Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Ben Lull <blull () VALLEYLOCAL COM>
Date: Tue, 29 Aug 2000 10:02:40 -0700
I haven't been following this thread too much, but in response to Christopher's and Rafael Coninck's e-mails...

Christopher Laycock wrote:

> IMHO: The bank should warn people not to store their password in the cache of their web browser. This would stop some attacks, although they shouldn't be responsible for keystroke logs. Most of the problems would be solved if the user had a long password and was asked for random characters from it, e.g. "Please enter the 3rd, 26th, 38th, 41st and 107th characters of your password", and setting it so that only logging on and off will change the characters required. AFAIK this system is used by some banks over the phone but not over the net.

If the banking is done via http, the bank is responsible for the security because it should all be handled on their side. Cookies should simply identify whether the machine accessing the page is allowed to or not. It should contain a user name or password (encrypted or not). This way people who just try to access it cannot without having a correct cookie (the cookie could be something such as a hashed md5sum of the person's username + social security + bank number... stuff that people should not have). All authentication should be done via SSL using username/password authentication. The username and password should both be linked to the cookie on the client's browser, thus only allowing login to their single account from their single machine. This will defeat all problems with caching and cookies... Since the banking is being done via http, they are not responsible for the end user's security UNLESS anything they place on the user's system can be used to gain unprivileged access. If they were to (a username/password in a cookie), they should be held responsible. If the banking is done via custom software, the software which is created should take extra measures of security. The person's password should not be stored locally, but remotely. The software itself should not contain vulnerabilities such as Stack/Heap/String Format Validation. Extra caution should be taken with creation of the software (canaries, a completely non-exec stack). All communications should be encrypted, and verification that input is coming from the attached keyboard. It really wouldn't be too difficult to create a secure banking environment, whether it's using custom software supplied by the bank or via http access.

> -----Original Message-----
> From: Rafael Coninck Teigao <rafael () SAFECORE NET>
> To: PEN-TEST () SECURITYFOCUS COM <PEN-TEST () SECURITYFOCUS COM>
> Date: 26 August 2000 21:07
> Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING
>
> I'm not cracking the client machine. I'm asking that if it is possible for someone to crack the client machine and get the password, should the bank hold liability for it? I already broke into my own machine for that purpose, so I know it is vulnerable.

Of course the client machine could possibly be cracked. The bank should do everything they can on their side to protect their networks (e.g. don't store passwords in cookies, period, encrypted or not; they should never be stored on the client machine). If the software being used to access the bank's network was created by the bank, the same that applies to open-source/closed-source applications will apply here: if there are security problems found in the software, it is the bank's responsibility to fix them as fast as possible. The fact that software like that shouldn't have bugs in the first place should be obvious, and honestly if I were to do online banking and I heard the bank I was using had security issues with their software in the past, I wouldn't use them, because that points to someone who is not security cautious, specifically with my money.

Erik Tayler wrote:

> I do not believe the bank even has the right to have you test personal computers that are housed in a residence. Ask a lawyer to be certain, but that seems like a large invasion of privacy. I have previously used home-banking, and I would be furious if my bank hired people to break into my home network. I think one could consent to such a service, I am not saying it is un-performable, but it sounds like a pain to get such permission from everyone subscribing to the home-banking system.

The bank shouldn't even ask you to perform tests against their customers' computers without prior permission. If the bank sent out flyers to all its online banking customers stating they offer free security testing against your home PC to see if it is vulnerable to attack etc.. etc.. blah blah blah. At this point, the bank could contract a penetration tester to attempt unauthorized access to consenting individuals. I've noticed that banks seem to be one of the major influences in the average Joe Schmoe's computer security understanding. Most banks say "Hackers could break in and steal confidential data, this is why we use Secure Socket Layers to protect your privacy"... That explains nothing to the customer, thus the customer interprets it completely wrong. If the bank explained that real threats come from the end user, and explained why and how it occurs, the end user will be more than willing to comply with all requests regarding security, as well as learn and practice security measures.
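As an added example (not code from this thread, and not any bank's real implementation), the following Python sketch models two of the controls discussed above: Laycock's partial-password challenge, where the server asks for a few randomly chosen character positions and keeps those positions fixed until a logon or logoff rotates them, and Lull's point that a cookie derived from the customer's username, social security number and account number is a poor session identifier compared with an opaque random token mapped to a server-side record. The `Bank` class, the per-position HMAC tags, the server key, the sample user and the `derived_cookie` helper are all assumptions constructed for the demonstration.

```python
"""Constructed model of a partial-password challenge and an opaque session
cookie. Names, key material and the sample account are made up for this
example; none of it comes from the mailing-list thread.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHALLENGE_SIZE = 5        # how many character positions are asked for
MIN_PASSWORD_LENGTH = 12  # the scheme only makes sense with a long password


def derived_cookie(username: str, ssn: str, account_number: str) -> str:
    """The kind of cookie the thread argues against: md5 of personal facts.

    It is deterministic, so anyone who learns those facts can recompute it,
    and because it never changes it can be replayed indefinitely.
    """
    return hashlib.md5(f"{username}{ssn}{account_number}".encode()).hexdigest()


@dataclass
class Account:
    username: str
    # One HMAC tag per character of the password, keyed with a server-side
    # secret, so the server can verify individual positions without holding
    # the password in clear. (Assumed storage design for the example.)
    position_tags: List[bytes]
    # Positions (0-based) currently being asked for; fixed until rotated.
    challenge: List[int] = field(default_factory=list)


class Bank:
    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._accounts: Dict[str, Account] = {}
        # Opaque cookie -> username. The cookie carries no user data at all;
        # everything lives on the bank's side, as the thread recommends.
        self._sessions: Dict[str, str] = {}

    def _tag(self, position: int, char: str) -> bytes:
        return hmac.new(self._key, f"{position}:{char}".encode(), hashlib.sha256).digest()

    def _new_challenge(self, length: int) -> List[int]:
        return sorted(secrets.SystemRandom().sample(range(length), CHALLENGE_SIZE))

    def enrol(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short for a partial-password challenge")
        tags = [self._tag(i, c) for i, c in enumerate(password)]
        acct = Account(username, tags)
        acct.challenge = self._new_challenge(len(tags))
        self._accounts[username] = acct

    def challenge_for(self, username: str) -> List[int]:
        """1-based positions to show the user, e.g. 'the 3rd, 26th ... characters'."""
        return [p + 1 for p in self._accounts[username].challenge]

    def login(self, username: str, answers: Dict[int, str]) -> Optional[str]:
        """Verify the requested positions; return an opaque session cookie on success.

        A failed attempt deliberately keeps the same challenge, so repeated
        failures cannot be used to fish for a more convenient set of positions.
        Only a successful logon (here) or a logoff rotates them.
        """
        acct = self._accounts.get(username)
        if acct is None:
            return None
        ok = True
        for pos in acct.challenge:
            given = answers.get(pos + 1, "")
            ok = hmac.compare_digest(self._tag(pos, given), acct.position_tags[pos]) and ok
        if not ok:
            return None
        acct.challenge = self._new_challenge(len(acct.position_tags))
        cookie = secrets.token_urlsafe(32)   # 256 random bits, no user data inside
        self._sessions[cookie] = username
        return cookie

    def whoami(self, cookie: str) -> Optional[str]:
        return self._sessions.get(cookie)

    def logout(self, cookie: str) -> None:
        user = self._sessions.pop(cookie, None)
        if user is not None:
            acct = self._accounts[user]
            acct.challenge = self._new_challenge(len(acct.position_tags))


if __name__ == "__main__":
    bank = Bank(b"constructed-server-key-not-for-real-use")
    secret = "correct horse battery staple with extra length"
    bank.enrol("alice", secret)
    asked = bank.challenge_for("alice")
    print("please enter characters at positions", asked)
    cookie = bank.login("alice", {p: secret[p - 1] for p in asked})
    print("session cookie:", cookie, "->", bank.whoami(cookie))
    print("deterministic cookie (avoid):", derived_cookie("alice", "000-00-0000", "12345678"))
```

The test of the design is what an observer gains from each artefact: the derived cookie is recomputable by anyone who holds the same personal facts and never expires, while the opaque token reveals nothing and can be invalidated server-side by `logout`.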