20070507

A Sad Story

A few weeks ago, I was helping a friend shop for a used car. When my friend started asking questions about how to pay, they said they preferred a cashier's check, but if it was on the weekend and you couldn't get one, they would take a personal check if they could verify that your account had the funds to cover the check. The remainder of the conversation went something like this:

Me: So how do you verify?
Salesman: Oh - we can just verify it online?
Me: Wow! What service do you use to verify it? [I was shocked such a service might exist.]
Salesman: Oh - there's no service - you verify it for us.
Me: So how do you handle that?
Salesman: We just ask you to sign into your bank account and show us the balance.
At this point, I'm already shocked, but then it gets worse:
Me: So how many people refuse to do that for you? I mean, people turn you down on that offer, right?
Salesman: As long as I've worked here, I don't remember it happening once.
So, to buy a car on the weekend or after 3pm, I'm supposed to log in to my bank account from a public computer with at least one complete stranger watching over my shoulder, and probably with cameras all over the place?

A couple of attack vectors follow from this:
  • If the computer they want you to do this from is a "shared" computer - i.e., one somewhere central - not the salesperson's computer, walk in pretending to want to buy a car. At home, you set up your fictitious bank account and mention to the salesperson that they require uber-security - so you have to plug in your thumbdrive as another verification factor (or you're uber-paranoid and don't know your own password and put it on a password safe - they evidently don't know that the uber-paranoid wouldn't put their password safe on an untrusted computer anyhow, so it'd fly). Thumbdrive has the keylogger, and you just have it phone home. Since this machine is the only one used for verifying account balances, you'd get a pretty good frequency - particularly on weekends.
  • If you're asked to sign in from the salesperson's computer, you just find out the email address policy - how do they construct their addresses. Get as many business cards as you can while you're there, call numerous times getting a different employee name each time you call, divide it up - do you need service? Or to buy a car? Or just general information? You'll probably get a different name each time, assuming the place is big enough. Then email every address you got, include your trojan there. Any place that asks customers to sign onto their bank account on a public computer probably would never know you installed a trojan.
And then (as I alluded to earlier), what are their criteria for trusting the value? Do they check the URL? Or do they just look over your shoulder? Could I make up my own bank and host it at home? Or would they believe me if I printed off my account balance and brought it in?

2 comments:

  1. That is absolutely terrifying. Does it bother anyone that we live amongst people this foolish?

    Beyond the lack of security offered on the customer end, how do they know you aren't going to go home and transfer that money to another account, or go to the ATM after you get the car and withdraw all the money?

    I would be surprised if they are in business much longer with these practices.

  2. @denny - I kinda asked about the same sort of stuff. When I pushed him about how insecure this was, he assumed I meant from their perspective, not the customer's. So he said they're able to verify the physical address, and if you get away with it, they can just go to that physical address and collect the car. I thought that was also a crock (how can they verify your physical address, let alone know for sure you're going to be there long enough for them to collect the car), but I didn't push it because, after all, my friend was there to buy a car. Getting us dragged out by security would not be conducive to that effort.
