Your bank data may be at risk if you use an iPhone

classic Classic list List threaded Threaded
111 messages Options
1234 ... 6
Reply | Threaded
Open this post in threaded view
|

Your bank data may be at risk if you use an iPhone

Sailfish-4
REF: http://www.cnbc.com/id/101456532

[excerpt quote=\"
If you haven't updated your iPhone recently, your personal
information—and possibly your financial data—is at risk.
\" /]

uh, that's soft-peddling this a bit. Verily, even if one has updated
their iPhone recently doesn't mean that it previously exploited the
users bank account. It's best to keep a very close eye on one's account
just to be sure. In fact, it's probably wise NOT to trust any mobile
device with bank account access, imo.

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

PhillipJones-2
Sailfish wrote:

> REF: http://www.cnbc.com/id/101456532
>
> [excerpt quote=\"
> If you haven't updated your iPhone recently, your personal
> information—and possibly your financial data—is at risk.
> \" /]
>
> uh, that's soft-peddling this a bit. Verily, even if one has updated
> their iPhone recently doesn't mean that it previously exploited the
> users bank account. It's best to keep a very close eye on one's account
> just to be sure. In fact, it's probably wise NOT to trust any mobile
> device with bank account access, imo.
>
Read an article about this So Far it only with Bank of America Software
and has to do with the feature cashing checking by scanning both sides
of the check. Sometimes the software will say the check image is
accepted but the Bank does not and the bank removes the amount from your
account without your knowledge and does not let you know. Possibly
subject your account(s) to being over drawn and collecting over draft
fees, without you knowledge. Although I have some bank apps on my iPhone
  I only use them to check balances and not that often.

--
Phillip M. Jones, C.E.T.      "If it's Fixed, Don't Break it"
http://www.phillipmjones.net    mailto:[hidden email]
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Ron Hunter
In reply to this post by Sailfish-4
On 2/28/2014 5:40 PM, Sailfish wrote:

> REF: http://www.cnbc.com/id/101456532
>
> [excerpt quote=\"
> If you haven't updated your iPhone recently, your personal
> information—and possibly your financial data—is at risk.
> \" /]
>
> uh, that's soft-peddling this a bit. Verily, even if one has updated
> their iPhone recently doesn't mean that it previously exploited the
> users bank account. It's best to keep a very close eye on one's account
> just to be sure. In fact, it's probably wise NOT to trust any mobile
> device with bank account access, imo.
>
I just depends on how paranoid you are, and if your bank has a policy of
correcting any online problem immediately.  And, yes, my iPhones are
updated.  Still, I have not read of a case 'in the wild' where this
exploit was actually used to cause someone damage.  Probably NSA used it
to capture a lot more data on iPhone users....

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Ron Hunter
In reply to this post by PhillipJones-2
On 2/28/2014 7:35 PM, PhillipJones wrote:

> Sailfish wrote:
>> REF: http://www.cnbc.com/id/101456532
>>
>> [excerpt quote=\"
>> If you haven't updated your iPhone recently, your personal
>> information—and possibly your financial data—is at risk.
>> \" /]
>>
>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>> their iPhone recently doesn't mean that it previously exploited the
>> users bank account. It's best to keep a very close eye on one's account
>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>> device with bank account access, imo.
>>
> Read an article about this So Far it only with Bank of America Software
> and has to do with the feature cashing checking by scanning both sides
> of the check. Sometimes the software will say the check image is
> accepted but the Bank does not and the bank removes the amount from your
> account without your knowledge and does not let you know. Possibly
> subject your account(s) to being over drawn and collecting over draft
> fees, without you knowledge. Although I have some bank apps on my iPhone
>   I only use them to check balances and not that often.
>
I use Bank of America, and I do deposits from my iPhone.  If the image
isn't good enough, the app rejects it, and you can't leave that screen.
  So someone is giving you bad information.  I have NEVER had a problem
with a deposit, but then I always check to see that it took, wouldn't
anyone?

