Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Peter Van Epp <vanepp () SFU CA>
Date: Wed, 23 Aug 2000 20:51:47 -0700
> Peter Van Epp wrote:
>> I expect the card holder agreement holds the client liable for the security of their machine in the fine print.
> snip
>> and I expect the same thing applies i.e. the card holder agreement says if it was with your password/passphrase it is considered you
> Can anyone verify this? Up until this time, credit card companies have assumed the risk of fraud. If home banking, stock trading, etc. starts putting the risk on the consumer this should be brought out in the open ASAP. Considering that many home computers are shared by children and other relatively unsophisticated users who download all manner of software, the risk would seem astronomical. AV software is no help against unknown, possibly custom, malware.
From the fine print of the first (Canadian) online trading site that I remember bombarding me on the radio (in 3 point type marked "fine print" at the very bottom of the web page ...): "Virus Checks When using this web site, it is up to you to take reasonable precautions to scan for computer viruses, worms, Trojan horses, and other items of a destructive nature. It is also up to you to ensure that you have a complete and current backup of the information contained on your computer system prior to using this web site." There are some more about not accepting any liability for anything including negligence which I'm not sure would stand up (reminds me of a software licence agreement in fact ...) there as well. Probably keep a lawyer employed and in court for life I expect. I expect you can find a similar example at almost any online trading site or perhaps in their written card holder policy. Lots of wriggle room there for their lawyer, and I bet they have more money than you do ...

Again to make this somewhat relevant to this list, all you penetration testers should be ensuring that the bank or company does have such legal language protecting them from liability on the customer's machine in their agreement with the customer as part of your security audit. Otherwise you have left a gaping hole in their security defences (breach by liability law suit, a new CVE classification :-) ). I assume anyone using such a service (or a bank card which both this and online banking are far closer to than the CC companies) has read all the fine print, but I doubt it. One of my colleagues got a very surprised reaction from her bank when (after reading the fine print and asking) she insisted on a separate account unlinked to her main account for her bank card since the agreement said the bank could transfer funds from any of her accounts to cover a request by the bank machine for funds without limit in the fine print and she wasn't agreeable. You probably won't be surprised to discover she is damn good at NT security (not necessarily 100% successful, but damn good ...).

While not a lawyer nor do I play one on Usenet or mailing lists, I'd expect that this clause (and some more like it) would put the responsibility on me (if I was trusting or foolish enough to use such a service) and thee for the security of my machine (which is only common sense, if failing to plainly state the risk the customer is assuming) in the event of a Back Orifice or friends' break-in. That is certainly true of bank cards: if your PIN is presented the transaction is yours (again at least here in Canada, your mileage and/or laws may vary). To date at least here, online banking isn't that dangerous (except possibly to your privacy). There is no value proposition (at least that I can see) other than the hassle of correcting all your money being applied to your own hydro account for instance. You currently can't transfer money to other people electronically (at least where I bank, not that I bank electronically anyway).

Online stock trading is a different proposition. Although some people who do trade say I couldn't profit by setting a cheap buy order and then using your account to sell at below my buy price, some kind of pool and limits would kick in. But even if I can't personally profit, I can (as I see it anyway) cause you a big loss and big hassle and if I don't like you (think script kiddie here) ... I've always assumed that our banks understand this perfectly. I have been told the bastion hosts on the bank systems are B2 evaluated and maintained by people that know how to secure them; you probably won't get in via their end, but the customer end is a different story and plainly the customer's problem. You are unlikely to be able to break SSL on the link from the bank to you (and there is good argument that would be Netscape or Microsoft's fault if you could, not the bank's).

That leaves the customer's machine which is likely wide open and all the encryption or VPNs in the world won't protect that (not that the average consumer probably understands that), but no sensible company would take on that liability either. Since I don't bank electronically I don't have a card holder agreement to read, but I expect it has words equivalent to those above to protect the bank (it's certainly what I would be advising should I work for the bank and I expect they have lots of people just as paranoid as me ...).

#include <std.disclaimer> (I'm speaking for myself only here ...)
Current thread:
- [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Pluto (Aug 26)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Domenico De Vitto (Aug 28)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Erik Tayler (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H D Moore (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Iván Arce (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H Carvey (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Lucio A. Molina Focazzio (Aug 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Home-Banking PEN-TESTING Loschiavo, Dave (Aug 23)