Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Bank pen test

from [Craig Wright] Network Security [Permanent Link]
Subject: RE: Bank pen test
Date: Wed, 8 Mar 2006 19:45:02 +1100 

Just to procrastinate from what I should be doing...
 
Jon Stated..."In terms of media value, its pretty much infinite.  A bank or 
other
financial organization will tend to do whatever it can to avoid any kind
of negative press, especially as it relates to integrity/confidentiality
breaches, as long as the cure wouldn't bankrupt them too."
 
The issue is that the public have short memories.
 
Citibank have been compromised a number of times. The "recent" ATM etc issue 
with Citibank (and they are an example - one of many so nothing personal 
against Citibank) is an example that goes back to 2002.
See http://cryptome.org/citi-ban.htm
 
In addition Citibank have stopped a large number of merchants and ATMs due to 
"suffering a series of fraudulent cash withdrawals ". 
 

From the "Big 4" Australian Banks, there have been numerous phishing scams, 
card issues and the list goes on. Many of the banks only just updated the 
links from DES shared key in Dec 05 and only as they had to by law (some have 
missed this date and are in breach).

 
Westpac (http://www.westpac.com.au) has created a click pad for online banking 
to defeat trojans, but has developoed this in Java script and the algorithim is 
in the clear (and still at the moment is this way). There are higher end 
alternatives - but if you have a $25,000 transfer limit...
 
The "spin" is also mostly FUD. NAB and Westpac have both come out stating that 
"numerous Asian customers have had their fingers cut off because of biometrics" 
as a justification to why they would not consider this. This does not explain 
ALL the other forms and infact any "good" biometric will detect a dead finger. 
Further, people get kidnapped for their pins, does this mean that we all forget 
security?
 
So I put less value into the publicity cost (as percieved by banks) than you. 
It costs less to hire a PR firm and "spin" than to fix many issues. 
 
Regards
Craig

        -----Original Message----- 
        From: Jon Gucinski [mailto:Jgucinski@midwestbank.com] 
        Sent: Wed 8/03/2006 8:46 AM 
        To: pen-test@securityfocus.com 
        Cc: 
        Subject: RE: Bank pen test
        
        
         


Liability limited by a scheme approved under Professional Standards Legislation 
in respect of matters arising within those States and Territories of Australia 
where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If 
you are not the intended recipient, you must not use or disclose the 
information. If you have received this email in error, please inform us 
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the 
email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may 
not rely on this message as advice unless it has been electronically signed by 
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments 
due to viruses, interference, interception, corruption or unauthorised access.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Vulnerability discovered on Lotus Domino server "admin4.nsf", jalvare7
Next by Date:  Re: Vulnerability discovered on Lotus Domino server "admin4.nsf", jalvare7
Previous by Thread:  RE: Bank pen test, Craig Wright
Next by Thread:  RE: Bank pen test, Craig Wright
Indexes:  [Date] [Thread] [Top] [All Lists]