Security Basics mailing list archives
RE: Core Banking Applications
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Thu, 22 Sep 2005 12:59:13 -0400
The very first thing that popped into my head is "I don't know anything about banking systems." Then I wondered how many people DO know about the kinds of systems working within a bank environment and how they interact. I answered "Probably not too many."
From a security point of view, I tend to think the fact that such information is "relatively" unknown is a good thing. From a Social Engineering / Phishing standpoint, if I wanted to know what systems were running at what Bank I could go through the archives of the posts and look for email addresses relating to @citibank.com or @HSBC.com or what have you. Then I could read about some poor schlep who can't get "system a" to work with "system b" and he's getting "error code c". Now with that, I have a lot of information about what systems are running at a particular bank and what problems they are having. I could research the error and find out that "error code c" is produced when some application is running a particular level of code. I could then research the particular application and search for or create an exploit for it. Now armed with all that, I can work on owning your bank systems.

I know the argument of security through obscurity has been debated before, and in MOST cases shouldn't apply. However, with the increase of identity theft, and online DBs being hacked / stolen, I am thinking that this kind of information, while it will certainly be useful where applied, may fall into the wrong hands and be used improperly.

We can say the same for any of these kinds of lists. The difference is, while your Email Server or File Server or SQL Server may contain sensitive data and those forums give out A LOT of personal-important info, you probably don't work in a BANK or FINANCE INSTITUTION where the primary job function is to process, store and distribute money. My money and your money. When you get money involved, people go out of their way to get some. If you provide a repository for bank-specific security information, be sure that it will be monitored by an unscrupulous bunch.

This is simply my first notion of the idea. Personally, I'd like to know more about banking infosec. It's just that such information seems quite sensitive considering its content. Good Luck with it, and where can I sign up?
-JMB

| -----Original Message-----
| From: Lbuchalski () bankinfosecurity com
| [mailto:Lbuchalski () bankinfosecurity com]
| Sent: Tuesday, September 20, 2005 2:06 PM
| To: security-basics () securityfocus com
| Subject: Core Banking Applications
|
| Hello,
|
| I am considering creating a core application
| security mailing list for the banking industry, and
| wanted to know if others felt that it would be a
| worthwhile endeavor. I have already submitted this
| question to the pen-test list, however, I am
| looking for some additional guidance.
|
| My name is Lila Buchalski, and I am the editor for
| www.Bankinfosecurity.com (BIS). BIS is a banking-
| specific information security portal that features
| technology and news updates, up-to-date event
| calendars, webinar information, white papers, and more.
|
| Others in the industry have expressed interest in
| both joining and moderating this list, but I am
| looking for feedback in regard to its organization.
| For example, should there be specific application
| threads, etc. I want to know what others are
| interested in seeing!
|
| Also, if you would like to join, please send an e-mail
| to CoreAppSecurity () Bankinfosecurity com.
|
| Thanks in advance.
| Lila B.
| lbuchalski () bankinfosecurity com