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Sailfish-4
In reply to this post by Ron Hunter
My bloviated meandering follows what Ron Hunter graced us with on
2/28/2014 5:41 PM:

> On 2/28/2014 5:40 PM, Sailfish wrote:
>> REF: http://www.cnbc.com/id/101456532
>>
>> [excerpt quote=\"
>> If you haven't updated your iPhone recently, your personal
>> information—and possibly your financial data—is at risk.
>> \" /]
>>
>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>> their iPhone recently doesn't mean that it previously exploited the
>> users bank account. It's best to keep a very close eye on one's account
>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>> device with bank account access, imo.
>>
> I just depends on how paranoid you are, and if your bank has a policy of
> correcting any online problem immediately.  And, yes, my iPhones are
> updated.  Still, I have not read of a case 'in the wild' where this
> exploit was actually used to cause someone damage.  Probably NSA used it
> to capture a lot more data on iPhone users....
>
Use at your on risk, I always say.

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

David E. Ross-3
In reply to this post by Sailfish-4
On 2/28/2014 3:40 PM, Sailfish wrote:

> REF: http://www.cnbc.com/id/101456532
>
> [excerpt quote=\"
> If you haven't updated your iPhone recently, your personal
> information—and possibly your financial data—is at risk.
> \" /]
>
> uh, that's soft-peddling this a bit. Verily, even if one has updated
> their iPhone recently doesn't mean that it previously exploited the
> users bank account. It's best to keep a very close eye on one's account
> just to be sure. In fact, it's probably wise NOT to trust any mobile
> device with bank account access, imo.
>

I'm safe.  I do not own a smart or dump cell phone.

--

David E. Ross
<http://www.rossde.com/>

On occasion, I filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam, flames, and trolling from that source.
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

»Q«
In reply to this post by Sailfish-4
In <news:[hidden email]>,
Sailfish <[hidden email]> wrote:

> REF: http://www.cnbc.com/id/101456532
>
> [excerpt quote=\"
> If you haven't updated your iPhone recently, your personal
> information—and possibly your financial data—is at risk.
> \" /]
>
> uh, that's soft-peddling this a bit. Verily, even if one has updated
> their iPhone recently doesn't mean that it previously exploited the
> users bank account. It's best to keep a very close eye on one's
> account just to be sure. In fact, it's probably wise NOT to trust any
> mobile device with bank account access, imo.

Has it been fixed for Mac OS yet?  According to Steve Bellovin, it
hadn't been as of the 24th.

If you didn't chase the links from Schneier's blog yesterday (or if
they weren't there yet when you read Scheier), you might want to read
Bellovin's blog posts.  There's some interesting informed speculation
about how the vulnerability may have come to be and how it might best
have been used by attackers.

<https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html>

<https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-24.html>
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Sailfish-4
My bloviated meandering follows what »Q« graced us with on 2/28/2014
7:32 PM:

> In <news:[hidden email]>,
> Sailfish <[hidden email]> wrote:
>
>> REF: http://www.cnbc.com/id/101456532
>>
>> [excerpt quote=\"
>> If you haven't updated your iPhone recently, your personal
>> information—and possibly your financial data—is at risk.
>> \" /]
>>
>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>> their iPhone recently doesn't mean that it previously exploited the
>> users bank account. It's best to keep a very close eye on one's
>> account just to be sure. In fact, it's probably wise NOT to trust any
>> mobile device with bank account access, imo.
>
> Has it been fixed for Mac OS yet?  According to Steve Bellovin, it
> hadn't been as of the 24th.
>
> If you didn't chase the links from Schneier's blog yesterday (or if
> they weren't there yet when you read Scheier), you might want to read
> Bellovin's blog posts.  There's some interesting informed speculation
> about how the vulnerability may have come to be and how it might best
> have been used by attackers.
>
> <https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html>
>
> <https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-24.html>

I'm not too surprised that it wasn't detected during all the various
testing phases (unit, regression, stress, security, system, &c) since in
any moderately complex piece of software, no amount of testing can
exercise all avenues of software branches; along with detecting a
problem even if the branch was taken. I'm unfamiliar with Apple's
testing methodology but most testing doesn't involve looking at the
source code. This is done by the module's code owner and by a peer
review during code turn-in, i.e., prior to the formal testing phase.
Even there, something like this could be overlooked (note: a simple look
at the number of regression bugs that occur within Fx is proof of that.)

