Re: [PEN-TEST] Home-Banking PEN-TESTING

["Klahn, Paul" <paul () FISHNETSECURITY COM>]

Peter -- I'm not sure it matters what is reasonable to us, the bank has
attorneys, who are rarely reasonable.  I was recently in a meeting with a
major commercial FW/IDS provider.  They are involved in almost the exact
situation you discuss, so I would imagine this will be prevelant with the
on-line banks.  Their direction was pushing an agent to the desktop to test
the security of the user prior to allowing access to their on-line service.
But hey, isn't that the resellers' advantage - paranoia!?

Paul


-----Original Message-----
From: Peter Van Epp [mailto:vanepp () SFU CA]
Sent: Tuesday, August 22, 2000 7:36 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Home-Banking PEN-TESTING


> Hi, ppl.
>     I'm pen-testing a home-banking system. My client has a doubt and we
> basically disagree in some level: is the client's machine of the
> responsibility of the bank? I mean, if I can break the client's machine
> and steal useful information from it (passwords, account's data, etc.),
> is the bank responsible, having in mind that it's programmers can fix
> the problem (they just don't do it 'couz it is costly)?
>     Let me hear what you think.
>
>     []'s,
>     RCT.

        The obvious one is insinuate BO2K on to the client machine. Security
gone since the attacker can simulate the client (with sniffed real password
from the client's machine). How would the bank differentiate this from the
real client? Why would the bank take responsibility for the client's
machine?
I expect the card holder agreement holds the client liable for the security
of their machine in the fine print. Now for publicity reasons they may eat
this so as to not scare off other customers, and there isn't much useful
that you can do (at least on the local version our banks run, ymmv). The
one I expect to see the first big hit from is on line stock trading. The
potential loss is likely to be too high for a brokarage to swallow and I
expect the same thing applies i.e. the card holder agreement says if it was
with your password/passphrase it is considered you (unless you can prove
that
the broker's end of the connection was compromised which no one in their
right mind would try given an undefended client machine). If you know of a
way to fix the client's machine in the general case, I (and I'm sure a lot
of other worried security people) would like to hear about it. BO2K will
defeat (with varying amounts of difficulty) even VPNs if you can get BO2K
on to the client machine in the first place (preventing which is the only
defence I'm aware of, and thats not trivial in a distributed case). Feel
free to substitute Sub7 or any of the 30 or 40 other equivelent to BO
packages
floating around out there for BO2K in all instances here (because they are
equivelent ...).