Another ActiveX hole (fwd)

Ray Arachelian ray at earthweb.com
Mon Feb 3 14:43:29 PST 1997 



-------+..........................................................+-------
 + ^ + :   Ray Arachelian   :    #include <std_disclaimer.h>      :../|\..
  \|/  :  ray at earthweb.com  :.....................................:./\|/\.
<--+-->:  ................  : My oppinions are my own and do not  :.\/|\/.
  /|\  :voice: 212-725-6550 : neccesairly represent those of my   :..\|/..
 + v + :....................: employer.                           :.......
.... http://www.sundernet.com ...personal.email sunder at sundernet.com .....

---------- Forwarded message ----------
Date: Mon, 03 Feb 1997 13:26:44 -0500
From: Andy Breen <abreen at earthweb.com>
To: yak at earthweb.com
Subject: Another ActiveX hole

hmmmmmmmmmmmmm....

------------------
DMK:  An application of covert channels. From RISKS Digest Vol 18, Issue 80.
  
Date: 1 Feb 1997 05:12:02 GMT
From: weberwu at tfh-berlin.de (Debora Weber-Wulff)
Subject: Electronic Funds Transfer without stealing PIN/TAN
  
The Berlin newspaper "Tagespiegel" reports on 29 Jan 97 about a television
show broadcast the previous evening on which hackers from the Chaos 
Computer Club demonstrated how to electronically transfer funds
without needing a PIN (Personal Identification Number) or TAN
(Transaction Number). 
   Apparently it suffices for the victim to visit a site which downloads an
ActiveX application, which automatically starts and checks to see if
Quicken, a popular financial software package that also offers electronic
funds transfer, is on the machine. If so, Quicken is given a transfer 
 order
      which is saved by Quicken in its pile of pending transfer orders. The next
      time the victim sends off the pending transfer orders to the bank (and
      enters in a valid PIN and TAN for that!)  all the orders (= 1 transaction)
      are executed - money is transferred without the victim noticing!
  
      The newspaper quotes various officials at Microsoft et al expressing
      disbelief/outrage/"we're working on it". We discussed this briefly in 
 class
      looking for a way to avoid the problem. Demanding a TAN for each transfer 
 is
      not a solution, for one, the banks only send you 50 at a time, and many
      small companies pay their bills in bunches. Having to enter a TAN for each
      transaction would be quite time-consuming. Our only solution would be to
      forbid browsers from executing any ActiveX component without express
      authorization, but that rather circumvents part of what ActiveX is 
 intended
      for.
  
      A small consolation: the transfer is trackable, that is, it can be
      determined at the bank to which account the money went. Some banks even
      include this information on the statement, but who checks every entry on
      their statements...
  
      Debora Weber-Wulff, Technische Fachhochschule Berlin, Luxemburger Str.
10, 
      13353 Berlin GERMANY weberwu at tfh-berlin.de 
 <http://www.tfh-berlin.de/~weberwu/

More information about the cypherpunks-legacy mailing list