Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Job de Haas <job () ITSX COM>
Date: Thu, 24 Aug 2000 09:12:22 +0200
Hi all,

First about the responsibility. I think there is not so much a question on the technical responsibility of the customer over his own machine and the bank over the successful performance of its software. What I have noticed is that banks very much go out of their way to stress the safety of online payment, but very much lack in the way they inform and educate their customers on the risks and the customer's role in this. With clients I always stress that the fact that they want to be in the forefront of offering all these interesting services to customers who often very poorly understand the issues gives them an additional responsibility in this area (of education).
More than that - banks which _do_ use this kind of routine for online banking are putting their customers in unnecessary danger by leaving this possibility to an attacker. After we demonstrated how it's possible to take over this account, we also suggested modifications to this specific bank:
1. Do not install any software on the client's computer.
2. Use the web browser's authentication methods with SSL & Java applets to enter the account number and a 4/5 digit access code that is permanent and should be memorized by the client.
Pretty funny to read this after I saw a BBC 2 item (Newsnight I think) on the insecurities of online banking in which completely the opposite was recommended by someone (i.e. from web based to local app). I'd have my reservations with web based systems too. Notably the ease of redirecting a site to a mirror site and taking advantage of people not noticing the SSL lock, or registering slightly modified DNS names and getting a valid certificate for them. Let alone all the browser bugs that have been found, which would help subversion and MITM pretty well. In the end general purpose platforms are just not good enough for secure transactions. The amount of fraud committed will decide whether we'll see banks coming up with another platform or not.

Job