Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Thu, 31 Aug 2000 20:02:39 +0100

I've quite a bit of experience of Internet Banking (I help run the 4th
biggest in the world).

Stuff like (encrypted) pages being stored in the cache, and so available
to any/all users of the same computer, are often considered by the press
to be breaches in security, but fundamentally you must look at the
comparative risk - do you use your credit card in restaurants?

From my experience, the banks are simply trusting the fraud detection
computers to pick up dodgy transactions, of any kind, and alert the
authorities.

...and frankly, considering that fraud is relatively rare, that's not
a bad idea.

Dom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Jim Miller
Sent: 29 August 2000 21:34
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING


IMHO2:  You will never get a banking customer in West Texas to use the
Internet for banking if you require him to "enter the 3rd, 26th, 38th, 41st
and 107th characters of your password".  It's unreasonable.  My own bank
has a box on the login screen that asks if the customer wants to have his
system remember the password so he does not have to be pained for it.  I
think that puts the Bank at risk of being sued, and plan to ask if it can be
removed.  It stores the password in a cookie on the customer's drive.  And
it can be hacked.  I have seen no system prevention against a site reading
another site's cookies, and it is certainly hackable locally.

Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas   77805-8100
979/361-6515
801/835-5546
millerj () fabtexas com

Chris () LAYCOCK-KETTON FREESERVE CO UK 08/29/00 04:29AM >>>
IMHO: The bank should warn people not to store their password in the cache
of their web browser.  This would stop some attacks, although they shouldn't
be responsible for keystroke logs.  Most of the problems would be solved if
the user had a long password and was asked for random characters from it, e.g.
"Please enter the 3rd, 26th, 38th, 41st and 107th characters of your
password", and setting it so that only logging on and off will change the
characters required.  AFAIK this system is used by some banks over the phone
but not over the net.

Chris
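As an added illustration of the partial-password login Chris describes (and Jim objects to), not code from any poster: a hypothetical server-side implementation in Python that picks random positions, re-issues the same positions until a successful login or a logoff, and compares the answer in constant time. It assumes the password is held server-side in a form that allows per-position lookup, which is the scheme's built-in cost: a one-way hash of the whole password cannot answer "what is the 26th character", so the secret store must be protected accordingly.

```python
import hmac
import random
import secrets
from typing import List, Optional


class PartialPasswordChallenge:
    """Server side of the 'enter the 3rd, 26th ... characters' login.
    Hypothetical implementation; the secret is kept so that single
    characters can be looked up by position (a hash of it would not do)."""

    def __init__(self, secret: str, positions_per_challenge: int = 5,
                 rng: Optional[random.Random] = None):
        if positions_per_challenge > len(secret):
            raise ValueError("password shorter than the number of positions asked")
        self._secret = secret
        self._k = positions_per_challenge
        # SystemRandom draws from the OS CSPRNG; a seeded Random can be injected for tests
        self._rng = rng or secrets.SystemRandom()
        self._positions: Optional[List[int]] = None

    def challenge(self) -> List[int]:
        """Return the 1-based positions to ask for. The same positions are
        re-issued until a successful login or a logoff, so a failed attempt
        does not hand out a fresh set of positions on every reload."""
        if self._positions is None:
            self._positions = sorted(
                self._rng.sample(range(1, len(self._secret) + 1), self._k))
        return list(self._positions)

    def verify(self, answer: str) -> bool:
        """Check the characters supplied for the outstanding challenge."""
        positions = self.challenge()
        expected = "".join(self._secret[p - 1] for p in positions)
        # compare_digest returns False (without raising) on a length mismatch
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            self._positions = None  # success: new positions next time
        return ok

    def logoff(self) -> None:
        """Logging off also retires the outstanding challenge."""
        self._positions = None

    def has_pending_challenge(self) -> bool:
        return self._positions is not None
```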
-----Original Message-----
From: Rafael Coninck Teigao <rafael () SAFECORE NET>
To: PEN-TEST () SECURITYFOCUS COM <PEN-TEST () SECURITYFOCUS COM>
Date: 26 August 2000 21:07
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING


I'm not cracking the client machine. I'm asking that if it is possible
for someone to crack the client machine and get the password, should the
bank hold liability for it? I already broke into my own machine for that
purpose, so I know it is vulnerable.

   []'s,
   RCT.


Erik Tayler wrote:

I do not believe the bank even has the right to have you test
personal computers that are housed in a residence. Ask a lawyer to be
certain, but that seems like a large invasion of privacy. I have
previously used home-banking, and I would be furious if my bank hired
people to break into my home network. I think one could consent to
such a service, I am not saying it is un-performable, but it sounds
like a pain to get such permission from everyone subscribing to the
home-banking system. Sniffing someone while they are transferring
sensitive information is just as effective as breaking into their
network/pc. None of what I just said is of any relevance if you are
not referring to the consumers that actually access the bank via
modem or web-interface to view their financial data.

Erik Tayler
14x Network Security
http://www.14x.net
