Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 23 Aug 2000 12:51:28 -0500

Hello,

My work allows me to test literally dozens of different home-banking
systems and every single one of them had a disclaimer which places blame
on the customer if their account is compromised through a client
security hole.  Something that my company is offering is a security
scanning service that banks can resell to their customers.  If someone
really wants to protect their account, they can have an automated
assessment done on their home system on their own time.  If the data is
stored in such a way on the client's system that it is trivial to steal
given system access, then the bank should either attempt to minimize
this problem (crypto) or release a document stating the sensitivity of
access to the client's computer.  If they tell the client that anyone
sitting at their computer could theoretically steal their account
information, then that client is going to take steps to minimize the
possibility of that happening.

-HD

http://www.digitaldefense.net

http://www.digitaldoffense.net


Erik Tayler wrote:


I do not believe the bank even has the right to have you test
personal computers that are housed in a residence. Ask a lawyer to be
certain, but that seems like a large invasion of privacy. I have
previously used home-banking, and I would be furious if my bank hired
people to break into my home network. I think one could consent to
such a service, I am not saying it is un-performable, but it sounds
like a pain to get such permission from everyone subscribing to the
home-banking system. Sniffing someone while they are transferring
sensitive information is just as effective as breaking into their
network/pc. None of what I just said is of any relevance if you are
not referring to the consumers that actually access the bank via
modem or web-interface to view their financial data.

Erik Tayler
14x Network Security
http://www.14x.net

----- Original Message -----
From: "Rafael Coninck Teigao" <rafael () SAFECORE NET>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Monday, August 21, 2000 5:31 PM
Subject: Home-Banking PEN-TESTING

Hi, ppl.
    I'm pen-testing a home-banking system. My client has a doubt
and we basically disagree on some level: is the client's machine the
responsibility of the bank? I mean, if I can break the client's
machine and steal useful information from it (passwords, account
data, etc.), is the bank responsible, having in mind that its
programmers can fix the problem (they just don't do it 'cause it is
costly)?
    Let me hear what you think.

    []'s,
    RCT.


