Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: Peter Van Epp <vanepp () SFU CA>
Date: Wed, 23 Aug 2000 20:51:47 -0700


Peter Van Epp wrote:

I expect the card holder agreement holds the client liable for the security
of their machine in the fine print.
snip
and I
expect the same thing applies i.e. the card holder agreement says if it was
with your password/passphrase it is considered you

Can anyone verify this? Up until this time, credit card companies
have assumed the risk of fraud. If home banking, stock trading, etc.
starts putting the risk on the consumer this should be brought
out in the open ASAP. Considering that many home computers are shared
by children and other relatively unsophisticated users who download
all manner of software, the risk would seem astronomical. AV software
is no help against unknown, possibly custom, malware.


        From the fine print of the first (Canadian) online trading site that
I remember bombarding me on the radio (in 3 point type marked "fine print" at
the very bottom of the web page ...):

"Virus Checks

When using this web site, it is up to you to take reasonable precautions to
scan for computer viruses, worms, Trojan horses, and other items of a
destructive nature. It is also up to you to ensure that you have a complete and
current backup of the information contained on your computer system prior to
using this web site."

        There are some more about not accepting any liability for anything
including negligence which I'm not sure would stand up (reminds me of a
software licence agreement in fact ...) there as well. Probably keep a lawyer
employed and in court for life I expect.
        I expect you can find a similar example at almost any online trading
site or perhaps in their written card holder policy. Lots of wriggle room there
for their lawyer, and I bet they have more money than you do ...
        Again to make this somewhat relevant to this list, all you penetration
testers should be ensuring that the bank or company does have such legal
language protecting them from liability on the customer's machine in their
agreement with the customer as part of your security audit. Otherwise you have
left a gaping hole in their security defences (breach by liability law suit,
a new CVE classification :-) ).
         I assume anyone using such a service (or a bank card which both this
and online banking are far closer to than the CC companies) has read all the
fine print, but I doubt it. One of my colleagues got a very surprised reaction
from her bank when (after reading the fine print and asking) she insisted on
a separate account unlinked to her main account for her bank card since the
agreement said the bank could transfer funds from any of her accounts to cover
a request by the bank machine for funds without limit in the fine print and
she wasn't agreeable. You probably won't be surprised to discover she is
damn good at NT security (not necessarily 100% successful, but damn good ...)
        While not a lawyer nor do I play one on Usenet or mailing lists I'd
expect that this clause (and some more like it) would put the responsibility on
me (if I was trusting or foolish enough to use such a service) and thee for the
security of my machine (which is only common sense, if failing to plainly state
the risk the customer is assuming) of a back orifice or friends breakin. That
is certainly true of bank cards, if your PIN is presented the transaction is
yours (again at least here in Canada, your mileage and/or laws may vary). To
date at least here, online banking isn't that dangerous (except possibly to
your privacy). There is no value proposition (at least that I can see) other
than the hassle of correcting all your money being applied to your own hydro
account for instance. You currently can't transfer money to other people
electronically (at least where I bank, not that I bank electronically anyway).
Online stock trading is a different proposition. Although some people who do
trade say I couldn't profit by setting a cheap buy order and then using your
account to sell at below my buy price, some kind of pool and limits would kick
in. But even if I can't personally profit, I can (as I see it anyway) cause you
a big loss and big hassle and if I don't like you (think script kiddie here) ...
        I've always assumed that our banks understand this perfectly. I have
been told the bastion hosts on the bank systems are B2 evaluated and maintained
by people that know how to secure them, you probably won't get in via their end
but the customer end is a different story and plainly the customer's problem.
You are unlikely to be able to break SSL on the link from the bank to you (and
there is good argument that would be Netscape or Microsoft's fault if you could
not the bank's). That leaves the customer's machine which is likely wide open
and all the encryption or VPNs in the world won't protect that (not that the
average consumer probably understands that), but no sensible company would take
on that liability either.
        Since I don't bank electronically I don't have a card holder agreement
to read, but I expect it has words equivalent to those above to protect the
bank (it's certainly what I would be advising should I work for the bank and
I expect they have lots of people just as paranoid as me ...).

#include <std.disclaimer> (I'm speaking for myself only here ...)
