funsec mailing list archives
Re: How do I exploit thee ...
From: "Joel R. Helgeson" <joel () helgeson com>
Date: Tue, 12 Oct 2010 14:26:48 -0500
How about taking a picture of someone else's check and depositing it into my account. These checks are not necessarily human reviewed, they are machine read and encoded. I could deposit your paycheck before you get it to the bank.

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Friday, October 08, 2010 3:47 PM
To: funsec () linuxbox org
Subject: [funsec] How do I exploit thee ...

PayPal iPhone app makes cheque deposits
http://www.cbc.ca/technology/story/2010/10/08/con-cheque-app.html

Let me count the ways:

Are the images encrypted in transit? Are they encrypted in storage on the iPhone? (How are they protected at Paypal?)

Can the images be modified, in order to change cheque numbers, for instance, and multiply transactions?

Is this only available with a non-jailbroken iPhone?

If they can be modified, they can be created for fake accounts ...

I'm sure that there are controls in place, particularly for these obvious ideas. Are the controls sufficient?

The idea of trusting an image captured by a user-owned interface device just seems to be asking for trouble ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
If you do buy a computer, don't turn it on. - Richards' 2nd Law
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.