[4247] in WWW Security List Archive


RE: Sceptic about (Funds Transfer w/o PIN)

daemon@ATHENA.MIT.EDU (Dirk Husemann)
Tue Feb 4 06:42:49 1997

Date: Tue, 4 Feb 1997 09:39:05 +0100
From: Dirk Husemann <hud@zurich.ibm.com>
To: jay@homecom.com
Cc: WWW-SECURITY@ns2.rutgers.edu
In-Reply-To: <32F6131B.2BA8@HomeCom.com>
Errors-To: owner-www-security@ns2.rutgers.edu

>>>>> "JH" == Jay Heiser <Jay@homecom.com> writes:

JH> This story on hacking Quicken with ActiveX presents a few probs for me:
JH> Under what circumstances could such an ActiveX applet be hidden on a
JH> server that Quicken users are likely to access?  How long would it be
JH> there before being accessed & disabled?  How quickly could the money
JH> arrive at the hacker's account?  CheckFree takes a minimum of 5 business
JH> days.  This exploit would have to remain undetected for 5+ days in order
JH> to succeed.  Is that likely?

Careful, you are assuming a US background. From what I read, it sounded
like a German home banking application: Instead of the (quaint) US system
of sending checks around you usually issue bank orders in Germany (and
quite a lot of other European countries); with home banking these bank
orders get transmitted to the customer's bank electronically (in Germany
using the national videotext system, and recently the Internet). To make
this process at least a little bit more secure the banks are issuing PINs
to the customer with which the customer identifies herself to the bank
(basic authentication), and, in addition, you get a number of TANs
(transaction numbers) that you use to authorize each bank order
individually. To avoid having the customer key in a PIN/TAN combination for
each bank order, the banks are offering the possibility of entering a whole
batch of bank orders and authorizing that batch with a single PIN/TAN
combination. 

[...]

JH> You would see the transaction when you balanced your checkbook.  In
JH> answer to the question "who checks every entry on their statements?"
JH> Virtually everyone!  I'll bet 90% of the people using Quicken for their
JH> checking accts reconcile it regularly.  It's so easy to do, it's silly not
JH> to.  If you're not balancing your checkbook, you have no reasonable
JH> expectation of accuracy.  If you're not following what your bank or
JH> CheckFree or your insurance company or your ISP or your cleaning service
JH> is regularly withdrawing from your bank & credit card accounts, then you
JH> shouldn't worry about obscure hacker attacks either.

Right. However, the higher the number of bank orders in a given period of
time and the higher the number of people involved/authorized to issue bank
orders (e.g., think of a company) the higher the probability that these
attacks go unnoticed for quite some time.

        Cheers,
        Dirk

Dr. Dirk Husemann                Phone      +41 1 724 8573
IBM Research Division            FAX        +41 1 710 3608
IBM Zurich Research Laboratory
Saeumerstrasse 4                 Internet   hud@zurich.ibm.com
CH-8803 Rueschlikon              WWW:       http://www.zurich.ibm.com/~hud/
Switzerland                      PGP:       http://www.zurich.ibm.com/~hud/PGP/
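The two points in this message (one PIN/TAN authorizing a whole batch regardless of its content, and reconciliation as the way such an order is eventually noticed) can be made concrete with a small model. The following is an added example and not code from the original post or from any banking system: the `Order` type, the content-bound token construction, the sample orders, account strings and TAN value are all constructed for illustration, and the "content-bound" variant is a hypothetical hardening, not a description of how the banks in the message actually worked.

```python
# Added example (not part of the original message): a toy model of the
# PIN/TAN batch-authorization scheme described above, and of the statement
# reconciliation that would surface an order the customer never entered.
# All names, the token construction and the sample data are constructed.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    payee: str
    account: str
    amount_cents: int


def batch_digest(orders):
    """Canonical digest committing to every field of every order, in order."""
    h = hashlib.sha256()
    for o in orders:
        # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
        for field in (o.payee, o.account, str(o.amount_cents)):
            data = field.encode()
            h.update(len(data).to_bytes(4, "big"))
            h.update(data)
    return h.digest()


def tan_only_accepts(tan, issued_tans):
    """Model of the scheme in the message: a single-use TAN authorizes a whole
    batch, whatever the batch contains, so the bank only checks the TAN."""
    if tan not in issued_tans:
        return False
    issued_tans.discard(tan)  # each TAN can be used exactly once
    return True


def authorize_batch(orders, tan):
    """Hypothetical hardening: bind the TAN to the batch the customer reviewed."""
    return hmac.new(tan.encode(), batch_digest(orders), "sha256").hexdigest()


def content_bound_accepts(orders, tan, token):
    """Bank-side check: the token must match the batch actually submitted."""
    expected = authorize_batch(orders, tan)
    return hmac.compare_digest(expected, token)


def reconcile(ledger, statement):
    """Return statement entries with no matching ledger entry (multiset match),
    i.e. the check a customer does when balancing the account."""
    remaining = list(ledger)
    unexpected = []
    for entry in statement:
        if entry in remaining:
            remaining.remove(entry)
        else:
            unexpected.append(entry)
    return unexpected


# Constructed sample: the batch the customer reviewed and authorized ...
reviewed = [
    Order("Stadtwerke", "DE00-CONSTRUCTED-0001", 12_050),
    Order("Landlord", "DE00-CONSTRUCTED-0002", 95_000),
    Order("ISP", "DE00-CONSTRUCTED-0003", 4_990),
]
# ... and the batch that reached the bank, carrying one order the customer
# never entered (the situation the message is discussing).
submitted = reviewed + [Order("Unknown", "DE00-CONSTRUCTED-0099", 250_000)]
TAN = "483920"  # constructed value


def demo():
    issued = {TAN}
    token = authorize_batch(reviewed, TAN)
    return {
        # TAN-only check: the batch passes because the TAN is valid.
        "tan_only": tan_only_accepts(TAN, issued),
        # Content-bound check: the token was computed over the reviewed
        # batch, so the modified batch is rejected.
        "content_bound": content_bound_accepts(submitted, TAN, token),
        # Reconciliation of the ledger against the statement finds the extra order.
        "unexpected": reconcile(reviewed, submitted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `reconcile` routine also illustrates the second point: it only flags what is absent from the customer's own ledger, so the more orders and the more people entering them, the longer an entry that nobody recognizes as foreign can sit in the statement before someone questions it.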