Re: [linux-security] Re: Linux virus

[atluru () SERVER1 TORONTEL COM (Tim Atluru)]

(Message inbox:1)
Return-Path: 0xdeadbeef-request () substance abuse blackdown org
Return-Path: 0xdeadbeef-request () substance abuse blackdown org
Received: from shell.wisp.net (listadm () shell wisp net [198.67.33.248]) by server1.torontel.com (8.7.5/8.7.3) with 
ESMTP id LAA05669 for <atluru () server1 torontel com>; Thu, 6 Feb 1997 11:09:37 -0500
Received: (from listadm@localhost) by shell.wisp.net (8.8.5/8.7.5) id LAA26927; Thu, 6 Feb 1997 11:02:54 -0500
Resent-Date: Thu, 6 Feb 1997 11:02:54 -0500
Message-Id: <199702061602.LAA06818 () qnx com>
X-Authentication-Warning: qnx.com: localhost [127.0.0.1] didn't use HELO protocol
To: 0xdeadbeef () substance abuse blackdown org
Cc: gbbell () qnx com, barbara () qnx com
Subject: mmm, ActiveX...
Date: Thu, 06 Feb 1997 11:02:23 -0500
From: glen mccready <glen () qnx com>
Resent-Message-ID: <"vNG3b2.0.ha6.j2W-o"@shell>
Resent-From: 0xdeadbeef () substance abuse blackdown org
X-Mailing-List: <0xdeadbeef () substance abuse blackdown org> archive/latest/1495
X-Loop: 0xdeadbeef () substance abuse blackdown org
Precedence: list
Resent-Sender: 0xdeadbeef-request () substance abuse blackdown org


Forwarded-by: Keith Bostic <bostic () bsdi com>
Forwarded-by: Jason Thorpe <thorpej () nas nasa gov>
Forwarded-by: Chris LaFournaise <cjl () sequent com>

> From RISKS Digest Vol 18, Issue 80.

Date: 1 Feb 1997 05:12:02 GMT
From: weberwu () tfh-berlin de (Debora Weber-Wulff)
Subject: Electronic Funds Transfer without stealing PIN/TAN

The Berlin newspaper "Tagespiegel" reports on 29 Jan 97 about a television
show broadcast the previous evening on which hackers from the Chaos Computer
Club demonstrated how to electronically transfer funds without needing a PIN
(Personal Identification Number) or TAN (Transaction Number).

Apparently it suffices for the victim to visit a site which downloads an
ActiveX application, which automatically starts and checks to see if
Quicken, a popular financial software package that also offers electronic
funds transfer, is on the machine. If so, Quicken is given a transfer order
which is saved by Quicken in its pile of pending transfer orders. The next
time the victim sends off the pending transfer orders to the bank (and
enters in a valid PIN and TAN for that!)  all the orders (= 1 transaction)
are executed -> money is transferred without the victim noticing!

The newspaper quotes various officials at Microsoft et al expressing
disbelief/outrage/"we're working on it". We discussed this briefly in class
looking for a way to avoid the problem. Demanding a TAN for each transfer is
not a solution, for one, the banks only send you 50 at a time, and many
small companies pay their bills in bunches. Having to enter a TAN for each
transaction would be quite time-consuming. Our only solution would be to
forbid browsers from executing any ActiveX component without express
authorization, but that rather circumvents part of what ActiveX is intended
for.

A small consolation: the transfer is trackable, that is, it can be
determined at the bank to which account the money went. Some banks even
include this information on the statement, but who checks every entry on
their statements...

Debora Weber-Wulff, Technische Fachhochschule Berlin, Luxemburger Str. 10,
13353 Berlin GERMANY weberwu () tfh-berlin de <http://www.tfh-berlin.de/~weberwu/>