Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Tue, 22 Aug 2000 23:10:46 -0400
Peter Van Epp wrote:

> I expect the card holder agreement holds the client liable for the security of their machine in the fine print.
> 
> snip
> 
> and I expect the same thing applies i.e. the card holder agreement says if it was with your password/passphrase it is considered you
Can anyone verify this? Up until this time, credit card companies have assumed the risk of fraud. If home banking, stock trading, etc. starts putting the risk on the consumer, this should be brought out in the open ASAP. Considering that many home computers are shared by children and other relatively unsophisticated users who download all manner of software, the risk would seem astronomical. AV software is no help against unknown, possibly custom, malware.

I saw a recent news posting by a student helpdesk worker who was complaining that they were being subject to disciplinary action because their newly acquired Linux machine was traced as the source of a cracked university system. The admitted new Linux user was asking how he could prove his system was hacked. Expanding this scenario to banking, stocks, voting and other critical functions makes for interesting possibilities...both for innocent victims and guilty perpetrators. How to prove or disprove a cracked system if it was done properly, with log files (when they exist) removed and without ISP tracing?

As for the original question:
"I mean, if I can break the client's machine and steal useful information from it (passwords, account's data, etc.), is the bank responsible,"
I wouldn't think the bank would be responsible for loss of privacy, but their terms and conditions would determine whether they were responsible for any loss through their services because of it. Again, does anyone have any definitive documentation on who assumes the risk of a compromised home computer used in critical applications?

This would turn the industry upside down...user responsibility for inadequate personal computer security and administration. Think of the practicalities..."you're responsible for the loss because you didn't load the ten patches Microsoft has released in the last few weeks for Internet Explorer/Outlook" or "hey, your kid downloaded the neat screensaver and let the whole world into your computer to trade stocks...tough, pay up." Then, "you say somebody disabled your AV software and personal firewall through an email exploit and then broke in through the VPN? I don't think so; our 'expert security witness' says 512 bit VPNs are unbreakable and the jury agrees. Guilty." It gets ugly real fast.

thanks,
Gary Flynn
Security Engineer - Technical Services
James Madison University