Comments on: GetCash from NatWest

By: Roger

Roger — Mon, 15 Oct 2012 09:16:37 +0000

@Richard I. Polis:
” … analysis shows where there are flaws to be found.”

This assumes that:
a) the architecture being analysed is an adequately realistic replica of reality; and
b) the system is simple enough that analysis can, in principle, discover the flaws.

I agree that analysis is a necessary ingredient, and usually the most cost-effective approach. But it is rarely adequate by itself. There are plenty of theoretically secure systems which in reality have yawning holes that you don’t notice until you start actually poking around: the firedoor propped open for the smokers; the password that scores high on a password meter but can be guessed by anyone who sits at his desk for 5 minutes; the Ardennes Forest.

I wouldn’t mind betting that GetCash scored high and dry on a static architecture that assumed that mobile phone security was the phone companies’ problem: “out of scope” for the bank. Thus blinded to a whole line of approach, they didn’t notice that GetCash can be defeated with mobile phone shennanigans that don’t involve violating the phone companies’ security policies.

By: Richard I. Polis

Richard I. Polis — Sun, 14 Oct 2012 18:21:54 +0000

Analysis of system architecture is ALWAYS more important than penetration testing. Testing shows what flaws the testers happened to find; analysis shows where there are flaws to be found. Given serious incentives (generally present in financial applications), it can be assumed that any flaws that exist will eventually be found, and not necessarily by friendlies.

By: Barry

Barry — Tue, 09 Oct 2012 16:08:54 +0000

NatWest have also recently written to customers telling them that paper statements will be provided quarterly rather than monthly from early 2013, making it even harder to keep on top of frauds such as this one.