However, that doesn't mean that it wasn't intentionally inserted,
either. Assuming Apple has implemented a code-ownership methodology
(i.e., changes to each source code module can only be turned-in by the
person who owns it) then it would seem that they'd be able to determine
who made the change and possibly investigate it further from there,
i.e., determining not only "who" made the change but also "when" it was
made and even "why" it was made. What that might reveal would be
interesting to know.

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Ron Hunter
In reply to this post by Sailfish-4
On 2/28/2014 8:00 PM, Sailfish wrote:

> My bloviated meandering follows what Ron Hunter graced us with on
> 2/28/2014 5:41 PM:
>> On 2/28/2014 5:40 PM, Sailfish wrote:
>>> REF: http://www.cnbc.com/id/101456532
>>>
>>> [excerpt quote=\"
>>> If you haven't updated your iPhone recently, your personal
>>> information—and possibly your financial data—is at risk.
>>> \" /]
>>>
>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>> their iPhone recently doesn't mean that it previously exploited the
>>> users bank account. It's best to keep a very close eye on one's account
>>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>>> device with bank account access, imo.
>>>
>> I just depends on how paranoid you are, and if your bank has a policy
>> of correcting any online problem immediately.  And, yes, my iPhones
>> are updated.  Still, I have not read of a case 'in the wild' where
>> this exploit was actually used to cause someone damage.  Probably NSA
>> used it to capture a lot more data on iPhone users....
>>
> Use at your on risk, I always say.
>
There is no risk.  It works, or it doesn't, and if it doesn't, then I
can try again, or present the check at the bank.
Deposit process is pretty straight forward.  Check next day to verify.
Sounds like someone didn't complete the process, and then didn't check
to verify the deposit later.  A person has to take some responsibility
in these 'do it yourself' scenarios.
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Ron Hunter
In reply to this post by David E. Ross-3
On 2/28/2014 9:02 PM, David E. Ross wrote:

> On 2/28/2014 3:40 PM, Sailfish wrote:
>> REF: http://www.cnbc.com/id/101456532
>>
>> [excerpt quote=\"
>> If you haven't updated your iPhone recently, your personal
>> information—and possibly your financial data—is at risk.
>> \" /]
>>
>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>> their iPhone recently doesn't mean that it previously exploited the
>> users bank account. It's best to keep a very close eye on one's account
>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>> device with bank account access, imo.
>>
>
> I'm safe.  I do not own a smart or dump cell phone.
>
What is a 'dump' cell phone?  Grin.
Creative typos, improving the use of language around the world.

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Ron Hunter
In reply to this post by Sailfish-4
On 2/28/2014 11:49 PM, Sailfish wrote:

