Date: Thu, 3 Apr 2014 02:13:52 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Eric Rand <eric.rand@...wnhatsecurity.com>
Cc: Full Disclosure List <fulldisclosure@...lists.org>
Subject: Re: [FD] Bank of the West security contact?

On Wed, Apr 2, 2014 at 4:42 PM, Eric Rand
<eric.rand@...wnhatsecurity.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> BoA has no incentive to switch, as the customers have not demanded
> more secure ATMs, and it's cheaper to have 'hacking insurance' to
> cover any losses than it would be to replace all their ATMs.
Sad, but true. I doubt they have the hacking insurance, though.

There's a reason US banks suffer losses at a rate of 600x that of a
German bank. For the discussion, see Gutmann's Engineering Security,
page 542 (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).

I'm amazed that the losses get passed on to shareholders, and then
executives give themselves a bonus for a job well done.

Jeff

> On 04/02/2014 01:30 PM, Sholes, Joshua wrote:
>> And how fast would those ATM manufacturers switch to a Linux or
>> other offering if, say, Bank of America said "We won't buy an ATM
>> with an easily skimmable reader or with an insecure OS on it?"
>>
>> Diebold, for example, has a market cap of less than $3B.  BoA is
>> sitting around $182B.  With that much leverage, the big banks have
>> NO excuse to just accept whatever crap the vendors shovel out the
>> door.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
