Computer Security - Re: My bank uses Windows? Is "Check 21" safe?

#1

Anonymous via the Cypherpunks Tonga Remailer <> wrote:

> When I walk through the lobby of my bank, I see Windows screen savers
> running on some computers and Windows menu screens on others. I know
> my bank has never heard of MacIntosh or Linux. I hesitate to think
> how many spybots and viruses might lurk in those machines.

None, if the IT staff know what they're doing - and at large banks they usually do.

I've worked in the IT department of a bank a few years ago, and NO PC was allowed to connect to the Internet. Everybody who wanted to look something up on the web had to go to special PCs (or get a second PC for his workplace) that were hooked to a completely separate network. Incoming email was filtered and stripped of anything that might be dangerous, and if you got caught sneaking a CD or Floppy in that hadn't been scanned by the IT department you could get fired. Yes, you heard right - everybody who wanted to put a CD in his machine HAD to take it to the IT department first, who checked it with 3 different scanners, and everybody did that because otherwise they'd be thrown out.

Many banks also use Lotus Notes as their email system, which is crap to use but much safer than Outlook.

Another point: While the PC itself runs Windows, the bank applications (account management etc.) usually run on a mainframe - on the PC itself there's only a terminal client (either 3270, 5250 or a special application designed for that bank).

Juergen Nieveler

--
Combat will occur on the ground between two adjoining maps.

Juergen Nieveler

#2

On 9 Oct 2004 14:35:26 GMT, Juergen Nieveler <> wrote:

>Anonymous via the Cypherpunks Tonga Remailer <>
>wrote:
>
>> When I walk through the lobby of my bank, I see Windows screen savers
>> running on some computers and Windows menu screens on others. I know
>> my bank has never heard of MacIntosh or Linux. I hesitate to think
>> how many spybots and viruses might lurk in those machines.
>
>None, if the IT staff know what they're doing - and at large banks they
>usually do.
>
>I've worked in the IT department of a bank a few years ago, and NO PC
>was allowed to connect to the Internet. Everybody who wanted to look
>something up on the web had to go to special PCs (or get a second PC
>for his workplace) that were hooked to a completely separate network.
>Incoming email was filtered and stripped of anything that might be
>dangerous, and if you got caught sneaking a CD or Floppy in that hadn't
>been scanned by the IT department you could get fired. Yes, you heard
>right - everybody who wanted to put a CD in his machine HAD to take it
>to the IT department first, who checked it with 3 different scanners,
>and everybody did that because otherwise they'd be thrown out.
>
>Many banks also use Lotus Notes as their email system, which is crap to
>use but much safer than Outlook.
>
>Another point: While the PC itself runs Windows, the bank applications
>(account management etc.) usually run on a mainframe - on the PC itself
>there's only a terminal client (either 3270, 5250 or a special
>application designed for that bank).
>
>Juergen Nieveler

That ties in with my experience of banks, some of which ordered PC's without floppy disk drives so there was no chance they were compromised. I'd be worried if I saw a bank with Macs.

--
Jim Watt
http://www.gibnet.com

Jim Watt

#3

On 9 Oct 2004 14:35:26 GMT, Juergen Nieveler wrote:

>>Anonymous via the Cypherpunks Tonga Remailer
>
>> When I walk through the lobby of my bank, I see Windows screen savers
>> running on some computers and Windows menu screens on others. I know
>> my bank has never heard of MacIntosh or Linux. I hesitate to think
>> how many spybots and viruses might lurk in those machines.

What I thought was poor security, is the screen facing the window out which you see apartments and other buildings.

> None, if the IT staff know what they're doing - and at large banks they
> usually do.

With all the outsourcing, how would you know. What is worse web pages with doubleclick in the pages. Double click gets cracked/infected then where are you at.

> I've worked in the IT department of a bank a few years ago, and NO PC
> was allowed to connect to the Internet.

Not, today. Some allow the account manager to get out.
In one, the person had to supply id/password.
Another bank did not require the password.

Bit Twister

#4

Jim Watt <_way> wrote:

>I'd be worried if I saw a bank with Macs.

Macs are for the graphics quality and are usually tied into the surveillance system. Therefore not a part of the tech systems, but the human ones.

Celtic Leroy

#5

Jim Watt <_way> wrote:

> That ties in with my experience of banks, some of which ordered
> PC's without floppy disk drives so there was no chance they were
> compromised. I'd be worried if I saw a bank with Macs.

At one company I worked at years ago (before CD-ROMs became normal part of PCs - yes, that long ago), we ordered a batch of floppy-drive-locks - they were inserted into the floppy drive and could only be removed with a special key, which only the IT department had.

It cut down the rate of virus infections enormously

Juergen Nieveler

--
When they hate Rivera it will mean condor will win.

