[4286] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Robert Sheehy)
Fri Feb 7 14:56:10 1997
From: "Robert Sheehy" <rsheehy@ac4.jjc.cc.il.us>
To: skat@flask.com, WWW-SECURITY@ns2.rutgers.edu
Date: Fri, 7 Feb 1997 11:50:41 -0600
Errors-To: owner-www-security@ns2.rutgers.edu
Responding to the message of Thu, 6 Feb 1997 22:35:57 +0000 ()
from Shin Katsumata <skat@flask.com>:
>
> Why bother with certificates and Active-X, write a virus that inserts the
> transaction into Quicken, better return on investment. I like blaming MS
> for the problems, but maybe Intuit needs to fix this problem.
Fixing Quicken would just be taking care of the symptoms, not the actual
problem. Ok, so money could be transferred, you fix Quicken, then that
program would be ok, but the basic problem would still remain. How do you
keep it from formatting the hard drive? Gathering up personal information
from files stored on the hard drive?
How about if a keyboard character catcher is installed on the system by an
ActiveX program, and then the keyrecorder file is sent every so often to
someone (even through anon e-mail), then a fund transfer could be done WITH
the pin, if they could identify it! And then it wouldn't matter WHAT
program was used (a clone of quicken for example, slowin :). If both
quicken and slowin required a pin to be entered, the keyboard catcher would
get it.
Fixing the symptoms is not the answer. Quicken is not the problem, ActiveX
is. Also it seems to me that all the problems with ActiveX would also
translate into problems with Java, but so far it seems to have gone
unmentioned!
Rob