> My bloviated meandering follows what »Q« graced us with on 2/28/2014
> 7:32 PM:
>> In <news:[hidden email]>,
>> Sailfish <[hidden email]> wrote:
>>
>>> REF: http://www.cnbc.com/id/101456532
>>>
>>> [excerpt quote=\"
>>> If you haven't updated your iPhone recently, your personal
>>> information—and possibly your financial data—is at risk.
>>> \" /]
>>>
>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>> their iPhone recently doesn't mean that it previously exploited the
>>> users bank account. It's best to keep a very close eye on one's
>>> account just to be sure. In fact, it's probably wise NOT to trust any
>>> mobile device with bank account access, imo.
>>
>> Has it been fixed for Mac OS yet?  According to Steve Bellovin, it
>> hadn't been as of the 24th.
>>
>> If you didn't chase the links from Schneier's blog yesterday (or if
>> they weren't there yet when you read Scheier), you might want to read
>> Bellovin's blog posts.  There's some interesting informed speculation
>> about how the vulnerability may have come to be and how it might best
>> have been used by attackers.
>>
>> <https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html>
>>
>> <https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-24.html>
>
> I'm not too surprised that it wasn't detected during all the various
> testing phases (unit, regression, stress, security, system, &c) since in
> any moderately complex piece of software, no amount of testing can
> exercise all avenues of software branches; along with detecting a
> problem even if the branch was taken. I'm unfamiliar with Apple's
> testing methodology but most testing doesn't involve looking at the
> source code. This is done by the module's code owner and by a peer
> review during code turn-in, i.e., prior to the formal testing phase.
> Even there, something like this could be overlooked (note: a simple look
> at the number of regression bugs that occur within Fx is proof of that.)
>
> However, that doesn't mean that it wasn't intentionally inserted,
> either. Assuming Apple has implemented a code-ownership methodology
> (i.e., changes to each source code module can only be turned-in by the
> person who owns it) then it would seem that they'd be able to determine
> who made the change and possibly investigate it further from there,
> i.e., determining not only "who" made the change but also "when" it was
> made and even "why" it was made. What that might reveal would be
> interesting to know.
>
It is quite easy to delete a line when making changes.  If that line
contains a branch to a packaged subroutine, then that process will not
be executed.  Things like that can, and do, happen by honest error.
Program development is still a human thing, and humans manage to find
ways to screw things up.  Always will.

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Jay Garcia
In reply to this post by Ron Hunter
On 01.03.2014 02:12, Ron Hunter wrote:

 --- Original Message ---

> On 2/28/2014 8:00 PM, Sailfish wrote:
>> My bloviated meandering follows what Ron Hunter graced us with on
>> 2/28/2014 5:41 PM:
>>> On 2/28/2014 5:40 PM, Sailfish wrote:
>>>> REF: http://www.cnbc.com/id/101456532
>>>>
>>>> [excerpt quote=\"
>>>> If you haven't updated your iPhone recently, your personal
>>>> information—and possibly your financial data—is at risk.
>>>> \" /]
>>>>
>>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>>> their iPhone recently doesn't mean that it previously exploited the
>>>> users bank account. It's best to keep a very close eye on one's account
>>>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>>>> device with bank account access, imo.
>>>>
>>> I just depends on how paranoid you are, and if your bank has a policy
>>> of correcting any online problem immediately.  And, yes, my iPhones
>>> are updated.  Still, I have not read of a case 'in the wild' where
>>> this exploit was actually used to cause someone damage.  Probably NSA
>>> used it to capture a lot more data on iPhone users....
>>>
>> Use at your on risk, I always say.
>>
> There is no risk.  It works, or it doesn't, and if it doesn't, then I
> can try again, or present the check at the bank.
> Deposit process is pretty straight forward.  Check next day to verify.
> Sounds like someone didn't complete the process, and then didn't check
> to verify the deposit later.  A person has to take some responsibility
> in these 'do it yourself' scenarios.

If there is a security hole then there is risk involved, doesn't matter
IF it has been exploited or not.

--
Jay Garcia - www.ufaq.org - Netscape - Firefox - SeaMonkey - Thunderbird
Mozilla Contribute Coordinator Team - www.mozilla.org/contribute/
Mozilla Mozillian Member - www.mozillians.org
Mozilla Contributor Member - www.mozilla.org/credits/

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Ron Hunter
On 3/1/2014 7:33 AM, Jay Garcia wrote:

