funsec mailing list archives

Re: [off-list] Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases


From: "Dennis Henderson" <hendomatic () gmail com>
Date: Thu, 28 Jun 2007 07:44:32 -0500

On 6/27/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:

On Wed, 27 Jun 2007 22:01:33 CDT, Dennis Henderson said:
> Can anyone explain how getting pwned by a keylogger or a trojan is not their
> fault? Do we have to argue what "fault" is? I hope not, because that could
> take days... :)

Hmm.. there was a bunch of Italian websites serving up exploits pretty
recently.  Whose fault is it if you visit some presumably trustable and
legitimate website that you've been visiting for *years*, and that morning
they got hacked and sent your copy of IE an exploit for a yet-unpatched
vulnerability?


Yes, and I included 0days as a vector.



Or even better - a 3rd party site that does banner ads and the like is the
one that got hacked.

So you visit www.snopes.com, and you find out the hard way that
www.burstnet.com was pwned.

Care to explain to me how *THAT* is the fault of any Joe Sixpack?  Remember
that if you say it's their fault, you *also* need to provide *workable*
advice on how they were supposed to prevent it.  Good luck explaining
noscript.net to Joe Sixpack, let me know how that works out for you...


So Valdis, you got pwned on snopes? :)

So tell me what steps do you take to make sure your online banking
experience is a safe one? If you don't do online banking, then please don't
comment further in this thread. Is it so beneath you to provide positive
advice or commentary on *any* topic?

Goes right back to the responsibility of doing online banking. People who
are clueless about Internet risks should not do their banking online. If
they cannot take the time to get/keep their computer in shape, and perhaps
read about how to set their browser security to appropriate levels and know
the signs of their company's real website as opposed to a fake one, then
they share some responsibility in their potential loss.

Don't download every free tool and software you can get your hands on.
Read the EULAs when you do. These are basic bits of information that can
help people stay out of trouble.
Make Fergie happy, run TrendsAV.
Patch to the hilt.
Run a firewall.
Learn how to tell if you're actually on your bank's site. It's really not that
hard given all the resources that browsers come with these days.
Don't click on any and all links in emails, especially if they're from your
bank or financial institution.
If your bank sends you emails with links, find another bank.

These are basic bits of information that can help people stay out of
trouble.
Sounds clueless? Well, to clueless people these things are probably sage
advice.


Won't remove the risk, but it can reduce it dramatically.

0days are still a minor vector compared to what's keeping the online banking
fraud cartels alive.

Does anyone have the balls to admit that they have been pwned through no
fault of their own? I would love to hear that story.

There's this security person by the name of Raven Adler.  I suggest you ask
her whose fault it was she got nailed by a MacOSX 0-day in front of everybody,
and how things turned out when she went to talk to Apple about it...

Unlike you, I don't want to be argumentative about every little topic, but
IIRC, her box was probably already pwned when she got there and someone
scanned it, and found the pwnage while she was presenting.

She mentioned that her boyfriend was using the laptop. It probably got pwned
due to his surfing habits. Yes, it probably was a 0day, but the more a user
strays to the dark side of the Internet, the more likely they are to visit a
site with "free software" or nifty little iframes and suffer the results of
the "other" stuff that comes with it.

So banks should just happily pay out lost money due to the habits and lack
of responsibility of the customer? It will eventually come to a head when
banks get tired of losing money due to the stupidity of their customers.


To bring this back to the original purpose of the thread, I am not a
proponent of wanting to inspect every person's computer that reports fraud. I
am more a proponent of having customers do preventative things up front that
will reduce the incidence of reported fraud in the first place. Or not do
stupid things that can bring about fraud.

I've looked at referrer logs and saw a customer's personal portal that has a
link to my bank and the link text is their friggin userid. That person is
one that should lose out on any fraud loss challenge. I've even seen portal
pages where they have the id and a hint as to what the password is...
These customers get locked out and when they call in, we force them to
remove that info before we let them back in. If they then fire us, we say
sorry, see you later, but our overall risk probably just went down a tick.

Anyway, peace and love!
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.