funsec mailing list archives

Re: [off-list] Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases


From: "Dennis Henderson" <hendomatic () gmail com>
Date: Thu, 28 Jun 2007 12:52:09 -0500

On 6/28/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:

On Thu, 28 Jun 2007 07:44:32 CDT, Dennis Henderson said:

> So tell me what steps do you take to make sure your online banking experience is a safe one? If you don't do online banking, then please don't comment further in this thread.

Actually, I do quite a bit of it - recognizing that it's not 100% safe, but that there's tradeoffs. My software and hardware config is such that there's reasonably low risk involved.


Did you have to take a week of training to get it to that reasonably safe
level? I doubt it. I know you're a very smart guy, but the skill it takes to
get XPSP2 IE7 to a fairly reasonable level to deal with the major current
threats is not that demanding.

You hit the nail on the head. Reasonably low risk. Not absolute low risk.
Security that keeps you on the edge of the bell curve.



- I'm quite frankly usually more worried about what that Applebee's employee is doing with my card while I'm paying for lunch.


So very true, but that's another story..



> Is it so beneath you to provide positive advice or commentary on *any* topic?

OK. Here you go, I'll add a few just for you...




Don't visit *any* web site that includes material (banner ads, linked images, and so on) from a third-party site, or that could possibly have been compromised since your last visit.

Employ methods to prevent unpatched holes in your favorite browser from being used to exploit your machine.

Unfortunately, neither of these is something that is easily doable by
Joe Sixpack.


Again, following some very simple instructions can get you to fairly
reasonable security, not absolute security.

I agree with what you say above. It's almost impossible for ALL people to do
this, not just Joe 6pack.

But the 80/20 rule can be a very effective fraud reduction driver. Once
you've covered those basics, the bleeding edge stuff that will bite the
remainders poses a far less aggregate threat on the entire population.


Yes, it *helps*, but it certainly does *not* make the risk low enough that one should judge that it *must* have been the user's fault somehow, for actually using the machine for what the operating system vendor and the bank both advertised as a reasonably safe activity - using the computer to surf the web and do electronic business and financial transactions.


Well, I guess if it came to a court case, the Bank would hopefully have the
right to examine the computer to make sure that it was not comped when the
transaction occurred. Probably folly anyway since a court case might not come
to trial for months.

Fortunately most banks are going to go that far yet as the phobia of
publicity far outweighs the fear of placing some cash in a loss column...

0days are still a minor vector compared to what's keeping the online banking fraud cartels alive.

|Again, the fact that unpatched holes that people don't know about and can't
|easily defend themselves against may be 5% of the total doesn't mean that
|it's 0% and you can readily assign blame to the consumer.


Agreed.
It would have to be solved either by litigation or simply quietly refunding
the person's money. You can bet that most banks won't let it happen more than
twice.

It's just that today, those 0days are out there on the edge and don't
comprise the aggregate threat that we face. The recent .it website attacks
definitely got a lot of people's attention as it might be signalling a change
in direction of the attack vector.

Well this thread is old enough to vote so it's time to kill it...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.