Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Wed, 23 Aug 2000 12:51:28 -0500
Hello,

My work allows me to test literally dozens of different home-banking systems and every single one of them had a disclaimer which places blame on the customer if their account is compromised through a client security hole. Something that my company is offering is a security scanning service that banks can resell to their customers. If someone really wants to protect their account, they can have an automated assessment done on their home system on their own time.

If the data is stored in such a way on the client's system that it is trivial to steal given system access, then the bank should either attempt to minimize this problem (crypto) or release a document stating the sensitivity of access to the client's computer. If they tell the client that anyone sitting at their computer could theoretically steal their account information, then that client is going to take steps to minimize the possibility of that happening.

-HD

http://www.digitaldefense.net
http://www.digitaldoffense.net

Erik Tayler wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I do not believe the bank even has the right to have you test personal computers that are housed in a residence. Ask a lawyer to be certain, but that seems like a large invasion of privacy. I have previously used home-banking, and I would be furious if my bank hired people to break into my home network. I think one could consent to such a service, I am not saying it is un-performable, but it sounds like a pain to get such permission from everyone subscribing to the home-banking system.

Sniffing someone while they are transferring sensitive information is just as effective as breaking into their network/pc. None of what I just said is of any relevance if you are not referring to the consumers that actually access the bank via modem or web-interface to view their financial data.

Erik Tayler
14x Network Security
http://www.14x.net

- ----- Original Message -----
From: "Rafael Coninck Teigao" <rafael () SAFECORE NET>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Monday, August 21, 2000 5:31 PM
Subject: Home-Banking PEN-TESTING

Hi, ppl.

I'm pen-testing a home-banking system. My client has a doubt and we basically disagree in some level: is the client's machine the responsibility of the bank? I mean, if I can break the client's machine and steal useful information from it (passwords, account's data, etc.), is the bank responsible, having in mind that its programmers can fix the problem (they just don't do it 'couz it is costly)?

Let me hear what you think.

[]'s,
RCT.