Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Jim Miller <MillerJ () FABTEXAS COM>
Date: Tue, 29 Aug 2000 15:33:49 -0500
IMHO2: You will never get a banking customer in West Texas to use the Internet for banking if you require him to "enter the 3rd, 26th, 38th, 41st and 107th characters of your password". It's unreasonable. My own bank has a box on the login screen that asks if the customer wants to have his system remember the password so he does not have to be pained for it. I think that puts the Bank at Risk of being sued, and plan to ask if it can be removed. It stores the password in a cookie on the customer's drive. And it can be hacked. I have seen no system prevention against a site reading another site's cookies, and it is certainly hackable locally.

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas 77805-8100
979/361-6515
801/835-5546
millerj () fabtexas com
>>> Chris () LAYCOCK-KETTON FREESERVE CO UK 08/29/00 04:29AM >>>
IMHO: The bank should warn people not to store their password in the Cache of their web browser. This would stop some attacks, although they shouldn't be responsible for Keystroke logs. Most of the problems would be solved if the user had a long password and was asked for random characters from it, e.g. "Please enter the 3rd, 26th, 38th, 41st and 107th characters of your password", and setting it so that only logging on and off will change the characters required. AFAIK this system is used by some banks over the phone but not over the net.

Chris

-----Original Message-----
From: Rafael Coninck Teigao <rafael () SAFECORE NET>
To: PEN-TEST () SECURITYFOCUS COM <PEN-TEST () SECURITYFOCUS COM>
Date: 26 August 2000 21:07
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING
I'm not cracking the client machine. I'm asking that if it is possible for someone to crack the client machine and get the password, should the bank hold liability for it? I already broke into my own machine for that purpose, so I know it is vulnerable.

[]'s,
RCT.

Erik Tayler wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I do not believe the bank even has the right to have you test personal computers that are housed in a residence. Ask a lawyer to be certain, but that seems like a large invasion of privacy. I have previously used home-banking, and I would be furious if my bank hired people to break into my home network. I think one could consent to such a service, I am not saying it is un-performable, but it sounds like a pain to get such permission from everyone subscribing to the home-banking system. Sniffing someone while they are transferring sensitive information is just as effective as breaking into their network/pc. None of what I just said is of any relevance if you are not referring to the consumers that actually access the bank via modem or web-interface to view their financial data.

Erik Tayler
14x Network Security
http://www.14x.net
--
-------------------------------------------------------------------------------
And the Raven, never flitting, still is sitting, still is sitting
On the pallid bust of Pallas just above my chamber door;
And his eyes have all the seeming of a demon's that is dreaming,
And the lamp-light o'er him streaming throws his shadow on the floor;
And my soul from out that shadow that lies floating on the floor
Shall be lifted - nevermore!
E. A. Poe --> The Raven (c1845)
-------------------------------------------------------------------------------
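The positional-challenge scheme Chris proposes above (ask for a handful of character positions from a long password, and change the positions only when the customer logs on or off) is easy to get subtly wrong, so here is an added, self-contained illustration of it. This is example code written for this archive page, not code from any poster or from any bank; the password string, the minimum length, the five-position challenge size and the three-strike lockout are constructed assumptions, and the class and function names are invented for the example.

```python
"""Partial-password (character-position) challenge, modelled on the scheme
described in the thread. Constructed example; the sample password is not real."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List

MIN_PASSWORD_LENGTH = 12      # assumption: policy minimum for this scheme to make sense
POSITIONS_PER_CHALLENGE = 5   # the thread's example asks for five characters
MAX_FAILED_ATTEMPTS = 3       # assumption: lock before repeated guessing leaks the fixed positions


def ordinal(n: int) -> str:
    """1 -> '1st', 2 -> '2nd', 3 -> '3rd', 11 -> '11th', 107 -> '107th'."""
    if 10 <= n % 100 <= 20:          # 11th, 12th, 13th, 111th ...
        suffix = "th"
    else:
        suffix = {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


@dataclass
class PartialPasswordSession:
    """Holds the positions a customer must answer for until they log on or off."""
    password: str                                        # see the note below on storage
    positions: List[int] = field(default_factory=list)   # 0-based indices into password
    failed_attempts: int = 0
    locked: bool = False

    def __post_init__(self) -> None:
        if len(self.password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short for a positional challenge")
        if not self.positions:
            self.positions = self._fresh_positions()

    def _fresh_positions(self) -> List[int]:
        # SystemRandom draws from the OS CSPRNG; sample() guarantees distinct indices
        rng = secrets.SystemRandom()
        return sorted(rng.sample(range(len(self.password)), POSITIONS_PER_CHALLENGE))

    def prompt(self) -> str:
        """Wording modelled on the thread's example; 1-based for the customer."""
        human = [ordinal(i + 1) for i in self.positions]
        return ("Please enter the " + ", ".join(human[:-1]) + " and " + human[-1]
                + " characters of your password")

    def verify(self, answer: str) -> bool:
        """Check an answer. A failure keeps the same positions; only a success rotates them."""
        if self.locked:
            return False
        expected = "".join(self.password[i] for i in self.positions)
        # constant-time comparison so response timing does not reveal partial matches
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            self.failed_attempts = 0
            self.positions = self._fresh_positions()   # rotate on successful logon
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
        return ok

    def logoff(self) -> None:
        """Logging off also changes the required characters, as the thread proposes."""
        self.positions = self._fresh_positions()


if __name__ == "__main__":
    session = PartialPasswordSession("correct horse battery staple example")  # constructed
    print(session.prompt())
```

The two design points worth noticing: failed attempts do not change the challenged positions, so a guesser cannot collect the whole password one challenge at a time by deliberately failing, and the comparison is constant-time. The scheme's well-known cost is visible in the `password` field: to check individual characters the bank must keep the password in a form from which those characters can be recovered (reversibly encrypted, or with a separate secret per position), because an ordinary one-way hash of the whole password cannot answer a "3rd and 26th character" question. That storage decision is the real security trade-off of the approach, not the prompt wording.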