[4249] in WWW Security List Archive
RE: Sceptic about (Funds Transfer w/o PI
daemon@ATHENA.MIT.EDU (Mirick, James R.)
Tue Feb 4 19:17:25 1997
Date: Tue, 4 Feb 97 16:06 EST
From: "Mirick, James R." <FBS/DEV01/JRMIRICK%First_Bank_System@mcimail.com>
To: jay <jay@homecom.com>, WWW SECURITY <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
Please reply to the following MCI Mail address: 692-1709
I agree that there are ways to stop this particular attack, but I think
the larger point is to "think and understand" from an attacker's point of
view if you hope to ferret out such opportunities. Java and (especially)
ActiveX present new challenges and even if this one won't work so
easily, others like it might. That's the value of the discussion. If
elements of this attack __could__ work, someone will elaborate it in a
way that will make it work.
Also, our research shows that the majority of people don't in fact
reconcile their bank statements, and a sizeable number don't even open
the envelope! Perhaps this is different for people who are Quicken
users, but they may fall prey to the theory that "the computer will keep
things in order for me." If you don't believe people will do this (even
intelligent, computer-literate ones) you should spend some time reading
the comp.risks forum. So, as a banker, I need to structure a system that
will protect these people as well as those who check / reconcile as they
should.
Securely,
Jim Mirick
General Manager, FBS Interactive
First Bank System, Minneapolis www.fbs.com
----------
From: jay
Sent: Monday, February 03, 1997 11:44 PM
To: WWW SECURITY
Cc: James R. Mirick
Subject: Sceptic about (Funds Transfer w/o PIN)
MCI Mail date/time: Mon Feb 03, 1997 11:37 pm CST
Source date/time: Mon, 03 Feb 1997 11:32:27 -0500
-------------------
This story on hacking Quicken with ActiveX presents a few probs for me:
Under what circumstances could such an ActiveX applet be hidden on a
server that Quicken users are likely to access? How long would it be
there before being accessed & disabled? How quickly could the money
arrive at the hacker's account? CheckFree takes a minimum of 5 business
days. This exploit would have to remain undetected for 5+ days in order
to succeed. Is that likely?
I'm using CheckFree with Quicken. It won't let you xfer money (i.e.,
write a virtual check) w/o setting up an account. Normally, I also
review outgoing transactions before I upload. A request to add a new
account would stick out like a wart. Quicken also summarizes the type &
number of xfers when you tell it to upload transactions. Is it possible
to hide a request to create a new account such that it wouldn't be
indicated in the dialogue box as a pending transaction? Even if you
didn't review outgoing transactions like I do, you would see that you
were creating a new account.
You would see the transaction when you balanced your checkbook. In
answer to the question "who checks every entry on their statements?":
virtually everyone! I'll bet 90% of the people using Quicken for their
checking accts reconcile it regularly. It's so easy to do, it's silly not
to. If you're not balancing your checkbook, you have no reasonable
expectation of accuracy. If you're not following what your bank or
CheckFree or your insurance company or your ISP or your cleaning service
is regularly withdrawing from your bank & credit card accounts, then you
shouldn't worry about obscure hacker attacks either.
More hype. This works in a laboratory, but in practice, there are much,
much easier ways to steal money.
--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com