Re: limits of end-user "testing"
From: Andrew van der Stock (vanderajgreebo.net)
Date: Thu Nov 17 2005 - 06:17:03 CST
This is my day job. ;)
As a warning to anyone reading this who doesn't know any better,
Internet Banking sites are the most closely watched systems at most
banks, so whatever you do, do not tackle them in an effort to
determine if they are secure or not. Not only is tackling them for
impromptu penetration tests illegal in most countries, it's a really
The best way to determine if a site is secure is to ask the bank what
they will do:
a) if money is transferred using IB without your permission, say via
b) if money is transferred by others using faults in the software
If they are a good bank, they will be upfront and honest about how to
go about reporting such fraud and how to get all your money back.
Sometimes, they will limit your losses to $50, but most banks will
simply wear this as a goodwill gesture. Find out. As a consumer,
this is all you really need to know.
Generally, most banks are able to reverse transactions if the money
has not left their own bank. Once it hits SWIFT (International
payments) or the domestic payments systems, banks have less control
and some are reluctant to chase these funds. These are the bad
banks, and you should avoid them if they don't guarantee your money
back, even if you do the right thing by the bank.
Personally, I'd be looking for places that:
a) have two factor transaction signing (SMS or token based) to
prevent unauthorized transfers via phishing
b) have reasonable terms and conditions (such as notify us early, and
you'll pay only the first $50 or better)
c) if you have to use passwords to sign on with, the passwords should
be allowed to be really long (so you can use pass phrases) and you
can change them easily
I don't think two factor sign on authentication is much of a win
against phishing, but it's better than passwords when you have to use
potentially trojan'd or untrustworthy computers.
At the end of the day, banks know they have the potential to lose a
great deal of consumer trust through faults in these systems, and so
they usually pay a lot of attention to their design, implementation,
testing, and operational security. I know this is true of all the banks
I've worked at in Australia (and that's almost all of the majors and
two of the minors). Maybe because I know first hand how good they
are, I trust internet banking over any other channel, as I believe it
to be the safest, lowest risk channel available to me.
On 17/11/2005, at 2:19 AM, Jeff Robertson wrote:
> People occasionally ask me if I can help them figure out if the online
> banking site they use is secure. I tell them not unless the bank
> hires me to do so.
> Is there *anything* that an end user can do in the way of checking
> for the Top 10 type of problems, that would be considered "fair use"
> (I know.. copyright law term, not really applicable here) or
> "self-defense" rather than malicious?
> For purposes of simplicity and relevance to my current location,
> let's assume that both the user, the website, and the company that
> owns the site are all in the U.S.
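The distinction Andrew draws above, between two-factor sign-on (which proves only that the user was present at login) and two-factor transaction signing (where the code is computed over the payee and amount), is easy to see in code. The following is an added example, not code from the original post or from any bank: it models a trojan or phishing proxy that relays the customer's session but rewrites the destination account, and shows that a login-only OTP still lets the tampered transfer through while a transaction-bound code does not. The scheme (HMAC-SHA256 over the transfer fields, truncated to eight digits like an SMS code), the shared token secret, the account numbers and all function names are assumptions for illustration.

```python
"""Login-only one-time codes versus transaction signing.

Added example, not part of the original post or any bank's system. The
scheme (HMAC-SHA256 over the canonical transfer fields, truncated to eight
decimal digits), the shared secret, the account numbers and the counter
value are all constructed for illustration.
"""
import hmac
import hashlib
from dataclasses import dataclass

# Secret shared between the bank and the customer's token (constructed).
TOKEN_SECRET = b"constructed-token-seed-0123456789"


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_cents: int


def canonical(t: Transfer) -> bytes:
    # Fixed field order and separator so both sides MAC identical bytes.
    return f"{t.from_account}|{t.to_account}|{t.amount_cents}".encode()


def _eight_digits(mac: bytes) -> str:
    # Truncate the MAC to something a person can read off a token or SMS.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def login_code(secret: bytes, counter: int) -> str:
    """Sign-on OTP: depends only on a counter, never on what is transferred."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _eight_digits(mac)


def transaction_code(secret: bytes, t: Transfer) -> str:
    """Transaction-signing code: bound to source, destination and amount."""
    mac = hmac.new(secret, canonical(t), hashlib.sha256).digest()
    return _eight_digits(mac)


def bank_accepts_login_otp(secret: bytes, counter: int,
                           submitted_code: str, t: Transfer) -> bool:
    # Bank with sign-on 2FA only: checks the OTP and never looks at `t`.
    return hmac.compare_digest(submitted_code, login_code(secret, counter))


def bank_accepts_signed_transfer(secret: bytes, submitted_code: str,
                                 t: Transfer) -> bool:
    # Bank with transaction signing: recomputes the code over the transfer
    # it is actually about to execute, so a swapped payee changes the code.
    return hmac.compare_digest(submitted_code, transaction_code(secret, t))


def attacker_swaps_destination(intended: Transfer, mule: str) -> Transfer:
    # A trojan or phishing proxy relays the session but rewrites the payee.
    return Transfer(intended.from_account, mule, intended.amount_cents)


def demo():
    """Returns (login_only_accepted, signed_tampered_accepted, signed_honest_accepted)."""
    intended = Transfer("12-3456-7890", "98-7654-3210", 50_000)  # $500.00
    tampered = attacker_swaps_destination(intended, "11-1111-1111")

    # Customer signs on with a login OTP; the attacker relays it unchanged
    # and submits the tampered transfer inside the authenticated session.
    otp = login_code(TOKEN_SECRET, counter=42)
    login_only = bank_accepts_login_otp(TOKEN_SECRET, 42, otp, tampered)

    # Customer's token signs the transfer they actually see (the intended
    # payee); the attacker relays that code together with the tampered payee.
    code = transaction_code(TOKEN_SECRET, intended)
    signed_tampered = bank_accepts_signed_transfer(TOKEN_SECRET, code, tampered)
    signed_honest = bank_accepts_signed_transfer(TOKEN_SECRET, code, intended)
    return login_only, signed_tampered, signed_honest


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The example only holds up if the customer can see what they are signing: the token or SMS has to display the payee and amount it is computing the code over, which is exactly what a sign-on OTP never does.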