RE: Bank pen test

["Craig Wright" <cwright () bdosyd com au>]

Just to procrastinate from what I should be doing...
 
Jon Stated..."In terms of media value, its pretty much infinite.  A bank or other
financial organization will tend to do whatever it can to avoid any kind
of negative press, especially as it relates to integrity/confidentiality
breaches, as long as the cure wouldn't bankrupt them too."
 
The issue is that the public have short memories.
 
Citibank have been compromised a number of times. The "recent" ATM etc issue with Citibank (and they are an example - 
one of many so nothing personal against Citibank) is an example that goes back to 2002.
See http://cryptome.org/citi-ban.htm
 
In addition Citibank have stopped a large number of merchants and ATMs due to "suffering a series of fraudulent cash 
withdrawals ". 
 
From the "Big 4" Australian Banks, there have been numerous phishing scams, card issues and the list goes on. Many of 
the banks only just updated the links from DES shared key in Dec 05 and only as they had to by law (some have missed 
this date and are in breach).
 
Westpac (http://www.westpac.com.au) has created a click pad for online banking to defeat trojans, but has developoed 
this in Java script and the algorithim is in the clear (and still at the moment is this way). There are higher end 
alternatives - but if you have a $25,000 transfer limit...
 
The "spin" is also mostly FUD. NAB and Westpac have both come out stating that "numerous Asian customers have had their 
fingers cut off because of biometrics" as a justification to why they would not consider this. This does not explain 
ALL the other forms and infact any "good" biometric will detect a dead finger. Further, people get kidnapped for their 
pins, does this mean that we all forget security?
 
So I put less value into the publicity cost (as percieved by banks) than you. It costs less to hire a PR firm and 
"spin" than to fix many issues. 
 
Regards
Craig

        -----Original Message----- 
        From: Jon Gucinski [mailto:Jgucinski () midwestbank com] 
        Sent: Wed 8/03/2006 8:46 AM 
        To: pen-test () securityfocus com 
        Cc: 
        Subject: RE: Bank pen test
        
        
         


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.