[oclug] A credit/debit card reader for the home ??
Bill Strosberg
oclug at strosberg.com
Wed Sep 30 14:26:00 EDT 2009
Greg wrote:
> Canadian Bankers Association will doubtless argue that the word,
> "mislead", has changed radically in the last few decades, and no longer
> includes the notion, 'willfully fail to lead'.
>
> It is important to ask, where and how Defence Intelligence Inc. obtained
> its data. Also, exactly what data it has, and whether that data infers
> strongly or weakly (or at all) the conclusions it asserts.
>
> It is prudent to assume that the Banks' security policies effectively
> cover (statistically) their needs and protect them (statistically) from
> outraged 'third parties'.
>
> OddSox wrote:
>
>> While we're on the subject of bank security, this report out today
>> looks a little troubling. The banks either have their heads in the
>> sand, or they're deliberately misleading consumers about how serious
>> this could be...
There has been a rush for a couple days for clients at the Royal Bank to
exchange debit cards and change PINs. I was in the bank yesterday and
three out of five people in line were there because they had received a
call from the bank's security group. The cover story was that the card
had been used in a location suspected of fraud - I didn't realize they
had been referring to themselves! I always cover my hand during PIN
entry, and never let the mag stripe out of my sight during a
transaction. If someone insists they need to do something with my card
that I can't see, I walk away from the transaction immediately.

Your PIN is never transmitted across the Internet during Canadian
transactions - at worst a checksum is.

I work in the banking industry doing communication security work, and
all the people I've met on the infosec side are good. The networks are
segregated and transactional data isn't simply merged with other
operational data. The problem is people, and as long as people are using
computers the best security policies, rules and procedures are useless.
Anyone with a phone can social engineer anyone up to a bank president to
tell them anything they want. "Hi, it's Bill from branch tech support -
I just talked to Joe Smith next door to you and he said you were off the
phone. I need you to do an important update on your computer - we've
had a security breach in your branch and we are going to be coming out
there tomorrow. I'll send you an email with the update link on it right
now so you know it is from internal security and not someone else ....
No, no, it's good you are asking to verify who I am ... call Don
Roberts at Branch Corporate Security and he'll vouch for me .... if you
check your caller ID, you see I'm calling from corporate (spoofing a
caller ID is hard isn't it?)". Nine times out of ten, they'll do
whatever they are told if you drop the right names and make the
situation time critical. Good social engineers pyramid knowledge from
multiple reconnaissance calls into enough credibility that they can
convince anyone to do anything.

Defence Intelligence could easily capture data being sent "home" by a
virus if they were passively monitoring an outside transit point or
gateway. I have no doubt they've done so and are reporting valid and
legally obtained data. It's not like it isn't common or difficult.
I've done this for clients - passively proving cases where security
policy was breached without touching a user's workstation.

I've had to deal with some cracked Windows boxes for clients recently
and I watched outbound trojan/hack data on Wireshark. I have to say
working with Windows, even XP is the most miserable, frustrating thing I
do to make money. Getting a Windows box working after it has been
compromised takes forever - wipe, O/S install, reboot, critical update,
reboot, service pack update, reboot ... critical security update, reboot
... on and on it goes. I fixed one for a friend recently, but he
doesn't get that just surfing with IE or reading mail with Outlook is
dangerous. Of course, he didn't keep it updated. I keep telling him to
buy a cheap "surfing/gaming/p0rn" computer and keep his CAD workstation
unconnected. It really isn't worth it to bother fixing a cracked box -
you can buy a new one for less than the hourly cost of time it takes to
fix it. It's hard telling clients that a new box is cheaper than fixing
the old.

Don't be so quick to discount how seriously banks take security problems
- if the losses go above a certain threshold, they get serious fast.
--
Bill
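The passive gateway monitoring Bill describes (watching outbound traffic at a transit point to spot a compromised box "phoning home") as an added example, not part of the original post. It assumes the gateway can export outbound connection records as (timestamp, source, destination, port, bytes) tuples; the flows below are constructed for the demonstration and the detection looks for the regular, low-jitter call-home pattern that malware beacons show and interactive browsing does not.

```python
"""Passive beacon detection over constructed outbound-connection records.

Added example, not code from the mailing-list post. It assumes a gateway
export of outbound flows as (timestamp_seconds, src, dst, dst_port, bytes_out)
tuples; SAMPLE_FLOWS is constructed for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: workstation 10.0.0.23 contacts 203.0.113.9
# (a documentation-range address) roughly every 60 seconds, while
# 10.0.0.24 does ordinary, bursty web browsing to 198.51.100.x.
SAMPLE_FLOWS = [
    (0,   "10.0.0.23", "203.0.113.9",  443, 512),
    (61,  "10.0.0.23", "203.0.113.9",  443, 530),
    (119, "10.0.0.23", "203.0.113.9",  443, 498),
    (181, "10.0.0.23", "203.0.113.9",  443, 520),
    (240, "10.0.0.23", "203.0.113.9",  443, 505),
    (301, "10.0.0.23", "203.0.113.9",  443, 515),
    (5,   "10.0.0.24", "198.51.100.7", 443, 1200),
    (9,   "10.0.0.24", "198.51.100.7", 443, 80000),
    (140, "10.0.0.24", "198.51.100.7", 443, 3000),
    (143, "10.0.0.24", "198.51.100.8", 80,  2100),
    (310, "10.0.0.24", "198.51.100.7", 443, 900),
]


def beacon_candidates(flows, min_events=5, max_cv=0.15):
    """Return [((src, dst, port), mean_gap, cv)] for regular call-home traffic.

    Regularity is scored by the coefficient of variation (stdev / mean) of
    the gaps between successive connections to the same destination. A
    beacon with a little jitter stays well below max_cv; human-driven
    browsing is bursty and scores far higher. Pairs with fewer than
    min_events connections are ignored to avoid flagging one-off traffic.
    """
    times = defaultdict(list)
    for ts, src, dst, port, _bytes_out in flows:
        times[(src, dst, port)].append(ts)

    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all connections in the same second: not a timed beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((key, round(avg, 1), round(cv, 3)))
    return hits


def outbound_volume(flows):
    """Total bytes sent per (src, dst); large totals hint at data leaving."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, bytes_out in flows:
        totals[(src, dst)] += bytes_out
    return dict(totals)


if __name__ == "__main__":
    for key, avg_gap, cv in beacon_candidates(SAMPLE_FLOWS):
        print(f"beacon-like: {key} every ~{avg_gap}s (cv={cv})")
    for pair, total in sorted(outbound_volume(SAMPLE_FLOWS).items(),
                              key=lambda item: -item[1]):
        print(f"volume: {pair} {total} bytes out")
```

Run against a real export, the two views complement each other: the beacon scorer catches the low-volume periodic traffic that volume-based review misses, and the volume summary catches a one-shot upload that never repeats. Both work entirely from gateway records, so nothing has to be installed on the suspect workstation.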