Penetration Testing mailing list archives
RE: Bank pen test
From: "Bergert, David" <David.Bergert () rsmi com>
Date: Wed, 8 Mar 2006 10:38:10 -0600
At first glance Ingdirect looks to have a pretty good implementation of this type of thing: https://secure.ingdirect.com/myaccount/

The letters and image name are passed and mapped server-side at ING rather than at the client, and the keypad is randomized on each page load/refresh.

Regards,

David Bergert
Supervisor, Technology Risk Management Services
RSM McGladrey, Inc.
201 North Harrison Street, Suite 300
Davenport, IA 52801
Office: 563-888-4023
Mobile: 563-650-6006
Fax: 563-324-6939
david.bergert () rsmi com
www.rsmmcgladrey.com

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Wednesday, March 08, 2006 3:36 AM
To: Jon Gucinski; pen-test () securityfocus com
Subject: RE: Bank pen test

Hello,

Further to procrastinating... I gave Westpac as an example from a bank in the last post. Now they have changed to a "virtual keypad" (see https://businessonline.westpac.com.au/esis/Login/SrvPage) to "improve security" and stop trojans from being able to capture data. Unfortunately there is no gain other than perception and FUD.

Looking at the page source - no hacking, not even the simple stuff - the Java (i.e. JavaScript) is not compiled. There is a VERY simple form submission. The keys are mapped:

  Table 1 contains numbers ordered from 1 to zero
  Table 2 contains letters ordered from A to M
  Table 3 contains letters ordered from N to Z

Writing a ***SMALL*** script/trojan to capture the form submission is simple. So you mix it up; they give the mappings. E.g.:

  <TD><input type="button" name="M" tabindex="27" alt="M" onclick="act(34, this);" class="key" value=" M "></TD>

I come back and it is "randomised":

  <TD><input type="button" name="M" tabindex="27" alt="M" onclick="act(18, this);" class="key" value=" M "></TD>

But it is stored on the PC. So I send a code - big deal - they map it. I just need to store the mapping (i.e. the page source extract) and the form.
They should at LEAST compile the Java into a class file and try to make it a little more difficult to make a trojan designed to capture the key mappings. Just displaying the information IN THE CLEAR does not even require any skills to create a compromise. (At least Citibank compiles the Java.)

You include the following in the code:

  <SCRIPT LANGUAGE='JAVASCRIPT'>
  <!--
  function assignEntry() {
    var uP = document.form.pwd.value;
    document.form.password.value = "w" + uP;
    document.cookie = "checker=cookiesEnabled; path=/; domain=.westpac.com.au";
  }
  //-->
  </SCRIPT>

and

  <!--
  function prepareSubmit() {
    a=document.form.password.value;
    b=document.form.halgm.value;
    b=b.replace(/\n|\r|\r\n|\n\r/g,"");
    document.form.password.value=a+"*"+b;
  }

and

  <SCRIPT language="JavaScript">
  <!--
  var malgm="6FWDGTZMISY179R5BCOLQVXNH8P3KEU024JA";
  //-->
  </SCRIPT>
  <input type="hidden" name="halgm" value="hAlW//lNKdxt9XigOOszWi+H77/0s2p8nglqSJRT2/8Oxb2pc7wDnxZ8N9uGeIB81 CZjy3hweaJP +yXbrnfneSk5Oq6DbAv/fpSDxlMvWlxZ8Y3p+07oSw=="/>
  <!--END PWD_AREA-->

Etc.

This means you display the mapping and thus the randomisation is useless. The hash can be stored if you wish, but as the keys can be mapped and the table captured there is no reason to even bother with this.

So, do [large] banks really care? Well, some of the people do, but unfortunately they are not the ones making the decisions. This also relates back to "everyone should be securing their systems" - well yes, but "should be" and "are doing so" are not the same.

This is a vulnerability. The issue is that fixing it will cost money and thus it is there. The level of risk is not high for the bank, and if you do not use public terminals and have good practices at work and home etc. it should be a minimal risk for the consumer. Many people do use banking in kiosks so.....
Regards,
Craig
Current thread:
- RE: Bank pen test Craig Wright (Mar 06)
- Re: Bank pen test Vaidya (Mar 07)
- <Possible follow-ups>
- RE: Bank pen test Craig Wright (Mar 07)
- RE: Bank pen test Jon Gucinski (Mar 07)
- RE: Bank pen test Craig Wright (Mar 08)
- RE: Bank pen test Craig Wright (Mar 08)
- RE: Bank pen test Craig Wright (Mar 08)
- RE: Bank pen test Omar A. Herrera (Mar 09)
- RE: Bank pen test Bergert, David (Mar 09)