Outbreak - Issue #2 - Page 10 of 12

Online Banking Security Measures
================================
By: Timeless

We live in the age of convenience. The Internet has warped time and space on our tiny little confused planet (minds). Entire projects are being developed in "Internet time" (1 year in human time equals about 3 months in Internet time). However, perfection comes from the ability of a human to take the time to refine his own thoughts. To quantify and to clarify, and then to express and manifest. Internet time cuts the refinement short; if we're humble enough to shun our own egos for a minute we will see that we're not making perfection anymore. Yes, perfection - things like carving hundreds and thousands of stones to make perfect cathedrals filled with statues. Taking a lifetime to build something, like a pyramid.

So, anyway, humans decided to do some banking online because we're all too busy making imperfection to actually go to the bank anymore. I like online banking. In fact it's the only way I can get any banking done! Naturally, most people choose their online banking provider based on how much they like the company logo. Some people rate the online banking facilities based on how much they'd trust it. People have been working extremely hard to get online banking just right. I mean hey, if that padlock in your browser window appears then it must be safe, right? Yeah, right. Well, much more goes into secure online banking. Allow me to elaborate on some of the features we have implemented in Internet time!

Non-repudiation
===============

You already have a bank account, meaning the bank knows who you are and where you live. You want online banking, so you have to approach your bank with your desires.
That's part of the process which stops you posing as someone else. They look at you, your ID, your photo, they smile, you sign something, they compare your signature biometrically. Everyone's happy. You are in fact Joe Bloggs. They send your membership information to your home address. If you receive it then you didn't lie about your address. You also had to produce a phone bill to prove you're the person who lives at that address. You then use that piece of membership information along with some other knowledge that was not included in the letter, so that if anyone had picked up the letter it would not be enough information to get into your account on the web. So when you log on, it's the final step in a huge chain of events that go to prove that you, Joe Bloggs, are who you claim to be. Non-repudiation means you can't deny that you were the one, because there is too much evidence to prove that it was you.

Passwords
=========

Well, you've received your membership number and logon info in the post (that paper stuff that feels crinkly or hard, and it cuts like Jason on Friday night if you mess with it). It's time to do some banking! (Did I just use the words "Jason" and "banking" in the same paragraph? hehehe)

Well, they've talked to people like me before, and they know you're going to need more non-repudiation stuff than that. So they make you type in a PIN code, a password and your granny's aunty's cat's pet food maker's street name. All good ideas. But there's a bit of refinement missing here.

Enter the key logger. A key logger is usually a trojan (a piece of software) or a keyboard buffer (a piece of hardware) that records your keypresses. If you're unfortunate enough to have one of these in place without your knowledge then absolutely everything above can be stolen from you and used by someone else posing as you (yes, by some brave hacker from a call box in an empty field, in the country, using a laptop, bouncing off about 60 billion open proxies on the 'Net).
So the banking crew made up anti-keylogging techniques. Like asking for letters 3 and 9 of your secret word (or any two random letters, a different combination each time). This stops the chance logger from discovering your entire secret word in one go, and unless he is a guru hangman player, this should thwart a majority of attempts. However, if your logins are logged often enough, eventually all the letters can be pieced together and the secret word can be derived.

Enter the mouse! Okay, so the only sensible way to get around that little quirk in our dream of perfection is to start using other devices, like the mouse. Use the mouse to click on the buttons to type the secret word/PIN number in. This usually stops the keyloggers in their tracks. Nice work, banking boys!

Oh dear, but all this is futile if we can simply see the packets of clear text data whizzing by on the network. So the bank boys liked the idea of encrypting the communications. This is where Secure Sockets Layer comes into it (yeah, only now do they put a padlock on your web browser, hehe). Fairly good stuff, hard to crack if you don't have the financial power to buy the computing power to break the encryption power. Okay, now things are looking pretty tight. Or are they?

Enter subclassing or hooking. Using these methods a trojan can watch what processes say to each other within a computer. If it knew what to look for it could pick out mouse clicks, the captions of the buttons that the mouse clicked on, the keys that were pressed, the password being sent from one object to another. This detail could then be sent to another computer (where the hacker is) and he can simply resume your web session without your knowledge. *sigh* Perfection, we strive, but always fail...

This is when the bank boys introduce "serialized browsing". You can't press Back anymore. Each page has a serial number which must match what the server expects to get next.
If anyone else simultaneously uses the session then one of the serial numbers immediately becomes invalid, and therefore the server will cancel the whole session and alert the security boys ASAP. Nice work! Utopia!

Um, no, wait a minute... Some dude hacks into the web server via some recently-published web server exploit. Manages to download the code that does the business! Passwords included!!!

Okay, no sweat, the boys at the bank will have now covered this scenario, simply by using a tiered programming model. You can basically steal the web side stuff and it doesn't help you one bit, because the business tier is what you really want to get at. The business tier uses different security to that of the client tier (I use the word "client" loosely here because it's the "web server tier" that gets connected to by your web browser - I know there's a word for this, but I can't recall it right now). Even if you can interface with the business tier you still need to access the data tier, which is a further level abstracted from you.

I have left out tons more stuff, but it's late and I'm sobering up. To sum it all up: obfuscation! To seek perfection is to seek truth. Hiding things does not bring out the truth. Security prevents perfection - even if we can do it faster than ever before.

- Timeless

Greetz to the Outbreak Zine staff and to #hackerzlair on irc.dal.net