> On 01.03.2014 02:12, Ron Hunter wrote:
>
>   --- Original Message ---
>
>> On 2/28/2014 8:00 PM, Sailfish wrote:
>>> My bloviated meandering follows what Ron Hunter graced us with on
>>> 2/28/2014 5:41 PM:
>>>> On 2/28/2014 5:40 PM, Sailfish wrote:
>>>>> REF: http://www.cnbc.com/id/101456532
>>>>>
>>>>> [excerpt quote=\"
>>>>> If you haven't updated your iPhone recently, your personal
>>>>> information—and possibly your financial data—is at risk.
>>>>> \" /]
>>>>>
>>>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>>>> their iPhone recently doesn't mean that it previously exploited the
>>>>> users bank account. It's best to keep a very close eye on one's account
>>>>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>>>>> device with bank account access, imo.
>>>>>
>>>> I just depends on how paranoid you are, and if your bank has a policy
>>>> of correcting any online problem immediately.  And, yes, my iPhones
>>>> are updated.  Still, I have not read of a case 'in the wild' where
>>>> this exploit was actually used to cause someone damage.  Probably NSA
>>>> used it to capture a lot more data on iPhone users....
>>>>
>>> Use at your on risk, I always say.
>>>
>> There is no risk.  It works, or it doesn't, and if it doesn't, then I
>> can try again, or present the check at the bank.
>> Deposit process is pretty straight forward.  Check next day to verify.
>> Sounds like someone didn't complete the process, and then didn't check
>> to verify the deposit later.  A person has to take some responsibility
>> in these 'do it yourself' scenarios.
>
> If there is a security hole then there is risk involved, doesn't matter
> IF it has been exploited or not.
>
Of course it does!  There is a CHANCE that bridge you drove over to get
to work will collapse, but it hasn't, and it didn't when you came to
work, and I am quite sure you are happy that it didn't!
Nothing you do in this life is without risk.  Is the risk of depositing
a check from my kitchen counter (good light), more, or less, than
driving my car 10 miles to the bank and back in heavy traffic?  I will
go with the risk of the wireless deposit, every time, and reduce the
risk by checking to see that the deposit made it to the bank's computer.

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Jay Garcia
On 01.03.2014 07:52, Ron Hunter wrote:

 --- Original Message ---

> On 3/1/2014 7:33 AM, Jay Garcia wrote:
>> On 01.03.2014 02:12, Ron Hunter wrote:
>>
>>   --- Original Message ---
>>
>>> On 2/28/2014 8:00 PM, Sailfish wrote:
>>>> My bloviated meandering follows what Ron Hunter graced us with on
>>>> 2/28/2014 5:41 PM:
>>>>> On 2/28/2014 5:40 PM, Sailfish wrote:
>>>>>> REF: http://www.cnbc.com/id/101456532
>>>>>>
>>>>>> [excerpt quote=\"
>>>>>> If you haven't updated your iPhone recently, your personal
>>>>>> information—and possibly your financial data—is at risk.
>>>>>> \" /]
>>>>>>
>>>>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>>>>> their iPhone recently doesn't mean that it previously exploited the
>>>>>> users bank account. It's best to keep a very close eye on one's
>>>>>> account
>>>>>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>>>>>> device with bank account access, imo.
>>>>>>
>>>>> I just depends on how paranoid you are, and if your bank has a policy
>>>>> of correcting any online problem immediately.  And, yes, my iPhones
>>>>> are updated.  Still, I have not read of a case 'in the wild' where
>>>>> this exploit was actually used to cause someone damage.  Probably NSA
>>>>> used it to capture a lot more data on iPhone users....
>>>>>
>>>> Use at your on risk, I always say.
>>>>
>>> There is no risk.  It works, or it doesn't, and if it doesn't, then I
>>> can try again, or present the check at the bank.
>>> Deposit process is pretty straight forward.  Check next day to verify.
>>> Sounds like someone didn't complete the process, and then didn't check
>>> to verify the deposit later.  A person has to take some responsibility
>>> in these 'do it yourself' scenarios.
>>
>> If there is a security hole then there is risk involved, doesn't matter
>> IF it has been exploited or not.
>>
> Of course it does!  There is a CHANCE that bridge you drove over to get
> to work will collapse, but it hasn't, and it didn't when you came to
> work, and I am quite sure you are happy that it didn't!
> Nothing you do in this life is without risk.  Is the risk of depositing
> a check from my kitchen counter (good light), more, or less, than
> driving my car 10 miles to the bank and back in heavy traffic?  I will
> go with the risk of the wireless deposit, every time, and reduce the
> risk by checking to see that the deposit made it to the bank's computer.
>

You said "There is no risk" and that was what I was refuting. Unless you
meant something else.



