Intuit Recommends Internet Users Take Common-Sense Precautions When Browsing The Web With ActiveX-Enabled Browsers

By Using Simple Built-In Browser Security Features, Quicken and Other On-Line Banking Users are not at Risk from "Malicious" ActiveX Attacks, As Reported By A German Computer Club

MOUNTAIN VIEW, Calif., February 16, 1997 -- For its customers using Internet browsers that are ActiveX-enabled, Intuit today recommended a simple, common-sense approach in conjunction with the standard security measures built into such browsers to easily prevent potential tampering using ActiveX plug-ins.

The Philadelphia Inquirer reported today that a German computer club, in an effort to highlight potential risks associated with browsers using ActiveX controls on the Internet for financial transactions, simulated a scenario in which they created unauthorized fund transfers over the Internet using Web browsers with ActiveX "malicious controls."

The Inquirer article also stated, "The control could attack not only Quicken, but any on-line investment software or any other sensitive data a hacker decided to target." To play out the example, a user would have to ignore standard security warnings and/or change default settings.

The Chaos Computer Club "was apologetic that [it] had used Intuit's Quicken in the demonstration. But the club needed something that would get people's attention," a club spokesman said in the article. This scenario was presented only as a demonstration, and there have been no reports that any unauthorized or illegal transfers have actually occurred.

Intuit, however, takes all security issues seriously. In fact, a German version of Quicken with an encoded datafile is already planned for introduction. (The current U.S. version for Windows, shipping since October 1996, already has an encoded datafile.) In the unlikely event that an illegal transfer of funds occurs in the meantime, German customers have three days to notify their bank to stop the transaction.

"Intuit takes great precautions to help guard the safety of customers' financial information in Quicken. These measures, together with users' common-sense precautions against using unknown ActiveX controls or other downloaded software, provide a high level of security," Intuit Senior Vice President Eric Dunn said. "The Internet is just another arena for doing business, and the same way you need to guard your carbon when you use your credit card or check your ATM receipts, customers need to be responsible here, too."

Intuit warns that malicious software has the potential to harm PC users if they engage in certain risky actions such as overriding or ignoring browser security warning messages, in conjunction with bypassing Quicken's transmission approval for on-line activity.

Browsers supporting the ActiveX capability, such as Microsoft's Internet Explorer, are set up by default to warn users against accepting ActiveX controls which have not been digitally signed.

The U.S. versions of Quicken are not susceptible to this type of unauthorized transfer between accounts. In the U.S., Quicken only allows users to transfer funds between preauthorized accounts in the same financial institution, such as transferring money between a user's savings and checking account at the same bank. Regarding on-line bill payments, there are a number of additional steps involved in U.S.-based bill payment which, together with the encoded datafile, make the insertion of unauthorized payments unlikely.

Additional information on security can be found on the Quicken Financial Network home page at http://www.qfn.com/banking/quicken/security.html.

FACT SHEET

Quicken On-line Banking Security Summary

Quicken includes built-in security to guard against on-line banking fraud:

  • Before each connection, Quicken displays a list of the instructions to be sent and customers can delete any instructions they do not recognize before going on-line.
  • Each transmission requires the customer to enter a PIN (personal identification number).
  • If a customer inadvertently sends an unauthorized transaction, s/he can see it in the Transmission Summary and can immediately notify the financial institution.
  • The U.S. version restricts transfers to preauthorized accounts and requires additional setup steps for on-line payments.
  • The current U.S. and Canadian versions of Quicken for Windows use an encoded datafile to further protect users. Intuit will be introducing versions of Quicken with the encoded datafile in Germany and France over the next few months.
  • All U.S. banking transmissions are protected by RSA and DES encryption.

For additional security, Intuit cautions all computer users to exercise the following safety measures whenever browsing the Web:

  • Only download information and components from sites you trust and use the security features built into ActiveX and your browsers for additional protection.
  • Only download or use ActiveX controls that have been digitally signed by a reputable software developer or publisher.
  • Take advantage of the built-in security features in many Internet browsers, such as Internet Explorer, that alert users to the installation of an unauthorized or unsigned ActiveX component.
  • Customers who are concerned about the safety of ActiveX controls should consider disabling the ActiveX capability in their browser or using a browser such as Netscape Navigator which does not support ActiveX.
