WeekEnd Feature: How safe is your cash??
by Ian Thompson, ComputerCops Staff Editor
January 17 2004
Information is power!
So far this week, I have received from my bank two invitations to use online banking (which included username and password in the same letter), an offer of 'saving waste' by having e-mail banking statements, and even one to have my transactions sent by text message to my mobile. None of these offers interests me, and to be honest I doubt they will ever convince me to use them. Which must be an unusual statement for someone who has been involved with computing for the past twenty years or so.
Stop whining
All of which makes me sound like an aging crone of near-Luddite attitude to these new ways of passing financial information around, which isn't strictly true. I mean, setting aside the fact that most computer users these days cut their online teeth before their adult set have grown, would I be involved here if I wanted to smash every PC in sight?
Okay, so the pros amongst you working with ICT day-in, day-out will recognise the rhetorical question there. However, those of you familiar with Dilbert know that there are very few truly aware people in this world. Obviously you and I fall into that category, but it is surprising how far our affairs are handled by those who don't. There is a frightening number of incidents that highlight this.
So scare me...
Okay, here are a few points:
. People share computers at home and often at work
. Cell phones are stolen (and most are not secured)
. Wireless signals can be intercepted
. E-mail is mostly sent in plain text
. If it doesn't have a mouse or keyboard, it's not really a computer.
So that final one is a common misconception - I mean, what do folk think an ATM is? And it's not just bank customers that have difficulty with that...
And the problem is...
Windows, mostly. Or rather the widespread use of this operating system. You see, most bank ATM systems still run on IBM's OS/2, a veritable trooper of an OS that, far from curling up and dying in the face of Windows NT, quietly found markets and users that appreciated its strengths, security being one of these.
Not only is OS/2 a secure choice, it's rarely found on the average home user's PC. I have a copy of OS/2 Warp that one day may get more than just a curious glance, but I doubt it. There was a time, back in the late eighties, when it looked good for this OS, and things may have turned out differently for it. However, its relative scarcity, even with computing professionals, means that there is also a lack of expertise in the hacking community. And because the really skilled black-hats are not writing their toolkits for it, you won't find any script-kiddies having a go at it either.
And the next contestant is...
Support for OS/2 is coming to an end. It's not a conspiracy, just normal business - after all, support for Windows 98 and NT4 was scheduled to be stopped, and Windows ME will be next. They only won a reprieve recently due to public global outcry. What is more important is what banks are choosing to replace OS/2 with in their ATM networks - Windows XP.
Various banks have announced the switch over the past year or so. No doubt the popularity of WinXP means that development costs are lower than with other OSes, including Linux variants.
You might think that all these switched-on technical folk that make ATMs would know the greater risk they faced with using the world's most prevalent OS, but that would be assuming they fell into the 'aware' category. For example, US ATM vendor Diebold had to add firewall software to their equipment following a couple of incidents where malicious software compromised WinXP-based ATM banking systems. In the words of St. Homer the Wise, D'oh! I mean, that's one of the most basic security precautions that online users should take before connecting to any other computer! However, that's a different story...
Imagine that – key-logger software on the ATM, recording every button pressed. And packet filters sending transaction details out of the banking network via service connections. It used to be all in-house, but again 'cheapness' took its toll, firstly in buying standard packages and then in outsourcing the maintenance contracts. The potential for compromise has increased dramatically.
Electronic is not the only way...
Of course, some would say that risk of theft was increased the first time someone stuck a cash point on the outer wall of a building. Others blame cash itself, but the fact is that theft is as old as creation - watch any wildlife show on TV. There are plenty of methods of gathering the required information to steal money electronically. Discarded transaction receipts carry most of the stuff, and when combined with a sneaky look over the shoulder of the ATM user, the final bit (the PIN) can be added. More sophisticated methods include the use of cameras from across the street (to grab the card details as the card is inserted, and film the PIN being entered), all the way up to fitting a false front to the entire ATM to swipe the card and log the PIN. Both of these have been used in the city where I live.
What to do.
It is often said that a healthy dose of paranoia is a good thing. If you're not familiar with that idea, maybe you've not been within earshot of me when I've said it, which is often. However, here are a few tips (not very 'computery' I'm afraid).
. Don't wave your bankcards around at the ATM.
. Shield the keypad from prying eyes (learning to type your PIN without needing to see the buttons helps).
. Never discard card receipts without shredding them. Never leave the ATM without the receipt in the first place.
. Be vigilant for odd devices fitted to areas that swipe your card (ATMs, bank doors and so on).
. Use encryption software to protect your accounts, if you work on them using a PC.
. Set your cell phone to high security if possible, across its whole range of connectivity options.
Don't be pushed into the latest thing purely because of the hype. Face facts - it takes a lot less effort these days to steal electronic data than it does to intercept the mail.
I'll be sticking with paper statements for a good while yet.
;D
Ian Thompson is a Network Manager of a 500-PC, 5-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.
Copyright © Ian Thompson 2004
Posted on Saturday, 17 January 2004 @ 10:00:00 EST by phoenix22