Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: Job de Haas <job () ITSX COM>
Date: Thu, 24 Aug 2000 09:12:22 +0200

Hi all,

First about the responsibility. I think there is not so much a question on the
technical responsibility of the customer over his own machine and the bank
over the successful performance of its software. What I have noticed is that
banks very much go out of their way to stress the safety of online payment,
but very much lack in the way they inform and educate their customer on the
risks and the customer's role in this. With clients I always stress that the
fact that they want to be in the forefront of offering all these interesting
services to customers who often very poorly understand the issues, gives
them an additional responsibility in this area (of education).

More than that - banks which _do_ use this kind of routine for online banking
are setting their customers in unnecessary danger by leaving this
possibility to an attacker. After we demonstrated how it's possible to take
over this account, we also suggested modifications to this specific bank:
1. Do not install any software on the client's computer
2. Use the web browser's authentication methods with SSL & Java applets to enter
the account number and a 4/5 digit access code that is permanent and should be
memorized by the client

Pretty funny to read this after I saw a BBC 2 item (Newsnight I think) on
insecurities of online banking in which completely the opposite was
recommended by someone (i.e. from web based to local app).

I'd have my reservations with web based systems too. Notably the ease of
redirecting a site to a mirror site and taking advantage of people not
noticing the SSL lock, or registering slightly modified DNS names and getting
a valid certificate for them. Let alone all the browser bugs that have been
found, which would help subversion and MITM pretty well.

In the end general purpose platforms are just not good enough for secure
transactions. The amount of fraud committed will decide whether we'll see
banks coming up with another platform or not.

Job

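The "slightly modified DNS names" concern above is one a bank's security team can monitor for. The following is an added example, not code from the post or from any bank: given a legitimate domain and a list of observed hostnames (such as newly seen names from certificate or DNS monitoring), it flags names whose registrable label matches the bank's after collapsing visually confusable characters, differs only by a small edit distance, or reuses the label under a different top-level domain. The domain examplebank.com, the hostnames and the confusable table are all constructed for illustration; real deployments would use a public-suffix list and a fuller confusables table.

```python
from dataclasses import dataclass

# Constructed, non-exhaustive table of sequences that look alike in common fonts.
# Multi-character entries are applied before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "5": "s", "3": "e",
}


def normalize(label: str) -> str:
    """Lower-case a label and collapse confusable sequences so look-alikes compare equal."""
    s = label.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname. Assumes a single-label public suffix (simplification)."""
    parts = hostname.lower().strip(".").split(".")
    return parts[0] if len(parts) < 2 else parts[-2]


@dataclass
class Finding:
    hostname: str
    legitimate: str
    distance: int
    reason: str


def flag_lookalikes(hostnames, legitimate: str, max_distance: int = 1) -> list:
    """Return Findings for hostnames that impersonate `legitimate` by look-alike spelling."""
    legit = legitimate.lower().rstrip(".")
    legit_label = registrable_label(legit)
    legit_norm = normalize(legit_label)
    findings = []
    for h in hostnames:
        host = h.lower().rstrip(".")
        # The bank's own domain and its subdomains are not look-alikes.
        if host == legit or host.endswith("." + legit):
            continue
        cand_label = registrable_label(host)
        cand_norm = normalize(cand_label)
        if cand_norm == legit_norm:
            reason = ("confusable characters" if cand_label != legit_label
                      else "different top-level domain")
            findings.append(Finding(h, legitimate, 0, reason))
            continue
        d = levenshtein(cand_norm, legit_norm)
        if d <= max_distance:
            findings.append(Finding(h, legitimate, d, "near-miss spelling"))
    return findings


if __name__ == "__main__":
    # Constructed sample of observed hostnames; examplebank.com stands in for the real bank.
    observed = [
        "examplebank.com", "online.examplebank.com", "examp1ebank.com",
        "exarnplebank.com", "exampleban.com", "examplebank.co", "unrelated.com",
    ]
    for f in flag_lookalikes(observed, "examplebank.com"):
        print(f"{f.hostname:24} distance={f.distance} reason={f.reason}")
```

Edit distance alone misses names that append words (e.g. a "-login" suffix) and cannot see Unicode homographs unless the hostname is first decoded from punycode, so this check is one filter among several rather than a complete detector.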