Juergen Nieveler

#6

On 9 Oct 2004 19:24:47 GMT, Juergen Nieveler wrote:

>
> At one company I worked at years ago (before CD-ROMs became normal part
> of PCs - yes, that long ago), we ordered a batch of floppy-drive-locks
> - they were inserted into the floppy drive and could only be removed
> with a special key, which only the IT department had.
>
> It cut down the rate of virus infections enormously

Saw an article where companies are putting epoxy in the usb ports. Pulling cd and diskette drives also.

Bit Twister

#7

Bit Twister <> wrote:

>On 9 Oct 2004 14:35:26 GMT, Juergen Nieveler wrote:
>>>Anonymous via the Cypherpunks Tonga Remailer
>>
>>> When I walk through the lobby of my bank, I see Windows screen savers
>>> running on some computers and Windows menu screens on others. I know
>>> my bank has never heard of MacIntosh or Linux. I hesitate to think
>>> how many spybots and viruses might lurk in those machines.
>
>What I thought was poor security, is the screen facing the window out
>which you see apartments and other buildings.

Visual surveillance would be mainly of the screens and keyboards, any view into a bank where you can gather that information, is potentially a leak. But, the information you gather there is only good for identity, not access, to accounts. Access comes from the owner, and being able to obtain their passkeys.

Nothing is more sacred than the account owner. Spoof him/her and you own the account.

I would snip the remainder of this, but first I ask you to look at it and ask, 'What matters if access is gained by (your pretending to be) the Account Owner?'

>> None, if the IT staff know what they're doing - and at large banks they
>> usually do.
>
>With all the outsourcing, how would you know. What is worse web pages
>with doubleclick in the pages. Double click gets cracked/infected
>then where are you at.
>
>> I've worked in the IT department of a bank a few years ago, and NO PC
>> was allowed to connect to the Internet.
>
>Not, today. Some allow the account manager to get out.
>In one, the person had to supply id/password.
>Another bank did not require the password.

And, access to the Accounts is easiest through On-Line Banking.

Celtic Leroy

#8

On Sat, 09 Oct 2004 19:45:18 GMT, Celtic Leroy wrote:

>
> Visual surveillance would be mainly of the screens and keyboards, any
> view into a bank where you can gather that information, is potentially
> a leak.

But screens facing windows. Poor security from the get go.

> But, the information you gather there is only good for
> identity, not access, to accounts. Access comes from the owner, and
> being able to obtain their passkeys.

True, except when new accounts are being entered. At one bank, I could not see the screen when the pin was entered to see if it was ****** or not.

Another bank at least had a box where I swiped the new card and entered my pin out of sight when creating a new account.

Bit Twister

#9

Bit Twister <> wrote:

>>> When I walk through the lobby of my bank, I see Windows screen savers
>>> running on some computers and Windows menu screens on others. I know
>>> my bank has never heard of MacIntosh or Linux. I hesitate to think
>>> how many spybots and viruses might lurk in those machines.
>
> What I thought was poor security, is the screen facing the window out
> which you see apartments and other buildings.

THAT is indeed poor security

>> None, if the IT staff know what they're doing - and at large banks they
>> usually do.
>
> With all the outsourcing, how would you know.

BTDT. Bank auditors are about the worst that can happen to you. Yes, they DO worry about that kind of stuff, at least at bigger banks.

> What is worse web pages
> with doubleclick in the pages. Double click gets cracked/infected
> then where are you at.

Do you honestly think that such a PC will get a DIRECT connection to the Internet? At the very least they'll have a proxy with virus scanner, maybe even something that scans applets and JavaScript (Trend Micro produces some scanners for that sort of work, for example).

>> I've worked in the IT department of a bank a few years ago, and NO PC
>> was allowed to connect to the Internet.
>
> Not, today. Some allow the account manager to get out.
> In one, the person had to supply id/password.

See - proxy authentication

> Another bank did not require the password.

Doesn't mean they don't check. With MS ISA, for example, ID checking is done by Windows/IE, the user doesn't have to enter his ID twice. We use that at $Ork - the users who are allowed out can do so without any problem, those who aren't get presented a window asking for username and password (in case somebody who IS authorised is sitting next to them and just wants to show them something). Web traffic is filtered, however, so NOBODY can see a webpage if I don't want them to see that particular page.

If I was really nasty, I could even redirect traffic so that every visit to whitehouse.gov is directed to whitehouse.org, or goatse.cx

Juergen Nieveler

--
"There ought to be limits to freedom" George W. Bush at the Texas State House, May 21, 1999, referring to GWBush.com

Juergen Nieveler

#10

Celtic Leroy <> wrote:

> And, access to the Accounts is easiest through On-Line Banking.

Indeed, I've long since given up on online banking through webbrowsers. Thankfully, my bank supports using regular homebanking applications (following the HBCI standard), so I can lean back and grin at the phishing attempts...

I doubt that any phisher will find a way to put a money transfer order into the queue AND make me sign it with a chipcard and pin, entered on a tamper resistant reader

Juergen Nieveler

--
Warning! Tagline thieves abound. See next message area for details!

Juergen Nieveler