Re: My bank uses Windows? Is "Check 21" safe?

Discussion in 'Computer Security' started by Juergen Nieveler, Oct 9, 2004.

  1. Anonymous via the Cypherpunks Tonga Remailer <>
    wrote:

    > When I walk through the lobby of my bank, I see Windows screen savers
    > running on some computers and Windows menu screens on others. I know
    > my bank has never heard of Macintosh or Linux. I hesitate to think
    > how many spybots and viruses might lurk in those machines.


    None, if the IT staff know what they're doing - and at large banks they
    usually do.

    I've worked in the IT department of a bank a few years ago, and NO PC
    was allowed to connect to the Internet. Everybody who wanted to look
    something up on the web had to go to special PCs (or get a second PC
    for his workplace) that were hooked to a completely separate network.
    Incoming email was filtered and stripped of anything that might be
    dangerous, and if you got caught sneaking a CD or Floppy in that hadn't
    been scanned by the IT department you could get fired. Yes, you heard
    right - everybody who wanted to put a CD in his machine HAD to take it
    to the IT department first, who checked it with 3 different scanners,
    and everybody did that because otherwise they'd be thrown out.

    Many banks also use Lotus Notes as their email system, which is crap to
    use but much safer than Outlook.

    Another point: While the PC itself runs Windows, the bank applications
    (account management etc.) usually run on a mainframe - on the PC itself
    there's only a terminal client (either 3270, 5250 or a special
    application designed for that bank).

    Juergen Nieveler
    --
    Combat will occur on the ground between two adjoining maps.
     
    Juergen Nieveler, Oct 9, 2004
    #1

  2. Juergen Nieveler

    Jim Watt Guest

    On 9 Oct 2004 14:35:26 GMT, Juergen Nieveler
    <> wrote:

    >Anonymous via the Cypherpunks Tonga Remailer <>
    >wrote:
    >
    >> When I walk through the lobby of my bank, I see Windows screen savers
    >> running on some computers and Windows menu screens on others. I know
    >> my bank has never heard of Macintosh or Linux. I hesitate to think
    >> how many spybots and viruses might lurk in those machines.

    >
    >None, if the IT staff know what they're doing - and at large banks they
    >usually do.
    >
    >I've worked in the IT department of a bank a few years ago, and NO PC
    >was allowed to connect to the Internet. Everybody who wanted to look
    >something up on the web had to go to special PCs (or get a second PC
    >for his workplace) that were hooked to a completely separate network.
    >Incoming email was filtered and stripped of anything that might be
    >dangerous, and if you got caught sneaking a CD or Floppy in that hadn't
    >been scanned by the IT department you could get fired. Yes, you heard
    >right - everybody who wanted to put a CD in his machine HAD to take it
    >to the IT department first, who checked it with 3 different scanners,
    >and everybody did that because otherwise they'd be thrown out.
    >
    >Many banks also use Lotus Notes as their email system, which is crap to
    >use but much safer than Outlook.
    >
    >Another point: While the PC itself runs Windows, the bank applications
    >(account management etc.) usually run on a mainframe - on the PC itself
    >there's only a terminal client (either 3270, 5250 or a special
    >application designed for that bank).
    >
    >Juergen Nieveler


    That ties in with my experience of banks, some of which ordered
    PC's without floppy disk drives so there was no chance they were
    compromised. I'd be worried if I saw a bank with Macs.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Oct 9, 2004
    #2

  3. Juergen Nieveler

    Bit Twister Guest

    On 9 Oct 2004 14:35:26 GMT, Juergen Nieveler wrote:
    >>Anonymous via the Cypherpunks Tonga Remailer

    >
    >> When I walk through the lobby of my bank, I see Windows screen savers
    >> running on some computers and Windows menu screens on others. I know
    >> my bank has never heard of Macintosh or Linux. I hesitate to think
    >> how many spybots and viruses might lurk in those machines.


    What I thought was poor security, is the screen facing the window out
    which you see apartments and other buildings.

    > None, if the IT staff know what they're doing - and at large banks they
    > usually do.


    With all the outsourcing, how would you know. What is worse web pages
    with doubleclick in the pages. Double click gets cracked/infected
    then where are you at.

    > I've worked in the IT department of a bank a few years ago, and NO PC
    > was allowed to connect to the Internet.


    Not, today. Some allow the account manager to get out. :)
    In one. the person had to supply id/password.
    Another bank did not require the password.
     
    Bit Twister, Oct 9, 2004
    #3
  4. Juergen Nieveler

    Celtic Leroy Guest

    Jim Watt <_way> wrote:

    >I'd be worried if I saw a bank with Macs.


    Macs are for the graphics quality and are usually tied into the
    surveillance system. Therefore not a part of the tech systems, but the
    human ones.
     
    Celtic Leroy, Oct 9, 2004
    #4
  5. Jim Watt <_way> wrote:

    > That ties in with my experience of banks, some of which ordered
    > PC's without floppy disk drives so there was no chance they were
    > compromised. I'd be worried if I saw a bank with Macs.


    At one company I worked at years ago (before CD-ROMs became normal part
    of PCs - yes, that long ago), we ordered a batch of floppy-drive-locks
    - they were inserted into the floppy drive and could only be removed
    with a special key, which only the IT department had.

    It cut down the rate of virus infections enormously :)


    Juergen Nieveler
    --
    When they hate Rivera it will mean condor will win.
     
    Juergen Nieveler, Oct 9, 2004
    #5
  6. Juergen Nieveler

    Bit Twister Guest

    On 9 Oct 2004 19:24:47 GMT, Juergen Nieveler wrote:
    >
    > At one company I worked at years ago (before CD-ROMs became normal part
    > of PCs - yes, that long ago), we ordered a batch of floppy-drive-locks
    > - they were inserted into the floppy drive and could only be removed
    > with a special key, which only the IT department had.
    >
    > It cut down the rate of virus infections enormously :)


    Saw an article where companies are putting epoxy in the usb ports. :)
    Pulling cd and diskette drives also.
     
    Bit Twister, Oct 9, 2004
    #6
  7. Juergen Nieveler

    Celtic Leroy Guest

    Bit Twister <> wrote:

    >On 9 Oct 2004 14:35:26 GMT, Juergen Nieveler wrote:
    >>>Anonymous via the Cypherpunks Tonga Remailer

    >>
    >>> When I walk through the lobby of my bank, I see Windows screen savers
    >>> running on some computers and Windows menu screens on others. I know
    >>> my bank has never heard of Macintosh or Linux. I hesitate to think
    >>> how many spybots and viruses might lurk in those machines.

    >
    >What I thought was poor security, is the screen facing the window out
    >which you see apartments and other buildings.


    Visual surveillance would be mainly of the screens and keyboards, any
    view into a bank where you can gather that information, is potentially
    a leak. But, the information you gather there is only good for
    identity, not access, to accounts. Access comes from the owner, and
    being able to obtain their passkeys.

    Nothing is more sacred than the account owner. Spoof him/her and you
    own the account. I would snip the remainder of this, but first I ask
    you to look at it and ask, 'What matters if access is gained by (your
    pretending to be) the Account Owner?'

    >> None, if the IT staff know what they're doing - and at large banks they
    >> usually do.

    >
    >With all the outsourcing, how would you know. What is worse web pages
    >with doubleclick in the pages. Double click gets cracked/infected
    >then where are you at.
    >
    >> I've worked in the IT department of a bank a few years ago, and NO PC
    >> was allowed to connect to the Internet.

    >
    >Not, today. Some allow the account manager to get out. :)
    >In one. the person had to supply id/password.
    >Another bank did not require the password.


    And, access to the Accounts is easiest through On-Line Banking.
     
    Celtic Leroy, Oct 9, 2004
    #7
  8. Juergen Nieveler

    Bit Twister Guest

    On Sat, 09 Oct 2004 19:45:18 GMT, Celtic Leroy wrote:
    >
    > Visual surveillance would be mainly of the screens and keyboards, any
    > view into a bank where you can gather that information, is potentially
    > a leak.


    But screens facing windows. Poor security from the get go.

    > But, the information you gather there is only good for
    > identity, not access, to accounts. Access comes from the owner, and
    > being able to obtain their passkeys.


    True, except when new accounts are being entered. :(

    At one bank, I could not see the screen when the pin was entered to
    see if it was ****** or not. Another bank at least had a box where I
    swiped the new card and entered my pin out of sight when creating a
    new account.
     
    Bit Twister, Oct 9, 2004
    #8
  9. Bit Twister <> wrote:

    >>> When I walk through the lobby of my bank, I see Windows screen savers
    >>> running on some computers and Windows menu screens on others. I know
    >>> my bank has never heard of Macintosh or Linux. I hesitate to think
    >>> how many spybots and viruses might lurk in those machines.

    >
    > What I thought was poor security, is the screen facing the window out
    > which you see apartments and other buildings.


    THAT is indeed poor security :)

    >> None, if the IT staff know what they're doing - and at large banks they
    >> usually do.

    >
    > With all the outsourcing, how would you know.


    BTDT. Bank auditors are about the worst that can happen to you :)

    Yes, they DO worry about that kind of stuff, at least at bigger banks.

    > What is worse web pages
    > with doubleclick in the pages. Double click gets cracked/infected
    > then where are you at.


    Do you honestly think that such a PC will get a DIRECT connection to
    the Internet? At the very least they'll have a proxy with virus
    scanner, maybe even something that scans applets and JavaScript (Trend
    Micro produces some scanners for that sort of work, for example).

    >> I've worked in the IT department of a bank a few years ago, and NO PC
    >> was allowed to connect to the Internet.

    >
    > Not, today. Some allow the account manager to get out. :)
    > In one. the person had to supply id/password.


    See - proxy authentication :)

    > Another bank did not require the password.


    Doesn't mean they don't check. With MS ISA, for example, ID checking is
    done by Windows/IE, the user doesn't have to enter his ID twice.

    We use that at $Ork - the users who are allowed out can do so without
    any problem, those who aren't get presented a window asking for
    username and password (in case somebody who IS authorised is sitting
    next to them and just wants to show them something). Web traffic is
    filtered, however, so NOBODY can see a webpage if I don't want them to
    see that particular page.

    If I was really nasty, I could even redirect traffic so that every
    visit to whitehouse.gov is directed whitehouse.org, or goatse.cx :)))


    Juergen Nieveler
    --
    "There ought to be limits to freedom" George W. Bush at the Texas State
    House, May 21, 1999, referring to GWBush.com
     
    Juergen Nieveler, Oct 9, 2004
    #9
  10. Celtic Leroy <> wrote:

    > And, access to the Accounts is easiest through On-Line Banking.


    Indeed, I've long since given up on online banking through web browsers.
    Thankfully, my bank supports using regular homebanking applications
    (following the HBCI standard), so I can lean back and grin at the
    phishing attempts... I doubt that any phisher will find a way to put a
    money transfer order into the queue AND make me sign it with a chipcard
    and pin, entered on a tamper resistant reader :)

    Juergen Nieveler
    --
    Warning! Tagline thieves abound. See next message area for details!
     
    Juergen Nieveler, Oct 9, 2004
    #10
  11. Juergen Nieveler

    Bit Twister Guest

    On 9 Oct 2004 20:03:36 GMT, Juergen Nieveler wrote:

    >> What is worse web pages
    >> with doubleclick in the pages. Double click gets cracked/infected
    >> then where are you at.

    >
    > Do you honestly think that such a PC will get a DIRECT connection to
    > the Internet? At the very least they'll have a proxy with virus
    > scanner, maybe even something that scans applets and JavaScript (Trend
    > Micro produces some scanners for that sort of work, for example).


    Hehehe, any connection would be dangerous. Malware scanners are pretty
    good after the malware has been caught, sig generated, and downloaded
    at the bank's database. Bit of a window of opportunity there.

    Op was worried about ms in the bank.
    I have more worry about the web pages served from the bank's ms servers.

    Last time I looked, Bank One was running Microsoft-IIS/5.0
     
    Bit Twister, Oct 9, 2004
    #11
  12. Juergen Nieveler

    Leythos Guest

    In article <>,
    says...
    > Jim Watt <_way> wrote:
    >
    > > That ties in with my experience of banks, some of which ordered
    > > PC's without floppy disk drives so there was no chance they were
    > > compromised. I'd be worried if I saw a bank with Macs.

    >
    > At one company I worked at years ago (before CD-ROMs became normal part
    > of PCs - yes, that long ago), we ordered a batch of floppy-drive-locks
    > - they were inserted into the floppy drive and could only be removed
    > with a special key, which only the IT department had.
    >
    > It cut down the rate of virus infections enormously :)


    Yea, we used to disconnect the power cable and then lock the case. I
    remember those devices, they were great.

    I had a user insert a 5.25" floppy sideways one time - they had to force
    it into the drive and then could not get it out - it stuck on the R/W
    arm and bent it :)

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Oct 9, 2004
    #12
  13. Juergen Nieveler

    xmp Guest

    Bit Twister wrote:

    > What I thought was poor security, is the screen facing the window out
    > which you see apartments and other buildings.


    Many kiddies were Van Eck phreaking long before these goofballs jumped
    on the wardriving bandwagon.

    Those who are ignorant of history are doomed to repeat it.

    michael
     
    xmp, Oct 9, 2004
    #13
  14. Juergen Nieveler

    Bill Unruh Guest

    Juergen Nieveler <> writes:

    ]Bit Twister <> wrote:

    ]>>> When I walk through the lobby of my bank, I see Windows screen savers
    ]>>> running on some computers and Windows menu screens on others. I know
    ]>>> my bank has never heard of Macintosh or Linux. I hesitate to think
    ]>>> how many spybots and viruses might lurk in those machines.
    ]>
    ]> What I thought was poor security, is the screen facing the window out
    ]> which you see apartments and other buildings.

    ]THAT is indeed poor security :)

    ]>> None, if the IT staff know what they're doing - and at large banks they
    ]>> usually do.
    ]>
    ]> With all the outsourcing, how would you know.

    ]BTDT. Bank auditors are about the worst that can happen to you :)

    Ross Anderson has almost made a career out of pointing out how bad banks
    are at security. What anyone else would hesitate to do, they do.
     
    Bill Unruh, Oct 10, 2004
    #14
  15. Juergen Nieveler

    Jim Watt Guest

    On Sat, 09 Oct 2004 19:09:35 GMT, Celtic Leroy
    <> wrote:

    >Jim Watt <_way> wrote:
    >
    >>I'd be worried if I saw a bank with Macs.

    >
    >Macs are for the graphics quality and are usually tied into the
    >surveillance system. Therefore not a part of the tech systems, but the
    >human ones.


    Nonsense. The only Apple products around here are iPods
    used by teenagers.

    If anyone wanted to use a computer in a surveillance system
    a PC is a standard item easily maintained, or better still use
    dedicated hardware designed for the purpose

    http://www.tecton.co.uk/brochure.html
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Oct 10, 2004
    #15
  16. Juergen Nieveler

    Jim Watt Guest

    On Sat, 09 Oct 2004 19:34:32 GMT, Bit Twister
    <> wrote:

    >On 9 Oct 2004 19:24:47 GMT, Juergen Nieveler wrote:
    >>
    >> At one company I worked at years ago (before CD-ROMs became normal part
    >> of PCs - yes, that long ago), we ordered a batch of floppy-drive-locks
    >> - they were inserted into the floppy drive and could only be removed
    >> with a special key, which only the IT department had.
    >>
    >> It cut down the rate of virus infections enormously :)

    >
    >Saw an article where companies are putting epoxy in the usb ports. :)
    >Pulling cd and diskette drives also.


    We superglue the 110/240v switch on power supplies on PC going
    into the schools after they found out the fun that could be had with
    them.

    We also sold a number of the disk locks for floppies, however it's
    easier to disconnect them in the box if the case has a secure lock

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Oct 10, 2004
    #16
  17. Juergen Nieveler

    Celtic Leroy Guest

    Jim Watt <_way> wrote:

    >On Sat, 09 Oct 2004 19:09:35 GMT, Celtic Leroy
    ><> wrote:
    >
    >>Jim Watt <_way> wrote:
    >>
    >>>I'd be worried if I saw a bank with Macs.

    >>
    >>Macs are for the graphics quality and are usually tied into the
    >>surveillance system. Therefore not a part of the tech systems, but the
    >>human ones.

    >
    >Nonsense. The only Apple products around here are iPods
    >used by teenagers.
    >
    >If anyone wanted to use a computer in a surveillance system
    >a PC is a standard item easily maintained, or better still use
    >dedicated hardware designed for the purpose
    >

    You're probably right, I never worked anywhere that required really
    good security like a bank...just a small military weapons RDT&E
    facility. Security there only consists of full spectrum analog feeds
    from a few device managers (each monitoring a number of devices).
    Consisting of wave streams from ground movement to infrared optics in
    an area of about 2500 square miles. All of the gathering and storage
    of these feeds was done on Macs. The resulting data was available on
    the intranet.

    But yea, if all you want to do is record a few feeds around your 2500
    sqft. office spaces with web cameras, a PC will do fine.
     
    Celtic Leroy, Oct 11, 2004
    #17
  18. Juergen Nieveler

    xborg Guest

    I've been in all sides of the security and banking industry. I recommend that
    you be very careful in managing your accounts, and if you see anything odd,
    report it right away.

    It is easier that your financial information be stolen from other places
    than from your bank, but still bank cybersecurity is not what it should be.
    Banks have to deal with software vendors and hardware vendors and they all
    basically have access to the bank's information. If someone savvy gets access
    to the bank's network, then it don't matter if the bank has Windows or Unix,
    the bank's information is likely to be compromised. One important thing is
    that Windows is friendlier than Unix and therefore you need less technical
    skill to find what you are looking for.

    "Bit Twister" <> wrote in message
    news:...
    > On 9 Oct 2004 14:35:26 GMT, Juergen Nieveler wrote:
    > >>Anonymous via the Cypherpunks Tonga Remailer

    > >
    > >> When I walk through the lobby of my bank, I see Windows screen savers
    > >> running on some computers and Windows menu screens on others. I know
    > >> my bank has never heard of Macintosh or Linux. I hesitate to think
    > >> how many spybots and viruses might lurk in those machines.

    >
    > What I thought was poor security, is the screen facing the window out
    > which you see apartments and other buildings.
    >
    > > None, if the IT staff know what they're doing - and at large banks they
    > > usually do.

    >
    > With all the outsourcing, how would you know. What is worse web pages
    > with doubleclick in the pages. Double click gets cracked/infected
    > then where are you at.
    >
    > > I've worked in the IT department of a bank a few years ago, and NO PC
    > > was allowed to connect to the Internet.

    >
    > Not, today. Some allow the account manager to get out. :)
    > In one. the person had to supply id/password.
    > Another bank did not require the password.
    >
     
    xborg, Oct 22, 2004
    #18
  19. Juergen Nieveler

    Bit Twister Guest

    On Fri, 22 Oct 2004 12:35:42 -0700, xborg wrote:
    > I've been in all sides of the security and banking industry. I recommend that
    > you be very careful in managing your accounts


    I would second that.

    > and if you see anything odd, report it right away.


    Some banks will let you set email alarms to notify you of activity.
    I get an email when $50 or more comes out of the account.
    Other banks have software watching withdrawals and anything out of the
    norm causes the fraud group to give you a call.

    I do run gnucash against each bank statement to verify nothing is amiss.
    Beats running a check register.

    > It is easier that your financial information be stolen from other places
    > than from your bank, but still bank cybersecurity is not what it should be.
    > Banks have to deal with software vendors and hardware vendors and they all
    > basically have access to the bank's information.


    Yes, one bank I tried uses doubleclick.net tracking. Shot them an email
    indicating that was pretty _negligent_ of them. That keyword gets
    their attention. Asked, What would happen if doubleclick's servers
    were to be cracked or doubleclick were to outsource their work to
    china/india and that $60 a month employee sold account info for $50,000.

    Received something to the effect they have info sharing agreements
    with everyone they use. I fired back, BFD, they were still negligent
    because they could get webhit stats from their servers and doubleclick
    usage was like a locked outside backdoor on a bank vault. Just plain
    negligent.

    Also told them their webpages were broke because I block doubleclick IP
    addies. They did modify their webpages but still used doubleclick on
    exit on the sign on page. Wrote one more email telling them why I
    moved my accounts elsewhere.

    > If someone savvy gets access to the bank's network, then it don't
    > matter if the bank has Windows or Unix, the bank's information is
    > likely to be compromised.


    True, but, better chance of that on MS os if Microsoft only releases
    patches once a month or only when a known exploit is found out on the
    internet.

    > One important thing is that Windows is friendlier than Unix and


    With the first six months of this year showing a new virus every other
    hour on average I'll agree windows is more friendlier for the bad guys.

    > therefore you need less technical skill to find what you are looking for.


    All the banks I use, work just fine with linux's firefox, thunderbird
    and mozilla. Last year or so, Mandrakelinux/Suse have gotten pretty
    user friendly except for the stinking winmodems setup.

    I do have a separate account for credit card and bank work. On logout,
    the account's files are deleted and restored from a tar file. I have a webpage
    with bank urls to pick from to keep me from mistyping the url and I
    never click on a url from an email which is yet another user account.
     
    Bit Twister, Oct 22, 2004
    #19
  20. "xborg" <> wrote:

    > It is easier that your financial information be stolen from other
    > places than from your bank, but still bank cybersecurity is not what
    > it should be.


    Depends on the bank, of course...

    > Banks have to deal with software vendors and hardware
    > vendors and they all basically have access to the bank's information.


    Definitely not, at least at good banks. They use compartmentalisation
    as a security measure just like Intelligence Agencies do... the cashier
    will know how much money he can give you, but isn't able to check your
    credit rating or check your house loan, for example. And no consultant
    gets to see it all, even of their own staff only very few people know
    the entire picture.

    > If someone savvy gets access to the bank's network, then it don't
    > matter if the bank has Windows or Unix, the bank's information is
    > likely to be compromised.


    Depends a lot on their systems, again. I've personally seen the network
    diagrams of a large bank computer center (actually, only the parts that
    we had to work on), and it was so compartmentalised you wouldn't
    believe it - there were firewalls between each department, and rulesets
    that were hell to analyse - for example "Port X is open from Net A to
    host C via Net B, but not directly from Net B". Firewalls were mixed,
    too - mostly Checkpoint and Cisco, naturally :)

    The Admin had a hell of a job - if he wanted to remote-control servers,
    he had to remember which net the particular server was in, connect to a
    PC (called "Admin-Hop") in a totally different network via something
    like PCAnywhere, then launch PCAnywhere THERE to connect to the actual
    server. All because the server was in a network that was only allowed
    to talk to machines in a specific other network, not anywhere else.

    Juergen Nieveler
    --
    When in doubt empty the magazine.
     
    Juergen Nieveler, Oct 22, 2004
    #20
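
The kind of ruleset described in post #20 ("open from Net A to host C via Net B, but not directly from Net B") and the "Admin-Hop" path can be audited mechanically. The following is an added example, not part of the original thread: a default-deny check of a segmented network, in which the net names, host names, firewall names and port numbers are all constructed placeholders, and rules are matched per net rather than per host for brevity.

```python
from collections import deque

# Constructed sample data: every name and port below is a hypothetical placeholder.
APP_PORT = 1414   # "Port X" from the post
RC_PORT = 5631    # port of the remote-control tool used by the admin

# Adjacent nets and the firewall that sits between them.
LINKS = {
    frozenset({"net-a", "net-b"}): "fw-ab",
    frozenset({"net-b", "net-c"}): "fw-bc",
    frozenset({"admin-net", "net-b"}): "fw-adm",
}
HOSTS = {
    "app-a": "net-a",
    "admin-hop": "net-b",
    "server-c": "net-c",
    "admin-pc": "admin-net",
}
# Default deny: a firewall passes only the (src_net, dst_net, port) tuples listed.
RULES = {
    "fw-ab": {("net-a", "net-c", APP_PORT)},
    "fw-bc": {("net-a", "net-c", APP_PORT), ("net-b", "net-c", RC_PORT)},
    "fw-adm": {("admin-net", "net-b", RC_PORT)},
}


def net_path(src_net, dst_net):
    """Shortest routed path between two nets as a list of nets (BFS), or None."""
    queue, seen = deque([[src_net]]), {src_net}
    while queue:
        path = queue.popleft()
        if path[-1] == dst_net:
            return path
        for link in LINKS:
            if path[-1] in link:
                (nxt,) = link - {path[-1]}
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return None


def flow_allowed(src_host, dst_host, port):
    """True only if every firewall on the routed path permits this exact flow."""
    src_net, dst_net = HOSTS[src_host], HOSTS[dst_host]
    if src_net == dst_net:
        return True  # same segment, no firewall is crossed
    path = net_path(src_net, dst_net)
    if path is None:
        return False
    return all(
        (src_net, dst_net, port) in RULES.get(LINKS[frozenset(pair)], set())
        for pair in zip(path, path[1:])
    )


def session_chain(start, target, port):
    """Shortest chain of hosts in which each leg is a permitted flow, or None.

    Models the admin who connects to a hop PC and launches a second
    remote-control session from there.
    """
    queue, seen = deque([[start]]), {start}
    while queue:
        chain = queue.popleft()
        if chain[-1] == target:
            return chain
        for host in HOSTS:
            if host not in seen and flow_allowed(chain[-1], host, port):
                seen.add(host)
                queue.append(chain + [host])
    return None


if __name__ == "__main__":
    print("A -> C on port X:      ", flow_allowed("app-a", "server-c", APP_PORT))
    print("B -> C on port X:      ", flow_allowed("admin-hop", "server-c", APP_PORT))
    print("admin -> server direct:", flow_allowed("admin-pc", "server-c", RC_PORT))
    print("admin session chain:   ", session_chain("admin-pc", "server-c", RC_PORT))
```

Running the same two functions over every host pair gives a quick regression test after a ruleset change: any new direct flow or shorter chain to a server net shows up as a difference.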