
Thread: Bank accounts in online security scare

  1. #11
    kr5kernel (Senior Member, Join Date: Mar 2004, Posts: 347)
    I recently did the ACH programming for direct deposit at work, and bank transactions are surprisingly simple (at least what I was doing), but in the same regard you could see why banks would be getting more attention for attacks. Direct deposit is nothing more than uploading a text file over HTTPS. You would think there would be more security checks involved, i.e. encrypting the file beforehand.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  2. #12
    RoadClosed (Senior Member, Join Date: Jun 2003, Posts: 3,834)
    Sometimes there is confusion about where the ACH transaction is actually taking place. The upload could be the result of or request for an ACH transfer, not the actual transaction. It depends. HTTPS is an acceptable encryption tunnel. There is no need to encrypt the text, then encrypt the tunnel, then decrypt the tunnel, then decrypt the text. Sending the request via encrypted HTTPS is acceptable. There will be other countermeasures in place to make sure the direct deposit baseline isn't breached. For instance, an account getting 100,000.00 when it's normally 1,00.00. Human error is the enemy as well.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #13
    kr5kernel (Senior Member, Join Date: Mar 2004, Posts: 347)
    Oh, for sure, and believe you me, when our first deposit was made, and I was faxed a confirmation, and the result was about $9,000 less than it was supposed to be, the human error function hit home. I am just saying, it seemed very simple in the way transactions took place. There is a phone system tied into the uploading in which to warn the bank of an incoming control, but if you think about a disgruntled employee, Superman 3 style, taking a little bit off the top of each account and making the grand total match the same....
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
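
Added example, not part of either poster's messages: a sketch of why a single control total cannot notice amounts being shifted between entries, next to a per-entry reconciliation and the kind of baseline check post #12 mentions. All names, records and thresholds are assumptions made for the illustration; the records are simplified and do not follow a real ACH file layout.

```python
from statistics import median

# All data below is constructed for illustration; amounts are in cents.
AUTHORISED = {"acct-001": 150_000, "acct-002": 210_000,
              "acct-003": 98_000, "acct-004": 175_000}   # payroll register
# Upload batch in which 500 cents was taken off three entries and added to a
# fourth, so the grand total is unchanged.
BATCH = {"acct-001": 149_500, "acct-002": 209_500,
         "acct-003": 97_500, "acct-004": 176_500}
# Earlier deposits per account, used as the baseline.
HISTORY = {"acct-001": [150_000, 150_000], "acct-002": [210_000, 205_000],
           "acct-003": [98_000, 98_000], "acct-004": [175_000, 175_000]}


def control_total_ok(batch, expected_total):
    """Grand-total check: all that a single control figure verifies."""
    return sum(batch.values()) == expected_total


def reconcile(batch, authorised):
    """Return {account: (authorised, in_batch)} for every differing entry."""
    diffs = {}
    for acct in sorted(set(batch) | set(authorised)):
        want, got = authorised.get(acct), batch.get(acct)
        if want != got:  # None marks an account present on one side only
            diffs[acct] = (want, got)
    return diffs


def baseline_outliers(batch, history, factor=10):
    """Flag entries above `factor` times the account's median deposit,
    or entries for accounts with no history at all."""
    flagged = []
    for acct, amount in sorted(batch.items()):
        past = history.get(acct)
        if not past or amount > factor * median(past):
            flagged.append(acct)
    return flagged


if __name__ == "__main__":
    total = sum(AUTHORISED.values())
    print("control total matches:", control_total_ok(BATCH, total))
    print("per-entry differences:", reconcile(BATCH, AUTHORISED))
    print("baseline outliers:", baseline_outliers(BATCH, HISTORY))
```

The control total passes and the baseline check stays quiet for small shifts; only the comparison against a register held outside the uploader's control reports them.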

  4. #14
    Ok then, so what's the answer for the typical user? If the banks can't secure us, how do we secure ourselves?

    What I do is rely on close monitoring. I check my online bank account DAILY, and usually two or three times a day. That means that a penny doesn't leave or come into the account without me seeing it, and then I immediately compare it to my own figures. As soon as I see ANYTHING even remotely questionable, I contact the bank immediately and inquire about it.

    But are there any additional measures we can take?

  5. #15
    kr5kernel (Senior Member, Join Date: Mar 2004, Posts: 347)
    I think what we have to do is exactly what we are doing. If you think about it, is a bank more likely to get held up at gunpoint, or held up electronically? That would be an interesting stat: with the progression of technology, are we leaning away from physical violence only to embrace cyber violence? If I ever want to go back to school for my PhD, maybe that would make a good dissertation.

    I think by the fact that you check constantly, you are doing all you can do, and the banks can only value you that much more as a customer who takes time out of his day to ensure his and the bank's security.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  6. #16
    RoadClosed (Senior Member, Join Date: Jun 2003, Posts: 3,834)
    Electronically you are lucky to siphon off a few thousand with no one catching it. You don't just access the core accounting system. You access a copy. Then you have to spend time exploring the systems and looking for entries without tripping safeguards. OR...

    You pull up in a car, go inside, slip on a mask and leave with 15k in about 3 minutes.

    Either way your chances of getting caught are similar.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  7. #17
    Senior Member (Join Date: Oct 2002, Posts: 181)
    held up electronically?
    sounds like DDoS to me

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  8. #18
    MURACU (AO Guinness Monster, Join Date: Jan 2004, Location: paris, Posts: 1,003)
    It is very hard to get into any system nowadays without leaving some sort of trace. That goes even for working from the inside. What is worse is that it is normally the most stupid things that will get someone caught. Here is a real life example.

    A while back, in the company where I was working, over a weekend 10 laptops were stolen from the different offices and workspaces in the building. All the laptops had anti-theft cables attached, and to get into the building you needed to have a badge. After a little checking we worked out what had happened. The person that had taken the laptops was the head of a department. He had written a macro that was simulating him sending typed commands to the mainframes so he could say he was at his computer at the time of the thefts even if he was in the building at the time. He also had the help of the security guard who was on that day. The guard left the doors to the stairwells open while he was doing his rounds, so our friend had access to all the different floors in the building without using his badge.
    An almost perfect situation. It almost was, except my office was also protected by a badge. He didn't try to get in to my office, but he did walk in the corridor outside it about five times, which was unfortunate, as I was two floors lower in the building than he was and the badge reader on my office was exceptionally sensitive, probably even neurotic. In any case it picked up his badge passing by, and he is now sharing a cell with the security guard.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  9. #19
    RoadClosed (Senior Member, Join Date: Jun 2003, Posts: 3,834)
    Doh! That is a sensitive card reader. That is why I said it's about the same chance of getting caught. When you walk into a bank you leave an ID. Your build, skin color, clothes, gait, height, verbal or handwritten traits, etc. Electronically you leave what was accessed, how it was accessed, and more important where it went. You just can't send money into thin air. There is a trace and if they are fast enough they can stop it. This depends on interfaces of course and small dollar amounts cannot be recovered and fall into loss reserves required by the GOV.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
