This is Intuit's official response to the German ActiveX exploit.

2/10/97

Questions and Answers on German Unauthorized Transfer Issue

Background:

A German computer club, in its effort to highlight potential risks associated with browsers using ActiveX controls on the Internet for financial transactions, simulated a scenario in which they created unauthorized fund transfers over the Internet using ActiveX-enabled Web browsers with "malicious controls". In the demonstration, unauthorized funds transfers were performed using Quicken (because of its popularity) in the club's effort to attract widespread attention to this potential issue.

The Philadelphia Inquirer reported on February 16, 1997, that, "The control could attack not only Quicken, but any on-line investment software or any other sensitive data a hacker decided to target." To play out the example, a user would have to ignore standard security warnings and/or change default settings.

For its customers using Internet browsers that are ActiveX-enabled, Intuit recommends a simple, common sense approach in conjunction with the standard security measures in ActiveX enabled browsers:

  • Only download information and components from sites you trust and use the security features built into ActiveX and your browsers for additional protection.
  • Only download or use ActiveX controls that have been digitally signed by a reputable software developer or publisher.
  • Take advantage of the built-in security features in many Internet browsers, such as Internet Explorer, that alert users to the installation of an unauthorized or unsigned ActiveX component.
  • Customers who are concerned about the safety of ActiveX controls should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator which does not support ActiveX.

Q: Who might be affected by the scenario proposed by the computer club?

A: Only users with ActiveX-enabled browsers could be affected, and, among those, only people who do not use common sense precautions, ignore standard security warnings and/or change default settings.

Q: What happened in Germany with the computer club demonstration?

A: The Chaos Computer Club created a demonstration situation in which funds could be transferred electronically without needing a PIN by inserting an unauthorized funds transfer into a German Quicken datafile when a user downloaded an ActiveX application from a website. The club implied that the next time the user connected online to send instructions, the unauthorized transactions would be sent as well.

However, this situation is highly unlikely because of the automatic security features built into Quicken that help to protect customers from such unauthorized transfers:

  • Quicken prompts customers with a list of the transfers that will be sent and provides customers with the opportunity to delete any transactions they do not recognize before going online.
  • Even if an unauthorized transfer is sent, Quicken gives customers the ability to spot such transactions by providing a confirmation list of the instructions that have just been sent. Customers noticing an unauthorized transaction can then take steps to notify their financial institution.

Furthermore, this situation cannot occur if customers take advantage of the built-in security features in many Internet browsers, such as Internet Explorer, that alert users to the installation of an unauthorized or unsigned ActiveX component. Customers who are concerned about the safety of ActiveX controls should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator which does not support ActiveX.

In addition, we have received no reports that any unauthorized transfers of this type have even been attempted.

Intuit, like other software publishers, recommends that customers use common sense and take advantage of built-in security provisions to prevent inadvertent use of potentially malicious software. In particular, Intuit recommends that customers only download or use ActiveX controls that have been digitally signed by a reputable software developer or publisher. Customers also have the option to completely turn off ActiveX support in their browsers.

Q: Why did the computer club use Quicken in this simulation?

A: The computer club wanted to alert people to the risks surrounding ActiveX. They chose Quicken for this illustration because of its widespread popularity. The Philadelphia Inquirer article reported that the Chaos Computer Club "was apologetic that [it] had used Intuit's Quicken in the demonstration. But the club needed something that would get people's attention," a club spokesman said. This scenario was presented only as a demonstration, and there have been no reports that any unauthorized or illegal transfers have actually occurred.

Q: Can ActiveX be used as described in the demonstration to send unauthorized bill payments or fund transfers in the United States using Quicken?

A:

1. With respect to transfers between accounts

  • No. In the U.S., Quicken only allows funds transfers to preauthorized customer accounts at the same financial institution.

2. With respect to bill payment:

  • In such a situation, it is highly unlikely that unauthorized bill payments could actually occur given security features built into both the Quicken software and Internet browsers.
    • Online payments are only made to online payees in Quicken's payee list.
    • Before each connection Quicken displays a list of the instructions to be sent. Customers can delete any instructions they do not recognize before going online.
    • If a customer inadvertently sends an unauthorized transaction, s/he would see it in the Transmission Summary window and would then be able to notify their financial institution.

3. Browsers have built-in security features. The default security setting (high) for Internet Explorer alerts users to the installation of an unauthorized or unregistered ActiveX component. Otherwise, customers should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator which does not support ActiveX.

Q: What steps can consumers take to protect themselves from electronic fraud?

A:

  • Only download information and components from sites you trust and use the security features built into ActiveX and your browsers for additional protection.
  • Only download or use ActiveX controls that have been digitally signed by a reputable software developer or publisher.
  • Take advantage of the built-in security features in many Internet browsers, such as Internet Explorer, that alert users to the installation of an unauthorized or unsigned ActiveX component.
  • Customers who are concerned about the safety of ActiveX controls should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator which does not support ActiveX.
  • Customers should always review the list of instructions that Quicken provides before going online. They should delete any instructions they do not want sent before going online.
  • Customers should always review the Transmission Summary report that confirms the instructions they have just sent. If they notice any unauthorized transactions, they should notify their financial institution immediately.

In general, customers should consider the following:

  • Always keep PINs confidential, revealing them only to those people authorized to use the services.
  • Change PINs regularly to reduce the chance that others will learn the PIN and use it to access the accounts.
  • For additional security, customers may wish to use a datafile password that prevents unauthorized access to their Quicken datafile.

Q: What should customers do if they ever suspect that an unauthorized transaction from Quicken has occurred?

A: Customers should contact their financial institution to understand whether an unauthorized transaction has actually taken place. All transactions originating from Quicken are traceable by the customer's financial institution, just as there is verification of all banking transactions.

Q: What measures does Intuit take to protect the security of online transactions?

A: Protecting the security of customers' financial information is a top priority for the online banking and payment services available through Quicken. The U.S. versions of Quicken use three levels of security to guard your data:

  • RSA encryption: Online banking and online payment services take advantage of state-of-the-art encryption technology to protect the security of your financial information. (Encryption technology works by converting financial information into an unreadable format.)
  • PIN: The online banking and payment services use Personal Identification Numbers (PINs) to protect your account. As an additional measure of protection, keep your PIN confidential and change it regularly.
  • Password: A password is a barrier against an unauthorized attempt to access a system of information. The Quicken file password feature restricts access to the financial information in your datafile.

Q: What about QuickBooks and BankNOW?

A: The answers given above apply to these products as well.

Q: What is ActiveX?

A: From the Microsoft web site: ActiveX is a set of technologies that enables software components to interact with one another in a networked environment, regardless of the language in which they were created.

© 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena