[oclug] A credit/debit card reader for the home ??

Greg sphex at sympatico.ca
Wed Sep 30 15:56:16 EDT 2009


Bill Strosberg wrote [full text below]:

> Defence Intelligence could easily capture data being sent "home" by a
> virus if they were passively monitoring an outside transit point or
> gateway.  I have no doubt they've done so and are reporting valid and
> legally obtained data.  It's not like it isn't common or difficult.
> I've done this for clients - passively proving cases where security
> policy was breached without touching a user's workstation.

Are you saying DI's contracts with the banks lacked Non-Disclosure
clauses?  Or are you saying the banks hired it to engage in a phony
controversy?  Did the banks forget to control the data DI captured, or
did the banks hire DI to publish precisely the data and disputable
conclusions which it did?

> Don't be so quick to discount how seriously banks take security problems
> - if the losses go above a certain threshold, they get serious fast.

I was neither quick nor slow to discount the banks' seriousness.
I said we should assume they cover their own needs, not ours.

Greg wrote [in part]:

>> It is prudent to assume that the Banks' security policies effectively
>> cover (statistically) their needs and protect them (statistically) from
>> outraged 'third parties'.

I do not know anybody who disputes that banks take security seriously.
I do not think anybody should dispute that banks conduct cost/benefit
analyses... especially not the banks themselves.
Nor should anybody believe "customer" is a synonym for "owner".


Greg


Bill Strosberg wrote:
> Greg wrote:
> 
>> Canadian Bankers Association will doubtless argue that the word,
>> "mislead", has changed radically in the last few decades, and no longer
>> includes the notion, 'willfully fail to lead'.
>>
>> It is important to ask, where and how Defence Intelligence Inc. obtained
>> its data.  Also, exactly what data it has, and whether that data infers
>> strongly or weakly (or at all) the conclusions it asserts.
>>
>> It is prudent to assume that the Banks' security policies effectively
>> cover (statistically) their needs and protect them (statistically) from
>> outraged 'third parties'.
>>
>> OddSox wrote:
>>
>>> While we're on the subject of bank security, this report out today
>>> looks a little troubling. The banks either have their heads in the
>>> sand, or they're deliberately misleading consumers about how serious
>>> this could be...
> 
> There has been a rush for a couple days for clients at the Royal Bank to
> exchange debit cards and change PINs.  I was in the bank yesterday and
> three out of five people in line were there because they had received a
> call from the bank's security group.  The cover story was that the card
> had been used in a location suspected of fraud - I didn't realize they
> had been referring to themselves!  I always cover my hand during PIN
> entry, and never let the mag stripe out of my sight during a
> transaction.  If someone insists they need to do something with my card
> that I can't see, I walk away from the transaction immediately.
> 
> Your PIN is never transmitted across the Internet during Canadian
> transactions - at worst a checksum is.
> 
> I work in the banking industry doing communication security work, and
> all the people I've met on the infosec side are good.  The networks are
> segregated and transactional data isn't simply merged with other
> operational data.  The problem is people, and as long as people are using
> computers the best security policies, rules and procedures are useless.
> Anyone with a phone can social engineer anyone up to a bank president to
> tell them anything they want.  "Hi, it's Bill from branch tech support -
> I just talked to Joe Smith next door to you and he said you were off the
> phone.  I need you to do an important update on your computer - we've
> had a security breach in your branch and we are going to be coming out
> there tomorrow. I'll send you an email with the update link on it right
> now so you know it is from internal security and not someone else ....
> No, no, it's good you are asking to verify who I am ...  call Don
> Roberts at Branch Corporate Security and he'll vouch for me .... if you
> check your caller ID, you see I'm calling from corporate (spoofing a
> caller ID is hard isn't it?)".  Nine times out of ten, they'll do
> whatever they are told if you drop the right names and make the
> situation time critical.  Good social engineers pyramid knowledge from
> multiple reconnaissance calls into enough credibility that they can
> convince anyone to do anything.
> 
> Defence Intelligence could easily capture data being sent "home" by a
> virus if they were passively monitoring an outside transit point or
> gateway.  I have no doubt they've done so and are reporting valid and
> legally obtained data.  It's not like it isn't common or difficult.
> I've done this for clients - passively proving cases where security
> policy was breached without touching a user's workstation.
> 
> I've had to deal with some cracked Windows boxes for clients recently
> and I watched outbound trojan/hack data on Wireshark.  I have to say
> working with Windows, even XP is the most miserable, frustrating thing I
> do to make money.  Getting a Windows box working after it has been
> compromised takes forever - wipe, O/S install, reboot, critical update,
> reboot, service pack update, reboot ... critical security update, reboot
> ... on and on it goes.  I fixed one for a friend recently, but he
> doesn't get that just surfing with IE or reading mail with Outlook is
> dangerous.  Of course, he didn't keep it updated.  I keep telling him to
> buy a cheap "surfing/gaming/p0rn" computer and keep his CAD workstation
> unconnected.  It really isn't worth it to bother fixing a cracked box -
> you can buy a new one for less than the hourly cost of time it takes to
> fix it.  It's hard telling clients that a new box is cheaper than fixing
> the old.
> Don't be so quick to discount how seriously banks take security problems
> - if the losses go above a certain threshold, they get serious fast.
> 
> -- 
> Bill
> 
> 

-- 
Lots of people believe in freedom of choice,
especially the freedom of others to choose to do what they are told.
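
[Editor's note, not part of either message above.] Bill's quoted points about passively catching data "sent home" by a virus at a gateway, and about watching outbound trojan traffic in Wireshark, can be made concrete without touching any workstation: a timer-driven implant contacts the same outside address at nearly constant intervals, and that regularity is visible in nothing more than flow records (timestamps, source, destination, port) exported from the gateway. The following is an added example, not code from the thread, Defence Intelligence, or any bank. The flow records are constructed inline; the internal address ranges, the 5-minute period, the jitter tolerance (`max_cv`) and the minimum event count (`min_events`) are assumptions chosen for illustration.

```python
"""Passive "phone home" (beacon) detection over gateway flow records.

Added example. It assumes flow records of the kind a gateway tap or flow
exporter yields (here constructed inline) and flags inside->outside series
whose inter-arrival times are evenly spaced, i.e. driven by a timer rather
than by a person.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Networks treated as "inside" the gateway. Assumption for this example; a
# real deployment takes these from the site's addressing plan. Note that
# ipaddress.is_private would also call the RFC 5737 documentation ranges
# used below private, so an explicit list is used instead.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

BASE = 1254340000  # arbitrary epoch base for the constructed records

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_from_src)
SAMPLE_FLOWS = (
    # 10.0.1.23 contacts 203.0.113.45:443 roughly every five minutes (jitter of a few seconds)
    [(BASE + off, "10.0.1.23", "203.0.113.45", 443, 512)
     for off in (0, 300, 602, 900, 1201, 1499, 1800, 2102)]
    # the same host browsing a web server at irregular, human-looking intervals
    + [(BASE + off, "10.0.1.23", "198.51.100.10", 80, 1400)
       for off in (0, 15, 400, 430, 1900, 1905)]
    # internal file-share traffic; never leaves the gateway, so ignored
    + [(BASE + off, "10.0.1.23", "10.0.0.5", 445, 9000)
       for off in (10, 310, 610, 910, 1210)]
    # a second host that contacted the suspect address only twice: too few to judge
    + [(BASE + off, "10.0.1.40", "203.0.113.45", 443, 512) for off in (50, 350)]
)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_series(flows):
    """Group inside->outside flows by (src, dst, port); return sorted timestamps per key."""
    series = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            series[(src, dst, port)].append(ts)
    return {key: sorted(tss) for key, tss in series.items()}


def interval_stats(timestamps):
    """Mean inter-arrival gap and its coefficient of variation (pstdev / mean).

    A CV near zero means the contacts are evenly spaced; browsing and other
    human-driven traffic produces gaps that vary by far more than the mean.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    period = mean(gaps)
    cv = pstdev(gaps) / period if period else float("inf")
    return period, cv


def find_beacons(flows, min_events=5, max_cv=0.2):
    """Return (src, dst, port, mean_period_s, cv) for series that look like
    periodic call-backs. min_events avoids judging on one or two gaps;
    max_cv is the tolerated jitter relative to the period (both assumed)."""
    hits = []
    for (src, dst, port), tss in outbound_series(flows).items():
        if len(tss) < min_events:
            continue
        period, cv = interval_stats(tss)
        if cv <= max_cv:
            hits.append((src, dst, port, round(period, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, port, period, cv in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} every ~{period}s (cv={cv})")
```

Run as-is, the only series reported is 10.0.1.23 to 203.0.113.45:443 with a period of about 300 s; the browsing series is rejected by its jitter, the file-share traffic never crosses the gateway, and the two-event series is below `min_events`. The same logic applies to a Wireshark capture exported with `tshark -T fields`, and an implant that randomises its sleep will need a looser `max_cv` or a different feature (constant payload size, for instance) to stand out.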