--
Jay Garcia - www.ufaq.org - Netscape - Firefox - SeaMonkey - Thunderbird
Mozilla Contribute Coordinator Team - www.mozilla.org/contribute/
Mozilla Mozillian Member - www.mozillians.org
Mozilla Contributor Member - www.mozilla.org/credits/

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

»Q«
In reply to this post by Ron Hunter
In <news:[hidden email]>,
Ron Hunter <[hidden email]> wrote:

> > On 01.03.2014 02:12, Ron Hunter wrote:

> >>> My bloviated meandering follows what Ron Hunter graced us with on
> >>> 2/28/2014 5:41 PM:

> >>>>> REF: http://www.cnbc.com/id/101456532

> >> There is no risk.  

There's always a risk.

> Nothing you do in this life is without risk.

There is no risk.  ;)

> I will go with the risk of the wireless deposit, every time, and
> reduce the risk by checking to see that the deposit made it to the
> bank's computer.

For this vulnerability, checking to see whether the deposit went
through doesn't mitigate the problem.  It enables a man-in-the-middle
to see your banking data, including passwords.  There's not a way to
check whether you've already been compromised.
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

»Q«
In reply to this post by »Q«
In <news:[hidden email]>,
»Q« <[hidden email]> wrote:

> In <news:[hidden email]>,
> Sailfish <[hidden email]> wrote:
>
> > REF: http://www.cnbc.com/id/101456532

> Has it been fixed for Mac OS yet?  According to Steve Bellovin, it
> hadn't been as of the 24th.

Apparently, it has, as of the 25th.
<http://recode.net/2014/02/25/apple-patches-nasty-gotofail-security-flaw-in-os-x/>

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Sailfish-4
In reply to this post by Ron Hunter
My bloviated meandering follows what Ron Hunter graced us with on
3/1/2014 12:12 AM:

> On 2/28/2014 8:00 PM, Sailfish wrote:
>> My bloviated meandering follows what Ron Hunter graced us with on
>> 2/28/2014 5:41 PM:
>>> On 2/28/2014 5:40 PM, Sailfish wrote:
>>>> REF: http://www.cnbc.com/id/101456532
>>>>
>>>> [excerpt quote=\"
>>>> If you haven't updated your iPhone recently, your personal
>>>> information—and possibly your financial data—is at risk.
>>>> \" /]
>>>>
>>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>>> their iPhone recently doesn't mean that it previously exploited the
>>>> users bank account. It's best to keep a very close eye on one's account
>>>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>>>> device with bank account access, imo.
>>>>
>>> I just depends on how paranoid you are, and if your bank has a policy
>>> of correcting any online problem immediately.  And, yes, my iPhones
>>> are updated.  Still, I have not read of a case 'in the wild' where
>>> this exploit was actually used to cause someone damage.  Probably NSA
>>> used it to capture a lot more data on iPhone users....
>>>
>> Use at your on risk, I always say.
>>
> There is no risk.  It works, or it doesn't, and if it doesn't, then I
> can try again, or present the check at the bank.
> Deposit process is pretty straight forward.  Check next day to verify.
> Sounds like someone didn't complete the process, and then didn't check
> to verify the deposit later.  A person has to take some responsibility
> in these 'do it yourself' scenarios.

As usual, it's clear that you have not even read the article that was
linked in the thread.

Whatevs.

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Ron Hunter
In reply to this post by Jay Garcia
On 3/1/2014 9:18 AM, Jay Garcia wrote:

