Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: Ben Lull <blull () VALLEYLOCAL COM>
Date: Tue, 29 Aug 2000 10:02:40 -0700

I haven't been following this thread too much, but in response to Christopher's
and Rafael Coninck's e-mails...

Christopher Laycock wrote:

IMHO: The bank should warn people not to store their password in the cache
of their web browser.  This would stop some attacks, although they shouldn't
be responsible for keystroke logs.  Most of the problems would be solved if
the user had a long password and was asked for random characters from it,
e.g.
"Please enter the 3rd, 26th, 38th, 41st and 107th characters of your
password", and setting it so that only logging on and off will change the
characters required.  AFAIK this system is used by some banks over the phone
but not over the net.

    If the banking is done via http, the bank is responsible for the security
because it should all be handled on their side.  Cookies should simply identify
whether the machine accessing the page is allowed to or not.  It should contain a
user name or password (encrypted or not).  This way people who just try to
access it cannot without having a correct cookie (the cookie could be
something such as a hashed md5sum of the person's username + social security
+ bank number... stuff that people should not have).  All authentication should
be done via SSL using username/password authentication.  The username and
password should both be linked to the cookie on the client's browser, thus only
allowing login to their single account from their single machine.  This will
defeat all problems with caching and cookies...

    Since the banking is being done via http, they are not responsible for the
end user's security UNLESS anything they place on the user's system can be used
to gain unprivileged access.  If they were to (a username/password in a
cookie), they should be held responsible.

    If the banking is done via custom software, the software which is created
should take extra measures of security.  The person's password should not be
stored locally, but remotely.  The software itself should not contain
vulnerabilities such as stack/heap/format string validation issues.  Extra caution
should be taken with creation of the software (canaries, a completely non-exec
stack).  All communications should be encrypted, with verification that input is
coming from the attached keyboard.  It really wouldn't be too difficult to
create a secure banking environment whether it's using custom software
supplied by the bank, or via http access.




-----Original Message-----
From: Rafael Coninck Teigao <rafael () SAFECORE NET>
To: PEN-TEST () SECURITYFOCUS COM <PEN-TEST () SECURITYFOCUS COM>
Date: 26 August 2000 21:07
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING

I'm not cracking the client machine. I'm asking that if it is possible for
someone to crack the client machine and get the password, should the bank
hold liability for it? I already broke into my own machine for that
purpose, so I know it is vulnerable.

Of course the client machine could possibly be cracked.  The bank should do
everything they can on their side to protect their networks (e.g. don't store
passwords in cookies, period (encrypted or not... they should never be stored on
the client machine)).  If the software being used to access the bank's network
was created by the bank... the same that applies to open-source/closed-source
applications will apply here.  If there are security problems found in the
software, it is the bank's responsibility to fix them as fast as possible.  The
fact that software like that shouldn't have bugs in the first place should be
obvious, and honestly if I was to do online banking and I heard the bank I was
using had security issues with their software in the past, I wouldn't use them
because that points to someone who is not security cautious, specifically with
my money.


Erik Tayler wrote:

I do not believe the bank even has the right to have you test
personal computers that are housed in a residence. Ask a lawyer to be
certain, but that seems like a large invasion of privacy. I have
previously used home-banking, and I would be furious if my bank hired
people to break into my home network. I think one could consent to
such a service, I am not saying it is un-performable, but it sounds
like a pain to get such permission from everyone subscribing to the
home-banking system.

The bank shouldn't even ask you to perform tests against their customers'
computers without prior permission.  If the bank sent out flyers to all its
online banking customers stating they offer free security testing against your
home PC to see if it is vulnerable to attack etc., etc., blah blah blah... At
this point, the bank could contract a penetration tester to attempt
unauthorized access to consenting individuals.  I've noticed that banks seem to
be one of the major influences in the average Joe Schmoe's computer security
understanding.  Most banks say "Hackers could break in and steal confidential
data, this is why we use Secure Socket Layers to protect your privacy"... That
explains nothing to the customer, thus the customer interprets that completely
wrong.  If the bank explained that real threats come from the end user, and
explained why and how it occurs... the end user will be more than willing to
comply with all requests regarding security, as well as learn and practice
security measures.

Attachment: blull.vcf
Description: Card for Ben Lull
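Two mechanisms come up in this post: the partial-password challenge Christopher describes ("enter the 3rd, 26th, ... characters", with the positions changing only at logon/logoff), and the question of what a banking cookie should carry. The following Python sketch is an added example written for this archive page, not code from any poster or bank. It assumes an in-memory server-side store (`ACCOUNTS`, `PENDING`, `SESSIONS`), a constructed demo account, and a process-local `SERVER_KEY`; all of these names are hypothetical. It puts the deterministic cookie the post floats (an MD5 of username + SSN + account number) next to a random, server-signed session handle, so the difference is visible: the first is reproducible by anyone who holds the same three inputs, the second is meaningless without the server's session table and key.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a real service loads the key from a secret
# store and keeps sessions in a database, never in module globals.
SERVER_KEY = secrets.token_bytes(32)

# Demo account (constructed).  The partial-character challenge needs the
# password characters themselves, which is the trade-off of that scheme.
ACCOUNTS = {"alice": "correct horse battery staple 2000"}

PENDING: dict[str, list[int]] = {}   # username -> challenge positions
SESSIONS: dict[str, str] = {}        # session token -> username


def derive_cookie_deterministic(username: str, ssn: str, account_no: str) -> str:
    """The cookie design the post sketches.  Included only to show that the
    value is a pure function of its inputs: it cannot be revoked, and anyone
    holding the same three fields computes the identical cookie."""
    return hashlib.md5(f"{username}{ssn}{account_no}".encode()).hexdigest()


def choose_positions(password: str, count: int = 5) -> list[int]:
    """Pick `count` distinct 1-based character positions with a CSPRNG."""
    return sorted(secrets.SystemRandom().sample(range(1, len(password) + 1), count))


def start_login(username: str):
    """Return the challenge positions for this user.  Positions are created
    once and kept until a successful logon, so a failed guess never yields a
    fresh set of positions (the 'only logging on and off changes them' rule)."""
    pw = ACCOUNTS.get(username)
    if pw is None:
        return None
    if username not in PENDING:
        PENDING[username] = choose_positions(pw)
    return PENDING[username]


def check_challenge(password: str, positions: list[int], answer: str) -> bool:
    expected = "".join(password[p - 1] for p in positions)
    # Constant-time compare so a wrong answer does not leak how many
    # characters matched.
    return hmac.compare_digest(expected.encode(), answer.encode())


def issue_session_cookie(username: str) -> str:
    """Random opaque handle, bound to the user only in the server's table,
    plus an HMAC tag so a forged or tampered cookie is rejected cheaply."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    tag = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{tag}"


def finish_login(username: str, answer: str):
    """Verify the partial-password answer; on success clear the pending
    challenge and hand back a session cookie, otherwise None."""
    pw = ACCOUNTS.get(username)
    positions = PENDING.get(username)
    if pw is None or positions is None:
        return None
    if not check_challenge(pw, positions, answer):
        return None
    del PENDING[username]
    return issue_session_cookie(username)


def resolve_session_cookie(cookie: str):
    """Map a presented cookie back to a username, or None if the tag is bad
    or the session no longer exists.  Nothing in the cookie identifies the
    account by itself."""
    try:
        token, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return SESSIONS.get(token)


def logout(cookie: str) -> None:
    """Server-side revocation: the cookie string becomes worthless at once."""
    SESSIONS.pop(cookie.rsplit(".", 1)[0], None)
```

Usage follows the flow in the post: `start_login("alice")` returns the positions to prompt for, `finish_login("alice", answer)` returns the cookie on success, and `resolve_session_cookie` is what every later request goes through. The random-handle design addresses the caching worry directly: a cached or stolen cookie carries no username or password, and `logout` kills it server-side.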
