Security Basics mailing list archives

Re: Bank Of Montreal Online Security


From: Nathan V <nathan.v () gmail com>
Date: Sat, 24 Nov 2012 10:42:56 +0430

Using anything other than OTP is asking for trouble.  Even click-in
PINs and some MFA can be captured with ZeuS.  As long as there is a
repeatable login there will be malware that can replay it to steal your
information.

How big of an issue it is for someone to get into your account is
lower impact if the data they can find once logged in isn't helpful.
For example, logging into my bank account doesn't show full account
information or much that is very useful, and I have the features that
would allow electronic transfer outbound disabled.  I'd still prefer
to keep my privacy, but at least someone won't be able to steal my
money.  Currently there are no standards on what can or can't be shown
without better authorization, and the differences have resulted in
breaches as we've seen, but that is something the industry is slowly
improving on already.

Someone above mentioned PCI compliance.  PCI compliance focuses on the
technical side of how the servers that process credit card information
are set up and how they communicate and store that data.  IIRC the
only passwords that PCI actually cares about are for accessing those
systems directly, not end-user authentication.  PCI will help you
prevent a massive breach but it doesn't specifically protect the
individual users if you have a crummy backend.

On Fri, Nov 23, 2012 at 4:15 PM, Ken Schaefer <ken () adopenstatic com> wrote:
I'd count one example as "rare" :)

In any case, the Citibank example cited isn't an attack by one party on another person's account. It is an attack 
against the bank's systems, but retrieving money from one's own account(s).

Ultimately the question comes down to cost/benefit. Whilst I agree that banks (and others) are under daily attack, 
that's not a justification for deploying and operating more complex security infrastructure.

Unless (("cost of implementation" < "cost of non-implementation") AND ("nothing better to spend IT budget on"==true)) 
then it's not going to happen. For some orgs the equation above works, and for others it doesn't.

Cheers
Ken

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Davin Enigl
Sent: Sunday, 4 November 2012 12:51 PM
To: security-basics () securityfocus com
Subject: Re: Bank Of Montreal Online Security



On 11/02/2012 12:07 PM, Mikhail A. Utin wrote:
Hello,
Frankly, considering the usual number of a bank's customers, which could be up to 10 million, using anything better than a 
user name and a password creates a technical problem for IT, meaning finally money. Breaking into bank accounts and 
stealing information is relatively rare. I do remember they replaced my credit cards twice during twenty years. I 
have accounts with 5 major banks, so see the statistics. I would believe that it is much cheaper for a bank to fix 
accounts, replace cards, etc., than to keep an on-line complex authentication system.
RBS Citizens also uses an image associated with an account, which adds some security value.
Regards

Mikhail Utin, CISSP

Rare? You have got to be kidding. You are a CISSP?

 --Fourteen Charges in Precision Cyberheist Case (October 30, 31 & November 1, 2012) Fourteen people have been 
charged in connection with a coordinated cyberheist that netted thieves more than US $1 million through cash-advance 
kiosks at casinos in Nevada and California. The scheme exploited a flaw in Citibank's system that is supposed to 
prevent checking accounts from being overdrawn and involved making a coordinated series of withdrawals from accounts 
in a brief window of time.
Ringleader Ara Keshishyan faces up to 30 years in prison and a fine of US $1 million. The others face prison 
sentences of up to five years and US $250,000 fines.
http://www.zdnet.com/fbi-catches-gone-in-60-seconds-bank-fraudsters-7000006719/
http://www.informationweek.com/security/attacks/60-second-cash-kiosk-hackers-steal-1-mil/240012604?cid=InformationWeek-Twitter
http://arstechnica.com/security/2012/10/atm-heist-clears-1-million-exploiting-citigroup-e-payment-flaw/
https://www.fbi.gov/sandiego/press-releases/2012/fourteen-charged-in-million-dollar-gone-in-60-seconds-bank-fraud



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
-- 
___________________________
Nathan V
