[oclug] A credit/debit card reader for the home ??
oclug at strosberg.com
Wed Sep 30 14:26:00 EDT 2009
> Canadian Bankers Association will doubtless argue that the word,
> "mislead", has changed radically in the last few decades, and no longer
> includes the notion, 'willfully fail to lead'.
> It is important to ask, where and how Defence Intelligence Inc. obtained
> its data. Also, exactly what data it has, and whether that data infers
> strongly or weakly (or at all) the conclusions it asserts.
> It is prudent to assume that the Banks' security policies effectively
> cover (statistically) their needs and protect them (statistically) from
> outraged 'third parties'.
> OddSox wrote:
>> While we're on the subject of bank security, this report out today
>> looks a little troubling. The banks either have their heads in the
>> sand, or they're deliberately misleading consumers about how serious
>> this could be...
There has been a rush for a couple days for clients at the Royal Bank to
exchange debit cards and change PINs. I was in the bank yesterday and
three out of five people in line were there because they had received a
call from the bank's security group. The cover story was that the card
had been used in a location suspected of fraud - I didn't realize they
had been referring to themselves! I always cover my hand during PIN
entry, and never let the mag stripe out of my sight during a
transaction. If someone insists they need to do something with my card
that I can't see, I walk away from the transaction immediately.
Your PIN is never transmitted across the Internet during Canadian
transactions - at worst a checksum is.
I work in the banking industry doing communication security work, and
all the people I've met on the infosec side are good. The networks are
segregated and transactional data isn't simply merged with other
operational data. The problem is people, as as long as people are using
computers the best security policies, rules and procedures are useless.
Anyone with a phone can social engineer anyone up to a bank president to
tell them anything they want. "Hi, it's Bill from branch tech support -
I just talked to Joe Smith next door to you and he said you were off the
phone. I need you to do an important update on your computer - we've
had a security breach in your branch and we are going to be coming out
there tomorrow. I'll send you an email with the update link on it right
now so you know it is from internal security and not someone else ....
No, no, it's good you are asking to verify who I am ... call Don
Roberts at Branch Corporate Security and he'll vouch for me .... if you
check your caller ID, you see I'm calling from corporate (spoofing a
caller ID is hard isn't it?)". Nine times out of ten, they'll do
whatever they are told if you drop the right names and make the
situation time critical. Good social engineers pyramid knowledge from
multiple reconnaissance calls into enough credibility that they can
convince anyone to do anything.
Defence Intelligence could easily capture data being sent "home" by a
virus if they were passively monitoring an outside transit point or
gateway. I have no doubt they've done so and are reporting valid and
legally obtained data. It's not like it isn't common or difficult.
I've done this for clients - passively proving cases where security
policy was breached without touching a user's workstation.
I've had to deal with some cracked Windows boxes for clients recently
and I watched outbound trojan/hack data on Wireshark. I have to say
working with Windows, even XP is the most miserable, frustrating thing I
do to make money. Getting a Windows box working after it has been
compromised takes forever - wipe, O/S install, reboot, critical update,
reboot, service pack update, reboot ... critical security update, reboot
... on and on it goes. I fixed one for a friend recently, but he
doesn't get that just surfing with IE or reading mail with Outlook is
dangerous. Of course, he didn't keep it updated. I keep telling him to
buy a cheap "surfing/gaming/p0rn" computer and keep his CAD workstation
unconnected. It really isn't worth it to bother fixing a cracked box -
you can buy a new one for less than the hourly cost of time it takes to
fix it. It's hard telling clients that a new box is cheaper than fixing
Don't be so quick to discount how seriously banks take security problems
- if the losses go above a certain threshold, they get serious fast.
More information about the OCLUG