Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: "Klahn, Paul" <paul () FISHNETSECURITY COM>
Date: Wed, 23 Aug 2000 08:40:01 -0500
Peter -- I'm not sure it matters what is reasonable to us, the bank has attorneys, who are rarely reasonable. I was recently in a meeting with a major commercial FW/IDS provider. They are involved in almost the exact situation you discuss, so I would imagine this will be prevalent with the on-line banks. Their direction was pushing an agent to the desktop to test the security of the user prior to allowing access to their on-line service. But hey, isn't that the resellers' advantage - paranoia!?

Paul

-----Original Message-----
From: Peter Van Epp [mailto:vanepp () SFU CA]
Sent: Tuesday, August 22, 2000 7:36 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Home-Banking PEN-TESTING
Hi, ppl. I'm pen-testing a home-banking system. My client has a doubt and we basically disagree on some level: is the client's machine the responsibility of the bank? I mean, if I can break the client's machine and steal useful information from it (passwords, account data, etc.), is the bank responsible, having in mind that its programmers can fix the problem (they just don't do it 'cause it is costly)? Let me hear what you think.

[]'s, RCT.
The obvious one is insinuate BO2K on to the client machine. Security gone since the attacker can simulate the client (with sniffed real password from the client's machine). How would the bank differentiate this from the real client? Why would the bank take responsibility for the client's machine? I expect the card holder agreement holds the client liable for the security of their machine in the fine print. Now for publicity reasons they may eat this so as to not scare off other customers, and there isn't much useful that you can do (at least on the local version our banks run, ymmv).

The one I expect to see the first big hit from is on line stock trading. The potential loss is likely to be too high for a brokerage to swallow and I expect the same thing applies, i.e. the card holder agreement says if it was with your password/passphrase it is considered you (unless you can prove that the broker's end of the connection was compromised, which no one in their right mind would try given an undefended client machine).

If you know of a way to fix the client's machine in the general case, I (and I'm sure a lot of other worried security people) would like to hear about it. BO2K will defeat (with varying amounts of difficulty) even VPNs if you can get BO2K on to the client machine in the first place (preventing which is the only defence I'm aware of, and that's not trivial in a distributed case). Feel free to substitute Sub7 or any of the 30 or 40 other equivalent-to-BO packages floating around out there for BO2K in all instances here (because they are equivalent ...).