[4250] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PI
daemon@ATHENA.MIT.EDU (Jay Heiser)
Wed Feb 5 13:38:22 1997
Date: Wed, 05 Feb 1997 09:24:22 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: "Mirick, James R." <FBS/DEV01/JRMIRICK%First_Bank_System@mcimail.com>
CC: WWW SECURITY <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
Mirick, James R. wrote:
> I agree that there are ways to stop this particular attack, but I think
> the larger point is to "think and understand" from an attacker's point of
> view if you hope to ferret out such opportunities. Java and (especially)
> Active-X present new challenges and even if this one won't work so
> easily, others like it might. That's the value of the discussion. If
Good thing that someone like me was willing to say something politically
incorrect and launch the discussion......
> elements of this attack __could__ work, someone will elaborate it in a
> way that will make it work.
I agree that ActiveX has security probs.
>
> Also, our research shows that the majority of people don't in fact
> reconcile their bank statements, and a sizeable number don't even open
> the envelope! Perhaps this is different for people who are Quicken
> users, but they may fall prey to the theory that "the computer will keep
> things in order for me." If you don't believe people will do this (even
> intelligent, computer-literate ones) you should spend some time reading
> the comp.risks forum. So, as a banker, I need to structure a system that
> will protect these people as well as those who check / reconcile as they
> should.
I've had merchants bill my credit card twice. How do you protect me from that? I hand my credit card to low-paid restaurant staff and they disappear for minutes at a time. How do you protect me from being ripped off by them?

I have dealings with two different financial institutions that have recently had to reissue large numbers of Gold cards because the numbers were used by counterfeiters. The criminals got greedy and charged huge amounts for very specific things in an unusual part of the world. A single person making subtle use of counterfeited numbers wouldn't have been discovered as quickly.

I believe that you protect me in two ways. 1) if I notice something unusual AND REPORT IT, I'm only liable for the first $50. 2) if it's really big & blatant, you have mechanisms which will notice the unusual activity.

The onus has always been on the account holder to check their own statement. I know many people don't -- THAT IS A RISK THAT THEY HAVE MADE THE DECISION TO TAKE THEMSELVES. Banks make mistakes, credit card numbers get ripped off, stuff happens. Consumer beware. The Internet doesn't change that.

I'm not saying that ActiveX doesn't have the potential to put home banking at risk. I'm saying that I don't see the current risk as being as great as that already demonstrated with credit cards. The current system presents many risks, but we understand them and deal with them. The same thing will happen with the intersection of the Internet, home banking, and executable content web pages.

Don't misinterpret my response as being a rejection of research on this issue. Far from it. I'm just asking that we try and take a measured risk analysis approach to this. Internet security is becoming a popular emotional issue, and it's looking like passive restraint all over again. (Then again, the hype is good job security for those of us in the security biz......)
>
> Securely,
>
> Jim Mirick
> General Manager, FBS Interactive
> First Bank System, Minneapolis www.fbs.com
>
> ----------
> From: jay
> Sent: Monday, February 03, 1997 11:44 PM
> To: WWW SECURITY
> Cc: James R. Mirick
> Subject: Sceptic about (Funds Transfer w/o PIN)
>
> MCI Mail date/time: Mon Feb 03, 1997 11:37 pm CST
> Source date/time: Mon, 03 Feb 1997 11:32:27 -0500
> -------------------
>
> This story on hacking Quicken with ActiveX presents a few probs for me:
>
> Under what circumstances could such an ActiveX applet be hidden on a
> server that Quicken users are likely to access? How long would it be
> there before being accessed & disabled? How quickly could the money
> arrive at the hacker's account? CheckFree takes a minimum of 5 business
> days. This exploit would have to remain undetected for 5+ days in order
> to succeed. Is that likely?
>
> I'm using CheckFree with Quicken. It won't let you xfer money (i.e.,
> write a virtual check) w/o setting up an account. Normally, I also
> review outgoing transactions before I upload. A request to add a new
> account would stick out like a wart. Quicken also summarizes the type &
> number of xfers when you tell it to upload transactions. Is it possible
> to hide a request to create a new account such that it wouldn't be
> indicated in the dialogue box as a pending transaction? Even if you
> didn't review outgoing transactions like I do, you would see that you
> were creating a new account.
>
> You would see the transaction when you balanced your checkbook. In
> answer to the question "who checks every entry on their statements?"
> Virtually everyone! I'll bet 90% of the people using Quicken for their
> checking accts reconcile it regularly. It's so easy to do, it's silly not
> to. If you're not balancing your checkbook, you have no reasonable
> expectation of accuracy. If you're not following what your bank or
> CheckFree or your insurance company or your ISP or your cleaning service
> is regularly withdrawing from your bank & credit card accounts, then you
> shouldn't worry about obscure hacker attacks either.
>
> More hype. This works in a laboratory, but in practice, there are much,
> much easier ways to steal money.
>
> --
> Jay Heiser, 703-610-6846, jay@homecom.com
> Homecom Internet Security Services
> http://www.homecom.com/services/hiss
> For company & industry news...subscribe to newsletter@homecom.com
>
--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com
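As an added example, not code from this thread or from Quicken/CheckFree: a small pre-upload review of a pending batch that does what both messages describe, summarizing the batch by type and count (as the upload dialog does) and flagging a new payee/account setup request or a payment that stands out against that payee's history. The payee names, amounts, history and the 3x-of-average threshold are all constructed for illustration.

```python
# Pre-upload review of a pending home-banking batch (constructed example,
# not Quicken/CheckFree code). Flags the two things the thread says should
# "stick out like a wart": a new payee setup request mixed into a batch, and
# a payment that is unusual for that payee.
from dataclasses import dataclass
from collections import Counter
from statistics import mean

@dataclass(frozen=True)
class Pending:
    kind: str       # "payment" or "new_payee"
    payee: str
    amount: float   # 0.0 for new_payee requests

def summarize(batch):
    """Count pending items by kind, like the upload confirmation dialog."""
    return dict(Counter(item.kind for item in batch))

def review(batch, history):
    """Return human-readable flags. history: payee -> past payment amounts."""
    flags = []
    for item in batch:
        if item.kind == "new_payee":
            flags.append(f"NEW PAYEE SETUP: {item.payee}")
        elif item.payee not in history:
            flags.append(f"FIRST PAYMENT to unknown payee {item.payee}: "
                         f"{item.amount:.2f}")
        else:
            typical = mean(history[item.payee])
            # Threshold (3x the payee's average) is a constructed choice.
            if item.amount > 3 * typical:
                flags.append(f"UNUSUAL AMOUNT for {item.payee}: "
                             f"{item.amount:.2f} (typical {typical:.2f})")
    return flags

# Constructed sample: two routine bills plus an injected payee-setup request
# and a payment to that new payee, the pattern the quoted story described.
HISTORY = {"Power Co": [88.10, 91.40, 85.00], "ISP": [19.95, 19.95]}
BATCH = [
    Pending("payment", "Power Co", 89.30),
    Pending("payment", "ISP", 19.95),
    Pending("new_payee", "Acme Holdings", 0.0),
    Pending("payment", "Acme Holdings", 2400.00),
]

if __name__ == "__main__":
    print("Pending by type:", summarize(BATCH))
    for flag in review(BATCH, HISTORY):
        print(flag)
```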