Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Tue, 22 Aug 2000 23:10:46 -0400

Peter Van Epp wrote:

I expect the card holder agreement holds the client liable for the security
of their machine in the fine print.
snip
and I
expect the same thing applies i.e. the card holder agreement says if it was
with your password/passphrase it is considered you

Can anyone verify this? Up until this time, credit card companies
have assumed the risk of fraud. If home banking, stock trading, etc.
starts putting the risk on the consumer this should be brought
out in the open ASAP. Considering that many home computers are shared
by children and other relatively unsophisticated users who download
all manner of software, the risk would seem astronomical. AV software
is no help against unknown, possibly custom, malware.

I saw a recent news posting by a student helpdesk worker who
was complaining that they were being subject to disciplinary action
because their newly acquired Linux machine was traced as the source
of a cracked university system. The admitted new Linux user was
asking how he could prove his system was hacked. Expanding this
scenario to banking, stocks, voting and other critical functions makes
for interesting possibilities...both for innocent victims and guilty
perpetrators. How to prove or disprove a cracked system if it was done
properly with log files (when they exist) removed and without ISP tracing?

As for the original question:

"I mean, if I can break the client's machine
and steal useful information from it (passwords, account's data, etc.),
is the bank responsible,"

I wouldn't think the bank would be responsible for loss of privacy
but their terms and conditions would determine whether they were
responsible for any loss through their services because of it. Again,
does anyone have any definitive documentation on who assumes the
risk of a compromised home computer used in critical applications?
This would turn the industry upside down...user responsibility
for inadequate personal computer security and administration. Think
of the practicalities..."you're responsible for the loss because you
didn't load the ten patches Microsoft has released in the last few
weeks for Internet Explorer/Outlook" or "hey, your kid downloaded the
neat screensaver and let the whole world into your computer to trade
stocks....tough, pay up." Then, "you say somebody disabled your AV
software and personal firewall through an email exploit and then broke
in through the VPN, I don't think so, our 'expert security witness'
says 512-bit VPNs are unbreakable and the jury agrees, guilty." It
gets ugly real fast.

thanks,

Gary Flynn
Security Engineer - Technical Services
James Madison University

