User negligence?

Unfortunately there are a lot, and a growing number, of self-infected PCs
on the net. As the banks point out, this is not a breach of the bank's
security. Nor is it a breach of the ISP's security. The user infects
his PC with a trojan and then the criminal uses the PC to transfer money
from the user's account, with the user's own password.

http://www.iol.co.za/index.php?click_id=13&art_id=qw1059039360281B215&set_id=1

"The fact that hackers got access to bank customer's accounts was not due
to inadequate security at the bank, but due to "user negligence", an
e-commerce company said on Thursday.
[...]
"Consumers should be vigilant when opening emails. If they receive strange
emails, or emails from people or companies they do not know, it is better
not to open the mail - especially attachments. These intrusions were
clearly not a result of any vulnerability in Absa's Internet security."

Sean,

I humbly disagree. It is not user negligence, but rather negligence on
behalf of the entity's systems team, or perhaps the entity's failure
to support their own systems team by hiring competent staff instead
of relying on people who play office politik or look nice in a suit
and tie. Users are not expected to secure their machines, or
even barely know more than how to use a handful of applications.
In the bank's case hopefully they are supposed to be financial experts.

One can also blame the entity for basing their operations on a joke
operating system of course (tired argument).

Not calling it a breach of security is simply.. ridiculous. It is a
most flagrant breach of security if they can't even secure their own
internal networks and systems. Host level security should be the
easiest thing to accomplish given competent systems staff.

The entity should have had a team in place that protected systems,
disabled vulnerable services running on the joke operating system,
and that stayed on top of any threat no matter what day of the week
it happened to be.

Nothing like berating the obvious.

This is off topic and I'm not going to pursue this further on
this list.

Len

Sean Donelan said:

Right. The problem was that it was exactly that clueless *USER* machine that
got trojaned.

So for instance, if you are one of the people who got burned by the recent
Kinko key-sniffer hacks, and the hacker used the info to logon to your bank
account, in what way is the bank liable? What *realistic* steps is the bank
supposed to take? (Hint - what percentage of *security professionals* use an
S/Key or similar for remote logins?)

It's a breach of security of the *USER'S* computer, not the *BANK'S*
computers.

How many people do you know have a full-time systems staff maintaining
their home PCs?

If they are lucky, they might have a clever teenager in the house who
helps their parents set the clock on the VCR and unpack the PC they bought
at Best Buy. If they aren't lucky, it was probably the same clever
teenager that downloaded the trojaned software on the parent's PC.

Is the Bank or ISP supposed to send support staff to each customer's
house to maintain host level security on customer's home PCs? The bank
didn't sell the customer the computer or the Microsoft software, didn't
install software on the home PC, and doesn't maintain the home PC.

Outlook, the exploding Pinto on the information superhighway.

Hi Sean,

I seem to have misunderstood you.. I assumed you were speaking
about an internal system (in the bank itself) I didn't read
the article you posted and without that I suppose I was in
the wrong context. Maybe.

Sean Donelan wrote:

[zap]

It's a breach of security of the *USER'S* computer, not the *BANK'S*
computers.

See above.

How many people do you know have a full-time systems staff maintaining
their home PCs?

See above.

If they are lucky, they might have a clever teenager in the house who
helps their parents set the clock on the VCR and unpack the PC they bought
at Best Buy. If they aren't lucky, it was probably the same clever
teenager that downloaded the trojaned software on the parent's PC.
Is the Bank or ISP supposed to send support staff to each customer's
house to maintain host level security on customer's home PCs? The bank
didn't sell the customer the computer or the Microsoft software, didn't
install software on the home PC, and doesn't maintain the home PC.

See above.

Outlook, the exploding Pinto on the information superhighway.

Microsoft, Who wants to get owned today?

Len

PS Susan, I swear I won't do this again, please don't yell at me.

I think there is confusion here.

The banks are making the claim that, if you, the user, have an infected PC
that is compromised by an 3lit3 h4x0r, and your password to your bank
account is compromised, then the bank is not responsible.

That is what you are saying, Sean?

I think there is confusion here.

Yep. No problem, I think we've cleared it up.

The banks are making the claim that, if you, the user, have an infected PC
that is compromised by an 3lit3 h4x0r, and your password to your bank
account is compromised, then the bank is not responsible.

That is what you are saying, Sean?

I posted the dots, but failed to explicitly connect them.

People have been talking about DDOS, spammers and the underground economy.

Folks, it's not underground any more. The criminals are using trojans
to steal real money from real people now.

Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue.

For most home users the choices are get Microsoft to fix its software, or
buy a Macintosh (hide Unix under the hood). For an extra $20 Dell will
pre-configure the system security settings for business purchasers; but
home users are still on their own.

The bank hands out ATM cards, but does not offer the customer the option
of logging in with SafeWord or SecureId or any other OTP. Given how
much the bank saves in labor, it could surely afford the card expense.
But it's easy to see why they don't, since it's the customer, not the
bank, that is taking the risk.

A sufficiently fancy trojan would notice when the user logged into the
bank using OTP and change the destination of a money transfer or add
an invisible transaction, but that's certainly quite a lot harder than
a simple keystroke logger.

Unfortunately there are a lot, and a growing number, of self-infected PCs
on the net. As the banks point out, this is not a breach of the bank's
security. Nor is it a breach of the ISP's security. The user infects
his PC with a trojan and then the criminal uses the PC to transfer money
from the user's account, with the user's own password.

Banks use passwords for authentication? That's what scares me.

Personally, I find it terrifying that banks allow such weak authentication
as a password for financial transactions. To the best of my knowledge, all
banks around here use a smartcard based system. It might be a bit more
inconvenient, but the added security makes it well worth it, in my opinion.

It may not be a breach of the bank's security as such, but the measures they
take in order to protect their customers' money is in my opinion so low
that, IMHO, they are the ones guilty of negligence.

-Kandra

I think there is confusion here.

The banks are making the claim that, if you, the user, have an infected PC
that is compromised by an 3lit3 h4x0r, and your password to your bank
account is compromised, then the bank is not responsible.

That is what you are saying, Sean?

  While the bank holds your money, it is responsible for its safety. This
includes making sure the money is only released to you or to those you
authorize. If an act of theft or fraud causes the bank to release that money
without your authorization, the bank can certainly be held responsible. This
is why they hold checks and even, from time to time, call people up to
confirm suspicious transactions. Generally banks have a blanket bond to
cover theft/fraud losses and this protection extends to their customers.

  I don't think it would be that difficult to show that there are significant
security flaws in the online banking system that the user is neither
responsible for nor capable of correcting. You could get a dozen security
experts to testify that a static password is not sufficient to protect a
system that can perform unretrievable funds transfers. If that's all the
bank's online scheme provides, this may negate the argument that the user's
negligence was the sole/primary cause of the loss.

  In most states, you have additional protections under state law.

  DS

Smartcard has become a marketing buzzword, and it's difficult to figure out
what people are actually referring to.

In the US, almost no consumer computers include smartcard readers.
Companies like American Express do issue "smartcards", but their use
as smartcards in the US is extremely rare. Even minimal things like the
Verified by VISA program have gained little consumer acceptance. Big
projects like Secure Electronic Transaction (SET) failed.

Banks in the US offer one-time-password systems to their corporate
customers. I'm aware of one bank which offered OTP to consumers, but
signed up less than a dozen customers in three years.

SSL is the most successful "security" feature implemented on the
Internet.

How many consumer ISP's offer OTPs to their ordinary customers (not
employees, not special government or corporate contracts)?

Smartcard has become a marketing buzzword, and it's difficult to figure out
what people are actually referring to.

Sorry, wrong word. I was actually referring to SafeWord/SecureID/ActivCard
type solutions, not "ATM cards with a chip". Sorry for the confusion.

-Kandra

I don't think the average user has a smart card reader at home.

Everyone has accepted a very simple two-factor authentication system
for bank usage for a long time. Factor 1 is possession of the card.
This is relatively easy to forge. Factor 2 is the PIN. This is no
stronger than a password.

Most banks use smart cards for authenticating employees, with a password
required to access the smart card. This is not practical (at least today)
for home banking over the internet. Last I looked, the cost of the
cards and the readers exceeded what would be reasonable for the bank
to provide to all their customers. I don't think most home users understand
enough about security to think the smart card system would be worth the
price.

The real negligence in this case is the software company that released a
MUA that makes trojans so convenient to distribute. As someone else
stated earlier in this thread...

OUTLOOK: The Exploding PINTO on the Information Superhighway.

This is _SO_ true.

Owen

In the UK, I have 3 or 4 online accounts with different banks.

My main bank asks for a 10 digit "customer number", my date of birth, and
the 3 characters at random from my password. By not asking for the whole
password, this prevents simple replay style attacks. Asking for my DOB is
not really additional protection - it's extremely easy to find (minus 5 points
for anyone who can't find it out within 2 minutes of searching on the 'net)

Another bank asks me for 5 different bits of information, but always the
same information every time. Whilst this would seem more secure, it doesn't
prevent simple replay attacks.

Simon

I don't think the average user has a smart card reader at home.

They don't need readers.

The devices in question support a (supposedly :) secure
challenge-response system.

With some devices, the web site would display the challenge, the user
would enter that into their device, the device displays a response,
and the user uses that response as their passwd for that login.

With others, the passwd the device displays varies with time rather
than any input. The challenge in that case is implicitly the current
date/time of the login attempt.

The downside of course is that you have yet another small, losable
device to keep track of. (And to carry around if you want to login
while traveling.)

Security as always is a HARD problem. People just hate to bother
until the risk hits some magic barrier. Businesses of course have
fewer risk protection laws on their side, so adding secure features
for business customers will always be easier than adding them for
typical consumers. Especially in places like the US where the
consumer protection laws are so strong.

OTOH, any business in real competition for consumers will eat small
losses as part of their advertising/marketing budget....

-JimC
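The replay point raised in Simon's post (three characters at random positions versus the same five items every time) and the challenge-response and time-based devices JimC describes can be compared side by side. The following is an added illustration, not code from any bank, vendor or poster in this thread; the shared secrets, the 6-digit code length, the 30-second time step and the HMAC-SHA256 truncation are constructed choices for the example, not any real token's algorithm. Each scenario captures one legitimate login (what a keystroke logger on the user's PC would record) and then presents the captured response to a fresh login prompt.

```python
"""Replay resistance of the login schemes discussed in this thread.

Added illustration, not code from any bank or vendor named above. The
shared secrets, the 6-digit code length and the 30-second time step are
constructed choices; real tokens use vendor-specific algorithms.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DIGITS = 6  # length of the code the token displays (constructed choice)


def otp_from_hmac(secret: bytes, message: bytes) -> str:
    """Short decimal code from HMAC-SHA256(secret, message). The secret is
    shared between token and bank; the message is whatever changes per
    login, so a captured code stops working once that message changes."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)


@dataclass
class StaticPassword:
    """Whole password every time (Simon's second bank)."""
    password: str

    def verify(self, response: str) -> bool:
        return hmac.compare_digest(response, self.password)


@dataclass
class PartialPassword:
    """k characters at positions chosen by the bank (Simon's main bank)."""
    password: str
    k: int = 3

    def challenge(self) -> tuple:
        rng = secrets.SystemRandom()
        return tuple(sorted(rng.sample(range(len(self.password)), self.k)))

    def answer(self, challenge: tuple) -> str:
        # What the legitimate customer types for these positions.
        return "".join(self.password[i] for i in challenge)

    def verify(self, challenge: tuple, response: str) -> bool:
        return hmac.compare_digest(response, self.answer(challenge))


@dataclass
class ChallengeResponseToken:
    """Site shows a challenge, user keys it into the device, device shows the code."""
    secret: bytes

    def challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def answer(self, challenge: bytes) -> str:
        return otp_from_hmac(self.secret, challenge)

    def verify(self, challenge: bytes, response: str) -> bool:
        return hmac.compare_digest(response, self.answer(challenge))


@dataclass
class TimeBasedToken:
    """Code varies with time; the implicit challenge is the current time step."""
    secret: bytes
    step: int = 30  # seconds (constructed choice)

    def challenge(self, now: int) -> int:
        return now // self.step

    def answer(self, counter: int) -> str:
        return otp_from_hmac(self.secret, counter.to_bytes(8, "big"))

    def verify(self, counter: int, response: str) -> bool:
        return hmac.compare_digest(response, self.answer(counter))


# Each scenario returns (legitimate login accepted, replayed capture accepted).

def replay_static() -> tuple:
    bank = StaticPassword("bananas1")      # the example password from jc's post
    captured = "bananas1"                   # what the logger on the user's PC saw
    return bank.verify(captured), bank.verify(captured)


def replay_partial(first: tuple, second: tuple) -> tuple:
    bank = PartialPassword("correcthorse")  # constructed password
    captured = bank.answer(first)           # typed once, recorded by the logger
    return bank.verify(first, captured), bank.verify(second, captured)


def replay_challenge_response(first: bytes, second: bytes) -> tuple:
    bank = ChallengeResponseToken(secret=b"constructed-token-seed")
    captured = bank.answer(first)
    return bank.verify(first, captured), bank.verify(second, captured)


def replay_time_based(first_login: int, replay_at: int) -> tuple:
    bank = TimeBasedToken(secret=b"constructed-token-seed")
    captured = bank.answer(bank.challenge(first_login))
    return (bank.verify(bank.challenge(first_login), captured),
            bank.verify(bank.challenge(replay_at), captured))


if __name__ == "__main__":
    print("static       ", replay_static())                         # (True, True)
    print("partial      ", replay_partial((0, 3, 7), (1, 4, 6)))    # (True, False)
    print("partial same ", replay_partial((0, 3, 7), (0, 3, 7)))    # (True, True)
    print("chal/resp    ", replay_challenge_response(b"c1", b"c2")) # (True, False)
    print("time, +31s   ", replay_time_based(1000, 1031))           # (True, False)
    print("time, +10s   ", replay_time_based(1000, 1010))           # (True, True)
```

Two of the rows carry the caveats a practitioner would want. The partial-password scheme only resists replay while the positions differ; when the bank happens to ask for the same positions again the capture works, and every captured session reveals more of the password, so it slows a keystroke logger rather than defeating it. The time-based token is replayable until the step rolls over, which is why a verifier should also refuse a code it has already accepted within the current step. None of the schemes addresses the "sufficiently fancy trojan" mentioned earlier in the thread that alters a transfer after a valid login; that is a host-integrity problem, not an authentication one.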

Not only do they use password authentication, but they use a supposedly secure password policy that effectively renders the password completely insecure.

What do I mean? I mean that in my case, my bank requires that I change the password to my online account management website every 90 days.

For passwords which are used daily or several times a day, a 90 day change interval can make sense in many circumstances. But since I only login to my banking account once a month, that means that I have to change my password once out of every 3-4 times I use this account. I know how to create a secure password, but I can NOT create a new one every 3-4 uses and then remember, 30 days later, what the most recent password for this one account is. I have many reasons to suspect that my problem is one that most (perhaps all) of the bank's users have - the change interval is too frequent (as compared to use intervals) and so the password is not effectively memorized on an ongoing basis.

So, I end up having to do something INSECURE to remember the stupid password. Either I have to create an insecure and "easy to remember" password, or I have to write it down somehow. Now we are back to the root problem, that the user's computer/user's password is now "insecure" and it "isn't the bank's fault" when the user's password is discovered and used without the user's permission. Well, that's BS. The bank created a policy that can not be securely followed! There is more to maintaining a secure password than changing it frequently. The policy has to be one that can be effectively followed by most people!

It would be far more secure *in the real world* for the bank to only require that the password be changed once a year and to then have customers securely maintain that password in their heads instead of cached on the computer (a very common practice) or written down (usually on a piece of paper that then is found under the keyboard, another very common practice). But that would *appear* to be a less secure policy to anyone auditing the bank's password policy. It is obvious that the appearance of security is much more important than real security. That's why we can't take nail scissors on airplanes, it's deemed more important to have the appearance of security at the security checkpoint than it is to have actual *real* security on the airplane itself (better doors to the cockpit, better security procedures in the event of a hijack, etc.). We needlessly inconvenience users to create an *impression* that we are serious about security when we are actually accomplishing absolutely nothing.

sigh. I keep on not doing enough to remember the stupid password, and today I can't log-in to the bank account. Again. So now I have to have them reset the password.

Oh, BTW, this secure policy also has a password limitation of 8 characters, and it only requires 1 non-alpha character. So I can use a supposedly "secure" password - like bananas1 (and then change it to bananas2 90 days later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one isn't the most secure in the world, but you get the point), because it's too long, even though it's obviously much harder to crack. But that isn't deemed a "fault" in the bank's secure password policy.

jc

Hi, NANOGers.

] Folks, it's not underground any more. The criminals are using trojans
] to steal real money from real people now.

Indeed, and for a while (circa five months by my observation) now.
It is no longer, and hasn't been for a while, about technology.
The technology - the Internet and the connected devices - has
become a conduit for profitable criminal activity on a ubiquitous
scale, pure and simple. Miscreants don't break into databases and
steal 8M credit cards at a pop so they can card shells and shoes.

] Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue.

I'll slightly modify that statement; it is a *PEOPLE* issue.
People who write code. People who use systems and networks.
People who abuse all of the above for monetary gain.

Thanks,
Rob.

<babble>

I think people forget that we don't live in a utopian society. Some people expect computers to solve all the problems and expect that they can prevent crime in their own domain. We haven't eliminated physical crime at all so I don't see why people are surprised to find that a computer was used to commit a crime. Bank robberies take place all the time and you don't here much about them. Probably more similar is fraud which has taken place for a countless amount of time without the use of computers. Using computers is just another way to perpetuate it.

I do agree with a lot of people in the fact that users of the tool must be informed of how to use it safely, just like anything the person is not 100% familiar with. It's somewhat common knowledge to not leave bank account numbers lying around for anyone to see. It's not as common for people who are unfamiliar with computers to know not to open unknown attachments, run anti-virus software, use a firewall, etc... Would the average driver know how to handle an 18 wheeler? They could probably get it going, but not safely. People must be educated about using computers, ESPECIALLY if it is in a situation where security is elevated because the company has something valuable to protect. A bank teller wouldn't likely let a client behind the counter, yet many would probably open an attachment sent via email without knowing what it is. I know the average end user probably isn't likely as aware about security using their PC in their home, but if banks and other institutions plan on making their services available online in some manner, perhaps they should at least send out occasional best security practices to protect people's information. I can also see that it's not REALLY their problem either so I could also go the other way on this. Just like a bank is not responsible for someone breaking into your house and stealing your checkbook.

</babble>

Just my 2¢.

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.

Forgive my typo... here = hear. My brain isn't functioning yet this morning and I am just typing what I "hear" in my head. ;) It's a Sunday morning. :P

] Firewalls can't stop it, ISPs can't stop it. It's a *HOST* security issue.

I'll slightly modify that statement; it is a *PEOPLE* issue.
People who write code. People who use systems and networks.
People who abuse all of the above for monetary gain.

I think I agree. Hosts will be weak, especially when there's a dominant and
homogeneous platform (so, vulnerabilities are more compatible/portable than
they would be if we lived in a more heterogeneous world). But people, ahhh,
yes, people, will be even weaker.

I've been trying hard to stay out of the privacy/authenticity field, because
there's so much inertia to be overcome (patents, false starts, etc) but it
seems to me that computers and networks, with all their cryptogoo and mega-
computrons, should be able to make the average human's privacy better --
but so far they've only succeeded in making it worse.