Rss Feed
Tweeter button
Facebook button
Technorati button
Reddit button
Myspace button
Linkedin button
Webonews button
Delicious button
Digg button
Flickr button
Stumbleupon button
Newsvine button

Banks are clueless on online security

By , February 14, 2011 3:21 pm

During November I met Dave Collins from Software Promotions. I saw him presenting two talks on effective Adwords marketing and common mistakes you can make and how to avoid them. Articulate, well informed. So much so that I decided to hire Dave to do some work for Software Verification.

Dave wanted to be paid using direct bank transfer. Not a problem except that I have been really reluctant to do online banking because I’m concerned that no matter what steps you take there is always the potential for something nasty to be on your machine waiting to snatch you bank details etc. Maybe a tad a paranoid I agree, but that is how I work. But let us be clear on the risk, if you get hacked for online banking that is your entire account at risk, not the same thing as if your credit card details get comprimised. Its the sort of thing that could put you out of business. Hence my paranoia.

Live CD
Anyway I decided I would do it using a Linux live CD, that way the only risk is the Linux CD or a hacked bios. Unlikely to be a dodgy Linux CD as so many people get the same image. Having your machine’s bios hacked is also one of the more unlikely circumstancs to happen to you. An alternative scheme, which Joanna Rutkowska uses is to use virtual machines with snapshots and restore the VM snapshot on a regular basis.

Online Banking
Like most people I’ve banked with the same bank for years, both personally and for business. I started with Midlands bank but after some dreadful service when I was a student I moved to National Westminster Bank and have been with them ever since (except for a short spell living in Scotland where Natwest had no presence).

Given the nature of what banks do you would expect them to take security seriously. I did.

Account Number
So imagine my surprise when I found that the online banking account number for the new online banking for the business was DD-MM-YY-xxxx, where xxxx is a random value. Further investigation turns up that xxxx is actually the count of the number of people that have the same birthday. So if xxxx is 0185 then you are the 186 person with that birthday.

So what is the problem with the above? Given that so many security systems ask you for your date of birth when you need to talk to a human I’m astonished to find the date of birth as the first 6 digits of the account number. When I asked about this the answer given by the staff member was “Only you know your date of birth.”. Yes, I’m not kidding. She was sincere in that opinion. She didn’t seem to realise that, even without the Internet, social media, etc, your date of birth is available in many places.

What on earth is wrong with account numbers that start at 0 and increment by one for each new customer? Completely arbitrary, unguessable and does not leak any information (birth date). I guess something as simple as that is too complicated.

Conclusion
Anyway, that is enough for me, If you can’t get something as simple as an account number right what else are you going to get wrong?

Share

DLL Version Finder

By , February 2, 2011 1:17 pm

Sometimes you need to find all locations of a particular DLL on your machine and then check the version numbers. Use Windows Search then right click and choose Properties then over to the version tab. A bit tedious to say the least, even more so with the unfriendly search dialog present on Vista and Windows 7 (how do they go from a usable search dialog to one that confuses someone with 30 years computing history behind them?).

The solution is DLL Version Finder. I got tired of searching for particular DLLs several times a year and wrote DLL Version Finder.

DLL Version Finder will find all DLLs on your system and display their version number and the architecture of the operating system (64, 32, 16 – yes there are some 16 bit DLLs on your system, you’ll be surprised). I’ve included some helpful options to restrict the search to a particular folder or operating system architecture and to allow filtering by DLL name.

DLL Version Finder

I hope you find this tool useful and that using it saves you some time.

Share

Panorama Theme by Themocracy