Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Peter Van Epp <vanepp () SFU CA>
Date: Tue, 22 Aug 2000 17:36:24 -0700
Hi, ppl. I'm pen-testing a home-banking system. My client has a doubt and we basically disagree in some level: is the client's machine of the responsibility of the bank? I mean, if I can break the client's machine and steal useful information from it (passwords, account's data, etc.), is the bank responsible, having in mind that it's programmers can fix the problem (they just don't do it 'couz it is costly)? Let me hear what you think. []'s, RCT.
The obvious one is insinuate BO2K on to the client machine. Security gone since the attacker can simulate the client (with sniffed real password from the client's machine). How would the bank differentiate this from the real client? Why would the bank take responsibility for the client's machine? I expect the card holder agreement holds the client liable for the security of their machine in the fine print. Now for publicity reasons they may eat this so as to not scare off other customers, and there isn't much useful that you can do (at least on the local version our banks run, ymmv). The one I expect to see the first big hit from is on line stock trading. The potential loss is likely to be too high for a brokarage to swallow and I expect the same thing applies i.e. the card holder agreement says if it was with your password/passphrase it is considered you (unless you can prove that the broker's end of the connection was compromised which no one in their right mind would try given an undefended client machine). If you know of a way to fix the client's machine in the general case, I (and I'm sure a lot of other worried security people) would like to hear about it. BO2K will defeat (with varying amounts of difficulty) even VPNs if you can get BO2K on to the client machine in the first place (preventing which is the only defence I'm aware of, and thats not trivial in a distributed case). Feel free to substitute Sub7 or any of the 30 or 40 other equivelent to BO packages floating around out there for BO2K in all instances here (because they are equivelent ...).
Current thread:
- [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Pluto (Aug 26)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Domenico De Vitto (Aug 28)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Flynn, Gary (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Peter Van Epp (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Erik Tayler (Aug 22)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Rafael Coninck Teigao (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H D Moore (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Iván Arce (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H Carvey (Aug 23)