[4255] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Wed Feb 5 21:43:37 1997
Date: Tue, 04 Feb 1997 09:58:09 -0500
To: WWW-SECURITY@ns2.rutgers.edu
From: Johannes Ullrich <jullrich@wizvax.net>
In-Reply-To: <32F6131B.2BA8@HomeCom.com>
Errors-To: owner-www-security@ns2.rutgers.edu
Just a few 'cultural' notes about the Quicken problem:
In Germany (unlike in the US), most transactions are done electronically.
It is unusual to send a check in the mail. Most of the time (lacking
electronic access to the account), you will fill out an electronic-transfer
form at your bank. Since all German banks are connected via an internal
network to a central clearing place, transfers take only a couple of days.
This kind of transaction is easily automated. All you have to do is fill
out the transaction form electronically. Most banks in Germany offer
electronic access through a somewhat ancient but rather secure online
service operated by the German Telecom. This service is based on a closed
network, comparable to Online Services. An Internet Gateway was added
lately, but I have not used this system for over a year and can't comment
on late updates.
To access your account information, you will need a PIN (or Password). In
addition, you will need a unique TAN (Transaction Number) for each
electronic transfer. Your bank will provide you with a list of TANs. Every
TAN can be used only once. A rather cumbersome system that requires you to
keep the TAN list next to the terminal (= security problem).
At 11:32 AM 2/3/97 -0500, you wrote:
>This story on hacking Quicken with ActiveX presents a few probs for me:
>
>Under what circumstances could such an ActiveX applet be hidden on a
>server that Quicken users are likely to access? How long would it be
>there before being accessed & disabled? How quickly could the money
>arrive at the hacker's account? CheckFree takes a minimum of 5 business
>days. This exploit would have to remain undetected for 5+ days in order
>to succeed. Is that likely?
>
>I'm using CheckFree with Quicken. It won't let you xfer money (i.e.,
>write a virtual check) w/o setting up an account. Normally, I also
>review outgoing transactions before I upload. A request to add a new
>account would stick out like a wart. Quicken also summarizes the type &
>number of xfers when you tell it to upload transactions. Is it possible
>to hide a request to create a new account such that it wouldn't be
>indicated in the dialogue box as a pending transaction? Even if you
>didn't review outgoing transactions like I do, you would see that you
>were creating a new account.
>
>You would see the transaction when you balanced your checkbook. In
>answer to the question "who checks every entry on their statements?"
>Virtually everyone! I'll bet 90% of the people using Quicken for their
>checking accts reconcile it regularly. It's so easy to do, it's silly not
>to. If you're not balancing your checkbook, you have no reasonable
>expectation of accuracy. If you're not following what your bank or
>CheckFree or your insurance company or your ISP or your cleaning service
>is regularly withdrawing from your bank & credit card accounts, then you
>shouldn't worry about obscure hacker attacks either.
>
>More hype. This works in a laboratory, but in practice, there are much,
>much easier ways to steal money.
>
>--
>Jay Heiser, 703-610-6846, jay@homecom.com
>Homecom Internet Security Services
>http://www.homecom.com/services/hiss
>For company & industry news...subscribe to newsletter@homecom.com
>
>
---- jullrich@xos.com ------- http://www.xos.com --------------
Johannes Ullrich
X-Ray Optical Systems, Inc. fax: (518) 442 5292
90 Fuller Rd. phone: (518) 442 3394
Albany, NY 12205 3362
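The PIN plus one-time TAN scheme described in the message above, as a constructed model (an added example, not code from the original post, and not the actual Btx/T-Online protocol; account number, PIN, TAN format, amounts and the rejection strings are all assumptions). It shows the property that matters for the Quicken/ActiveX discussion: a transfer injected into a client that already knows the PIN is still refused by the bank without an unused TAN, a replayed TAN is refused, and, as the message itself points out, a TAN taken from the list lying next to the terminal authorises a transfer exactly like the owner's.

```python
"""Constructed model of PIN + one-time TAN authorisation (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Transfer:
    to_account: str
    amount_dm: int
    pin: str
    tan: Optional[str] = None     # None models a transfer injected without a TAN


@dataclass
class BankAccount:
    # Assumed storage model: PIN and TANs kept only as salted hashes so a
    # server-side leak does not hand out usable TANs directly.
    number: str
    _pin_hash: bytes
    _salt: bytes
    _unused_tans: set[bytes] = field(default_factory=set)
    balance_dm: int = 1000
    ledger: list[tuple[str, int]] = field(default_factory=list)

    def _h(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 10_000)


def open_account(number: str, pin: str) -> BankAccount:
    acct = BankAccount(number, b"", secrets.token_bytes(16))
    acct._pin_hash = acct._h(pin)
    return acct


def issue_tan_list(account: BankAccount, n: int = 5) -> list[str]:
    """Bank generates n TANs, stores their hashes, mails the plaintext list."""
    tans = [f"{secrets.randbelow(10**6):06d}" for _ in range(n)]
    account._unused_tans.update(account._h(t) for t in tans)
    return tans


def view_balance(account: BankAccount, pin: str) -> Optional[int]:
    """Read-only access needs only the PIN (the 'Password' in the message)."""
    if not hmac.compare_digest(account._h(pin), account._pin_hash):
        return None
    return account.balance_dm


def execute_transfer(account: BankAccount, t: Transfer) -> str:
    """A transfer needs the PIN *and* an unused TAN; the TAN is burned on use."""
    if not hmac.compare_digest(account._h(t.pin), account._pin_hash):
        return "rejected: bad PIN"
    if t.tan is None:
        return "rejected: TAN required"
    tan_hash = account._h(t.tan)
    if tan_hash not in account._unused_tans:
        return "rejected: unknown or already used TAN"
    if t.amount_dm > account.balance_dm:
        return "rejected: insufficient funds"
    account._unused_tans.discard(tan_hash)   # one-time: consume before posting
    account.balance_dm -= t.amount_dm
    account.ledger.append((t.to_account, t.amount_dm))
    return "ok"


def demo() -> tuple[BankAccount, list[str]]:
    """Constructed scenario; all identifiers and amounts are made up."""
    acct = open_account("12345678", pin="4711")
    tans = issue_tan_list(acct, n=3)
    results = []
    # 1. Injected transfer: a trojaned client has seen the PIN but holds no TAN.
    results.append(execute_transfer(acct, Transfer("ATTACKER", 500, "4711")))
    # 2. Legitimate transfer using the first TAN from the paper list.
    results.append(execute_transfer(acct, Transfer("LANDLORD", 400, "4711", tans[0])))
    # 3. Replay of a TAN the attacker captured from the keyboard is refused.
    results.append(execute_transfer(acct, Transfer("ATTACKER", 100, "4711", tans[0])))
    # 4. The weakness named in the message: an unused TAN read off the list
    #    next to the terminal authorises a transfer like the owner would.
    results.append(execute_transfer(acct, Transfer("ATTACKER", 100, "4711", tans[1])))
    return acct, results


if __name__ == "__main__":
    account, outcome = demo()
    for line in outcome:
        print(line)
    print("balance:", account.balance_dm, "ledger:", account.ledger)
```

The model deliberately keeps the PIN check and the TAN check separate so the two failure modes in the thread are visible: stealing or capturing the PIN alone (what the injected Quicken transaction effectively relies on) gets read access and nothing else, while the TAN list is the real target, which is why leaving it next to the terminal is the security problem the message calls out.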