> On 01.03.2014 07:52, Ron Hunter wrote:
>
>   --- Original Message ---
>
>> On 3/1/2014 7:33 AM, Jay Garcia wrote:
>>> On 01.03.2014 02:12, Ron Hunter wrote:
>>>
>>>    --- Original Message ---
>>>
>>>> On 2/28/2014 8:00 PM, Sailfish wrote:
>>>>> My bloviated meandering follows what Ron Hunter graced us with on
>>>>> 2/28/2014 5:41 PM:
>>>>>> On 2/28/2014 5:40 PM, Sailfish wrote:
>>>>>>> REF: http://www.cnbc.com/id/101456532
>>>>>>>
>>>>>>> [excerpt quote=\"
>>>>>>> If you haven't updated your iPhone recently, your personal
>>>>>>> information—and possibly your financial data—is at risk.
>>>>>>> \" /]
>>>>>>>
>>>>>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>>>>>> their iPhone recently doesn't mean that it previously exploited the
>>>>>>> users bank account. It's best to keep a very close eye on one's
>>>>>>> account
>>>>>>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>>>>>>> device with bank account access, imo.
>>>>>>>
>>>>>> I just depends on how paranoid you are, and if your bank has a policy
>>>>>> of correcting any online problem immediately.  And, yes, my iPhones
>>>>>> are updated.  Still, I have not read of a case 'in the wild' where
>>>>>> this exploit was actually used to cause someone damage.  Probably NSA
>>>>>> used it to capture a lot more data on iPhone users....
>>>>>>
>>>>> Use at your on risk, I always say.
>>>>>
>>>> There is no risk.  It works, or it doesn't, and if it doesn't, then I
>>>> can try again, or present the check at the bank.
>>>> Deposit process is pretty straight forward.  Check next day to verify.
>>>> Sounds like someone didn't complete the process, and then didn't check
>>>> to verify the deposit later.  A person has to take some responsibility
>>>> in these 'do it yourself' scenarios.
>>>
>>> If there is a security hole then there is risk involved, doesn't matter
>>> IF it has been exploited or not.
>>>
>> Of course it does!  There is a CHANCE that bridge you drove over to get
>> to work will collapse, but it hasn't, and it didn't when you came to
>> work, and I am quite sure you are happy that it didn't!
>> Nothing you do in this life is without risk.  Is the risk of depositing
>> a check from my kitchen counter (good light), more, or less, than
>> driving my car 10 miles to the bank and back in heavy traffic?  I will
>> go with the risk of the wireless deposit, every time, and reduce the
>> risk by checking to see that the deposit made it to the bank's computer.
>>
>
> You said "There is no risk" and that was what I was refuting. Unless you
> meant something else.
>
>
>
I mean that if the check doesn't upload successfully, then I can try
again, as I get a confirmation if it uploaded correctly, and if I can't
get it to work, I can still take the check to the bank, or an ATM
machine and deposit it that way.  That's about as close to 'no risk' as
it gets with banking.  Also, at BoA, the deposit will show up on my
account immediately, as 'pending'.

_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Sailfish-4
In reply to this post by Ron Hunter
My bloviated meandering follows what Ron Hunter graced us with on
3/1/2014 12:21 AM:

> On 2/28/2014 11:49 PM, Sailfish wrote:
>> My bloviated meandering follows what »Q« graced us with on 2/28/2014
>> 7:32 PM:
>>> In <news:[hidden email]>,
>>> Sailfish <[hidden email]> wrote:
>>>
>>>> REF: http://www.cnbc.com/id/101456532
>>>>
>>>> [excerpt quote=\"
>>>> If you haven't updated your iPhone recently, your personal
>>>> information—and possibly your financial data—is at risk.
>>>> \" /]
>>>>
>>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>>> their iPhone recently doesn't mean that it previously exploited the
>>>> users bank account. It's best to keep a very close eye on one's
>>>> account just to be sure. In fact, it's probably wise NOT to trust any
>>>> mobile device with bank account access, imo.
>>>
>>> Has it been fixed for Mac OS yet?  According to Steve Bellovin, it
>>> hadn't been as of the 24th.
>>>
>>> If you didn't chase the links from Schneier's blog yesterday (or if
>>> they weren't there yet when you read Scheier), you might want to read
>>> Bellovin's blog posts.  There's some interesting informed speculation
>>> about how the vulnerability may have come to be and how it might best
>>> have been used by attackers.
>>>
>>> <https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-23.html>
>>>
>>> <https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-24.html>
>>
>> I'm not too surprised that it wasn't detected during all the various
>> testing phases (unit, regression, stress, security, system, &c) since in
>> any moderately complex piece of software, no amount of testing can
>> exercise all avenues of software branches; along with detecting a
>> problem even if the branch was taken. I'm unfamiliar with Apple's
>> testing methodology but most testing doesn't involve looking at the
>> source code. This is done by the module's code owner and by a peer
>> review during code turn-in, i.e., prior to the formal testing phase.
>> Even there, something like this could be overlooked (note: a simple look
>> at the number of regression bugs that occur within Fx is proof of that.)
>>
>> However, that doesn't mean that it wasn't intentionally inserted,
>> either. Assuming Apple has implemented a code-ownership methodology
>> (i.e., changes to each source code module can only be turned-in by the
>> person who owns it) then it would seem that they'd be able to determine
>> who made the change and possibly investigate it further from there,
>> i.e., determining not only "who" made the change but also "when" it was
>> made and even "why" it was made. What that might reveal would be
>> interesting to know.
>>
> It is quite easy to delete a line when making changes.  If that line
> contains a branch to a packaged subroutine, then that process will not
> be executed.  Things like that can, and do, happen by honest error.
> Program development is still a human thing, and humans manage to find
> ways to screw things up.  Always will.
>
True, but that is what peer-level code review is meant to catch; albiet,
not a guarantee against it.

