct here.
> There is no way that I can go to my German bank and ask them to extract
> money from someone else's bank account.
Actually, you can. :-) Just ask for a "Lastschrift" from the account.
However, you can only extract money to your account, so it is known who
took it and it might look a bit suspicious if you are not a business. If
there is a dispute (which would be quite likely in this case) you have to
prove that you were authorised to take it - e.g., by producing an
authorising statement signed by the account holder (the infamous
"Einzugsermächtigung"). This is how most people pay their phone bills.
Otherwise, you would have to transfer a different amount each month.
So, if you spread your bank details to the world you need at least keep an
eye on your account statements - which companies do of course, so it is no
problem for them to make the details public.
Martin
--
---------------------------------------------------------------------
Martin Wuerthner MW Software spam...@mw-software.com
replace "spamtrap" by "info" to reply
---------------------------------------------------------------------
Wow! So keeping your bank numbers secret is a lot more important in
Germany than the UK! [1] That's a bit of a turn around from Russell's
initial observation.
> "Einzugsermächtigung"). This is how most people pay their phone bills.
> Otherwise, you would have to transfer a different amount each month.
It sounds like this is the equivalent of a UK "direct debit" - except
that the DD requires a signed authorisation before anyone can make use
of it.
Adam
[1] For instance, if you don't keep track of your bank statements, a
Lastschrift payment might go unnoticed I suppose.
Really, what reasons do they give?
On their own your account number and sort code will not allow any fraudulent
access, however they do identify your bank and branch, and if several other
pieces of information are known about you, identity fraud is possible.
---druck
--
The ARM Club Free Software - http://www.armclub.org.uk/free/
The 32bit Conversions Page - http://www.quantumsoft.co.uk/druck/
> > In Germany no one would dream of dealing with a firm
> > that did not make its bank details public. [...]
> > This is so that people can pay by paying into your
> > account. I write about 2 German cheques a year.
> I cannot even remember when I wrote my last German cheque
> - must have been years ago... After they cancelled
> eurocheques (which were guaranteed) cheques became almost
> extinct here.
There is a taxi firm in Bavaria that insists on payment by
V-Scheck. No idea why. He takes months to cash them, whereas
if he gave me his bank details he would have the money in a
day or so.
> > There is no way that I can go to my German bank and ask
> > them to extract money from someone else's bank account.
> Actually, you can. :-) Just ask for a "Lastschrift" from
> the account. However, you can only extract money to your
> account, so it is known who took it and it might look a
> bit suspicious if you are not a business.
Yes - I thought about this after I had just clicked on the
send button.
:-)
> If there is a dispute (which would be quite likely in
> this case) you have to prove that you were authorised to
> take it - e.g., by producing an authorising statement
> signed by the account holder (the infamous
> "Einzugsermächtigung"). This is how most people pay their
> phone bills. Otherwise, you would have to transfer a
> different amount each month.
The form I have is headed "Ermächtigung zum Einzug von
Forderungen durch Lastschriften", which must reinforce many
English speakers in all their prejudices about the German
language.
> So, if you spread your bank details to the world you need
> at least keep an eye on your account statements - which
> companies do of course, so it is no problem for them to
> make the details public.
Yes - it never used to occur to me that people would not do
this; now I know better - lots of people never seem to
check!
> Maybe, but financial journalists tell us not to divulge
> these. And, supposedly, one of the aims of the Nigeria-type
> scam letters is to get people to divulge bank account number
> and sort code.
But if you ever send a cheque to somebody you will be divulging these
codes.
--
__ __ __ __ __ ___ _____________________________________________
|__||__)/ __/ \|\ ||_ | / Acorn StrongArm Risc_PC
| || \\__/\__/| \||__ | /...Internet access for all Acorn RISC machines
___________________________/ dhw...@argonet.co.uk
Techwriter to read Word documents and also generate letters etc for
sending to PC-bound types.
A Postscript printer - colour & Duplex preferably. !Printers can handle
these well. (If you have any doubts e-mail me).
An accounts package (no personal experience), but for a small throughput I
use a spreadsheet (Tablemate, Fireworks)
Riscript for converting various external formats to Drawfiles and for
generating pdf versions of documents for distribution. (And a program to
clean up the drawfiles - see Harriet Bazley's or my website).
For the Web I use a Broadband router and a local network to link RiscPC
printer etc. I still use Voyager/Fresco/Posty for almost all my web access
and e-mail. A tiny minority of occasions forces me to go to a PC. (NB I have
a Spacecube PC on the local network - and share the screen, keyboard and
mouse with the RiscPC using R-Comp's software - no hardware switch).
I have dual 80Mbt IDE hard disks and synchronise them on every shutdown
using !Shutdown and David Pilling's !SyncDisks. This handles all my
day-to-day backups.
I also use !CDBurn to generate less frequent large backups and to
distribute data.
I have now run a (registered) beta PC version of Ovation Pro on the
Spacecube. I sometimes transfer RISCOS DTP files with extensive graphics to
this to speed printing. However almost every other operation is quicker on
a RISCPC than on the spacecube - compare the time it takes to open a Word
Document on a PC and a Word or Ovation Document on a RISCPC.
John (mija...@argonet.co.uk)
--
__ __ __ __ __ ___ _____________________________________________
|__||__)/ __/ \|\ ||_ | /
| || \\__/\__/| \||__ | /...Internet access for all Acorn RISC machines
___________________________/ mija...@argonet.co.uk
[snip]
> Riscript for converting various external formats to Drawfiles and for
> generating pdf versions of documents for distribution. (And a program to
> clean up the drawfiles - see Harriet Bazley's or my website).
>
I suspect you mean Rosemary Miskin's - one female is much like
another. ;-)
--
Harriet Bazley == Loyaulte me lie ==
It is far better to be deceived than to be undeceived by those we love.
Not to MY very non-PC eyes :)))
--
|) [
|)ryn [vans mail to - br...@bryork.com
http://www.bryork.com
> In a mad moment - Harriet Bazley <baz...@feathermail.co.uk> mumbled :
> > I suspect you mean Rosemary Miskin's - one female is much like
> > another. ;-)
> >
>
> Not to MY very non-PC eyes :)))
>
Do you mean 8-( : vs ;-) 8 ?
PC is not politically correct
--
Dave
John
:))
There should be a new version of TidyDraw soon, which copes (even) better
with the output from Riscript.
Rosemary
--
Rosemary Miskin ZFC LVIII mis...@argonet.co.uk
Loughborough, UK http://www.argonet.co.uk/users/miskin
Hi David,
I would recommend a small business to look at using Prophet for
accounting. It's approved by the tax office and VAT people as keeping
adequate book-keeping records, and is way easier to use than Sage, etc. I
ran my own business for several years, and found it far more flexible and
capable than I had expected.
Ian Gooding.
> > Maybe, but financial journalists tell us not to divulge
> > these. And, supposedly, one of the aims of the
> > Nigeria-type scam letters is to get people to divulge
> > bank account number and sort code.
> But if you ever send a cheque to somebody you will be
> divulging these codes.
True, which is why I have always wondered about the sense of
the articles I recall having read.
> > Maybe, but financial journalists tell us not to divulge
> > these.
> Really, what reasons do they give?
Identity theft, and I have seen suggestions that fraudsters
would be able to raid your accounts with just that
information.
Which is rubbish. All it gives fraudsters is a starting point, far more
information is needed in order to make a withdrawal from the account,
via either electronic or physical means.
Yes, I accept that this is a valid concern - if a little more nebulous than:
> ... fraudsters would be able to raid your accounts with just that information.
which just sounds like FUD to me!
> Which is rubbish. All it gives fraudsters is a starting
> point, far more information is needed in order to make a
> withdrawal from the account, via either electronic or
> physical means.
My opinion too.
That has not stopped said financial journalists from telling
their readers not to divulge bank account numbers and sort
codes.
It's more a case of they want to be seen to be telling people something, while
the banks sit on their arses blaming the customer and raising charges to
cover vastly inflated fraud losses.
All phishing and most social engineering attacks can be defeated very easily
by two way authentication.
1) You enter some details such as user name and password
2) The bank site displays a pass phrase which you have previously registered
3) You enter a PIN code
Step 2 ensures that if you are not at the website you think you are, the pass
phrase won't be correct, and you won't (unless you are criminally stupid) enter
the final PIN which is required to access the account.
Many sites already have the technology in place, allowing you to give
a pass phrase in case you forget your password. But of course the banks know
all this, but it's far more profitable to change the Ts&Cs to make the user
liable for all internet related fraud.
> In article <4d3bb8b5...@argonet.co.uk>, David H Wild
> <dhw...@argonet.co.uk> wrote:
> > In article <4d3b79ae...@walkingingermany.invalid>,
> > Russell Hafter <see...@walkingingermany.invalid>
> > wrote:
> > > > I suspect he was referring to confidential
> > > > information and/or credit/debit card numbers etc
> > > > rather than just plain bank account number and sort
> > > > code.
>
> > > Maybe, but financial journalists tell us not to divulge
> > > these. And, supposedly, one of the aims of the
> > > Nigeria-type scam letters is to get people to divulge
> > > bank account number and sort code.
>
> > But if you ever send a cheque to somebody you will be
> > divulging these codes.
>
> True, which is why I have always wondered about the sense of
> the articles I recall having read.
>
But surely, you only send cheques to a recipient you trust and who has a
valid address. Don't you? ;-)
Be very careful of Box numbers (which can be very short lived). Be
even more careful of Web addresses (which can be even shorter lived).
Memo to self: ask RComp why they are not using https for their
ordering page.
--
Dave
> All phishing and most social engineering attacks can be
> defeated very easily by two way authentication.
> 1) You enter some details such as user name and password
> 2) The bank site displays a pass phrase which you have
> previously registered
> 3) You enter a PIN code
Interesting one, this!
I have not seen exactly this anywhere, either in the UK or
elsewhere in Europe.
The nearest thing to it that I do have experience of is the
way my Swiss Bank works: it uses a PIN encryption system:
I enter the username and the bank responds with a 6 fig
number.
I put a smart card into a special reader / calculator which
the bank sent me, switch it on and enter my own 6 fig.
PIN. Press OK, then enter the 6 fig number from the screen.
The reader responds with an 8 character code which is what I
actually enter on screen, so were I to be stupid enough to
respond to phishing, the username and PIN on their own are
useless anyway.
My German bank also seems pretty sound:
Accessing the site is fairly trivial - just a user name that
is an abbreviated version of an account number and a 5 char
PIN.
But I cannot carry out any activity without authenticating
it with a 6 fig transaction number, which can only be used
once.
The numbers are stored, encrypted, on the bank's computer
while I have a hard copy of them which I keep in a safe.
So phishing is again pointless, as with just username and
PIN you can do nothing, while there is presumably no way in
which the transaction numbers could be hacked. The weakest
point would appear to be the hard copy of the transaction
numbers.
In the UK things vary a lot, I find, but the one with
apparently the least security only allows transfers to an
account of my own at a different bank anyway. Not much point
there.
Perhaps inevitably, the weakest one seems to be my Belgian
bank, which is owned in the USA. My USA-resident brother
tells me that he is impressed by how much more care UK banks
take with internet security compared with USA ones.
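The single-use transaction numbers described in the post above, as an added example that is not part of the original post or any bank's code. It assumes the server keeps only a keyed hash of each number (standing in for the "encrypted" storage mentioned) and locks the list after repeated misses; the class name, key handling and lockout limit are all hypothetical.

```python
# Added illustration; names, key handling and the lockout limit are assumptions.
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed limit; the post does not mention one


class TanList:
    """Server-side view of one customer's sheet of transaction numbers."""

    def __init__(self, server_key, tags):
        self._key = server_key
        self._unused = set(tags)   # keyed hashes only, never the numbers
        self.failures = 0
        self.locked = False

    @staticmethod
    def _tag(server_key, tan):
        # A bare hash of a 6-digit number is trivially searched, so the
        # stored value is an HMAC under a key held by the server.
        return hmac.new(server_key, tan.encode(), hashlib.sha256).digest()

    @classmethod
    def issue(cls, server_key, count):
        """Return (server-side list, sheet to post to the customer)."""
        sheet = []
        while len(sheet) < count:
            tan = f"{secrets.randbelow(10**6):06d}"
            if tan not in sheet:
                sheet.append(tan)
        tags = [cls._tag(server_key, t) for t in sheet]
        return cls(server_key, tags), sheet

    def remaining(self):
        return len(self._unused)

    def authorise(self, tan):
        """Accept a number once; a replay or a guess counts as a miss."""
        if self.locked:
            return False
        tag = self._tag(self._key, tan)
        if tag in self._unused:
            self._unused.remove(tag)   # single use: gone after first success
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True         # stop online guessing of 6 digits
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample key
    tans, sheet = TanList.issue(key, 5)    # sheet is the posted hard copy
    print(tans.authorise(sheet[0]))        # first use
    print(tans.authorise(sheet[0]))        # same number replayed
    print(tans.remaining(), tans.locked)
```

A login with user name and PIN never touches this list, which is why those two values alone authorise nothing; the printed sheet is the only place the numbers exist in usable form.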
A useful analogy:
http is as secure as a wet paper bag
https is as secure as a very-slightly-less-wet paper bag
with "MONEY IN HERE" written on the side in big letters.
Chris.
So we should all be using PGP for this purpose then. Cue: pv
--
Dave
[..snips?]
> > That has not stopped said financial journalists from telling their readers
> > not to divulge bank account numbers and sort codes.
> It's more a case of they want to be seen to be telling people something, while
> the banks sit on their arses blaming the customer and raising charges to
> cover vastly inflated fraud losses.
> All phishing and most social engineering attacks can be defeated very easily
> by two way authentication.
> 1) You enter some details such as user name and password
> 2) The bank site displays a pass phrase which you have
> previously registered
> 3) You enter a PIN code
Barclays Online already seem to do something very similar,
if not just about identical, to that which you very
reasonably suggest...
Procedure for customers entering own secured site
held with Barclays Online Banking Services:
a) - enter name
b) - enter online account number, (already forwarded
by Royal Mail to known address).
(to next secure page)
c) - enter 'invisible' personal password forwarded by
land mail to known address held by Barclays..
(then using a pre-registered password recorded when account
first opened)
d) - confirm by selecting from a-z list of letters the
letter corresponding to a random number generated
by the secure site. (Random number is selected by
site from the total number of letters making up the
pre-registered password).
e) Repeat confirmation by selecting differing letter
from the pre-registered password as again randomly
enumerated by the secure site.
If all is well, enter your own secure accounts and information
pages - make a complete horlicks of it -
f) - pay 2000gbp to an account when you mean to pay only
20.00gbp (regardless of the type of 'point' ;))
and
g) - end up ringing the Barclays Online Helpdesk who, in
a friendly and polite manner, will pleasantly end up
doing it all for you anyway!
See ..not as complicated as it appears... ;))
btw.. Barclays Online Banking Services are well aware of
RISC OS - having beta tested their site with all the
RISC OS browsers they could get their hands on. They've
made the effort, which is a great deal more than many.... :))
Hope info is useful..
Bill ZFC
--
Freedom2-ArgoNet Domain Host -==- ad...@billsimpson.com
and internet provider for all -==- http://www.argonet.co.uk/
Adoption InterLink UK -==- http://www.billsimpson.com/
******************************* NO! **********************************
You've completely missed the point - at no point in the above does
the website give you any indication it is really your bank and not a
facsimile - you are giving it all the information and it's giving you nothing
in return.
Only at the end of the process will you either find you are viewing your
account information, or you'll be left looking at a blank page or error
message about a page not being available - and next time you check your money
won't be available either!
The point of two way authentication is:-
1) You enter some information to identify yourself to the
website, but not enough to gain access to anything
2) The website gives you back some information which only the genuine
bank will have, so you know who you are talking to.
3) Only then do you enter the final piece of information which gains
access.
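The three steps listed above, run against a genuine site and a lookalike, as an added example that is not part of the original post. The class names, the sample user and the stored-verifier scheme (PBKDF2) are assumptions made for the illustration.

```python
# Added illustration; every name and sample value here is constructed.
import hashlib
import hmac
import os


def kdf(secret, salt):
    """Derive a stored verifier so the site never keeps the raw secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Bank:
    """Genuine site: holds the record created at registration."""

    def __init__(self):
        self.records = {}

    def register(self, user, password, phrase, pin):
        salt = os.urandom(16)
        self.records[user] = {
            "salt": salt,
            "password": kdf(password, salt),
            "pin": kdf(pin, salt),
            # The phrase has to be recoverable, because step 2 displays it.
            "phrase": phrase,
        }

    def identify(self, user, password):
        """Steps 1 and 2: check the first credential, return the phrase."""
        rec = self.records.get(user)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["password"], kdf(password, rec["salt"])):
            return None
        return rec["phrase"]

    def submit_pin(self, user, pin):
        """Step 3: the PIN is what actually opens the account."""
        rec = self.records.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pin"], kdf(pin, rec["salt"]))


class Lookalike:
    """A copy of the login page with no customer records behind it."""

    def __init__(self):
        self.seen = []  # (field, value) pairs the visitor typed in

    def identify(self, user, password):
        self.seen.append(("password", password))
        return "Welcome back"  # it cannot know the registered phrase

    def submit_pin(self, user, pin):
        self.seen.append(("pin", pin))
        return False


class Customer:
    def __init__(self, user, password, phrase, pin):
        self.user, self.password = user, password
        self.phrase, self.pin = phrase, pin

    def login(self, site):
        shown = site.identify(self.user, self.password)
        if shown is None:
            return "rejected"
        # Step 2 is the customer's check: no matching phrase, no PIN.
        if shown != self.phrase:
            return "aborted: wrong pass phrase"
        return "logged in" if site.submit_pin(self.user, self.pin) else "rejected"


if __name__ == "__main__":
    details = ("alice", "first-secret", "purple heron at dawn", "4821")
    bank, fake = Bank(), Lookalike()
    bank.register(*details)
    alice = Customer(*details)
    print(alice.login(bank))
    print(alice.login(fake), fake.seen)
```

The lookalike still receives the step 1 password, which is why step 1 must not be enough to gain access to anything; the PIN never leaves the customer.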
> two way authentication
This does seem like a very sound plan - with the bonus that it can
(maybe?) be less complex than the various log-in procedures I am
currently subjected to.
In fact I have a feeling you've mentioned this before somewhere and I
agreed then - shame the people-who-matter don't seem to notice :-(
Stop it with this FUD!
> Be very careful of Box numbers (which can be very short lived).
No. Well, not until you explain to me how you'd get your sticky fingers
on my money using only my account number and sort code.
> No. Well, not until you explain to me how you'd get your sticky
> fingers on my money using only my account number and sort code.
Write a cheque (ie instruction) quoting those numbers and present it.
--
Jeremy C B Nicoll - my opinions are my own.
> > No. Well, not until you explain to me how you'd get your sticky
> > fingers on my money using only my account number and sort code.
> Write a cheque (ie instruction) quoting those numbers and present it.
I suspect that, if it wasn't on the preprinted form with the correct
signature, you'd not succeed.
> I suspect that, if it wasn't on the preprinted form with the correct
> signature, you'd not succeed.
Preprinted forms are not needed. Normally it's enough for an account
holder to provide clear instructions to the bank about what is to be
done with the account holder's money. As for the signature, I'm not
sure whether that would ever be checked - it might depend on the amount
concerned.
Banks may charge extra for "special presentation" in these cases. I've
only once handled a non-usual cheque, written on a piece of cardboard
shaped & painted to look like a banana - after I foolishly told a bunch
of students that a cheque "could be written on anything, even a
banana". I wasn't charged for the special presentation, partly because
I was a member of staff, I think, though they did suggest that I should
not make a habit of it. I asked how they processed things like that,
and they said that a standard sized voucher would be made out carrying
the necessary details and that'd go through the cheque sorters (big
machines handling trays of cheques) etc, and the cardboard original
would manually be kept with the right tray of cheques. All the other
bank staff thought it was a huge joke.
> ******************************* NO! **********************************
Oh, my dear druck.. am I really /that/ unclear..? =:()
..put aside the general identification that it is indeed
my bank, my various accounts and other pertinent facts
coming in the second secure page of detail known only
between myself and my Bankers.
Should perchance the professional hacker have already
invaded my 'secure' area, wherein part of the logon
procedure takes place - and merely be presenting me
with a, "..facsimile..", of that area - then I would
rather think she would have no need of any entry of mine
anyway. Rather - I would be presented with a blank
secure area - with my various accounts already purloined.
(Of course they, as I, may be waiting for me to deposit
my next Lotto jackpot windfall in Barclays (.GB) rather
than 'Barclays' (.CH).
However, you would be correct if you were to identify
one possible loophole - ie., a hacker 'looking', as it
were, over my shoulder whilst I enter the little 'bits'
of information that make up that small part of my already
pre-registered detail(s).
This, of course, may also defeat the two-way security
that you suggest, at least in one manner. The hacker
would only have to wait until the bank presents their
identification to me - and for me to accept it as
identifying them - before having some knowledge of that
information; knowledge that they can then use the 'next
time' I log on or behind my back, even as I logoff!
This precise scenario has happened and indeed on more
than one, if infrequent, occasion around the world.
Fortunately, my bankers indemnify me against this (and
other frauds) whilst I'm using their Online Banking Service.
That aside:
I hope that, at least in my own manner, that I did take
on board your proposal as you list in (2):
> 2) The website gives you back some information which only the genuine
> bank will have, so you know who you are talking to.
As I said, in one of the entries using pre-registered
detail only known to my bankers and myself, I am required
within the secure site to enter two small 'bits' of
information that are only a part of one of the joint
passwords. I'm further required to enter them in a
manner that makes it harder for an itinerate key hacker.
I can and I have - although I don't have to - check
that it is indeed /my/ bank by entering a deliberate
mistake at this stage.
If it really is my bank - then the deliberate 'mistake'
will be acknowledged and I will be returned to the start
of the whole registration process.
As you say, a hacker wouldn't know this and would be
forced to accept even a deliberate mistake as the genuine
article. My suspicion would not only ring a bell, but
would be immediately confirmed as I ring Barclays Online
Banking, which is available 24/7.
In fact, as there are only a couple of small bits of
the pre-registered information passing between my bank
and myself, it is possible that a hacker is even less
likely to gain access to our joint password than in
your proposal.
It is this that I said was, "..something very similar..",
and did continue on to say, "..just about identical..",
before suggesting, however, that your idea is, "..very
reasonable..".
> Only at the end of the process will you either find you are viewing
> your account information, or you'll be left looking at a blank page or
> error message about a page not being available - and next time you check
> your money won't be available either!
...erk!!
Um... as a separate matter and perhaps with some Banks, yes!
However, in Barclays Online Banking as I have observed it,
should the site be 'down', then it will be either inaccessible,
or the very front page will say so - and usually why and when
it's likely to be 'up' again. This can be checked by an
immediate call, 24/7.
Should the site 'crash' in the middle of use and after
login- then the User will have to make a decision, regardless,
as to where their suspicion might lie.
If they have the slightest concern then they're asked, again,
to inform Barclays immediately.
> The point of two way authentication is:-
> 1) You enter some information to identify yourself to the
> website, but not enough to gain access to anything
Agreed - and this is exactly as it happens with
Barclays Online Banking Services...
> 2) The website gives you back some information which only the genuine
> bank will have, so you know who you are talking to.
Hopefully answered above.. at least as Barclays present it.
> 3) Only then do you enter the final piece of information which gains
> access.
Well, as in your (2), with Barclays it's only little bits
of the agreed, pre-registered information.. but yes, I can
then gain access to my part of the secure site - and carry
on making a mess of it until some kind personal manager
bails me out! It's always fascinating to see just how
paternal/maternal the helpline squad become when presented
with a polite if small, helpless voice at 03.00hrs when
they're bored, with not much to do.. ;))
Although I think that Barclays may have already taken on
board an understanding similar to yours, as I've attempted to
briefly outline above, might I suggest that you get in touch
with the techies in their site security and design department.
From experience - a little bit - I think they will be happy to
listen to your suggestion and, perhaps, incorporate it more
positively than Barclays might momentarily present similar to
the casual observer.
Not sure if your idea has the potential to make you a very
rich gentleman, but it's worth a try, in'it?!
:))
Bill ZFC
e&oe..;))
> It sounds like this is the equivalent of a UK "direct debit" - except
> that the DD requires a signed authorisation before anyone can make use
> of it.
Not true - I've setup direct debits online which required no signature.
As long as the requesting company can prove they have checked your
identity, the banks are happy to setup DDs under the standard "DD guarantee"
Cheers,
/Neil/
--
Web design, hosting and domain registration
http://www.spellings.net/
> > I suspect that, if it wasn't on the preprinted form with the correct
> > signature, you'd not succeed.
> Preprinted forms are not needed. Normally it's enough for an account
> holder to provide clear instructions to the bank about what is to be
> done with the account holder's money. As for the signature, I'm not
> sure whether that would ever be checked - it might depend on the amount
> concerned.
I would have thought that if the instructions were on a non-standard piece
of paper (or whatever) someone might have looked at the signature. I know
it's for administrative convenience, but even the dimmest member of staff
might suspect the possibility of fraud.
> > It sounds like this is the equivalent of a UK "direct debit" - except
> > that the DD requires a signed authorisation before anyone can make use
> > of it.
> Not true - I've set up direct debits online which required no signature.
> As long as the requesting company can prove they have checked your
> identity, the banks are happy to set up DDs under the standard "DD
> guarantee"
I've set them up that way, too, but I needed to prove my identity before
accessing my account.
Heh. Now you mention it, so have I!
>> As long as the requesting company can prove they have checked your
>> identity, the banks are happy to set up DDs under the standard "DD
>> guarantee"
>
> I've set them up that way, too, but I needed to prove my identity before
> accessing my account.
Right, but you prove your identity to the payee - not to your own bank!
As Neil says, if it did go pear-shaped you could always get your money
back through the DD guarantee - but that's presumably no different to
the Lastschrift arrangement, which I was contrasting with Direct Debits.
druck is proposing a system to prevent phishing - that is: you arrive at
a website which *looks* (maybe even including the address in the URL bar
in the worst case scenario) identical to your bank website and proceed
to log in.
Now, you know that your mother's maiden name is "Jones", and you told
your bank that when you opened your account.
So, you've entered something like your username and maybe a password and
are presented with:
"Hi, your mother's maiden name is: Jones"
At that point you enter a PIN and log in happily.
If the site had said:
"Hi, your mother's maiden name is: Gogglebottom"
...then you would know something is wrong and would not proceed!
All the technical details about entering "the third character from the
right end of your personal security PIN number followed by the last
number in your user ID times the month you were born in" are beside the
point.
> druck is proposing a system to prevent phishing - that is: you arrive at
> a website which *looks* (maybe even including the address in the URL bar
> in the worst case scenario) identical to your bank website and proceed
> to log in.
> Now, you know that your mother's maiden name is "Jones", and you told
> your bank that when you opened your account.
> So, you've entered something like your username and maybe a password and
> are presented with:
> "Hi, your mother's maiden name is: Jones"
> At that point you enter a PIN and log in happily.
> If the site had said:
> "Hi, your mother's maiden name is: Gogglebottom"
> ...then you would know something is wrong and would not proceed!
Maybe I misunderstood Druck also! I presumed he was describing a system
such as is used by my bank, Bank of Scotland (also known as HBOS), where
the question is "Your mother's first name?" or one of three other agreed
questions. Seems to me a perfectly good defence system though I can see a
flaw in that the customer is asked to enter username and password at the
same time so a dedicated crook could harvest all three details and stand a
sporting chance of being able to use them.
I would be happier if the Security question was asked, perhaps with the
username, as one dialogue which then led on to another which came up with
the answer for another of my security questions and asked me to confirm it
before asking for the password. This should stop the above happening since
the phisher wouldn't be able to come up with the correct answer even if it
pretended to accept the first answer.
Or have I missed something?
Cheers
Alan
[Snip]
I can see the advantages (reassurance) of the method druck has mentioned,
sounds very good and easy to implement it! Is anyone using it yet?
The nearest I've had is one of my credit card companies, (I forget which)
who quote my post code to me in emails to reassure me that it is from them.
I, though, am still reluctant to click on a URL even in those emails!
Regarding Barclays site which I use every day, whilst the letters of the
password are only known to Barclays a phisher could quite easily obtain all
the letters, I won't spell it out here but it is child's play.
Chris Evans
--
CJE Micro's / 4D 'RISC OS Specialists'
Telephone: 01903 523222 Fax: 01903 523679
ch...@cjemicros.co.uk http://www.cjemicros.co.uk/
78 Brighton Road, Worthing, West Sussex, BN11 2EN
The most beautiful thing anyone can wear, is a smile!
You still aren't getting it. At step 2 YOU don't enter anything, the bank
provides a pre-registered pass phrase that you set up when creating the
account, preferably by phone so it doesn't involve the computer at all.
Perhaps it's easier to understand that it means the bank has to "log on" to
you, as well as you logging on to the bank.
> You still aren't getting it. At step 2 YOU don't enter anything, the bank
> provides a pre-registered pass phrase that you set up when creating the
> account, preferably by phone so it doesn't involve the computer at all.
So the raider is given access to your phrase? No. The bank asks you for
the nth word in your phrase. That way no-one gets the full phrase. Bank of
Scotland use a system like this for verbally querying credit card details.
> Perhaps it's easier to understand that it means the bank has to "log on"
> to you, as well as you logging on to the bank.
They'd have to for any check like "Mother's Maiden Name"
> Bank of Scotland use a system like this for verbally querying credit
> card details.
Most companies using systems like "what's the 3rd digit in your PIN?"
do so so that the staff they have asking the questions don't see the
value of your PIN either.
No no no! The entire point of this scheme is that the bank makes a
statement and does *not* ask you a question.
They can, by all means, include any kind of obscure questions they like
at some other stage - but not at the "anti-phishing" stage.
> Maybe I misunderstood Druck also! I presumed he was describing a system
> such as is used by my bank, Bank of Scotland (also known as HBOS), where
> the question is "Your mother's first name?" or one of three other agreed
> questions.
There's nothing secure about a site that asks you a standard question,
even if it is one of a random set of standard questions (where were you
born, what's mum's maiden name, what primary school did you go to?
etc). A phisher preparing a spoof site can ask the same standard
question.
OTOH if there's a question that's unique to you, eg: "do you like
purple apples?" and that shows up on the site, then you have a high
level of confidence that you really have reached the correct place.
> No no no! The entire point of this scheme is that the bank makes a
> statement and does *not* ask you a question.
OK for the first time the phisher can't get in, but then, he/she can do a
dedicated attack on you - knowing your bank's identification phrase
> [snip 1st paragraph]
>
> I would be happier if the Security question was asked, perhaps with the
> username, as one dialogue which then led on to another which came up with
> the answer for another of my security questions and asked me to confirm it
> before asking for the password. This should stop the above happening since
> the phisher wouldn't be able to come up with the correct answer even if it
> pretended to accept the first answer.
>
> Or have I missed something?
No, your second paragraph was spot on :-)
That's why it's a pass phrase, i.e. long, and it doesn't reveal all the
phrase at once. As standard practice multiple login attempts to reveal the
whole phrase results in the account being locked out, and requires both the
password and passphrase being changed to regain access.
Again no. This is easily defeated, the scam site just rejects anything you
put in as an incorrect entry, and makes you go back through asking for a
different subset - even legitimate banks have this flaw in their system.
> > Perhaps its easier to understand that it means the bank has to "log on"
> > to you, as well as you logging on to the bank.
>
> They'd have to for any check like "Mother's Maiden Name"
This is nothing to do with asking *you* for an answer. Mothers' maiden names
are extremely bad and shouldn't be used for anything as it's now trivial to
find out with more census information being placed online.
One last time, and if you still don't understand too bad. Here is what the
process is trying to achieve:-
1) The bank asks something only you should know
(traditional username and password)
Now the bank knows who you are, but you don't know if the bank is who they say
they are.
2) You ask the bank something only it should know
(A passphrase you gave them when opening the account)
Only if the bank sends you this passphrase (not asks you for it), do you
know the bank is real. At this point both parties are sure the other is
who they say they are.
3) Lastly you give the bank one last piece of information only you should
know (a PIN code)
Then you can access your account information.
This last step is necessary, as if you discover it isn't the bank from an
incorrect response at step 2, the scammer only has half the information and
can't access the account. The PIN is only revealed when both parties trust
each other.
Unfortunately after seeing the responses here, I now understand why the
banks are happy to let the current situation continue. If a significant number
of people can't understand how 2 way authentication is more secure, there is
no point in them doing it - after all it's your money you'll be losing not
theirs.
In message <4d3f6b91...@omba.demon.co.uk>
Jeremy C B Nicoll <Jer...@omba.demon.co.uk> wrote:
> In article <4d3f5f2b...@charleshope.demon.co.uk>,
> charles <cha...@charleshope.demon.co.uk> wrote:
>
> > I suspect that, if it wasn't on the preprinted form with the correct
> > signature, you'd not succeed.
>
> Preprinted forms are not needed. Normally it's enough for an account
> holder to provide clear instructions to the bank about what is to be
> done with the account holder's money. As for the signature, I'm not
> sure whether that would ever be checked - it might depend on the amount
> concerned.
About 6 years ago my son was hit with two direct debits set up by
people who had removed papers from his rubbish bag (left at the gate
ready for the binmen).
The signatures were not checked by the Bank of Scotland and when we
got a copy of the DD paperwork were obviously completely different from
the account holder. The bank, once they were convinced it was fraud, were
reasonably accommodating, refunding the money and charges.
Getting the mobile operators to accept contracts had been entered into
without authorisation was a much more difficult exercise.........
Cheers
Tommy
Please send me all your cash : BN11 2EN
Good grief.
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "Our doubts are traitors, and make us lose the good we oft might win, by fearing to attempt" M for M, Act i, Sc.5
[ snipped ]
> Unfortunately after seeing the responses here, I now understand why the
> banks are happy to let the current situation continue.
Having experienced this very situation of positively identifying a bank,
but over the phone, I have discovered that the reason for their
reluctance to implement such a system is based more on their arrogance
("but I'm your bank" ... "I know you keep saying that, but I want you to
prove it to me" .. "but I'm your bank" and so on.)
Whilst they query our payments (totally f****d up a booking I made with
expedia.co.uk and a purchase from savastore.com) they still think that
using a computer to dial my home whilst withholding CLI is going to
convince me of their identity. I am sure their arrogance (they have
plenty to go 'round) will extend to their internet banking.
As has been shown with credit cards over the years, UK banks are happy to
live with any level of fraud, just so long as they can pass the cost on
to customers and still make 30 billion quid a year between them.
The fact that other contributors here failed to understand your idea may
be down to your expertise at communicating, rather than their ability to
understand. However, banks do assume all customers are stupid crooks but
I'm sure everyone knows that....
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "For where thou art, there is the world itself, and where thou art not, desolation" Henry VI, Act iii, Sc.2
> Whilst they query our payments (totally f****d up a booking I made with
> expedia.co.uk and a purchase from savastore.com) they still think that
> using a computer to dial my home whilst withholding CLI is going to
> convince me of their identity
Withholding CLI is the normal situation with any organization which uses
a switchboard for incoming callers. Many of these use different lines for
calling out on. These lines would have individual numbers, but might not
end up on any particular extension. What is needed in these cases is CLI
faking so that the main switchboard number is shown, no matter which line is
used to dial out on.
An example, from many years ago, was BBC TV Centre. The incoming number was
SHEpherd's Bush 8000, but the outgoing lines all were lines on the Acton
exchange. It stopped irate callers "blocking the exchange" preventing
normal outgoing calls. CLI can't yet cope with this, AFAIK.
This is almost what HBOS does do in letting you set one question and answer,
alongside the four standard questions. This is then supposed to be used if
you try to transfer money to another account. Not actually tried
transferring money so I don't know if it works but it does seem pretty
secure. Still worry a little that it might be possible for my username,
password and the answer to one of the security questions to be harvested.
On the plus side the HBOS site works fine with Oregano 1 or 2 so I feel
pretty friendly towards them! Especially as there was a period after
Halifax got involved when it didn't. Maybe my moaning did have some
effect!
Cheers
Alan
[Snip]
> One last time, and if you still don't understand too bad. Here is what
> the process is trying to achieve:-
> 1) The bank asks something only you should know (traditional username
> and password)
> Now the bank knows who you are, but you don't know if the bank is who
> they say they are.
Not really - they only know that you have possession of the username and
password
> 2) You ask the bank something only it should know (A passphrase you gave
> them when opening the account)
> Only if the bank sends you this passphrase (not asks you for it), do you
> know the bank is real. At this point both parties are sure the other is
> who they say they are.
> 3) Lastly you give the bank one last piece of information only you
> should know (a PIN code)
>
[Snip]
> This last step is necessary, as if you discover it isn't the bank from
> an incorrect response at step 2, the scammer only has half the
> information and can't access the account. The PIN is only revealed when
> both parties trust each other.
> Unfortunately after seeing the responses here, I now understand why the
> banks are happy to let the current situation continue. If a significant
> number of people can't understand how 2 way authentication is more
> secure, there is no point in them doing it - after all it's your money
> you'll be losing not theirs.
I think I understand what you are on about :-) and one of my previous
interventions had a suggestion of how my current HBOS online account could
be improved using a very similar method to your step 2, except that the
bank sends the pass phrase/item without your actually having to ask for it.
What I don't understand is your step 3. It seems to me that if step 2 is
passed satisfactorily then it is your bank so you are satisfied and that
point they could ask you another security question (preferably one that you
have created, not a standard one) to satisfy themselves that you are who
you say they are. I have enough problems remembering user names, passwords
and PIN numbers without having to be burdened with getting it right at this
stage! I am assuming that the PIN number is not the same as for your
credit/debit card which would be a possible security risk in itself.
Cheers
Alan
> Which is rubbish. All it gives fraudsters is a starting point, far more
> information is needed in order to make a withdrawal from the account,
> via either electronic or physical means.
<banking hat on>
Not entirely true.
There have been plenty of cases where, armed with only the information
present on a bank statement fraudsters have duped (stupid) bank clerks to
give away loads of cash.
<banking hat off, burnt, and ashes swept outside>
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "This is the very ecstasy of love" Hamlet, Act ii, Sc.1
You have to divest yourself of the belief that the bank is worried about
security upfront. Their 'cost effective' security model is based on 99%
of transactions being genuine and they will investigate others when
customers draw their attention to unexpected debits and their balance
having gone pear-shaped.
If they fail to resolve a fraud the cost is passed on to the rest of you.
Direct Debits are something you should never allow on your account if
squeamish. Use standing orders instead and stay in control.
[ snip ]
> Cheques aren't as secure as people think.
The truest statement in this thread.
Long, long, ago, clearing banks stopped checking whether cheques are
signed or dated correctly or that the words and figures agree. Nobody
'does a clearing' any more. It is (apparently) more cost effective to
wait for the customer to uncover a fraud or error and sort it out later,
even if it means bearing the cost which in any case they divvy it up and
make the rest of you pay for their laziness.
Cashiers are expected to check that instruments are signed etc., when
paid in but have no way of knowing whether signed correctly. In fact, the
banks have, for years, contemplated not even bothering to present
individual cheques at drawee banks branches. What's the point if nobody
examines them? Just pull the occasional one out later when the need
arises.
The clearing banks' inability to prevent fraud in the UK has already
destroyed the usefulness of the Credit Clearing (Bank Giro Credits) and I
daresay the days of the Debit Clearing are numbered. If anyone wants to
send me a cheque for 50p I'll have a supervised attempt at extracting
more cash or information from their bank. I know it's easy. I know the
system, as do the crooks, and I've seen first hand how it's done and
easily passed myself off, in supervised experiments, as real customers
(with their permission, of course).
I just wish someone would stop reading what journalists write, especially
in the Daily Mail....
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "Words without thoughts never to heaven go" Hamlet, Act iii, Sc.3
I get that with my credit card company. Somebody phones up and asks me for my
account details. They have great difficulty understanding why I won't give them
this, as I didn't call them, so have no idea who is on the other end of the
phone.
But anyway at least since they moved the call centre to India, the accent is
so unintelligible I can tell it's them straight away, so I can say very slowly
for the umpteenth time "NO I DO NOT WANT PAYMENT PROTECTION"!
> [ snip ]
> > Cheques aren't as secure as people think.
> The truest statement in this thread.
> Long, long, ago, clearing banks stopped checking whether cheques are
> signed or dated correctly or that the words and figures agree. Nobody
> 'does a clearing' any more.
Not quite true. I paid in a cheque recently and the cashier wouldn't
accept it as the signature was in the white bit at the bottom and not on
the printed bit above.
As it was my own cheque transferring funds from one account to the other,
she was quite happy for me to re-sign it above.
I thought it might be something to do with a scanning machine that looks
for signatures.
Cheers,
Ray D
--
Ray Dawson
r...@magray.freeserve.co.uk
MagRay - the audio & braille specialists
Absolutely, but that's a whole different kettle of fish.
> What I don't understand is your step 3. It seems to me that if step 2 is
> passed satisfactorily then it is your bank so you are satisfied and that
> point they could ask you another security question (preferably one that you
> have created, not a standard one) to satisfy themselves that you are who
> you say they are.
Yes, but you need the third step because you only realise that you're on
a phishing website /after/ they display your chosen phrase or whatever,
which is /after/ you've typed in your username/password. In this
scenario, the phishers get your password and username but are thwarted
before you give away your PIN. (Presumably you would, at that point,
make a hasty call to your real bank!)
> I have enough problems remembering user names, passwords
> and PIN numbers without having to be burdened with getting it right at this
> stage!
I agree, but most of the banking sites I use already have a combination
of three username/password/PIN s so it would not necessarily mean an
increase in the number of things you have to remember - it just means
they'd be used more effectively.
Fair enough, but we can't be expected to predict the incorrect actions
of other people! After all, someone /could/ go into a branch of NatWest
and say "hi, I'm Adam and my sort code is 601712 but I can't remember my
last name, address or account number. Can I withdraw 1000 pounds
please?" and for all I know the clerk might give it to them!
> > [ snip ]
> > > Cheques aren't as secure as people think.
> > The truest statement in this thread.
> > Long, long, ago, clearing banks stopped checking whether cheques are
> > signed or dated correctly or that the words and figures agree. Nobody
> > 'does a clearing' any more.
> Not quite true. I paid in a cheque recently and the cashier wouldn't
> accept it as the signature was in the white bit at the bottom and not
> on the printed bit above.
That's an example of a cashier not knowing what constitutes a valid
instrument.
> As it was my own cheque transferring funds from one account to the
> other, she was quite happy for me to re-sign it above.
> I thought it might be something to do with a scanning machine that
> looks for signatures.
No. The white area below the signature is where the magnetic E13B
characters are printed for the amount. She doesn't know that as the
characters are magnetic, a signature underneath the E13Bs is irrelevant,
if a little more difficult to read.
> Cheers,
> Ray D
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "Love's gentle spring doth always fresh remain" Venus & Adonis
> Actually, I always choose the "What's your mother's maiden name?"
> question to those sort of things. What they don't know is that for
> each account I have a different, and random, "mother's maiden name"
> and only I know which random name I've given to each account, and to
> further confuse ID thieves, /none/ of them are my genuine mother's
> maiden name, which I guess would be relatively simple to find out for
> the average hacker.
Quite. A guess for your age applied to 1837 online
(http://www.1837online.com) would lead fairly easily to a reference to
the registration of your birth which would enable purchasing your birth
certificate which would give your mother's maiden name. The only
difficulty in this is the need for the fraudster to spend some time
on the search and to pay out the fees for 1837 online and for the
certificate.
Mind you the search would be more difficult if your surname was Smith.
--
Tim Powys-Lybbe t...@powys.org
For a miscellany of bygones: http://powys.org
> What they don't know is that for each account I have a different, and
> random, "mother's maiden name"...
I use a similar approach. What's worrying though is how clued-up the
bank people might be when a phisher phones them pretending to be me.
"What's your mother's maiden name? Snodgrass. Oh? - we've got Smith
here...."
(Names all wrong, of course.)
> Direct Debits are something you should never allow on your account if
> squeamish. Use standing orders instead and stay in control.
However it should be pointed out that you can cancel any direct debit
set up on your account and once done no funds can be withdrawn from it.
This is much better than setting up regular payments on credit cards,
which can be taken from your account even after closing the account!
Regards,
/Neil/
--
Web design, hosting and domain registration
http://www.spellings.net/
> > About 6 years ago my son was hit with two direct debits set up by people
> > who had removed papers from his rubbish bag (left at the gate ready for
> > the binmen).
>
> I invested in a relatively cheap cross-thread paper shredder from the local
> B&Q. I now routinely shred /anything/ with my name and/or address on it
> before putting it in the bin, even spam from credit card companies who want
> to offer me new accounts etc.
>
On a slightly different note, at a local branch of vehicle service
station paying for their services is contingent on you receiving
"marketing material from selected third parties..by post or telephone".
No opt out so I have to write to the marketing manager to stop this
from going any further than it automatically does go.
Privacy under attack from all directions it seems.
A.Weston
--
Staffordshire, UK of GB&NI.
An alternative vision for Britain and Europe: www.new-frontiers.org
> No opt out ...
How do they confirm that the address / telephone number you give them
is correct? Give them someone else's - but not mine!
[snip]
> One last time, and if you still don't understand too bad. Here is what the
> process is trying to achieve:-
>
> 1) The bank asks something only you should know
> (traditional username and password)
>
> Now the bank knows who you are, but you don't know if the bank is who they
> say they are.
>
> 2) You ask the bank something only it should know
> (A passphrase you gave them when opening the account)
>
> Only if the bank sends you this passphrase (not asks you for it), do you
> know the bank is real. At this point both parties are sure the other is
> who they say they are.
>
> 3) Lastly you give the bank one last piece of information only you should
> know (a PIN code)
>
> Then you can access your account information.
[snip]
Although you're absolutely right to highlight 2 way authentication as being
important (something the banks *really* need to get to grips with), it's
still important to be wary even if a bank implements something like the
above.
A phisher could quite easily pass the details obtained from step 1 on to the
genuine banking site and then scrape the returned page for the information
needed to present to the user in step 2.
This is why checking a site's certificate is so important, as it's much
harder to achieve the same thing with these.
Two way authentication like the above works much better over the phone, since
man-in-the-middle type attacks are also much harder in these circumstances.
David
--
Website: http://www.flypig.co.uk
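The three-step exchange druck describes and the relay weakness David raises, modelled as an added example (not code from any poster in the thread). The account data, the `bank.example` names and the reduction of a certificate check to a plain name comparison are assumptions made for illustration.

```python
"""Toy model of the three-step login from the thread. All data is constructed."""
import hmac

# Constructed sample account: every value here is made up for the example.
ACCOUNTS = {
    "alice": {"password": "correct horse", "phrase": "purple apples at dawn", "pin": "4921"},
}
# Assumption: the name on the genuine bank's certificate, reduced to a plain string.
BANK_CERT_SUBJECT = "bank.example"


class Bank:
    """The genuine site: it reveals the phrase only after step 1 succeeds."""
    cert_subject = BANK_CERT_SUBJECT

    def step1(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct and hmac.compare_digest(acct["password"], password):
            return acct["phrase"]  # step 2: the bank "logs on" to the customer
        return None

    def step3(self, user, pin):
        acct = ACCOUNTS.get(user)
        return bool(acct) and hmac.compare_digest(acct["pin"], pin)


class StaticSpoof:
    """A look-alike page with no link to the bank: it can only guess a phrase."""
    cert_subject = "bank-login.example"  # hypothetical look-alike name

    def __init__(self):
        self.captured = {}

    def step1(self, user, password):
        self.captured.update(user=user, password=password)
        return "Gogglebottom"

    def step3(self, user, pin):
        self.captured["pin"] = pin
        return False


class RelaySpoof(StaticSpoof):
    """A look-alike that passes step 1 to the real bank and shows its reply."""

    def __init__(self, bank):
        super().__init__()
        self.bank = bank

    def step1(self, user, password):
        self.captured.update(user=user, password=password)
        return self.bank.step1(user, password)


def customer_login(site, user, password, expected_phrase, pin, check_cert=False):
    """Walk the three steps as the customer and report where they stopped."""
    if check_cert and site.cert_subject != BANK_CERT_SUBJECT:
        return "stopped: certificate mismatch"  # nothing has been typed yet
    shown = site.step1(user, password)
    if shown != expected_phrase:
        return "stopped: wrong phrase"  # password exposed, PIN withheld
    site.step3(user, pin)
    return "pin sent"


def run_scenarios():
    """Return {scenario: (outcome, sorted names of secrets the site captured)}."""
    acct = ACCOUNTS["alice"]
    creds = ("alice", acct["password"], acct["phrase"], acct["pin"])
    bank = Bank()
    scenarios = {
        "genuine bank": (bank, False),
        "static spoof": (StaticSpoof(), False),
        "relay spoof, phrase check only": (RelaySpoof(bank), False),
        "relay spoof, certificate checked first": (RelaySpoof(bank), True),
    }
    results = {}
    for name, (site, check_cert) in scenarios.items():
        outcome = customer_login(site, *creds, check_cert=check_cert)
        results[name] = (outcome, sorted(getattr(site, "captured", {})))
    return results


if __name__ == "__main__":
    for name, (outcome, captured) in run_scenarios().items():
        print(f"{name:40} {outcome:30} captured={captured}")
```

The phrase check stops the static copy before the PIN is typed, but a relayed phrase is indistinguishable from the bank's own, so only the identity check made before step 1 keeps all three secrets back.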
> > > About 6 years ago my son was hit with two direct debits set up by
> > > people who had removed papers from his rubbish bag (left at the
> > > gate ready for the binmen).
> >
> > I invested in a relatively cheap cross-thread paper shredder from the
> > local B&Q. I now routinely shred /anything/ with my name and/or
> > address on it before putting it in the bin, even spam from credit
> > card companies who want to offer me new accounts etc.
> >
> On a slightly different note, at a local branch of vehicle service
> station paying for their services is contingent on you receiving
> "marketing material from selected third parties..by post or telephone".
> No opt out so I have to write to the marketing manager to stop this
> from going any further than it automatically does go.
> Privacy under attack from all directions it seems.
Particularly by those who breach guidelines but does anyone know where
online there are the guidelines the service station breaches? This should
be an opt-in thing only, I am sure.
As far as postal addresses are concerned,
<URL:http://www.plainenglish.co.uk/webdesign.html> makes some interesting
and valid points.
Hiding from the world is no way to attract business contacts even if that
means you have to endure junk mail.
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "I can no other answer make, but, thanks, and thanks" Twelfth N, Act iii, Sc.3
> I invested in a relatively cheap cross-thread paper shredder from the
> local B&Q. I now routinely shred /anything/ with my name and/or
> address on it before putting it in the bin, even spam from credit card
> companies who want to offer me new accounts etc.
Um. I can find most addresses online. I won't post yours here but 192.com
seems to have something in PO4 xxx from 2003.
What does the 'C' stand for? ;-)
Why crooks bother to rifle through our rubbish when electoral rolls exist
is beyond my ken. It's so much warmer in the local library over the
photocopier than rifling through bin bags.
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "Sweet, above thought I love thee" Troilus & C, Act iii, Sc.1
[Snip]
> > There have been plenty of cases where, armed with only the
> > information present on a bank statement fraudsters have duped
> > (stupid) bank clerks to give away loads of cash.
> Fair enough, but we can't be expected to predict the incorrect actions
> of other people! After all, someone /could/ go into a branch of NatWest
> and say "hi, I'm Adam and my sort code is 601712 but I can't remember
> my last name, address or account number. Can I withdraw 1000 pounds
> please?" and for all I know the clerk might give it to them!
That's about the size of it. Given the number of temps the banks have now
to employ - because they let too many of us go - this could happen. As an
agency worker myself at times I know that we care less about The Company
than a devoted employee who has their future to worry about.
--
To reduce your BT phone bill by up to a half,
to obtain your own spam-proof address, or to contact me, visit
www.invalid.org.uk or email postmaster at invalid dot org dot uk
(To avoid spam, email to 1...@invalid.org.uk is deleted unread).
... "God shall be my hope, my stay, my guide, and lantern to my feet" Henry VI, Act ii, Sc.3
> > Direct Debits are something you should never allow on your account if
> > squeamish. Use standing orders instead and stay in control.
> However it should be pointed out that you can cancel any direct debit
> set up on your account and once done no funds can be withdrawn from it.
> This is much better than setting up regular payments on credit cards,
> which can be taken from your account even after closing the account!
True. Though the simple solution is to write to the Card Issuer refusing
to make any payments or accept any further interest charges until they
have corrected the issue. Also if a Direct Debit Originator takes more
than they are entitled to from a bank account you are entitled to a full
and immediate refund from the bank who themselves must pursue a refund
for themselves.
Cue posters who have been told by un-trained bank staff that customers
have to sort this out themselves. It is because of the hassle caused by
poorly trained bank clerks D/Ds are best avoided whenever possible.
When they go wrong banks can make them a time-consuming nightmare as
visiting a branch to shout and bang on the counter is sometimes the only
way to get satisfaction.
> Talking about insecurity, I had an interesting conversation with one of
> the girls in my branch of Abbey this morning.
> I went in there to complete opening a new business account for Orpheus
> Internet. They wanted several items of ID, which I provided them with -
> passport, utility bill etc. However, one item of ID which they required
> was some headed notepaper for the company in question. I told her I
> hadn't got any printed yet, to which she replied that she couldn't open
> the account until I provided some.
> I said "What kind of security is that?" and she merely said, that's what
> they need, to which I replied that if she was really sure, I guess I
> could easily knock something up on the laser printer at home - was there
> any particular design she favoured? I think she saw the point I was
> making, but it was obviously something the bank required, so she just
> replied, that would be fine. I could fax it through direct to her if I
> wanted and she'd ensure the account was set up promptly!
It's when the bank you have used for 30+ years asks for passport: "Haven't
got one."
NI Card: "Didn't issue them in my day."
Driving licence:"OK - but if you want one with a photograph - hard luck"
At that point I ask if my personal banker of over 30 years would be enough
of a recommendation...
--
John Cartmell john@ followed by finnybank.com FAX +44 (0)8700-519-527
Qercus magazine & FD Games www.finnybank.com www.acornuser.com
Qercus - a fusion of Acorn Publisher & Acorn User magazines
> This is nothing to do with asking *you* for an answer. Mothers' maiden
> names are extremely bad and shouldn't be used for anything as it's now
> trivial to find out with more census information being placed online.
You don't have to give the real one, just remember the one that you did
give. The Coop Bank asked me, when I subscribed to telephone banking, for
five pieces of information and the young lady pointed out that none of them
needed to be true, as long as you could remember what you had given.
--
__ __ __ __ __ ___ _____________________________________________
|__||__)/ __/ \|\ ||_ | / Acorn StrongArm Risc_PC
| || \\__/\__/| \||__ | /...Internet access for all Acorn RISC machines
___________________________/ dhw...@argonet.co.uk
Try, but multiple account accesses from a particular phishing site should be
flagged up very quickly. But of course these days with vast armies of Windows
bot nets at scammers' disposal, it would be quite easy to farm these requests
out via proxies to prevent detection.
> This is why checking a site's certificate is so important, as it's much
> harder to achieve the same thing with these.
Anyone can purchase a certificate, and then IE, Firefox and most other
browsers will display the padlock symbol which is the most people know to
look for. How many do you think then bring up the certificate information,
and phone up the bank asking them if they can confirm it is a genuine
registration - zero I suspect. Even if sites don't have a valid certificate,
how many people understand what the warning message means?
> Two way authentication like the above works much better over the phone,
> since man-in-the-middle type attacks are also much harder in these
> circumstances.
Certainly, and many would argue that if you value your money, you don't use
online banking at all.
No! This only verifies they have purchased a valid SSL certificate from one
of the issuing authorities. Are you going to check the postal address of the
registrant against Companies House (or the national equivalent) for each site
you visit?
> Unfortunately this isn't possible with any RISC OS browser as far as I'm
> aware.
NetSurf has some checking for valid certificates, I'm not sure how complete
it is checking for revocation etc.
<snip>
> > Talking about insecurity, I had an interesting conversation with
> > one of the girls in my branch of Abbey this morning...
<and again>
> It's when the bank you have used for 30+ years asks for passport:
> "Haven't got one."
Same here.
> NI Card: "Didn't issue them in my day."
Same for me.
> Driving licence:"OK - but if you want one with a photograph - hard
> luck"
Ah, now: I don't have one of those either and never have. This could
be tricky!
> At that point I ask if my personal banker of over 30 years would be
> enough of a recommendation...
Is that the one you keep in the cupboard?
--
John M Ward : RISC OS computing since 1987, now Iyonix-powered!
Acorn/RISC OS web page: www.john-ward.org.uk/personal/john/computers
> Probably because council employees are so stupid - I still get my
> community charge bills sent "to the occupier"!!
> It's amazing that someone the other side of the world can probably
> find out my details, but the local council can't - or doesn't make
> the effort!
No, it's because it's "the occupier", whoever they are, that is
legally responsible for paying the council tax bill. It's not because
they don't know or can't find out your name, it's because it's
irrelevant.
--
David Holden - APDL - <http://www.apdl.co.uk>
> In article <ant19201...@ukonline.co.uk>,
> A.Weston <nospam@invalid> wrote:
>
> > No opt out ...
>
> How do they confirm that the address / telephone number you give them
> is correct? Give them someone else's - but not mine!
>
A tactic adopted by most of the toads that the police stop on the
streets ;-(
--
Dave
> In article <4d3fdce...@cartmell.demon.co.uk>,
> John Cartmell <jo...@cartmell.demon.co.uk> wrote:
> > In article <4d3fc6199eu...@segfault.co.uk>, pv
> > <usenet...@segfault.co.uk> wrote:
>
> <snip>
>
> > > Talking about insecurity, I had an interesting conversation with
> > > one of the girls in my branch of Abbey this morning...
>
> <and again>
>
> > It's when the bank you have used for 30+ years asks for passport:
> > "Haven't got one."
>
> Same here.
>
> > NI Card: "Didn't issue them in my day."
>
> Same for me.
>
> > Driving licence:"OK - but if you want one with a photograph - hard
> > luck"
>
Also at the Abbey, I had an almost identical conversation. But she did
accept my old style driving licence, even although it had a postcode
that was changed by the PO some years ago.
All this is supposed to make money laundering very slightly more
difficult for inept criminals.
--
Dave
Fine as far as it goes, I suppose, but what about the 'ept' ones?
As for me, I moved from Abbey to the Nationwide well over a year ago,
and I took with me my box of Medway Council (see sig) business cards
and the local council newspaper that showed my picture and details
after having been elected -- plus a couple of utilities bills. Worked
for me ;-)
--
John M Ward, one of the 3 Councillors for Horsted South & Horsted ward.
~~~~~~~~~~~ Go to: www.horsted.pwp.blueyonder.co.uk
for my "Councillor's Website", an extensive resource.
* * Keep Rochester Airport * *
But to be successful that would require the user to visit the phishing
site twice /and/ to have not changed their passwords or contacted their
bank in the meantime. Seems a bit far fetched...
Adam
--
Adam Richardson
Email me at: monkeyadam~but.not.this.monkey~@ntlworld.com
Carpe Diem
> It's when the bank you have used for 30+ years asks for passport: "Haven't
> got one."
> NI Card: "Didn't issue them in my day."
> Driving licence:"OK - but if you want one with a photograph - hard luck"
It's anti money laundering regulation - they need to be able to prove to
regulators that you are who you say you are.
> At that point I ask if my personal banker of over 30 years would be enough
> of a recommendation...
I don't see what bearing that has on it. Unless you gave your passport
to your personal banker 30 years ago for safe keeping?