Penetration Testing mailing list archives

Re: [PEN-TEST] SV: [PEN-TEST] Home-Banking PEN-TESTING


From: paul m <paul () 2BET CO UK>
Date: Thu, 24 Aug 2000 12:08:49 +0100

On Wed, Aug 23, 2000 at 10:36:12AM +0200, mikhail.iakovlev () TELENOR COM wrote:
> Let's say I want to go on
> vacation, and there is some internet cafe. A friend of mine is calling and
> asking me to transfer some money to his account. In this way any browser
> supporting SSL (IE, Netscape) will do the job. All I'd have to do is to
> remember the access code to my account in the first place, and have a card with
> random codes in hand. If my wallet is stolen, the thief wouldn't know what
> account those numbers belong to,

I take it your wallet doesn't contain any bank/debit/credit cards or
cheque books then?

> and wouldn't be able to access the account
> in the first place, since the 4-digit number is memorized and not on the
> card.

but in the scenario described above you are wide open to shoulder
surfing - precisely the modus operandi of ATM thieves and fraudsters.

> If somehow an attacker takes over the client's machine and gets information for
> accessing the account - again, he'd not get too far - the only thing he would
> see is the balance on the account and nothing else.
> Of course, there is a little chance that someone would target _you_
> specifically, but then it would require 2 crimes to be committed - hacking
> into your computer AND stealing your wallet/card.

Again - this is precisely the kind of thing ATM fraudsters do -
shoulder surf someone to get the number, then target them for
pickpocketing - I believe it was common to do this, then replace the
wallet, so cards could then be forged without attracting suspicion.

Given that people have gone to the lengths of installing false fronts
on ATM machines to gather information, I think we can safely assume
that publicly accessible machines will be trojaned if people take to
using them for their banking. Albeit that these machines have a wider
variety of uses than an ATM.

This said, I do think the idea of verification information that is not
stored electronically could be a good idea (assuming they really are
unique, one-time random numbers and the verification mechanism on the
other end is secure), but you do expose the system to human factors -
if you have difficulty remembering which number on the card you used
last and cross them off as you go, its value is somewhat lessened, is it
not?

A cautionary tale: When I was younger, circumstances meant the company
I kept was somewhat less salubrious than it is now, and I had the
acquaintance of a professional credit card fraudster. He was often able
to use the same card for months at a time. How? He had a friendly
postman who would steal company credit cards before they were
delivered. (And yes, they are sent by ordinary post - after all, doing
otherwise would cost the bank a little more.)

paul m.


> However, you would
> probably give a message to the bank and they would disable all those codes on
> the card at once, and send you a new one.
> RSA card solutions could also be used, but it is a bit more expensive for the
> bank. However, remember that an RSA _software_ card simulator is not a good idea,
> since it also could be taken over, since it is resident software on the target
> computer.


> I hope this helps:)
>
> Best wishes.
> Mikhail Iakovlev jr.
> Security officer for Cerber Security Norway, System engineer for Telenor
> Mobil AS
> Email: mikhail.iakovlev () telenor com, misha () privat sysedata no
> Phone: +47-99579541,+47-98213738, fax: +47-22870954
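An added illustration of the server-side half the thread says the code-card scheme depends on ("the verification mechanism on the other end is secure"): the bank keeps only keyed hashes of the printed one-time codes, the server names the position it wants so the customer need not remember which codes are crossed off, a used code is never accepted again, and a stolen-wallet report or a run of wrong codes disables the whole card at once. This is example code written for this archive page, not from either poster; the account id, pepper, code length and failure threshold are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

CODE_LEN = 6       # digits per printed code (assumption, not from the thread)
MAX_FAILURES = 3   # wrong codes in a row before the whole card is disabled


def generate_card(n_codes: int) -> list:
    """Unpredictable one-time codes for printing; the bank keeps only hashes."""
    return [f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}" for _ in range(n_codes)]


class CodeCardVerifier:
    """Server-side state for one printed card of one-time codes."""

    def __init__(self, account_id: str, codes: list, pepper: bytes):
        self.account_id = account_id
        self.pepper = pepper  # server-side secret; a leaked table reveals no codes
        self.hashes = [self._digest(i, c) for i, c in enumerate(codes)]
        self.used = [False] * len(codes)
        self.revoked = False
        self.failures = 0

    def _digest(self, index: int, code: str) -> bytes:
        # Bind the hash to account and position so codes cannot be swapped around.
        msg = f"{self.account_id}:{index}:{code}".encode()
        return hmac.new(self.pepper, msg, hashlib.sha256).digest()

    def next_index(self) -> Optional[int]:
        """Position the server asks for; None once every code is spent."""
        return next((i for i, u in enumerate(self.used) if not u), None)

    def verify(self, index: int, code: str) -> tuple:
        if self.revoked:
            return False, "card revoked"
        if index != self.next_index():
            return False, "not the requested code"   # also rejects replay of a spent code
        if not hmac.compare_digest(self.hashes[index], self._digest(index, code)):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.revoked = True                  # kill every remaining code at once
            return False, "wrong code"
        self.used[index] = True                      # a code is accepted exactly once
        self.failures = 0
        return True, "accepted"

    def revoke(self) -> None:
        """Customer reports the wallet stolen: all remaining codes die together."""
        self.revoked = True
```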
