Penetration Testing mailing list archives
Re: [PEN-TEST] SV: [PEN-TEST] Home-Banking PEN-TESTING
From: paul m <paul () 2BET CO UK>
Date: Thu, 24 Aug 2000 12:08:49 +0100
On Wed, Aug 23, 2000 at 10:36:12AM +0200, mikhail.iakovlev () TELENOR COM wrote:
Let's say I want to go on vacation, and there is some internet cafe. A friend of mine calls and asks me to transfer some money to his account. In this way any browser supporting SSL (IE, Netscape) will do the job. All I'd have to do is remember the access code to my account in the first place, and have a card with random codes in hand. If my wallet is stolen, the thief wouldn't know what account those numbers belong to,

I take it your wallet doesn't contain any bank/debit/credit cards or cheque books then?

and wouldn't be able to access the account in the first place, since the 4 digit number is memorized and not on the card.

but in the scenario described above you are wide open to shoulder surfing - precisely the modus operandi of ATM fraudsters.

If somehow an attacker takes over the client's machine and gets information to access the account - again, he'd not get too far - the only thing he would see is the balance on the account and nothing else. Of course, there is a little chance that someone would target _you_ specifically, but then it would require 2 crimes to be committed - hacking into your computer AND stealing your wallet/card.

Again - this is precisely the kind of thing ATM fraudsters do - shoulder surf someone to get the number, then target them for pickpocketing - I believe it was common to do this then replace the wallet, so cards could then be forged without attracting suspicion. Given that people have gone to the lengths of installing false fronts on ATM machines to gather information, I think we can safely assume that publicly accessible machines will be trojaned if people take to using them for their banking. Albeit that these machines have a wider variety of uses than an ATM.

This said, I do think the idea of verification information that is not stored electronically could be a good idea (assuming they really are unique, one-time random numbers and the verification mechanism on the other end is secure) but you do expose the system to human factors - if you have difficulty remembering which number on the card you used last and cross them off as you go, its value is somewhat lessened, is it not?

A cautionary tale: When I was younger circumstances meant the company I kept was somewhat less salubrious than it is now and I had the acquaintance of a professional credit card fraudster. He was often able to use the same card for months at a time. How? He had a friendly postman who would steal company credit cards before they were delivered. (And yes, they are sent by ordinary post - after all, doing otherwise would cost the bank a little more)

paul m.

However, you would probably give a message to the bank and they would disable all those codes on the card at once, and send you a new one. RSA card solutions could also be used but it is a bit more expensive for the bank. However, remember that an RSA _software_ card simulator is not a good idea since it also could be taken over since it is resident software on the target computer. I hope this helps :) Best wishes.

Mikhail Iakovlev jr.
Security officer for Cerber Security Norway, System engineer for Telenor Mobil AS
Email: mikhail.iakovlev () telenor com, misha () privat sysedata no
Phone: +47-99579541, +47-98213738, fax: +47-22870954
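The one-time code card debated above (Mikhail's card of random codes, Paul's point that a customer may lose track of which code was used last, and revoking the whole card once the wallet is reported stolen) can be modelled on the bank's side. The Python below is an added illustration, not code from either poster or from any bank; the class, method names, status strings and the sample codes are constructed for this example. The bank picks the next unused position itself, so the customer never has to remember it, a code that has already been spent is rejected even if it was shoulder-surfed, and only salted digests of the codes are kept.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def generate_card(n: int = 50, digits: int = 6) -> List[str]:
    """Print-side: n distinct random codes (constructed sample sizes).

    Draws from the OS CSPRNG and rejects duplicates, so every code on the
    card is unique, which the verifier below relies on.
    """
    codes: List[str] = []
    seen = set()
    while len(codes) < n:
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if code not in seen:
            seen.add(code)
            codes.append(code)
    return codes


class OneTimeCodeCard:
    """Bank-side record for one printed card (hypothetical model).

    Only salted HMAC digests of the codes are stored, so a copy of the
    database does not reconstruct the card. Each position may be accepted
    once; the whole card is revoked when the customer reports it stolen.
    """

    def __init__(self, card_id: str, codes: List[str], max_failures: int = 3):
        self.card_id = card_id
        self._salt = secrets.token_bytes(16)
        self._digests = [self._digest(c) for c in codes]
        self._used = [False] * len(codes)
        self.revoked = False
        self.failures = 0
        self.max_failures = max_failures

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._salt, code.encode(), hashlib.sha256).digest()

    def next_challenge(self) -> Optional[int]:
        """Position the bank asks for next, so the customer need not track it."""
        for i, used in enumerate(self._used):
            if not used:
                return i
        return None  # card exhausted; a new one must be issued

    def revoke(self) -> None:
        """Customer reported the wallet stolen: every code on the card dies."""
        self.revoked = True

    def _fail(self, status: str) -> str:
        self.failures += 1
        return status

    def verify(self, index: int, code: str) -> str:
        """Accept `code` for position `index` once; return a status string."""
        if self.revoked:
            return "revoked"
        if self.failures >= self.max_failures:
            return "locked"  # repeated guesses: customer must contact the bank
        if not 0 <= index < len(self._digests):
            return self._fail("bad_index")
        if self._used[index]:
            # A spent code being replayed, e.g. one that was shoulder-surfed
            return self._fail("already_used")
        if not hmac.compare_digest(self._digests[index], self._digest(code)):
            return self._fail("wrong_code")
        self._used[index] = True
        self.failures = 0
        return "ok"


if __name__ == "__main__":
    printed = generate_card(5)          # what goes in the customer's wallet
    bank = OneTimeCodeCard("card-0001", printed)
    idx = bank.next_challenge()
    print("bank asks for code", idx, "->", bank.verify(idx, printed[idx]))
    print("replay of the same code ->", bank.verify(idx, printed[idx]))
    bank.revoke()                       # wallet reported stolen
    print("after revocation ->", bank.verify(bank.next_challenge(), printed[1]))
```

The server-chosen index is what removes Paul's human-factor objection: the customer is told "enter code number 17" rather than having to remember where they left off. The failure counter and the whole-card revocation are the bank-side half of what Mikhail describes; the card is only as strong as the assumption in the lead-in that the printed codes never exist in plaintext on the bank's side after printing.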