Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: "Tonick, Mike" <Mike.Tonick () PS NET>
Date: Wed, 23 Aug 2000 10:14:08 -0500
Rafael,

The bank is not responsible for securing their customer's machines, as there may be pre-existing vulnerabilities that the customer has introduced. However, if the bank is aware of a vulnerability, introduced by their client based software, then they have an obligation to notify their clients immediately, and to correct the problem, either with a patch - if the problem is serious enough, or at the next scheduled release of software, whichever can be accomplished first.

What you have described is the main issue with installing and maintaining client based software, and why it is sometimes avoided wherever possible. You cannot force your client into doing the right thing. Your responsibility is to document the issue. Describe the vulnerability, describe how it may be manipulated, and list the names of those whom you have made aware of the issue. Make sure your documentation of the vulnerability is distributed to the responsible parties, at the bank, and to your internal management. If there is a master account file maintained by your company, you should make sure your documentation of the vulnerability is filed for safekeeping.

Regards,

Michael D. Tonick, CISSP
Senior Security Consultant
Perot Systems
Dallas, Texas

-----Original Message-----
From: Rafael Coninck Teigao [mailto:rafael () SAFECORE NET]
Sent: Monday, August 21, 2000 5:32 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Home-Banking PEN-TESTING

Hi, ppl.

I'm pen-testing a home-banking system. My client has a doubt and we basically disagree on some level: is the client's machine the responsibility of the bank? I mean, if I can break the client's machine and steal useful information from it (passwords, account data, etc.), is the bank responsible, having in mind that its programmers can fix the problem (they just don't do it 'cause it is costly)?

Let me hear what you think.

[]'s,
RCT.
--
----------------------------------------------------------------------------
And the Raven, never flitting, still is sitting, still is sitting
On the pallid bust of Pallas just above my chamber door;
And his eyes have all the seeming of a demon's that is dreaming,
And the lamp-light o'er him streaming throws his shadow on the floor;
And my soul from out that shadow that lies floating on the floor
Shall be lifted - nevermore!
E. A. Poe --> The Raven (c1845)
----------------------------------------------------------------------------