To add to this thread, I was driving through a well known Canadian Bank's
(that has now merged with a well known other institution) drive thru
ATM one day when the branch was closed.  The office that was directly
behind the ATM (with all window coverings open to allow complete viewing
of the inside office) was that of the manager (nameplate on the open
door).  

The Manager's computer was on his/her desk and the monitor was facing
out, in direct view of anyone using the ATM machine. It thus would have
also been in view of anyone who would stand outside the window and watch
the manager type his/her password in on the keyboard (also plainly visible
from the same vantage point).  Now from experience I have noticed that
most bank managers do not have extremely fast typing skills so one may
have been able to just watch what keys were punched and "voila" one now
has the password of the branch manager. If by chance the person had good
and fast keyboarding skills, then all one would have to do is just video
the typing in and look at such in slowmo to get the password.  Now imagine
one who would have the skills to "snoop" on you banking on the internet,
can't you just imagine what this same person could do with the branch
manager's password. Forget yours!

The banking industry may have done well to make the use of a browser
that uses 128 bit encryption almost mandatory for internet banking, but
without basic physical security precautions at the local branch where
your account is held, "the gates are open" through another door.  If
one was really interested in your money and that of others, they would
find the easiest way and the above poor example of computer location
within an office is definitely one.  Why try to break 128 bit encryption
and just get one person's password to one account when doing the above
gives one the "vault".

D. Levenick
IS Security Instructor/Practitioner

---- "Burton M. Strauss III" <[EMAIL PROTECTED]> wrote:
> If all you had to worry about is
> 
> "Many people would be able to view my transactions such as employees from
> the bank and IT personnel. They would also have access to my account. In
> fact, anybody just by calling the bank on the phone, with my personal
> details would be able to access my account over the phone."
> 
> then get over it.  All of that is available today, without adding internet
> banking into the mix.
> 
> Don't believe me?  With just somebody's account number, you can usually call
> the bank branch and ask "I have a check from xyz for $000, and wanted to
> make sure funds are available before I deposit it".  They will usually
> confirm it for you right over the phone, no ?s asked.  They won't tell you
> how much is in the account, but they will say "yes funds are available" or
> "no".  With a couple of calls (asking about a mythical $250, $500 and then
> $2500 check) to different branches of the bank, you can get a pretty good
> idea how much is on deposit.
> 
> Most banks require you to have 128-bit security on your browser.  Is that
> secure?  Maybe - it's certainly beyond the ability of casual crackers to
> break.  Three letter agencies?  That may be a different story, but for the
> majority of us, we're probably not of interest to them (or more precisely if
> we are of interest to them, we have much bigger problems than internet
> banking issues).
> 
> Does "Internet" banking - whatever that means to your bank and software
> provider - place confidential information in other places?  Probably.
> 
> Quicken and CheckFree (their service provider) have account and payee
> information for anybody I've paid electronically.  My transactions route
> through Quicken's software to the various banks, credit cards, etc.
> Transactions route back from these companies through Quicken to my PC.  Does
> this mean that Quicken and/or CheckFree have my account # and other personal
> information on their servers?  Certainly.
> 
> Is the in-flight transaction information encrypted?  Yes.  Is it secure
> enough (say triple DES or something else with a real history and analysis
> behind it)(i.e. not ROT-13)?  ASK!
> 
> Are legal protections in place?  Maybe - depends on your country's laws and
> the specifics of the transaction (i.e. US law makes a distinction between
> credit and debit card purchases).
> 
> A lot of banks/credit card companies, etc. extend protection beyond the
> statutory requirements to make customers "feel good" about using their
> products (XYZ bank's: "use our debit card and be 100% protected from
> fraud")?  Yes.  Are these worth anything?  Maybe...
> 
> Would taking advantage of those protections be a pain if necessary?  Yes!
> 
> Could somebody crack into the server and steal lists of accounts?  Sure.
> And we've all seen news stories about it... And that's much easier to do
> than trying to intercept your transaction to the local water utility...
> 
> Buying online almost certainly puts your credit card # in places that could
> be vulnerable.  Mom&Pop storefronts go online via a few canned scripts,
> never updated and don't realize how vulnerable they are...
> 
> Banking online will also put banking information in places that could be
> vulnerable.  The difference?  Banks know that they are targets, and have
> long experience being targets.  They have security officers, formal
> policies, etc.  Does that make banks more secure?  Doubtful...  Willy Sutton
> (http://www.fbi.gov/fbinbrief/historic/famcases/sutton/sutton.htm) said it
> best... (When asked why he robbed banks, Sutton simply replied, "Because
> that's where the money is.")
> 
> Suggestions:
> 
> 1. READ the security policy posted by the bank, credit card, whatever (e.g.
> https://www.bankofamerica.com/signin/index.cfm?template=security_details.cfm)
> 
> 2. READ the privacy policy (continuing to pick on BofA just because I have
> their page up: http://www.bankofamerica.com/privacy/)
> 
> If you decide to go ahead - and I think you have to realistically look at
> the risks/rewards and make an informed and very personal decision.
> 
> 3. Start small - just like people needed to make a few credit card purchases
> to get comfortable, sign up and put only ONE account on-line.
> 
> 4. Get a separate credit card account and use ONLY that one online.  Some
> credit card companies even issue "on-line only" cards that don't have a mag
> strip on the back, so they can't be used in stores.  Keep the limit small -
> resist the temptation to have a $100,000 line of credit!
> 
> 5. Monitor account usage - read your credit card/bank statement when it
> comes in and call if there is ANYTHING you don't understand or remember.  It
> could be that the book store in the next town over has a funny name or uses
> a merchant processing service you don't understand.  Or it could be fraud -
> that $19.95 - is it your ISP or an "online newsletter subscription" you
> never ordered???
> 
> Ultimately it's a personal decision. You'll have to balance some very real
> (and also unknown!) risks against the convenience and protections available.
> 
> -----Burton
> 
> -----Original Message-----
> From: Jasmine Sim [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 10, 2002 1:23 AM
> To: [EMAIL PROTECTED]
> Subject: Security Issues on Internet Banking
> 
> Hi!
> 
> I wish to get some views and expertise on the security
> issues of using Internet Banking.
> 
> As a user, I see the benefits of having the
> convenience of being able to see my transactions
> online and paying my monthly bills without physically
> leaving my home.
> 
> However, I know a lot of people are still not able to
> accept this concept.  And I do understand their
> concerns on the security issue that is involved.  I can
> roughly visualise how many people would be involved
> in the process.  Many people would be able to view
> my transactions such as employees from the bank
> and IT personnel. They would also have access to
> my account. In fact, anybody just by calling the bank
> on the phone, with my personal details would be able
> to access my account over the phone. The idea of
> banking over the Internet is scary.
> 
> One would like to think that it is safe to do my banking
> on the Internet.  However, is it?  Is it safe for one to do
> banking over the Internet? What are the security
> issues involved? What measures can one take
> in order to improve the security while doing
> internet banking?
> 
> I was wondering if anybody would be able to provide
> their expertise and explain the process for me.  I
> would also like to hear views or comments on the
> idea of using Internet Banking.
> 
> Thanks!
> 
> Jasmine
> 