[4252] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Geoffrey Leeming)
Wed Feb 5 19:20:08 1997
To: jay@homecom.com
From: Geoffrey Leeming <geoffrey@indiciis.com>
Cc: WWW-SECURITY@ns2.rutgers.edu
Date: Tue, 4 Feb 1997 15:39:05 +0100
Errors-To: owner-www-security@ns2.rutgers.edu
At 05:32 PM 3/2/97 +0100, Jay Heiser wrote:
>This story on hacking Quicken with ActiveX presents a few probs for me:
>
>Under what circumstances could such an ActiveX applet be hidden on a
>server that Quicken users are likely to access?
Unless you run Quicken on a different machine to your internet account, any
WWW page you access, whether or not it has anything to do with Quicken,
could contain such an applet.
>How long would it be
>there before being accessed & disabled? How quickly could the money
>arrive at the hacker's account? CheckFree takes a minimum of 5 business
>days. This exploit would have to remain undetected for 5+ days in order
>to succeed. Is that likely?
Transfer time is entirely dependent on the application (i.e. 5 days in the
case of CheckFree). It's entirely possible that such an exploit could
remain undetected for that time, depending on exactly how much attention
people pay to the details of their transactions.
Exploits have remained undetected for much longer, viz the case of the
(non-IT based) fraud at a New York bank in the 60s(?) or thereabouts, where
a fraud was discovered to have been running for a matter of YEARS, as one
employee regularly used the manual pay-check printing back-up service to
print out a whole batch of extra paychecks. As he junked all the rest and
only re-used his own paycheck, the amount was too small to notice, so the
fraud lasted for a long time. If the attack was for a small sum and
contained a vaguely reasonable sounding payee and/or description, (such as
Electricity bill, interest payment, or something innocuous like that), a lot
of people would just skim past it without registering it.
>I'm using CheckFree with Quicken. It won't let you xfer money (i.e.,
>write a virtual check) w/o setting up an account.
The exploit doesn't need to set up a new account: it merely adds a new
transaction to the pending transactions on YOUR account. Then it waits for
you to log in to your bank, enter your PIN/TAN, and hey presto! the
fraudulent transaction is authorised by you.
>Normally, I also
>review outgoing transactions before I upload.
That's the best way to defeat such attacks.
However, I note you didn't say that you ALWAYS review transactions...
>A request to add a new
>account would stick out like a wart. Quicken also summarizes the type &
>number of xfers when you tell it to upload transactions. Is it possible
>to hide a request to create a new account such that it wouldn't be
>indicated in the dialogue box as a pending transaction? Even if you
>didn't review outgoing transactions like I do, you would see that you
>were creating a new account.
See above - don't need to create a new account. Would be a little
pointless, because there wouldn't be a matching account at the bank.
>You would see the transaction when you balanced your checkbook.
True. *IF* you balance your checkbook.
>In
>answer to the question "who checks every entry on their statements?"
>Virtually everyone! I'll bet 90% of the people using Quicken for their
>checking accts reconcile it regularly. It's so easy to do, it's silly not
>to.
I wouldn't put too much money on that. A lot of people wouldn't bother -
they'd expect Quicken to take care of all that administrative stuff for
them: that's why they bought it.
A lot of people can't even be bothered to put useful passwords on their
computer accounts, hence the success of cracking programs. Balancing
checkbooks is a lot more effort than remembering a single password.
>If you're not balancing your checkbook, you have no reasonable
>expectation of accuracy. If you're not following what your bank or
>CheckFree or your insurance company or your ISP or your cleaning service
>is regularly withdrawing from your bank & credit card accounts, then you
>shouldn't worry about obscure hacker attacks either.
Hmmmm.... people don't want to have to go to all that effort. That's why
they spend money on security.
>More hype. This works in a laboratory, but in practice, there are much,
>much easier ways to steal money.
I think the point of the TV program was that it was entirely possible in
practice: the Risk digest mentioned that the Chaos Club had demonstrated the
attack, not just talked about it.
I wouldn't say that there are that many easier ways of stealing money.
Combine this exploit with the following skills:
* simple WWW hacking to put your ActiveX applet on popular sites unconnected
with yourself
* knowledge of money-laundering techniques (not that hard to pick up, and
taught to every accountant as a matter of course :-)
And you have an automated attack that can hit a wide audience for relatively
little effort.
Granted, the attacker might have to keep opening new accounts at dodgier and
dodgier banks as the traced accounts get closed down, but that's always possible.
The other point is that many banks (allegedly) have a limit, below which
it's not worth pursuing a fraud. I.e. if someone defrauds them to the tune
of $10, it's certainly not worth spending the money investigating it: they
might as well just write it off. If the ActiveX-based attack goes for
amounts below this limit, it has a better chance of passing unnoticed for a
while.
Geoffrey Leeming 0171 592 3007 - Office Direct Dial
Consultant 0171 836 0567 - Fax
Indicii Salus Ltd. 0956 844 168 - Mobile