Penetration Testing mailing list archives

[PEN-TEST] Your opinions ... last request


From: Jim Miller <MillerJ () FABSSB COM>
Date: Wed, 1 Nov 2000 09:09:38 -0600

Thank you all for your elucidating responses.  I have come to understand better the technology that my bank will 
deploy.  I just have one last point to clarify, and would like to ask one more time for info on this specific point.

The client side security is less than adequate, and the bank intends to protect itself using legal stipulations in 
signed client contracts.  But this obvious step will be pointless if the system we deploy to the customer is easily 
hacked.  For the customer, physical security is a recommended control, and necessary to prevent the obvious hack, theft 
of the hardware.  

But if the certificate itself is easily removed from the client and can be transported and installed on another PC, the 
client is even more easily hacked.  It would not do the bank any good to deploy the system to any customer if the 
certificate is readily accessible by any employee with a fair technical knowledge.

This begs [the last and final] question:  can the certificate be exported to another PC without re-issuance by the 
bank?  Where does the certificate reside on the client?  How easily is it hacked, copied, transported, and / or 
re-installed?



Jim Miller, CISA, CDP
VP & IS Audit Mgr
First American Bank Texas
Bryan, Texas   77805-8100
979/361-6515
801/835-5546
millerj () fabssb com
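The question above (where the client certificate lives and whether its private key can be pulled off the PC) is answered on a Windows client by the key's storage provider, not by the certificate file: the provider records whether the key was generated as exportable and whether it sits in hardware. The following PowerShell audit check is an added example and is not part of the original post or of any bank's deployment; it assumes the certificates are in the current user's personal store (`Cert:\CurrentUser\My`), which is an assumption.

```powershell
# Added example (not from the original post): list client certificates that
# carry a private key and report whether that key is marked exportable and
# whether it lives on a hardware device.
# Assumption: the store path defaults to Cert:\CurrentUser\My.
function Get-ClientKeyExportability {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert       = $_
            $provider   = $null
            $exportable = $null
            $hardware   = $null

            # Legacy CAPI keys expose CspKeyContainerInfo via the PrivateKey property.
            $csp = $null
            try { $csp = $cert.PrivateKey } catch { $csp = $null }
            if ($csp -and $csp.CspKeyContainerInfo) {
                $info       = $csp.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $exportable = $info.Exportable
                $hardware   = $info.HardwareDevice
            }
            else {
                # CNG keys: ask the key storage provider for its export policy.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $policy     = $rsa.Key.ExportPolicy
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
                    # CNG does not expose a hardware flag here; infer from provider name.
                    $hardware   = ($provider -match 'Smart Card|Platform Crypto')
                }
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Provider   = $provider
                Exportable = $exportable
                Hardware   = $hardware
            }
        }
}

# Usage: any row with Exportable = True and Hardware = False is a key that a
# user with access to the profile can carry to another machine.
Get-ClientKeyExportability | Format-Table -AutoSize
```

The `Exportable` column reflects a flag enforced by the software provider, so a non-exportable software key raises the bar for an ordinary user but is not a guarantee against someone with administrative rights on the PC; only a key generated on a smart card or TPM (the `Hardware` column) keeps the private key from leaving the device, which is the property the bank's contract language is relying on.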

