Information Security News mailing list archives

Re: Internet banking 'no longer safe'


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Mar 2004 00:58:07 -0600 (CST)

Forwarded from: Eric Hacker <isn () erichacker com>

Comments inline

 http://www.theadvertiser.news.com.au/common/story_page/0,5936,8912876%255E421,00.html

 By Simon Atkinson and Michael Corkill
 09 mar 04

 ONLINE banking in Australia was fraught with danger and "manifestly
 not suitable" for Internet transactions via the home computer, says
 leading Internet security expert, Professor Bill Caelli, AO.

It is 'experts' like Mr. Caelli that give serious InfoSec
practitioners a bad name amongst business people. As illustrated below
he doesn't seem to get the differences between vulnerabilities,
threats, and risk.

...
 "A home PC was never designed for home banking," said Professor
 Caelli, .... "Do not use it, it's no longer safe."

Was it ever safe by his definition? Banking online is safe because the
banks cannot afford to have widespread fraud or any appearance of
such.

...
 "It is like telling people to stop driving their cars because the
 roads are not safe," said ABA chief executive David Bell.

Mr. Bell, a businessman, groks security better than Mr. Caelli the
academic security expert. Cars are vulnerable to all kinds of attacks.

Imagine one is driving down a country road. On the side is an
obviously homemade detour sign pointing down a gravel road leading
into a forest. Following this road and around the bend are a bunch of
thugs who will threaten the car's occupants with guns, steal the car,
and leave the occupants lost in the country.

Mr. Caelli would have you believe that this is the fault of the car.

Mr. Bell would be happy that everyone was safe and that one had car
theft insurance. That is managing risk, not vulnerabilities.

...
 The Brisbane-based Australian Computer Emergency Response Team
 (ACERT), which handles national computer threats, said it had seen
 a steady rise in e-mail "phishing expeditions" by hackers (attempts
 to persuade consumers to click on fake web banking pages and
 thereby gain access to account information and passwords).

 "It is not a major problem but it is a major concern," said general
 manager Graham Ingram.

Actually, in the financial industry phishing is a major problem right
now. The financial industry wants to protect the consumer and remove
all the homemade detour signs to make the roads safer, but they don't
own the roads and aren't allowed to touch the signs. It is often
difficult to get the road crew out there to remove the detour signs.

 However Griffith University network security lecturer Dr Vallipuram
 Muthukkumarasamy said most banks would not admit being the victim
 of computer hackers.

 He said academics knew that "several banks have been compromised
 not only in Australia but in other countries".

If customers were unhappy with the way their money was being handled,
then they'd be leaving and we'd be hearing about it. So long as the
banks are absorbing the risk of online banking, then it is secure for
users to do so.

Security is an absence of risk, not vulnerability.

Eric Hacker



-
ISN is currently hosted by Attrition.org
