On Sat, 16 Jul 2005, Colm MacCarthaigh wrote:
> I think you've completely missed the point. The main risks involved with
> online banking are not your sessions being intercepted and deciphered,
> but rather are to do with the security surrounding the endpoints.
>> The biggest risks surround your client machine and web-browser. These
> range from the phishing attacks, browser cache misbehaviour, the
> SSL-transparent unicode DNS problems, to boxes being trojaned, keystroke
> loggers and all sorts of really common things like that.
Earlier in my life I took part in security evaluating the internet
security of a bank. If most banks have similar security I would be very
surprised if someone was capable of altering hardware on the bank's
The client pc, however, is another matter. At a later time I did a
simulated attack. Assuming that it was possible to sneak in software on
the client pc (through a worm, a bad web page or the like) I could log
keystrokes and grab the key file. Using this information I made a money
transfer from another pc.
This weakness is still found in most Danish banks.
A notably exception is Jyske Bank, which sends one time passwords to the
user by mail. The one time passwords are 80 numbers on a piece of paper
the same size of your credit card. The list is like: 01.ag 1923, 02.ry
3658, 03.ir 2873. When you want to do something in the bank you are asked
for a one time password (eg. 02.ry). When most of your one time passwords
are used, a new list of one time passwords are sent to your physical
Using this setup it is much harder to do an attack on the client. You
could do a man-in-the-middle, and do another transaction than the user
asked for. But you would have to falsify the electronic account statements
Further description of the attack is found at:
http://www.linux-kurser.dk/webbank-sikkerhed.html (in Danish only, sorry)
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!