Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Sun, 27 Aug 2000 22:47:16 +0100

This is country dependent, in the UK, even tho' we use the
same technology as the US, banks prosecute customers who say they
didn't make the transaction.

In reality, they are trying to hide the fact that the technology
(mag-stripe) is dated and going to be expensive to replace country-wide.

The worst case I've heard was of a _*Police Officer*_ getting convicted,
despite much evidence in his favor.  Unfortunately he called in an expert too
late in the trial to help him; the expert did find out that the bank
(Halifax Building Soc) did its own software testing (by the design team!)
and didn't erase the ATM encryption keys when it was opened for servicing.
- That shouldn't be a problem usually, but the Halifax uses a 3rd party
company (read: any old joe) to service the machines!!! Doh!

It's a sad world, and unfortunately the big corporates can only be educated
by getting them lots of bad press...

Dom

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Pluto
Sent: 25 August 2000 17:18
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Home-Banking PEN-TESTING


On Tue, 22 Aug 2000, Flynn, Gary wrote:

and I expect the same thing applies i.e. the card holder agreement says if it
was with your password/passphrase it is considered you

Can anyone verify this? Up until this time, credit card companies

  In case of ATM cards in Germany, yes.  We had _big_ legal cases where
customers had to prove they hadn't handed their pin out. Mostly they lost
and the bank went away with the customer paying the bill in full.

  Gruss

  Christoph Puppe
--
  /* Defcom Security GmbH     ||  Net:    www.defcom-sec.de      */
  /* Arndtstr. 34             ||  Tel:    +49-30-61650-0         */
  /* D-10965 Berlin           ||  Fax:    +49-30-61650-555       */

