Bank Of Montreal Online Security


mrto...@gmail.com

Oct 26, 2012, 3:07:58 PM
to securit...@securityfocus.com
It's come to my attention that the Bank Of Montreal online security is shockingly lax. First of all, regardless of your password length, it only cares about the first six characters. Even more insane is that it doesn't matter what case the letters are; it will allow you access all the same.

On top of this, there's a bug in the iPhone app which will not allow you to unsave your card number.

It's a good thing they guarantee 100% of your money against fraudulent transfers, because it's only a matter of time.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Trey Keifer

Oct 29, 2012, 10:05:49 AM
to mrto...@gmail.com, securit...@securityfocus.com
Have you sent an email to the secu...@bmo.com address first?


--
Trey Keifer – President/CEO
WireHarbor Security, Inc.
http://www.wireharbor.com/
4064 N. Lincoln Ave, #431
Chicago, IL. 60618
Office: 847.239.5626 ext. 101
Fax: 847.239.5624
Follow us on Twitter: twitter.com/wireharbor
"Like" us on Facebook: facebook.com/wireharbor

hank...@gmail.com

Oct 29, 2012, 12:26:33 PM
to securit...@securityfocus.com
I take it that your money is not invested with the bank. Perhaps you might have thought about publishing this in an open forum if it was?

Alexander A. Kelner

Oct 29, 2012, 4:19:34 PM
to securit...@securityfocus.com

> From: listb...@securityfocus.com [mailto:listb...@securityfocus.com] On
> Behalf Of mrto...@gmail.com
> Sent: Friday, October 26, 2012 2:08 PM
> To: securit...@securityfocus.com
> Subject: Bank Of Montreal Online Security
>
> It's come to my attention that the Bank Of Montreal online security is
> shockingly lax. First of all regardless of your password length, it only
> cares about the first six characters. Even more insane is it doesn't matter
> what case of the letters are, it will allow you access all the same.
>
> On top of this, theres a bug in the iPhone app which will not allow you to
> unsave your card number.
>
> Its a good thing they guarantee 100% of your money against fraudulent
> transfers, because its only a matter of time.

Hello.

IMHO the "shocking laxity" is not as obvious as it may appear at first
approach.

Six chars give us about (26+10)^6 = 2 billion possible passwords.
If their server is smart enough to allow as few as 1 authentication attempt
per second for the same account, then you will spend some hundreds of years
trying to brute force it.

BUT! The short password can be easily memorized, while the long password must
be recorded somewhere (sometimes in a very inappropriate place), and then may
be stolen. Which password length is more secure - that is a question.





---
Alexander A. Kelner
Senior engineer
CT Network Operation Center
RosTelecom - Bryansk

Alexander Meesters

Oct 30, 2012, 7:55:47 AM
to Alexander A. Kelner, securit...@securityfocus.com
I don't think brute-force is the issue here. Most likely an attack on such a system would be by SQL injection; once they have the credentials it's easy enough to utilize rainbow tables in order to get a usable password.

Although it's unlikely a bank would use an unsafe hashing algorithm like MD5 or SHA-1, the rainbow tables available today for those algorithms are up to 12 characters in length.

IMHO they, and for that matter everybody, are far better off using pass-phrases, for example: "i do not like waffles", or "my 2 grand kids are awesome!"
It's both easily memorable and tough to crack, and far exceeds any available rainbow table out there!

just my 2 cents,

Alex

Davin Enigl

Oct 30, 2012, 10:50:08 AM
to securit...@securityfocus.com
" . . .Bank Of Montreal online security is shockingly lax. First of all
regardless of your password length, it only cares about the first six
characters. Even more insane is it doesn't matter what case of the
letters are, it will allow you access all the same."

This is "old news".

1. This is not a secret. All (yes, all) banks using old UNIX systems do
this. It's the normal limitation of those UNIX systems. Although I
admit most use 8 characters, which is better than 6. There is also
usually a three-password error lockout to discourage guessing -- a
saving grace. But yes, there is no case-sensitivity and passwords are
truncated to 6-9 characters. Example: Wells Fargo also does the same
thing, the last I checked.

2. I'm surprised people on this list do not know this.

3. Bank password procedures *should* not be a secret. They should be
published by the bank. This also applies to every on-line system that
uses passwords.

4. Fix the system if you think it needs fixing.

5. Hiding flaws ensures it will *not* be fixed any time soon. I am glad
someone is disclosing this, but experienced security people already know
this.

6. Delay in fixing flaws virtually ensures that hackers will find it
first. Look at the U.S. government: 70+ agencies have had data loss. How much
was encrypted? 0%.

7. How about hashing passwords with a user-specific salt and then again
with a corporate-server salt? How many do this? It's supposed to be Best
Practice, yet . . . Example: IEEE didn't (did you see their breach?) - yet
they CLAIMED they were observing best practice -- Wrong!

--Davin Enigl

Davin Enigl

Oct 30, 2012, 11:04:38 AM
to securit...@securityfocus.com


On 10/30/2012 04:55 AM, Alexander Meesters wrote:
> I don't think brute-force is the issue here. Most likely an attack on such a system would be by SQL injection; once they have the credentials it's easy enough to utilize rainbow tables in order to get a usable password.
>
> Although it's unlikely a bank would use an unsafe hashing algorithm like MD5 or SHA-1, the rainbow tables available today for those algorithms are up to 12 characters in length.
>
> IMHO they, and for that matter everybody, are far better off using pass-phrases, for example: "i do not like waffles", or "my 2 grand kids are awesome!"
> It's both easily memorable and tough to crack, and far exceeds any available rainbow table out there!

I worked for the last five years on the NSA/NIST SHA-3 hash project. I
assure you, if you do not double-salt your password hashes (even SHA-3)
--- then you are inviting rainbow pre-imaging.

Double salt, now! Corporate salt and individual user salt. Both. See how
to stop password cracking at: http://crackstation.net/ This is the
best site I've ever seen of this subject.

Also, hackers only have to be right once. They are not stupid. They do
not "brute-force" anything. They APT -- or variations there-of.
http://en.wikipedia.org/wiki/Advanced_persistent_threat

--Davin Enigl
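To make the "double salt" advice above concrete, here is an added example (my own code, not anything from the thread or from any bank or library mentioned in it). It contrasts an unsalted SHA-1 store, which a precomputed table cracks by plain lookup, with a store that folds in a per-user random salt and a server-side secret (the "corporate salt" of the post, commonly called a pepper) through a slow KDF. The pepper value, the PBKDF2 round count and the tiny "rainbow table" are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret ("corporate salt" in the thread, usually called
# a pepper). In practice it lives in an HSM or secrets manager, never in the
# same database as the password records.
SERVER_PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Round count chosen for the example; tune to your hardware budget.
PBKDF2_ROUNDS = 200_000


def naive_hash(password: str) -> str:
    """Unsalted SHA-1: the scheme the thread warns against."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, user_salt: Optional[bytes] = None) -> dict:
    """Per-user random salt + server pepper + slow KDF (PBKDF2-HMAC-SHA256).

    The pepper is applied first via HMAC, so a leaked record is useless for an
    offline cracking job unless the attacker also holds the server secret.
    The per-user salt makes identical passwords hash differently, so one
    precomputed table cannot serve every account.
    """
    if user_salt is None:
        user_salt = secrets.token_bytes(16)
    peppered = hmac.new(SERVER_PEPPER, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, user_salt, PBKDF2_ROUNDS)
    return {"salt": user_salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    peppered = hmac.new(SERVER_PEPPER, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, record["rounds"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed stand-in for a rainbow table: unsalted SHA-1 of a few common
# passwords, keyed by digest so a stolen hash is cracked by a dictionary lookup.
PRECOMPUTED_SHA1 = {naive_hash(p): p for p in ["123456", "password", "waffles"]}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """What an attacker does with an unsalted hash: one table lookup."""
    return PRECOMPUTED_SHA1.get(stored_hash)


def demo() -> dict:
    """Two users who chose the same password, under both schemes."""
    alice = hash_password("waffles")
    bob = hash_password("waffles")
    return {
        # Unsalted: the stolen digest is cracked instantly from the table.
        "unsalted_cracked": lookup_unsalted(naive_hash("waffles")),
        # Salted: same password, different records; table lookup finds nothing.
        "salted_cracked": lookup_unsalted(alice["hash"]),
        "same_password_different_hash": alice["hash"] != bob["hash"],
        "verify_ok": verify_password("waffles", alice),
        "verify_wrong_case": verify_password("Waffles", alice),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the per-user salt does not need to be secret (it is stored beside the hash); the pepper does. The slow KDF is what turns "rainbow tables up to 12 characters" into a per-account, per-guess cost.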

Davin Enigl

Oct 30, 2012, 1:35:23 PM
to securit...@securityfocus.com

On 10/30/2012 04:55 AM, Alexander Meesters wrote:
> IMHO they, and for that matter, everybody are far better off using pass-phrases,

True, but even better is the (now common) use of an OTP "Yubikey" (or
some token like that eBay & Paypal "football" time-limited OTC) as a
second factor. Plus, for years Bank of America has used "SafePass" one
time password generator cards.

Related to this is Bank of America's "ShopSafe" Visa numbers that are
user-limited as to expiration date, limited amount of money and only
used at one website. I've used these for years -- they work in the most
unusual applications besides the web too.

The US has only now (March 2012) started incentives to adopt Pin and
Chip credit cards (to avoid the failed PCI-DSS.)

Dave Kleiman

Oct 31, 2012, 10:26:30 AM
to securit...@securityfocus.com
Alexander,

>>> Which password length is more secure - that is a question.<<<

If you used the above statement, just as you typed it, as your password (passphrase), would it not be both much stronger than 6 characters and very easy to remember?


Respectfully,

Dave Kleiman - http://www.ComputerForensicsLLC.com - http://www.computerforensicsexpertwitnesses.com

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801

Scott Herbert

Oct 31, 2012, 2:15:24 PM
to securit...@securityfocus.com
> The US has only now (March 2012) started incentives to adopt Pin and Chip
> credit cards (to avoid the failed PCI-DSS.)

Chip and Pin can be broken by a MiM attack[1], but it's still a lot better than the
single factor auth being rolled out by UK banks in the form of NFC cards
[2][3]

[1]
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
[2]
http://www.barclays.co.uk/Helpsupport/Barclayscontactlessdebitcards/P1242561764200
[3]
http://www.gizmodo.co.uk/2012/03/barclays-debit-cards-details-can-be-nicked-with-an-nfc-mobile-bump/

Alexander A. Kelner

Oct 31, 2012, 4:49:23 PM
to securit...@securityfocus.com, security-basics-return-5...@securityfocus.com
On Wed, 31 Oct 2012, Dave Kleiman wrote:

> Date: Wed, 31 Oct 2012 09:26:30 -0500
> From: Dave Kleiman <da...@davekleiman.com>
> To: "securit...@securityfocus.com" <securit...@securityfocus.com>
> Subject: RE: Bank Of Montreal Online Security
> Resent-Date: Wed, 31 Oct 2012 09:07:10 -0700 (PDT)
> Resent-From:
> security-basics-return-58248-a.kelner=noc.b...@securityfocus.com
>
> Alexander,
>
> >>> Which password length is more secure - that is a question.<<<
>
> If you used the above statement, just as you typed it, as your password
> (passphrase), would it not be both much stronger than 6 characters and very
> easy to remember?
>

Hi Dave!

Yes, it's very easy to remember, but I think this method for password
setting is not as strong as it may appear :-)

The phrase "Which password length is more secure - that is a question"
contains not 58 "random chars", but 11 only, because each word must be
considered as a single symbol in the vocabulary, say, for a brute force attack.

There is a strong correlation between the chars inside of the words if these
words are taken from our lexicon. So, these characters should not be
considered independent. Yes, this password is long but it is not too random,
and so it is not too secure.

Moreover, efficient heuristics may be found when you try to attack
passwords that look like human speech sentences, due to the existing correlation
between words inside such sentences and the quite deterministic structure of
sentences.

If you bring some order (the way for easy memorizing) into your password
you decrease its strength.

Well, and now try to type the above phrase in invisible mode and don't make
a mistake :-)

Though, IMHO six-char passwords are too short. I like at least 8 :-)
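The two estimates in this thread, Kelner's (26+10)^6 keyspace at one guess per second, and his later point that a sentence passphrase is 11 "symbols" drawn from a vocabulary rather than 58 random characters, can be carried through in a few lines. The following is an added example of mine, not code from the thread; the truncation and case-folding model, the 20,000-word vocabulary size and the guess rate are assumptions chosen to make the comparison, not facts about any bank's system.

```python
import math

# Alphabet sizes used in the thread's arithmetic.
ALNUM_CASE_INSENSITIVE = 36   # a-z + 0-9, as in (26+10)^6
ALNUM_CASE_SENSITIVE = 62     # a-z, A-Z, 0-9
SECONDS_PER_YEAR = 365 * 24 * 3600

# The sentence Kelner analysed; split() yields his 11 tokens.
KELNER_PHRASE = "Which password length is more secure - that is a question"


def effective_keyspace(password: str, truncate_to=None, case_insensitive=False) -> int:
    """Candidates an attacker must try, given a policy that truncates the
    password and folds case (a constructed model of the behaviour described
    in the first post, not any bank's actual code).

    Whatever the user typed, only the surviving characters count.
    """
    length = len(password) if truncate_to is None else min(len(password), truncate_to)
    alphabet = ALNUM_CASE_INSENSITIVE if case_insensitive else ALNUM_CASE_SENSITIVE
    return alphabet ** length


def passphrase_keyspace(phrase: str, vocabulary_size: int) -> int:
    """Kelner's model: each word is one symbol from a vocabulary, so the
    keyspace is vocabulary^words, not alphabet^characters."""
    return vocabulary_size ** len(phrase.split())


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (assuming uniform choice)."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, attempts_per_second: float) -> float:
    """Time to try every candidate at a fixed online guess rate.
    Expected time to a hit is about half of this."""
    return keyspace / attempts_per_second / SECONDS_PER_YEAR


def compare(user_password: str, vocabulary_size: int = 20_000) -> dict:
    """Side-by-side: what the user thinks they have vs what the policy keeps,
    and how the 11-word sentence fares under the word-as-symbol model."""
    kept = effective_keyspace(user_password, truncate_to=6, case_insensitive=True)
    typed = effective_keyspace(user_password)
    words = passphrase_keyspace(KELNER_PHRASE, vocabulary_size)
    chars = effective_keyspace(KELNER_PHRASE)
    return {
        "typed_bits": round(bits(typed), 1),
        "kept_bits": round(bits(kept), 1),
        "years_at_1_per_sec": round(years_to_exhaust(kept, 1.0), 1),
        "phrase_bits_as_chars": round(bits(chars), 1),
        "phrase_bits_as_words": round(bits(words), 1),
    }


if __name__ == "__main__":
    for k, v in compare("MyStrongPassw0rd!").items():
        print(f"{k}: {v}")
```

Under these assumptions a 17-character mixed-case password is cut to 36^6 candidates (about 31 bits), which one guess per second exhausts in roughly 69 years; the 11-word sentence keeps well over 100 bits even when each word is treated as a single symbol, though it is far below the 58-random-character figure, which is the point Kelner makes. Online rate limiting, not the password, is doing most of the work in the first case.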

Globalart4u Enquiries

Nov 1, 2012, 3:58:15 AM
to Scott Herbert, securit...@securityfocus.com
Do European banks use the same chip and PIN system as the UK, or
something else?


Tallat


www.promomat.biz
www.tartanrock.com
www.yuckyslugsandsnails.co.uk




Alexander Meesters

Nov 1, 2012, 9:53:16 AM
to Alexander A. Kelner, securit...@securityfocus.com, security-basics-return-58248-a kelner=noc brsi ru
Well, I believe that if you use proper punctuation it would be near to impossible, because an automated dictionary attack does not know proper grammar, for example:
> And then william sayed:"I really hate cake!"
Plus, a dictionary attack also has a lot of problems with dialects and slang, so in order for a dictionary attack to be successful they must use a tool that uses some kind of AI.
At least that is what I believe; please correct me if I'm wrong, my experience with dictionary attacks is not that great.

Alex



Juan F. Campos - Computalleres.com

Nov 1, 2012, 10:57:10 AM
to securit...@securityfocus.com
On 10/31/2012 02:49 PM, Alexander A. Kelner wrote:
> On Wed, 31 Oct 2012, Dave Kleiman wrote:
>
>> Date: Wed, 31 Oct 2012 09:26:30 -0500
>> From: Dave Kleiman <da...@davekleiman.com>
>> To: "securit...@securityfocus.com"
>> <securit...@securityfocus.com>
>> Subject: RE: Bank Of Montreal Online Security
>> Resent-Date: Wed, 31 Oct 2012 09:07:10 -0700 (PDT)
>> Resent-From:
>> security-basics-return-58248-a.kelner=noc.b...@securityfocus.com
>>
>> Alexander,
>>
>> >>> Which password length is more secure - that is a question.<<<
>>
>> If you used the above statement, just as you typed it, as your password
>> (passphrase), would it not be both much stronger than 6 characters and very
>> easy to remember?
>>
>
> Hi Dave!
>
> Yes, it's very easy to remember, but I think this method for password
> setting is not as strong as it may appear :-)
>
> The phrase "Which password length is more secure - that is a question"
> contains not 58 "random chars", but 11 only, because each word must be
> considered as a single symbol in the vocabulary, say, for a brute force
> attack.

Yet it is possible to have a "single symbol" that is hard to
guess/crack. You can associate a phrase that includes random chars and is
easy to remember.

Please take a look over here (Sophos - Choosing a Strong Password)
http://www.youtube.com/watch?v=VYzguTdOmmU

....

> If you bring some order (the way for easy memorizing) into your password
> you decrease its strength.
>
> Well, and now try to type the above phrase in invisible mode and don't make
> a mistake :-)
>
> Though, IMHO six-char passwords are too short. I like at least 8 :-)
>

--
Best regards,

Juan F. Campos | PGP Key ID: 0xDB880578

Davin Enigl

Nov 1, 2012, 12:12:31 PM
to securit...@securityfocus.com
After all the discussion such as this:

On 11/01/2012 06:53 AM, Alexander Meesters wrote:
> Yes, it's very easy to remember, but I think this method for password
> setting is not as strong as it may appear :-)
>
> The phrase "Which password length is more secure - that is a question"
> contains not 58 "random chars", but 11 only, because each word must be
> considered as a single symbol in the vocabulary, say, for a brute force attack.

Passwords are obsolete because of replay attack. Why not simply use one
of the many one-time-password tokens now available? If you want to add a
password in front of that in case the token is stolen, OK.

The bottom line continues to be use s, hash and double salt.

Better than that, use that long high-entropy password as a
pre-authentication password before either a static Yubikey for
two-factor authentication or a one-time-code Yubikey, best. Or something
similar to a Yubikey, that is time-based (eBay/PayPal).

Naked passwords are on LIFE-SUPPORT and dying fast.

Hough, Kenneth P

Nov 1, 2012, 12:24:05 PM
to Alexander Meesters, Alexander A. Kelner, securit...@securityfocus.com, security-basics-return-58248-a kelner=noc brsi ru
Also substituting letters with symbols will help, for example:
> And then william sayed:"I really hate cake!"
Change the 'a' to @ and 's' to $
> And then willi@m $ayed:"I really hate cake!"

Alexander A. Kelner

Nov 1, 2012, 2:23:38 PM
to Juan F. Campos - Computalleres.com, securit...@securityfocus.com, security-basics-return-5...@securityfocus.com
On Thu, 1 Nov 2012, Juan F. Campos - Computalleres.com wrote:

> Date: Thu, 01 Nov 2012 08:57:10 -0600
> From: Juan F. Campos - Computalleres.com <jfca...@computalleres.com>
> To: securit...@securityfocus.com
> Subject: Re: Bank Of Montreal Online Security
> Resent-Date: Thu, 1 Nov 2012 08:57:07 -0700 (PDT)
> Resent-From:
> security-basics-return-58253-a.kelner=noc.b...@securityfocus.com
IMHO it's easier to remember 8 random chars than to
perform lots of manipulations every time you
need to restore your password :-)

>
> ....
>
>> If you bring some order (the way for easy memorizing) into your password
>> you decrease its strength.
>>
>> Well, and now try to type the above phrase in invisible mode and don't make
>> a mistake :-)
>>
>> Though, IMHO six-char passwords are too short. I like at least 8 :-)
>>
>
> --
> Best regards,
>
> Juan F. Campos | PGP Key ID: 0xDB880578
>


---
Alexander A. Kelner
Senior engineer
CT Network Operation Center
RosTelecom - Bryansk

Alexander A. Kelner

Nov 1, 2012, 2:31:24 PM
to Hough, Kenneth P, Alexander Meesters, Alexander A. Kelner, securit...@securityfocus.com, security-basics-return-58248-a kelner=noc brsi ru
On Thu, 1 Nov 2012, Hough, Kenneth P wrote:

> Date: Thu, 01 Nov 2012 12:24:05 -0400
> From: "Hough, Kenneth P" <kenneth...@WPI.EDU>
> To: Alexander Meesters <a.mee...@sansyl.com>,
> Alexander A. Kelner <a.ke...@noc.brsi.ru>
> Cc: "securit...@securityfocus.com" <securit...@securityfocus.com>,
> security-basics-return-58248-a kelner=noc brsi ru
> <security-basics-return-58248-a.kelner=noc.b...@securityfocus.com>
> Subject: RE: Bank Of Montreal Online Security
>
> Also substituting letters with symbols will help, for example:
>> And then william sayed:"I really hate cake!"
> Change the 'a' to @ and 's' to $
>> And then willi@m $ayed:"I really hate cake!"

Guys, excuse me, but you are tricking yourselves.
Hackers know all this and much more when cracking your passwords.

Michael Peppard

Nov 1, 2012, 4:36:55 PM
to securit...@securityfocus.com
Take 'old o' the Wings o' the Mornin', An' flop round the earth till
you're dead

Good luck cracking that password. Kipling's Widow at Windsor for those
that don't recognize it.

Davin Enigl

Nov 2, 2012, 1:09:14 AM
to securit...@securityfocus.com
You are fooling yourselves, guys. If it's published (as below), it's in a
database and crackable. Better: use OTP tokens. There will be no replay
attacks possible.

Besides, keyloggers capture your static passwords no matter what you
come up with. Use an OTP like Yubikey. It's 44-63 random characters long
and different every time. Static passwords are obsolete.

On 11/01/2012 01:36 PM, Michael Peppard wrote:
> Take 'old o' the Wings o' the Mornin', An' flop round the earth till
> you're dead
>
> Good luck cracking that password. Kipling's Widow at Windsor for those
> that don't recognize it.

Mike Vella

Nov 2, 2012, 6:01:36 AM
to Davin Enigl, securit...@securityfocus.com
Hi, been following this interesting discussion.
I believe 2 factor authentication is a must for this type of thing. PCI
compliance?
Why leave yourself open to any type of attack when it can easily be
avoided.


Mikhail A. Utin

Nov 2, 2012, 3:07:48 PM
to securit...@securityfocus.com
Hello,
Frankly, considering the usual number of a bank's customers, which could be up to 10 million, using anything better than a user name and a password creates a technical problem for IT, meaning finally money. Breaking into bank accounts and stealing information is relatively rare. I do remember they replaced my credit cards twice during twenty years. I have accounts with 5 major banks, so see the statistics. I would believe that it is much cheaper for a bank to fix accounts, replace cards, etc. than to keep an on-line complex authentication system.
RBS Citizens uses as well an image associated with an account that adds some security value.
Regards

Mikhail Utin, CISSP


Davin Enigl

Nov 2, 2012, 8:33:55 PM
to securit...@securityfocus.com
On 11/02/2012 12:07 PM, Mikhail A. Utin wrote:
> Frankly, considering usual number of a bank customers,
> which could be up to 10 million, using anything better
> than a user name and a password create a technical
> problem for IT, meaning finally money.

Wrong. Bank of America uses "SafePass": a one time password card
("liquid paper" window) that generates numbers, 12 (six at a time with a
press of a button), accounting for 10^12 random numbers -- to
authenticate users to their on-line accounts. So far it's been optional,
leaving users to choose it or not. The users pay a small one-time fee. I
think I paid $20USD. They have been doing this for about five years.

PayPal and eBay have way way more than 10 million users and they do it
too, -- again for about five years so far.

Davin Enigl

Nov 2, 2012, 8:40:56 PM
to securit...@securityfocus.com


On 11/02/2012 12:07 PM, Mikhail A. Utin wrote:
> Breaking into bank accounts and stealing information is relatively rare.

Rare? Where have you been? Under a rock? 300 banks were hacked in one
day a few months ago. They are under daily attack.

> I do remember they replaced my credit cards twice during twenty years.

My clients and I have not been so lucky. 16 million credit card numbers
were used to steal products through such avenues as the FedEx and UPS
package scams this year. I'd call that significant.

Davin Enigl

Nov 3, 2012, 9:50:57 PM
to securit...@securityfocus.com


On 11/02/2012 12:07 PM, Mikhail A. Utin wrote:
> Hello,
> Frankly, considering the usual number of a bank's customers, which could be up to 10 million, using anything better than a user name and a password creates a technical problem for IT, meaning finally money. Breaking into bank accounts and stealing information is relatively rare. I do remember they replaced my credit cards twice during twenty years. I have accounts with 5 major banks, so see the statistics. I would believe that it is much cheaper for a bank to fix accounts, replace cards, etc. than to keep an on-line complex authentication system.
> RBS Citizens uses as well an image associated with an account that adds some security value.
> Regards
>
> Mikhail Utin, CISSP

Rare? You have got to be kidding. You are a CISSP?

--Fourteen Charges in Precision Cyberheist Case
(October 30, 31 & November 1, 2012)
Fourteen people have been charged in connection with a coordinated
cyberheist that netted thieves more than US $1 million through
cash-advance kiosks at casinos in Nevada and California. The scheme
exploited a flaw in Citibank's system that is supposed to prevent
checking accounts from being overdrawn and involved making a coordinated
series of withdrawals from accounts in a brief window of time.
Ringleader Ara Keshishyan faces up to 30 years in prison and a fine of
US $1 million. The others face prison sentences of up to five years and
US $250,000 fines.
http://www.zdnet.com/fbi-catches-gone-in-60-seconds-bank-fraudsters-7000006719/
http://www.informationweek.com/security/attacks/60-second-cash-kiosk-hackers-steal-1-mil/240012604?cid=InformationWeek-Twitter
http://arstechnica.com/security/2012/10/atm-heist-clears-1-million-exploiting-citigroup-e-payment-flaw/
https://www.fbi.gov/sandiego/press-releases/2012/fourteen-charged-in-million-dollar-gone-in-60-seconds-bank-fraud

Michael Peppard

Nov 6, 2012, 10:32:24 AM
to securit...@securityfocus.com
What you are (biometrics)
What you know (Password)
What you have (a key)

This has to go both ways. You both have to have verification that you
are who you are, that you both know the same things and that your key is
unique to a unique lock. False security on any vector makes it easier to
break the rest, whether through old fashioned social engineering or
stolen cycles on a mainframe cracking keys.

All are equally important and vulnerable. At least use a unique and hard
to crack password, it's the only part end users directly control.

Any suggestion that -simply- having a good password is fine is just
silly and wasn't my intention. If the bank cares so little they won't
spend a tiny fraction of their profit on a good, well designed
authentication scheme... go to another bank.

On 11/01/2012 05:40 PM, Sav...@gmail.com wrote:
> Type it in blind; that would be difficult.
>
> ;)
>
> Glen Victor
>
> Sent from my HTC on the Now Network from Sprint!
>
> ----- Reply message -----
> From: "Michael Peppard" <mpep...@impole.com>
> Date: Thu, Nov 1, 2012 16:36
> Subject: Bank Of Montreal Online Security
> To: <securit...@securityfocus.com>
>
> Take 'old o' the Wings o' the Mornin', An' flop round the earth till
> you're dead
>
> Good luck cracking that password. Kipling's Widow at Windsor for those
> that don't recognize it.
>
> On 11/01/2012 02:31 PM, Alexander A. Kelner wrote:
> > On Thu, 1 Nov 2012, Hough, Kenneth P wrote:
> >
> >> Date: Thu, 01 Nov 2012 12:24:05 -0400
> >> From: "Hough, Kenneth P" <kenneth...@WPI.EDU>
> >> To: Alexander Meesters <a.mee...@sansyl.com>,
> >> Alexander A. Kelner <a.ke...@noc.brsi.ru>
> >> Cc: "securit...@securityfocus.com"
> >> <securit...@securityfocus.com>,
> >> security-basics-return-58248-a kelner=noc brsi ru
> >> <security-basics-return-58248-a.kelner=noc.b...@securityfocus.com>
> >> Subject: RE: Bank Of Montreal Online Security
> >>
> >> Also substituting letters with symbols will help, for example:
> >>> And then william sayed:"I really hate cake!"
> >> Change the 'a' to @ and 's' to $
> >>> And then willi@m $ayed:"I really hate cake!"
> >
> > Guys, excuse me, but you are tricking yourself.
> > Hackers know all this and much more, when cracks your passwords.
> >

Ken Schaefer

Nov 23, 2012, 6:45:22 AM
to Davin Enigl, securit...@securityfocus.com
I'd count one example as "rare" :)

In any case, the Citibank example cited isn't an attack by one party on another person's account. It is an attack against the bank's systems, but retrieving money from one's own account(s).

Ultimately the question comes down to cost/benefit. Whilst I agree that banks (and others) are under daily attack, that's not a justification for deploying and operating more complex security infrastructure.

Unless (("cost of implementation" < "cost of non-implementation") AND ("nothing better to spend IT budget on"==true)) then it's not going to happen. For some orgs the equation above works, and for others it doesn't.

Cheers
Ken

Nathan V

Nov 24, 2012, 1:12:56 AM
to Ken Schaefer, Davin Enigl, securit...@securityfocus.com
Using anything other than OTP is asking for trouble. Even click-in
PINs and some MFA can be captured with ZeuS. As long as there is a
repeatable login there will be malware that can replay it to steal your
information.

How big of an issue it is for someone to get into your account is
lower impact if the data they can find once logged in isn't helpful.
For example, logging into my bank account doesn't show full account
information or much that is very useful, and I have the features that
would allow electronic transfer outbound disabled. I'd still prefer
to keep my privacy, but at least someone won't be able to steal my
money. Currently there are no standards on what can or can't be shown
without better authorization, and the differences have resulted in
breaches as we've seen, but that is something the industry is slowly
improving on already.

Someone above mentioned PCI compliance. PCI compliance focuses on the
technical side of how the servers that process credit card information
are set up and how they communicate and store that data. IIRC the
only passwords that PCI actually cares about are for accessing those
systems directly, not end-user authentication. PCI will help you
prevent a massive breach but it doesn't specifically protect the
individual users if you have a crummy backend.
--
___________________________
Nathan V