On Sat, 16 Jul 2005, Colm MacCarthaigh wrote:
> I think you've completely missed the point. The main risks involved with
> online banking are not your sessions being intercepted and deciphered,
> but rather are to do with the security surrounding the endpoints.
> The biggest risks surround your client machine and web-browser. These
> range from the phishing attacks, browser cache misbehaviour, the
> SSL-transparent unicode DNS problems, to boxes being trojaned, keystroke
> loggers and all sorts of really common things like that.
Earlier in my life I took part in security evaluating the internet
security of a bank. If most banks have similar security I would be very
surprised if someone was capable of altering hardware on the bank's
premises.
The client PC, however, is another matter. At a later time I did a
simulated attack. Assuming that it was possible to sneak in software on
the client PC (through a worm, a bad web page or the like) I could log
keystrokes and grab the key file. Using this information I made a money
transfer from another PC.
This weakness is still found in most Danish banks.
A notable exception is Jyske Bank, which sends one time passwords to the
user by mail. The one time passwords are 80 numbers on a piece of paper
the same size as your credit card. The list is like: 01.ag 1923, 02.ry
3658, 03.ir 2873. When you want to do something in the bank you are asked
for a one time password (e.g. 02.ry). When most of your one time passwords
are used, a new list of one time passwords is sent to your physical
address.
Using this setup it is much harder to do an attack on the client. You
could do a man-in-the-middle, and do another transaction than the user
asked for. But you would have to falsify the electronic account statements
as well.
Further description of the attack is found at:
http://www.linux-kurser.dk/webbank-sikkerhed.html (in Danish only, sorry)
/Ole
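The indexed one-time-password card described in the post above, modelled from the bank's side as an added example (not code from the post or from any bank): the server keeps only hashes of the 80 codes, picks a random unused label such as "02.ry" as the challenge, accepts each code exactly once, and reports when a fresh list should be mailed. The card format, the 80-entry size and the "most used" reissue point (assumed here to be 80%) follow the post; the label/code generator and the threshold are constructed for the demo. The replay case shows why a keylogger capturing one label/code pair from a completed session gains nothing: a used label is never challenged again.

```python
"""Server-side model of an indexed one-time-password card (added example)."""
import hashlib
import hmac
import secrets
import string


def make_card(n=80):
    """Construct a demo card: label 'NN.xx' -> 4-digit code, mirroring the
    '01.ag 1923, 02.ry 3658, ...' layout in the post. Demo data only."""
    card = {}
    for i in range(1, n + 1):
        tag = "".join(secrets.choice(string.ascii_lowercase) for _ in range(2))
        card[f"{i:02d}.{tag}"] = f"{secrets.randbelow(10000):04d}"
    return card


class OtpCardServer:
    """Tracks one customer's card: hashed codes, used labels, pending challenge."""

    def __init__(self, card, reissue_fraction=0.8):
        # Store only digests so a database leak does not expose unused codes.
        self._hashes = {label: self._digest(code) for label, code in card.items()}
        self._used = set()
        self._pending = None
        self._reissue_fraction = reissue_fraction  # assumed threshold

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def challenge(self):
        """Pick a random label that has never been accepted; this is what the
        bank asks the customer for (e.g. '02.ry')."""
        unused = sorted(l for l in self._hashes if l not in self._used)
        if not unused:
            raise RuntimeError("card exhausted; a new list must be mailed")
        self._pending = secrets.choice(unused)
        return self._pending

    def verify(self, label, code):
        """Accept a code only for the currently pending label, once.
        The pending challenge is consumed on any outcome to limit guessing."""
        pending, self._pending = self._pending, None
        if pending is None or label != pending:
            return False
        ok = hmac.compare_digest(self._hashes[label], self._digest(code))
        if ok:
            self._used.add(label)
        return ok

    def remaining(self):
        return len(self._hashes) - len(self._used)

    def needs_reissue(self):
        """True once 'most' of the card is used and a new list should be posted."""
        return len(self._used) >= self._reissue_fraction * len(self._hashes)


def demo():
    """Walk through the cases a defender cares about; returns results for checking."""
    card = make_card()
    server = OtpCardServer(card)
    results = {}

    # 1. Genuine customer answers the challenge with the matching code.
    label = server.challenge()
    results["genuine"] = server.verify(label, card[label])

    # 2. A keylogger captured that (label, code) pair; replaying it later fails
    #    because the server now challenges a different, unused label.
    server.challenge()
    results["replay"] = server.verify(label, card[label])

    # 3. Right label, wrong code.
    label = server.challenge()
    wrong = f"{(int(card[label]) + 1) % 10000:04d}"
    results["wrong_code"] = server.verify(label, wrong)

    # 4. Use the card until the reissue point is reached.
    while not server.needs_reissue():
        label = server.challenge()
        server.verify(label, card[label])
    results["used_at_reissue"] = len(card) - server.remaining()
    return results


if __name__ == "__main__":
    print(demo())
```

The model deliberately does nothing about the man-in-the-middle case the post raises: a code is bound to a label, not to the transaction contents, so an attacker who controls the client can still substitute a different transfer behind a genuine challenge. Binding the challenge to the amount and destination account is the usual next step.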