Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Peter Van Epp <vanepp () SFU CA>
Date: Tue, 22 Aug 2000 17:36:24 -0700
Hi, ppl.
I'm pen-testing a home-banking system. My client has a doubt and we
basically disagree in some level: is the client's machine of the
responsibility of the bank? I mean, if I can break the client's machine
and steal useful information from it (passwords, account's data, etc.),
is the bank responsible, having in mind that it's programmers can fix
the problem (they just don't do it 'couz it is costly)?
Let me hear what you think.
[]'s,
RCT.
The obvious one is insinuate BO2K on to the client machine. Security
gone since the attacker can simulate the client (with sniffed real password
from the client's machine). How would the bank differentiate this from the
real client? Why would the bank take responsibility for the client's machine?
I expect the card holder agreement holds the client liable for the security
of their machine in the fine print. Now for publicity reasons they may eat
this so as to not scare off other customers, and there isn't much useful
that you can do (at least on the local version our banks run, ymmv). The
one I expect to see the first big hit from is on line stock trading. The
potential loss is likely to be too high for a brokarage to swallow and I
expect the same thing applies i.e. the card holder agreement says if it was
with your password/passphrase it is considered you (unless you can prove that
the broker's end of the connection was compromised which no one in their
right mind would try given an undefended client machine). If you know of a
way to fix the client's machine in the general case, I (and I'm sure a lot
of other worried security people) would like to hear about it. BO2K will
defeat (with varying amounts of difficulty) even VPNs if you can get BO2K
on to the client machine in the first place (preventing which is the only
defence I'm aware of, and thats not trivial in a distributed case). Feel
free to substitute Sub7 or any of the 30 or 40 other equivelent to BO packages
floating around out there for BO2K in all instances here (because they are
equivelent ...).
Current thread:
- [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Pluto (Aug 26)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Domenico De Vitto (Aug 28)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Erik Tayler (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H D Moore (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Iván Arce (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H Carvey (Aug 23)