[4241] in WWW Security List Archive


Sceptic about (Funds Transfer w/o PIN)

daemon@ATHENA.MIT.EDU (Jay Heiser)
Mon Feb 3 13:31:39 1997

Date: Mon, 03 Feb 1997 11:32:27 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

This story on hacking Quicken with ActiveX presents a few probs for me:

Under what circumstances could such an ActiveX applet be hidden on a
server that Quicken users are likely to access?  How long would it be
there before being accessed & disabled?  How quickly could the money
arrive at the hacker's account?  CheckFree takes a minimum of 5 business
days.  This exploit would have to remain undetected for 5+ days in order
to succeed.  Is that likely?

I'm using CheckFree with Quicken.  It won't let you xfer money (i.e.,
write a virtual check) w/o setting up an account.  Normally, I also
review outgoing transactions before I upload.  A request to add a new
account would stick out like a wart.  Quicken also summarizes the type &
number of xfers when you tell it to upload transactions.  Is it possible
to hide a request to create a new account such that it wouldn't be
indicated in the dialogue box as a pending transaction?  Even if you
didn't review outgoing transactions like I do, you would see that you
were creating a new account.

You would see the transaction when you balanced your checkbook.  In
answer to the question "who checks every entry on their statements?"
Virtually everyone!  I'll bet 90% of the people using Quicken for their
checking accts reconcile it regularly.  It's so easy to do, it's silly not
to.  If you're not balancing your checkbook, you have no reasonable
expectation of accuracy.  If you're not following what your bank or
CheckFree or your insurance company or your ISP or your cleaning service
is regularly withdrawing from your bank & credit card accounts, then you
shouldn't worry about obscure hacker attacks either.

More hype.  This works in a laboratory, but in practice, there are much,
much easier ways to steal money.   

-- 
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com
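The two controls this post leans on, reviewing what the client is about to upload and reconciling the register against the bank statement, can be written down as simple checks. The following is an added example, not code from the post or from Quicken or CheckFree; the transactions, payees and dates are constructed, and the five-day settlement window is used only as a calendar-day tolerance for matching posting dates.

```python
"""Toy pre-upload review and register/statement reconciliation.
All data below is constructed for the example."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    posted: date
    payee: str
    amount: float          # negative = money leaving the account
    kind: str = "payment"  # "payment" or "new_payee" (account setup request)


# Constructed: what the user knowingly entered in the register.
REGISTER = [
    Txn(date(1997, 1, 28), "Power Co", -84.12),
    Txn(date(1997, 1, 30), "Landlord", -950.00),
    Txn(date(1997, 2, 1), "ISP", -19.95),
]

# Constructed: payees the user previously set up with the bill-pay service.
KNOWN_PAYEES = {"Power Co", "Landlord", "ISP"}

# Constructed: the batch a tampered client is about to upload. The last two
# entries were injected, not typed by the user.
PENDING_UPLOAD = REGISTER + [
    Txn(date(1997, 2, 3), "Acme Holdings", 0.0, kind="new_payee"),
    Txn(date(1997, 2, 3), "Acme Holdings", -1200.00),
]

# Constructed: the statement the bank later reports.
STATEMENT = [
    Txn(date(1997, 1, 29), "Power Co", -84.12),
    Txn(date(1997, 1, 31), "Landlord", -950.00),
    Txn(date(1997, 2, 3), "ISP", -19.95),
    Txn(date(1997, 2, 10), "Acme Holdings", -1200.00),
]


def review_upload(pending, known_payees):
    """Return the pending items a pre-upload review should stop on:
    any new-payee (account setup) request, and any payment to a payee
    that is not already on file."""
    return [t for t in pending
            if t.kind == "new_payee" or t.payee not in known_payees]


def reconcile(register, statement, settle_window_days=5):
    """Match each statement entry to one register entry with the same
    payee and amount that was entered at most settle_window_days earlier.
    Return the statement entries that no register entry explains."""
    unmatched_register = list(register)
    unexplained = []
    for s in statement:
        hit = next(
            (r for r in unmatched_register
             if r.payee == s.payee and r.amount == s.amount
             and 0 <= (s.posted - r.posted).days <= settle_window_days),
            None,
        )
        if hit is None:
            unexplained.append(s)
        else:
            unmatched_register.remove(hit)  # each register entry explains one posting
    return unexplained


if __name__ == "__main__":
    for t in review_upload(PENDING_UPLOAD, KNOWN_PAYEES):
        print("review before upload:", t)
    for t in reconcile(REGISTER, STATEMENT):
        print("unexplained on statement:", t)
```

The upload review catches the injected payee setup and the payment to it before anything is sent; the reconciliation catches the same payment after the fact, because nothing in the register accounts for it. Matching consumes one register entry per statement posting so that a duplicated withdrawal is also reported.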
