(yet another reason) why to avoid ActiveX like the plague... (FwI

Ian Smith (iansmith@cc.gatech.edu)
Tue, 4 Feb 1997 14:54:22 -0500 (EST)

>----------------Begin Forwarded Message----------------<

Date: Mon, 3 Feb 1997 13:28:16 -0800
From: xsm!john@suntalk.Canada
Subject: (yet another reason) why to avoid ActiveX like the plague...
To: suntalk!torcl-cpu1!susan@Eng

I thought I'd let you decide how to distribute this (if at all...). This is
almost as good as the 'Exploder' page...

(This is from the RISKS mailing list/newsgroup.)

--
John Oram		      (    	ph: (604) 435-4876 
Systems Engineer	      ))  	fax: (604) 435-4297
XSM Systems (A Sun ISO)	    C|~~| 	john@xsm.com
Vancouver, BC, Canada 	     `--' 	john.oram@canada.sun.com

=-=-=-=-=-=-=-=

Date: 1 Feb 1997 05:12:02 GMT
From: weberwu@tfh-berlin.de (Debora Weber-Wulff)
Subject: Electronic Funds Transfer without stealing PIN/TAN

The Berlin newspaper "Tagespiegel" reports on 29 Jan 97 about a television show broadcast the previous evening on which hackers from the Chaos Computer Club demonstrated how to electronically transfer funds without needing a PIN (Personal Identification Number) or TAN (Transaction Number).

Apparently it suffices for the victim to visit a site which downloads an ActiveX application, which automatically starts and checks to see if Quicken, a popular financial software package that also offers electronic funds transfer, is on the machine. If so, Quicken is given a transfer order which is saved by Quicken in its pile of pending transfer orders. The next time the victim sends off the pending transfer orders to the bank (and enters in a valid PIN and TAN for that!) all the orders (= 1 transaction) are executed -> money is transferred without the victim noticing!

The newspaper quotes various officials at Microsoft et al expressing disbelief/outrage/"we're working on it". We discussed this briefly in class looking for a way to avoid the problem. Demanding a TAN for each transfer is not a solution, for one, the banks only send you 50 at a time, and many small companies pay their bills in bunches. Having to enter a TAN for each transaction would be quite time-consuming. Our only solution would be to forbid browsers from executing any ActiveX component without express authorization, but that rather circumvents part of what ActiveX is intended for.

A small consolation: the transfer is trackable, that is, it can be determined at the bank to which account the money went. Some banks even include this information on the statement, but who checks every entry on their statements...

Debora Weber-Wulff, Technische Fachhochschule Berlin, Luxemburger Str. 10, 13353 Berlin GERMANY weberwu@tfh-berlin.de <http://www.tfh-berlin.de/~weberwu/>

[Now you can get a TAN even in the dead of winter! PGN]

=-=-=-=-=-=-=-=-=-=-=
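As an added illustration (not from the RISKS post, nor from Quicken or any real banking client), the toy model below reproduces the batch-injection problem described above and one mitigation: each pending order is tagged with an HMAC under a key derived from a passphrase the user supplies when entering an order and again when sending the batch, so an order written into the queue by some other program carries no valid tag and is rejected before the single PIN/TAN is spent. The function names, the passphrase-derived key and the fixed salt are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Order:
    dest_account: str
    amount_cents: int
    tag: bytes = b""  # authentication tag; empty when nothing vouched for the order


def _order_key(passphrase: str) -> bytes:
    # Assumption: the key exists only while the user is present; it is never
    # stored with the queue. Constructed salt; a real client would use a random one.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"toy-salt", 10_000)


def _tag(key: bytes, dest: str, amount: int) -> bytes:
    return hmac.new(key, f"{dest}|{amount}".encode(), hashlib.sha256).digest()


def queue_via_ui(queue: list, passphrase: str, dest: str, amount: int) -> None:
    """Path the user takes: the order is tagged at entry time."""
    queue.append(Order(dest, amount, _tag(_order_key(passphrase), dest, amount)))


def queue_via_file(queue: list, dest: str, amount: int) -> None:
    """Models an order dropped straight into the pending file by another program."""
    queue.append(Order(dest, amount))


def naive_batch(queue: list) -> list:
    """Behaviour described in the post: every pending order goes out under one PIN/TAN."""
    return [(o.dest_account, o.amount_cents) for o in queue]


def verified_batch(queue: list, passphrase: str) -> tuple:
    """Hardened: only orders whose tag verifies are sent; the rest are reported."""
    key = _order_key(passphrase)
    accepted, rejected = [], []
    for o in queue:
        if hmac.compare_digest(o.tag, _tag(key, o.dest_account, o.amount_cents)):
            accepted.append((o.dest_account, o.amount_cents))
        else:
            rejected.append((o.dest_account, o.amount_cents))
    return accepted, rejected


def demo() -> tuple:
    queue = []
    queue_via_ui(queue, "correct horse", "ACCT-RENT", 95_000)      # constructed
    queue_via_ui(queue, "correct horse", "ACCT-POWER", 12_050)     # constructed
    queue_via_file(queue, "ACCT-UNKNOWN", 250_000)                 # constructed injected order
    return naive_batch(queue), verified_batch(queue, "correct horse")
```

The check only defends against something that can write the queue file; code running with the user's full privileges while the passphrase is in memory could still forge tags, which is why the post's stronger answer is to stop unauthorised components from executing at all.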

----- End Included Message -----

>----------------End Forwarded Message----------------<

---- iansmith@cc.gatech.edu