WebApp Sec mailing list archives

Re: limits of end-user "testing"


From: Andrew van der Stock <vanderaj () greebo net>
Date: Thu, 17 Nov 2005 23:17:03 +1100

This is my day job. ;)

As a warning to anyone reading this who doesn't know any better, Internet Banking sites are the most closely watched systems at most banks, so whatever you do, do not tackle them in an effort to determine if they are secure or not. Not only is tackling them for impromptu penetration tests illegal in most countries, it's a really stupid idea.

The best way to determine if a site is secure is to ask the bank what they will do:

a) if money is transferred using IB without your permission, say via phishing attacks
b) if money is transferred by others using faults in the software

If they are a good bank, they will be upfront and honest about how to go about reporting such fraud and how to get all your money back. Sometimes, they will limit your losses to $50, but most banks will simply wear this as a good will gesture. Find out. As a consumer, this is all you really need to know.

Generally, most banks are able to reverse transactions if the money has not left their own bank. Once it hits SWIFT (International payments) or the domestic payments systems, banks have less control and some are reluctant to chase these funds. These are the bad banks, and you should avoid them if they don't guarantee your money back, even if you do the right thing by the bank.

Personally, I'd be looking for places that:

a) have two factor transaction signing (SMS or token based) to prevent unauthorized transfers via phishing
b) have reasonable terms and conditions (such as notify us early, and you'll pay only the first $50 or better)
c) if you have to use passwords to sign on with, the passwords should be allowed to be really long (so you can use pass phrases) and you can change them easily

I don't think two factor sign on authentication is much of a win against phishing, but it's better than passwords when you have to use potentially trojan'd or untrustworthy computers.

At the end of the day, banks know they have the potential to lose a great deal of consumer trust through faults in these systems, and so they usually pay a lot of attention to their design, implementation, testing, and operational security. I know this is true at all the banks I've worked at in Australia (and that's almost all of the majors and two of the minors). Maybe because I know first hand how good they are, I trust internet banking over any other channel, as I believe it to be the safest, lowest-risk channel available to me.

thanks,
Andrew

On 17/11/2005, at 2:19 AM, Jeff Robertson wrote:

People occasionally ask me if I can help them figure out if the online
banking site they use is secure. I tell them not unless the bank hires me to
do so.

Is there *anything* that an end user can do in the way of checking for the
Top 10 type of problems, that would be considered "fair use" (I know..
copyright law term, not really applicable here) or "self-defense" rather
than malicious?

For purposes of simplicity and relevance to my current location, let's assume that the user, the website, and the company that owns the site are all
in the U.S.
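The distinction Andrew draws above between two-factor sign-on and two-factor transaction signing, shown as an added example that is not part of the thread: the code the customer enters is an HMAC over the actual transfer details, so a code phished for one transfer does not verify for a transfer to a different destination or for a different amount. The token secret, account identifiers and amounts are constructed placeholders, and the truncation is a simplified HOTP-style step.

```python
import hmac
import hashlib

# Constructed example: per-customer secret shared between the bank and the
# customer's token or SMS channel (hypothetical value, not a real key).
TOKEN_SECRET = b"constructed-customer-token-secret"


def canonical_tx(destination: str, amount_cents: int, nonce: str) -> bytes:
    """Bind the signing code to what is actually being authorised."""
    return f"{destination}|{amount_cents}|{nonce}".encode()


def signing_code(secret: bytes, destination: str, amount_cents: int,
                 nonce: str, digits: int = 6) -> str:
    """Short code shown on the token / sent by SMS for exactly this transfer."""
    mac = hmac.new(secret, canonical_tx(destination, amount_cents, nonce),
                   hashlib.sha256).digest()
    # Simplified dynamic truncation (as in HOTP) to a typeable decimal code.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def bank_verify(secret: bytes, destination: str, amount_cents: int,
                nonce: str, code: str) -> bool:
    """Server side: recompute over the transfer the bank is about to execute.
    A real system also marks the nonce as consumed so a code is single-use."""
    expected = signing_code(secret, destination, amount_cents, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> tuple:
    nonce = "tx-0001"  # per-transaction value issued by the bank
    # Customer authorises "250.00 to ACCT-LEGIT" and reads the code off the token.
    legit = signing_code(TOKEN_SECRET, "ACCT-LEGIT", 25000, nonce)
    genuine = bank_verify(TOKEN_SECRET, "ACCT-LEGIT", 25000, nonce, legit)
    # The same code captured by a phishing page is useless for a redirected
    # destination or an altered amount: the transfer details no longer match.
    redirected = bank_verify(TOKEN_SECRET, "ACCT-MULE", 25000, nonce, legit)
    inflated = bank_verify(TOKEN_SECRET, "ACCT-LEGIT", 99900, nonce, legit)
    return genuine, redirected, inflated


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

A sign-on-only OTP, by contrast, proves nothing about the transfer itself, which is why it helps against a stolen password but not against a phishing page that relays the session.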