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
Reply | Threaded
Open this post in threaded view
|

Re: Your bank data may be at risk if you use an iPhone

Sailfish-4
In reply to this post by Ron Hunter
My bloviated meandering follows what Ron Hunter graced us with on
3/1/2014 5:52 AM:

> On 3/1/2014 7:33 AM, Jay Garcia wrote:
>> On 01.03.2014 02:12, Ron Hunter wrote:
>>
>>   --- Original Message ---
>>
>>> On 2/28/2014 8:00 PM, Sailfish wrote:
>>>> My bloviated meandering follows what Ron Hunter graced us with on
>>>> 2/28/2014 5:41 PM:
>>>>> On 2/28/2014 5:40 PM, Sailfish wrote:
>>>>>> REF: http://www.cnbc.com/id/101456532
>>>>>>
>>>>>> [excerpt quote=\"
>>>>>> If you haven't updated your iPhone recently, your personal
>>>>>> information—and possibly your financial data—is at risk.
>>>>>> \" /]
>>>>>>
>>>>>> uh, that's soft-peddling this a bit. Verily, even if one has updated
>>>>>> their iPhone recently doesn't mean that it previously exploited the
>>>>>> users bank account. It's best to keep a very close eye on one's
>>>>>> account
>>>>>> just to be sure. In fact, it's probably wise NOT to trust any mobile
>>>>>> device with bank account access, imo.
>>>>>>
>>>>> I just depends on how paranoid you are, and if your bank has a policy
>>>>> of correcting any online problem immediately.  And, yes, my iPhones
>>>>> are updated.  Still, I have not read of a case 'in the wild' where
>>>>> this exploit was actually used to cause someone damage.  Probably NSA
>>>>> used it to capture a lot more data on iPhone users....
>>>>>
>>>> Use at your on risk, I always say.
>>>>
>>> There is no risk.  It works, or it doesn't, and if it doesn't, then I
>>> can try again, or present the check at the bank.
>>> Deposit process is pretty straight forward.  Check next day to verify.
>>> Sounds like someone didn't complete the process, and then didn't check
>>> to verify the deposit later.  A person has to take some responsibility
>>> in these 'do it yourself' scenarios.
>>
>> If there is a security hole then there is risk involved, doesn't matter
>> IF it has been exploited or not.
>>
> Of course it does!  There is a CHANCE that bridge you drove over to get
> to work will collapse, but it hasn't, and it didn't when you came to
> work, and I am quite sure you are happy that it didn't!
> Nothing you do in this life is without risk.  Is the risk of depositing
> a check from my kitchen counter (good light), more, or less, than
> driving my car 10 miles to the bank and back in heavy traffic?  I will
> go with the risk of the wireless deposit, every time, and reduce the
> risk by checking to see that the deposit made it to the bank's computer.
>
Some risks are ... riskier than others. Taunting the hand of fate, for
example

--
Sailfish
Rare Mozilla Stuff: http://tinyurl.com/lcey2ex
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general
1234 ... 6