Home page logo

isn logo Information Security News mailing list archives

Security Top Concern for Online Banking
From: William Knowles <wk () c4i org>
Date: Tue, 3 Jul 2001 11:41:12 -0500 (CDT)


Charles R. Smith
Wednesday, June 27, 2001 

Fear of Hacking Slowing Industry to Halt

The dirty little secret in the Internet industry is exactly how
insecure and inconvenient online banking really is.

The real reason for the failure of Internet banking is security.
According to a recent survey, poor security was the second most often
cited reason for dropping online banking. After all, if the U.S. Army,
the Nasdaq and FAA are vulnerable to hackers, then a bank account must
be easy meat.

Banks have instituted a number of physical security features in order
to erect barriers between the hacker and your money. These physical
security features include a waiting period for all transactions,
forcing customers to go to a branch to verify transactions, and

Online bank users are encouraged to change their passwords regularly
and users frequently are locked out after typing errors. The
transaction is then sent using 64-bit or 128-bit encryption to your

However, recent advances in computer technology mean that even these
elaborate levels of security can be beaten and cracked. The Allies
cracked password security in 1942, 64-bit encryption is considered
weak, and 128 ciphers have recently come under attack.

In addition, the typical hacker has changed. Instead of a single
teen-age student with little or no social life, the modern hacker now
wears a uniform.

In November 2000, Major General Dai Qingmin, director of the People's
Liberation Army Communications Department of the General Staff HQ,
wrote a major paper on "Information Warfare." According to General
Dai, Chinese army pre-emptive attacks on American civilian computer
and information systems will use "information warfare techniques which
differ from U.S. IW plans."

The PLA has reserve Information Warfare units located in the cities of
Datong, Xiamen, Shanghai, Echeng, and Xian, each developing specialty
capabilities to attack U.S civilian computers. For example, the
Shanghai unit is focusing on attacking wireless telecom networks and
double-encryption passwords.

In his November paper, General Dai outlined several Chinese Info-war
strategies. General Dai's paper included such hacker techniques as
jamming or sabotaging enemy info systems, giving a false impression
while launching an Info-war attack, and blinding and deafening an
enemy with false impressions.

The Chinese army is deadly serious about attacking U.S. civilian
computers. The recent massive PLA Taiwan invasion exercise included an
Info-warfare operation in the Shenyang Military Region, simulating
attacks on U.S. civilian computers.

The Pentagon is not ignorant of the problem either. During a recent
U.S. military exercise, U.S. Air Force "red team" hackers were able to
shut down American military and civilian satellite communications. The
Air Force "red team" also demonstrated the vulnerability of American
power grids to Info-warfare attacks.

Nor is the security issue isolated to the U.S. In May 2001, the
European Parliament issued a report recommending that all European
institutions and businesses use encrypted e-mail because of suspected
American monitoring.

The European Parliament report is only half right. All e-mail is
monitored and recorded. Every e-mail passes through dozens of
computers while traveling over the Internet. In fact, Web sites that
offer free e-mail frequently store and monitor your information. If
you can read your private e-mail, then someone else can, too.

This little-known fact escaped even the brilliant Bill Gates during
the Microsoft v. U.S. trial. During the case, U.S. Deptartment of
Justice lawyers were able to recover and submit Mr. Gates' own e-mail
as evidence.

The European Parliament is right to call for general use of modern
ciphering software. In comparison, the U.S. continues to rely on 1960s
commercial security designs that can be successfully attacked by
modern supercomputers, or worse, nothing at all.

Ironically, it is now possible to match the powerful pad ciphers used
by captured Russian spies. According to Dr. David Kahn, a sitting
member of the National Security Agency Cryptography Museum, the pad
systems are "unbreakable in both theory and in Practice."

The U.S. Internet industry should take note of the slim numbers
enrolled in online banking because of poor security and privacy
issues. The fact remains that few trust the Internet for banking and
only the ignorant will continue to send private e-mail in un-ciphered

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com 

  By Date           By Thread  

Current thread:
  • Security Top Concern for Online Banking William Knowles (Jul 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]