Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: "Tonick, Mike" <Mike.Tonick () PS NET>
Date: Wed, 23 Aug 2000 10:14:08 -0500

Rafael,

The bank is not responsible for securing their customer's machines, as there
may be pre-existing vulnerabilities that the customer has introduced.
However, if the bank is aware of a vulnerability, introduced by their client
based software, then they have an obligation to notify their clients
immediately, and to correct the problem, either with a patch - if the
problem is serious enough, or at the next scheduled release of software,
whichever can be accomplished first.

What you have described is the main issue with installing and maintaining
client based software, and why it is sometimes avoided wherever possible.

You cannot force your client into doing the right thing.  Your
responsibility is to document the issue.  Describe the vulnerability,
describe how it may be manipulated, and list the names of those whom you
have made aware of the issue.  Make sure your documentation of the
vulnerability is distributed to the responsible parties, at the bank, and to
your internal management.  If there is a master account file maintained by
your company, you should make sure your documentation of the vulnerability
is filed for safekeeping.


Regards,

Michael D. Tonick, CISSP
Senior Security Consultant
Perot Systems
Dallas, Texas


-----Original Message-----
From: Rafael Coninck Teigao [mailto:rafael () SAFECORE NET]
Sent: Monday, August 21, 2000 5:32 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Home-Banking PEN-TESTING


Hi, ppl.
    I'm pen-testing a home-banking system. My client has a doubt and we
basically disagree on some level: is the client's machine the
responsibility of the bank? I mean, if I can break the client's machine
and steal useful information from it (passwords, account data, etc.),
is the bank responsible, having in mind that its programmers can fix
the problem (they just don't do it 'cause it is costly)?
    Let me hear what you think.

    []'s,
    RCT.

--
-------------------------------------------------------------------------------
And the Raven, never flitting, still is sitting, still is sitting
On the pallid bust of Pallas just above my chamber door;
And his eyes have all the seeming of a demon's that is dreaming,
And the lamp-light o'er him streaming throws his shadow on the floor;
And my soul from out that shadow that lies floating on the floor
Shall be lifted - nevermore!
        E. A. Poe --> The Raven (c1845)
-------------------------------------------------------------------------------

