Penetration Testing: Re: [PEN-TEST] Home-Banking PEN-TESTING

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING

From: Christopher Laycock <Chris () LAYCOCK-KETTON FREESERVE CO UK>
Date: Tue, 29 Aug 2000 10:29:54 +0100

IMHO: The bank should warn people not to store their password in the Cache
of their web browser.  This would stop some attacks, although they shouldn't
be responsible for Keystroke logs.  Most of the problems would be solved if
the user had a long password and was asked for random characters from it eg.
"Please enter the 3rd, 26th, 38th, 41st and 107th character's of your
password" and setting it so that only logging on and off will change the
charcters required.  AFAIK this system is used by some banks over the phone
but not over the net.

Chris
-----Original Message-----
From: Rafael Coninck Teigao <rafael () SAFECORE NET>
To: PEN-TEST () SECURITYFOCUS COM <PEN-TEST () SECURITYFOCUS COM>
Date: 26 August 2000 21:07
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING

I'm not cracking the client machine. I'm asking that if it is possible
to
someone to crack the client machine and get the password, should the
bank
hold liability for it? I already broke into my own machine for that
purpose, so I know it is vulnerable.

   []'s,
   RCT.


Erik Tayler wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I do not believe the bank even has the right to have you test
personal computers that are housed in a residence. Ask a lawyer to be
certain, but that seems like a large invasion of privacy. I have
previously used home-banking, and I would be furious if my bank hired
people to break into my home network. I think one could consent to
such a service, I am not saying it is un-performable, but it sounds
like a pain to get such permission from everyone subscribing to the
home-banking system. Sniffing someone while they are transferring
sensitive information is just as effective as breaking into their
network/pc. None of what I just said is of any relevance if you are
not referring to the consumers that actually access the bank via
modem or web-interface to view their financial data.

Erik Tayler
14x Network Security
http://www.14x.net


--
---------------------------------------------------------------------------

----

And the Raven, never flitting, still is sitting, still is sitting
On the pallid bust of Pallas just above my chamber door;
And his eyes have all the seeming of a demon's that is dreaming,
And the lamp - light o'er him streaming throws his shadow on the floor;
And my soul from out that shadow that lies floating on the floor
Shall be lifted - nevermore!
       E. A. Poe --> The Raven (c1845)
---------------------------------------------------------------------------

----

By Date By Thread

Current thread:

Re: [PEN-TEST] Home-Banking PEN-TESTING, (continued)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Gontarczyk, Andrew (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Cintron, Jose (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Klahn, Paul (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Tonick, Mike (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Chris Calabrese (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Christopher Laycock (Aug 29)
  - [PEN-TEST] SQL Server blank account Seth Georgion (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account Marc Maiffret (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account M. Burnett (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account H D Moore (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account Attonbitus Deus (Aug 29)