RE: Bank pen test

From: Craig Wright (cwright@bdosyd.com.au)
Date: Wed Mar 08 2006 - 03:45:02 EST


Just to procrastinate from what I should be doing...
 
Jon Stated..."In terms of media value, its pretty much infinite. A bank or other
financial organization will tend to do whatever it can to avoid any kind
of negative press, especially as it relates to integrity/confidentiality
breaches, as long as the cure wouldn't bankrupt them too."
 
The issue is that the public have short memories.
 
Citibank have been compromised a number of times. The "recent" ATM etc issue with Citibank (and they are an example - one of many so nothing personal against Citibank) is an example that goes back to 2002.
See http://cryptome.org/citi-ban.htm
 
In addition Citibank have stopped a large number of merchants and ATMs due to "suffering a series of fraudulent cash withdrawals ".
 
>From the "Big 4" Australian Banks, there have been numerous phishing scams, card issues and the list goes on. Many of the banks only just updated the links from DES shared key in Dec 05 and only as they had to by law (some have missed this date and are in breach).
 
Westpac (http://www.westpac.com.au) has created a click pad for online banking to defeat trojans, but has developoed this in Java script and the algorithim is in the clear (and still at the moment is this way). There are higher end alternatives - but if you have a $25,000 transfer limit...
 
The "spin" is also mostly FUD. NAB and Westpac have both come out stating that "numerous Asian customers have had their fingers cut off because of biometrics" as a justification to why they would not consider this. This does not explain ALL the other forms and infact any "good" biometric will detect a dead finger. Further, people get kidnapped for their pins, does this mean that we all forget security?
 
So I put less value into the publicity cost (as percieved by banks) than you. It costs less to hire a PR firm and "spin" than to fix many issues.
 
Regards
Craig

        -----Original Message-----
        From: Jon Gucinski [mailto:Jgucinski@midwestbank.com]
        Sent: Wed 8/03/2006 8:46 AM
        To: pen-test@securityfocus.com
        Cc:
        Subject: RE: Bank pen test
        
        
         

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:38 EDT