STS Blog

New Opportunity

May 13th, 2009 by Jordan Del-Grande (Dedicated Page)

Hi All,

A major project I have been involved with for the better part of 3 years is in the wind-down phase. As such, I will be looking around for opportunities to offer my services in the coming weeks.

I am looking for opportunities to offer my services in solving organisational problems. Interests include beginning a new project or assisting BAU whereby I can get involved in resolving organisational systemic and endemic issues. At the crux of it, I like to solve problems.

It is the synchronicity of the business requiring problems to be solved and me having the experience and skill-set to resolve the issues that I am in search of. In these cases, fulfilment and job satisfaction are gained from achieving results, whilst at the same time, appreciation is sown and grown with the business, by helping remediate their operational and technical quagmires.

Anyone with an expression of interest can contact jordan [at] securitytechscience [dot] com.

The Three A’s

April 21st, 2009 by Jordan Del-Grande (Dedicated Page)

Recently I have been contemplating what makes some people successful and others unsuccessful. I am not merely talking about a person’s position within an organisation – If I were, then this would be a very shallow definition of success – After all, if it were merely wealth, position or honours, then success is based only on our external world and this would be purely superficial. If you do not agree with this statement then think about the following examples:

  • An individual is hired within a large company three tiers from the top in a well-respected position. Judging by psychological testing, previous employment and the interview, the person is known to be passive and is clearly inexperienced for the role. They get hired because the person who hired them, their boss, intentionally chose this person, as the boss wants to remain unaccountable. The boss is content to leave the company running as is until retirement, especially on the executive pay packet they are receiving. They also need a fall guy to stay in such a cushy position if things ever go pear-shaped before their planned exit.

  • An individual is finally appointed an executive manager of a company at the expense of friends and family. They materially achieve everything above and beyond what they set out to acquire, but are left feeling alienated, with a greater sense of void within whenever they are not stressed to their wits’ end.

Would you consider the above people successful? The first initially thinks they are successful, but soon realises they are in too deep and cannot control their surroundings: the job title no longer matters once they realise they are just a pawn. The other reaches their potential at the cost of quality of life.

Obviously the above examples are missing something fundamental to be good examples of success. Looking closely, each exemplifies the success of something external, either the company or another party, but where is the success for the individual? Taking these examples more personally, this post is about asking what makes you a success.


Outsourcing and Controls

January 19th, 2009 by Jordan Del-Grande (Dedicated Page)

This post is solely about what I perceive to be the biggest problem with outsourcing. It is not an anti-outsourcing article, but a source of information that you, as an outsourcing director, project manager, business owner, etc., should be aware of, and for which you should have the right strategic arsenal to overcome…

The biggest problem: The biggest problem with outsourcing is the perception from organisational owners that they can outsource their systemic problems. This, I would state, is a stupid and most pernicious illusion. Unfortunately it is a far more common situation than most security professionals would hope to see.

Who does this impact: Everyone. This includes Business Process Outsourcing (BPO), Information Technology Outsourcing (ITO), Knowledge Process Outsourcing (KPO) and any other acronym you come up with to cut “internal” jobs in order to achieve strategic advantage, cost savings and process improvements.

Solutions:

Awareness – Have the project managers build information sessions early on in the process where the owners (ie, business and system) are made aware that they are not outsourcing their systemic issues. That is, any issues are still their issues, as they are still the owners. Have the owners sign up.

Register – Operational Risk should at this stage work closely with the businesses to document all known system risks and also audit the current process in order to discover the unknown issues. Again, have the owners sign up.

Maintain Control of your Controls – Do not outsource your controls. In fact, you can’t; this is an illusion too. At the end of the day it is still part of the company no matter which way you dice and slice it. Therefore, keep the management of security internal. Note that you can outsource specialised skills, but make sure you segregate this task to a separate 3rd party and not the 3rd party you are already outsourced to.

Monitoring – Perform regular ongoing auditing, monitoring and remediation of issues. With the owners taking responsibility for the issues and a solid governance model, you greatly reduce the inherent risks.

Closing Comments: I guess the key point to take away is accountability. If no one within the organisation takes ownership of the issues, then even with the advantages of cost savings and possible process improvements, how long before one of these internal systemic issues results in significant impact to the company (e.g., brand damage)? Then not only do the savings go out the window, but in the worst case the organisation goes too.

Mind – Body Coordination

December 12th, 2008 by Jordan Del-Grande (Dedicated Page)

Reviewing a number of blogs, articles, etc., I noticed that there are a number of people in the security field who move from being skeptical, and at times cross over into being just plain cynical. I have also seen a post on Slashdot where someone asked, “Are IT Security professionals less happy as their job teaches them to focus on the negative side of life?”. See http://ask.slashdot.org/askslashdot/08/08/24/1731228.shtml

This post is about addressing these issues, but could be expanded so as to be used for many more life situations, instead of IT Security. But of course, that choice is up to you…

In order to understand where the people above have gone off track, we need to have a clear(er) understanding of what a person is made up of (i.e., mind and body). I am of the understanding that the ancient and modern arts, sciences, religions, etc. address enough about the mind-body system to help people. The only constant is that some people get it; the above ones have not, and this is not a rarity. Not surprising considering the pluralistic society in which we live.

It’s not necessarily anybody’s fault – I don’t think we should see it in the light of right and wrong here – but just accept that we as humans are accountable for our own actions, and that deciding between positive skepticism and negative cynicism is a choice, much like choosing to walk in the sun or walk in the shade. Other articles may discuss art, science experiments, religious beliefs, etc., but this article is about going straight to the source of the problem. You.

If you do not believe you are accountable for your own actions, or where you are in your life today, then you’re living in a delusional world. This post will mean nothing to you so you should probably just not bother reading beyond this point. If you agree you are accountable for your own actions, if you want to be alert and positive because you are aware the householder does not know at what hour the burglar will come then you should read on.

You may think that if it’s as easy as choosing to be positive instead of negative, then you’ll just choose to be positive. People can say this and some just do it, but others end up going back to their old ways. Those who have been negative for a long period would most likely find it difficult to change their ways immediately and could employ a defense mechanism, saying things like “it’s got nothing to do with me”, or “that’s just stupid, I know what I am doing, case closed”.

Now is the point where I have to call out that the following is going to get a little deep. The difference, I hope, is that I do not want to be esoteric, so no haiku or parable. This is what I perceive to be the simple logical steps that got me to this point. I am not pushing any “new age” idea or religion, because as I have said previously, the answers have already been provided in different formats. I just want to make plain to you, in simple terms, what I believe is known by many names such as “mind-body coordination”, “mind-body alignment”, etc., but which are most likely all the same thing. When you read the below you could categorise parts as Buddhist meditation, Zen or Taoism, or say no, that’s ki, chi or qi fundamentals. Preferably, if you are going to make any judgement, then call it psychology.

At this junction, I think it is best if I just get to the point and give you the answer (as best as I understand it to be). As they say, a picture is worth a thousand words…

[Diagram: Mind Force]

From the diagram, in short, mind moves the body. The mind (conscious/subconscious) directs intention, which guides your action; this leads to a bodily response that is interpreted by the bodily senses, which the mind (conscious/subconscious) is then aware of.

As an easy example, let’s grab the coffee cup on the table. The mind says “grab the cup on the table”, the intention is generated by mind force guiding the arm to “grab the cup on the table”. Note that this is all non-physical or spiritual to this point. The arm reaches out and grabs the cup. The eyes see the cup has been grabbed and the fingers feel the cup in the hand and they relay this to the nervous system. Note that this section is physical to this point. Awareness of what just occurred is back in the non-physical realm.

If only life were so easy. To illustrate why life can be complicated, a few of the problems that occur in our daily lives are in order. See how many you do…

  1. Instead of the mind generating an intention, the mind generates images, known as your imagination. Freud would have called this cathartic energy. It occurs when your id, or instinctual mind, drives an idea like punching someone who has just made you angry, but your morals tell you otherwise. The energy has already been generated so it must pass somewhere. As the superego has blocked the intent, you instead imagine giving the guy one of your best beatings (using a Freudian world view).
  2. The mind generates an intention but it is not a clear intention. As such, the body is guided down a different path than what was initially intended. Have you ever said to someone you love, “look, I know what I did, but that wasn’t my intention”?
  3. The mind generates a clear intention but you have bodily problems/limitations where you cannot physically achieve the desired response. Most people who dabble in sports would understand and relate to this one. That is, you cannot drive like Tiger Woods or dunk like Michael Jordan.
  4. The mind generates a clear intention but there is nerve damage and the response is misinterpreted and/or not interpreted at all by the body.

You may have noticed that each of the above points is a breakdown in the arrows within the diagram. From this point forward I will be focusing on point 2. If you can achieve point 2 then point 1 will eventually dissipate to occurring only rarely. Points 3 and 4 are physical issues that require either more training, acceptance of your genetic makeup or specialised medical assistance which I cannot help you with.

If you have made it this far, thank you. You are about to get to the interesting part so let’s begin with a question. If your mind has a desired intention, but after executing the action your awareness tells you something different from the original intention then which one is telling you the truth? Your Mind or your Awareness? Don’t cheat! Think about it…

For those who said Awareness, give yourselves a pat on the back. Not too much of a slap as you are only half right. The other half of the story is although awareness is more truthful than the mind, it is only a relative truth. To find the absolute truth is beyond the realm of this post as I am keeping the post only in the epistemological realm. 

For those who said Mind, I am sorry to say that your ego is lying to you. It wasn’t the body’s fault, as it is guided by your intention. It wasn’t your intention’s fault, as it is generated by the mind. That’s right, that shadow lurking in the corner is your ego, and she is a tricky little minx.

So what’s this got to do with “mind-body coordination”, I hear you ask? Well, if you can align your mind, intention and body in order to achieve the desired action (as interpreted by your awareness), then you have achieved mind-body coordination/alignment. I do prefer this type of terminology, as “no-mind” appears to me to be a misnomer and/or misleading – it would be better to say ‘little idea’ with everything else empty (i.e., an uncluttered mind).

So how would someone apply this in their daily life so as to remain positive (healthy skepticism) instead of negative (self-centred cynicism)? My advice is to keep it simple. Ask yourself regularly: how am I feeling right now, at this point in time? If you feel good and relaxed, you’re on the right track. If not, it’s your mind that’s off track, so try again. Remember to keep saying to yourself that there is always a better way. And when making decisions, don’t use your head; remember to ask yourself what your gut tells you. Make sure to act on it and stop daydreaming.

If you would like to take this further or hone your skill set, my suggestion is that you get yourself involved in something you enjoy doing and practise the above. I personally use the above in my martial arts training, as I am involved in an intentional martial art (i.e., internal/soft). I have found that on this path of discovery (which is still going), the things I learn in class spill over into my daily life. They make me a better person and hopefully they can do the same for you. Maybe you can discover, like me, how mind-body coordination just naturally results in selfless altruistic behaviour. Of course, as I am at a junior level, my ego trips me up every now and then more than I would like, but at least now I have the right tools to get back on the right path.

Now, referring back to the SlashDot article listed above. Here is where the author is off track…

“(His job) constantly teaches him to focus on the negative side of life” – No, being negative or positive is a choice. By placing the fact you have chosen to be negative on your job (even if 99.9% of the population may do it) is a cop out. It is the mind projecting its negative intent onto an object. The object in this case being your job.

“As an auditor I search for errors that others have made and haughtily tell them” – Being haughty is a form of pride. Need I remind anyone of the seven deadly sins? Again, if you are choosing to be selfish instead of selfless, this is, at its most basic layer, choosing to be negative instead of positive.

“As a penetration tester I break systems that system engineers and administrators have laboriously built” – If the system admin was that laborious then I guess you wouldn’t really have broken in without some social engineering tactics. If you did, why would you be negative about this? You possibly found a new 0-day and could earn some extra money or help vendors code better systems by reporting it.

“I assume inside threats and have to be professionally suspicious.” – Really? Where is it written that we have to be professionally suspicious? If it’s on a security card somewhere, cool, where can I order one? I would say that it would be better to be cautious rather than distrustful. Wouldn’t you agree that as a security professional it is better to be on your guard?

“The security mindset surely helps me in my job” – Agree, me too.

“but is it good for me on the long run?” – In a hundred years, when you are dead and buried, what is it going to matter? Stop being so precious about yourself.

“What kind of influence has being an IT security professional had on your general attitude towards life?” – Me personally, I am stronger for it. You, I am not so sure about.

“What helps you stay out of pessimism and cynicism?” – Making the conscious choice to think and do positive things. Stop blaming everything else around you and begin by asking yourself what you may be doing wrong.

“Is protecting existing things really as good as building new ones?” – All depends on what you are protecting and also what you are building.

“I always have to think about risks and identify all sorts of things that could go wrong.” – That’s your job. There is no reason to be negative about it, as it’s actually a pretty cool thing to get paid for.

I apologise in advance to the author of the Slashdot article if he takes offense at what I have written. But honestly, the truth hurts (when you are in the wrong), and you were the one who asked for a response. My advice is that if you are suffering in your current situation then you are thinking the wrong way. Changing your employer or your vocation won’t help you, as this will not solve the core of the problem. You asked for help, and if you understand what I am talking about in this post then the smartest thing you can do is laugh it off.

Note: Any “positive” comments on the above would be much appreciated as there could possibly be more arrows or more boxes in the above diagram, something that is incorrect, or requires further clarification…

Note: In the second paragraph, the person could be made up of more than mind-body, such as heart, soul, spirit, etc., but that is outside the scope of the above topic. Please keep all comments within the epistemological realm. 

Bula!

August 10th, 2008 by Jordan Del-Grande (Dedicated Page)

Bula Everyone,

For those who have never been, I do highly recommend a trip to Fiji. I just came back from a week on Tokoriki Island off the coast of Nadi. I am highly refreshed and am ready to jump back into work and be more proactive with my security blogs…

Also, a very warm hello goes out to most of my friends at Black Hat. Thanks for the wake-up call whilst you were all partying in Vegas, but I only received the voice message when I got back (Golden Rule in Fiji: No Technology Allowed).

Finally, I did receive some comments regarding the STS Scanner and why it lacks a number of plugins that I could easily write. It’s true, I could easily write them, and I have, along with some other much more useful features, but I use that version for company use only. The online version is really just a baseline to teach people more about the ideas and frameworks that can be used to build a web application security scanner. It is not meant to be exhaustive in features and add-ons, as that may confuse the point of the tutorial and would most likely only be used by script kiddies. Of course, anyone who understands what I have coded can easily add more features, as that is why I purposely made the tool extensible.

Vinaka

Web Analytic Tools

June 26th, 2008 by Jordan Del-Grande (Dedicated Page)

I recently had a client inquire about some of the potential risks associated with using a 3rd party web analytics tool.

Businesses normally want to use these tools to report on the behaviour of users who visit their site in order to improve customer experience and measure sales performance. All that is required is for the business to include an innocuous JavaScript tag (provided by the 3rd party) in each page they would like to measure. If the user allows JavaScript to run, the tag executes each time the user visits the website, calling a more advanced script back on the 3rd party server.

For example, let’s say I provided a web analytics service and you used me as a 3rd party. I would provide you with the below script and then you would place the following tag on every page of your website…

<script src="http://www.securitytechscience.com/sts.js" type="text/javascript"></script>

The sts.js script on my server would then run in the user’s browser every time a user visited your site. I would then provide you with a log-in page that generates pretty reports for you to see how your user base is behaving.

Sounds great doesn’t it? Now for the risks…

NB: The below risks are applicable for companies that house more than just browser ware web applications.

Integrity of the script – Maybe the script is OK today but what about tomorrow?

How could you be assured that the 3rd party wouldn’t change it? What if the 3rd party server was hacked and replaced with malicious code by someone else? If a change were to occur how long before you would notice? If you did notice then what?

The above questions really hit home to three of the core functions of information security within any organisation…

  1. Change control: If the 3rd party wanted to change the script then they should notify you and this would be input to your change control process.
  2. Audit & Monitoring: The 3rd party should provide this, but you could just as easily write a script that does an hourly download of the script and compares it to your known good script.
  3. Incident Response: If the script were to change without prior change control notification then there should be an incident response plan to follow.
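One way to implement the audit & monitoring item above, as an added example rather than code from the post: a small Python job that fetches the third-party script, compares its SHA-256 hash to the hash recorded when the script was reviewed and approved, and, if they differ, produces a diff of what changed so the incident response plan has something concrete to work from. The script bodies, the tampered variant and the approved hash are constructed for the demonstration; the URL is the tag from the post.

```python
"""Hourly integrity check for a third-party analytics script.

Added example (not code from the original post): downloads the live script,
hashes it, compares the hash to the approved baseline and, on a mismatch,
produces a unified diff for the incident responder.
"""
import difflib
import hashlib
import urllib.request

# The tag URL used in the post. The script bodies below are CONSTRUCTED
# samples standing in for the approved copy and a silently changed copy.
SCRIPT_URL = "http://www.securitytechscience.com/sts.js"

BASELINE_SCRIPT = b"""// sts.js (constructed sample of the approved script)
var stsEndpoint = "https://www.securitytechscience.com/collect";
function stsTrack(page) {
  new Image().src = stsEndpoint + "?p=" + encodeURIComponent(page);
}
stsTrack(location.pathname);
"""

# Constructed: same script, but the collection endpoint has been moved to
# another host without any change-control notification.
TAMPERED_SCRIPT = BASELINE_SCRIPT.replace(
    b"https://www.securitytechscience.com/collect",
    b"https://collector.example.net/collect",
)

# In practice this hash is recorded when the script is reviewed and approved
# and stored with the change record; here it is derived from the sample.
KNOWN_GOOD_SHA256 = hashlib.sha256(BASELINE_SCRIPT).hexdigest()


def fetch_script(url=SCRIPT_URL, timeout=10.0):
    """Download the live script (network call; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_script(live, known_good_sha256, baseline=None):
    """Compare the live script bytes with the approved hash.

    Returns a verdict dict: status "ok" when the hash matches, otherwise
    "changed" with the observed hash and (if a baseline copy is supplied)
    a unified diff so the responder can see exactly what was altered.
    """
    live_hash = hashlib.sha256(live).hexdigest()
    if live_hash == known_good_sha256:
        return {"status": "ok", "sha256": live_hash, "diff": []}
    diff = []
    if baseline is not None:
        diff = list(difflib.unified_diff(
            baseline.decode("utf-8", "replace").splitlines(),
            live.decode("utf-8", "replace").splitlines(),
            fromfile="known_good", tofile="live", lineterm="",
        ))
    return {"status": "changed", "sha256": live_hash,
            "expected": known_good_sha256, "diff": diff}


def hourly_job(url=SCRIPT_URL, known_good_sha256=KNOWN_GOOD_SHA256,
               baseline=BASELINE_SCRIPT):
    """What a cron entry would call once an hour: fetch, compare, report."""
    return check_script(fetch_script(url), known_good_sha256, baseline)


if __name__ == "__main__":
    # Offline demonstration using the constructed samples instead of the network.
    print(check_script(BASELINE_SCRIPT, KNOWN_GOOD_SHA256)["status"])
    verdict = check_script(TAMPERED_SCRIPT, KNOWN_GOOD_SHA256, BASELINE_SCRIPT)
    print(verdict["status"])
    print("\n".join(verdict["diff"]))
```

Run `hourly_job()` from cron at the hourly interval the post suggests and treat any "changed" verdict that has no matching change-control record as an incident; keeping the approved hash with your own change record means the baseline stays under your control rather than the 3rd party's.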

Integrity of the 3rd Party

How could you be sure that the 3rd party uses a level of security practices that are aligned with your organisation? How could you be sure that if things did go wrong you were covered?

The above questions are concerned with a breadth of business units such as operational risk & compliance, legal as well as information security. They would include questions such as…

  1. Is there a contract between the third party and the organisation?
  2. Does the contract include x, y, z to cover the organisation in the event of a, b, c?
  3. Does the contract include a SAS70 or equivalent?
  4. Does the contract include a monetary figure?
  5. Has privacy been considered?

In most (if not all) 3rd party contracts, the above questions favour the 3rd party and not you.

Confidentiality of the Data

How can you be certain that any confidential data remains secure? How is the data (both confidential and non-confidential) transferred?

Although you may be using SSL (i.e., https), the 3rd party may not be, and the data is transferred via http. If this is the case, then any sensitive data passed is transferred across the Internet in the clear.

Even if you are using SSL and the 3rd party is using SSL (i.e., https) as well, what if the JavaScript sends the data in HTTP GET requests? In that case, the URI and its parameters are passed over the Internet in clear text. For example,

GET https://www.example.com/cc_valid.js?credit_no=123412341234&date=31122008&ccv=123

And finally, do you really want an external script running anywhere near your customer’s sensitive information?
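A check for the GET leakage just described, added here as an example (not from the post): it runs over a few constructed access log lines in Common Log Format, pulls the request target out of each one and flags any query parameter whose name looks like card or credential data. The sensitive-name patterns are an assumption of this example; the second sample line mirrors the cc_valid.js GET above. Query strings are recorded in web server and proxy logs and in browser history, so the finding masks values rather than repeating them.

```python
"""Flag sensitive data sent in query strings (added example, not from the post).

Parses web-server access log lines in Common Log Format, extracts the request
target, and reports any query parameter whose name looks like card or credential
data. Values are masked in the finding so the alert does not itself leak them.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive; an assumption of this example.
SENSITIVE_NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^(cc|card|credit)[_-]?(no|num|number)?$",   # credit_no, cardnumber, cc
    r"^(ccv|cvv|cvc|cvv2)$",                       # card verification codes
    r"^(pan|ssn|tfn|dob|pin)$",
    r"^pass(word|wd)?$",
)]

# CLF request line: 203.0.113.5 - - [date] "GET /path?query HTTP/1.1" 200 123
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the second one mirrors the GET from the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2008:10:01:02 +1000] "GET /sts.js?p=%2Fhome HTTP/1.1" 200 1234',
    '203.0.113.5 - - [26/Jun/2008:10:01:09 +1000] '
    '"GET /cc_valid.js?credit_no=123412341234&date=31122008&ccv=123 HTTP/1.1" 200 88',
    '198.51.100.7 - - [26/Jun/2008:10:02:30 +1000] "POST /checkout HTTP/1.1" 302 0',
    'garbage line that does not parse',
]


def is_sensitive_name(name):
    """True when the parameter name matches one of the sensitive patterns."""
    return any(p.match(name) for p in SENSITIVE_NAME_PATTERNS)


def mask(value, keep=4):
    """Keep only the last `keep` characters so findings are safe to log."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def inspect_target(method, target):
    """Return a finding dict if the request target carries sensitive parameters.

    Works for both a bare path ("/x?a=1") and a full URL, as in the post.
    """
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = {name: mask(value) for name, value in params if is_sensitive_name(name)}
    if not hits:
        return None
    return {"method": method, "path": parts.path, "params": hits}


def scan_log(lines):
    """Run the check over an iterable of access log lines; skip unparsable ones."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = inspect_target(m.group("method"), m.group("target"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['method']} {f['path']}: sensitive parameters {f['params']}")
```

Running it over your own logs (or the 3rd party's, if the contract gives you access) tells you whether the analytics tag is ever handed sensitive parameters; a hit is both a confidentiality finding and a sign that the page's JavaScript needs reworking so it never passes such values in a URL.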

Problem

As you can see, the above solution adds considerable overhead if you want to implement it securely in order to protect your customers’ data and your company’s reputation. As a business, the benefits that were promised at the beginning of the sales pitch may not be sounding so great anymore, and you may be leaning toward building a solution in-house. Although that is a secure solution, you soon find out it comes at a much higher cost. So is there an alternative solution?

Solution

I would recommend copying the 3rd party script to a local organisational server so that control of the script is now with you. The 3rd party is now forced to contact you when they would like to update the script. You could go even further and ask that the reporting functionality is housed on your network. That is, you provide the box and they provide the application. If they won’t allow you to house the application, you could always set up a B2B channel with the 3rd party in the cases where sensitive data may be transferred – this channel could be over a dedicated link or a VPN using an IPsec tunnel.

Keep your theme whilst blogging

June 26th, 2008 by Jordan Del-Grande (Dedicated Page)

Hi All

Since I began this blog I always wanted to keep the original theme of my website instead of flicking over to the WordPress default theme when the user clicked on "Blog". Well, as you can see, I’ve finally done it!

So if you ever wanted to know how to keep the same theme for your blog as your site’s CSS, then read this post:

http://max.limpag.com/2006/09/01/how-to-convert-any-web-template-into-a-wordpress-theme/

All you need is:

  • Style sheet – styles.css
  • Index page – index.html
  • Images directory – /images
  • A screen shot of your home page

Have fun!

Data Leakage – Are we there yet?

May 26th, 2008 by Jordan Del-Grande (Dedicated Page)

Data leakage is becoming more of a “buzz” word in the Information Security arena again, after a slight dip since 2004. A little disappointing if you think about it, because the definition of “Information Security” is the protection of information/data from threats such as leakage. Hence, this should be the first thing on the mind of an Information Security professional at all times, much like a well-rehearsed slogan similar to the property slogan…

It is all about data, data, data!

Hopefully companies can begin to realise how important the above slogan is before they lose their confidential data and, more importantly, continually remember how important it is. Unfortunately that runs into one of the paradoxes of Information Security, described below, which all information security professionals must struggle with over time.

That is, when there are good information security practices occurring within a company, then nothing actually happens. It’s a good and a bad thing for security – good as there may be no data breaches, and bad as the business is wondering what they are spending their money on if nothing is occurring. After a while the business will begin to cut back on spending (and hence security practices) and do things cheaper and riskier. Then certain events occur, such as what we saw in 2004 when data leakage and offshoring was a hot topic. The problems get fixed with more spending, and over time data leakage again goes off the radar. Today, with new threats such as phishing (or more correctly identity theft and fraud) and huge data breaches hitting the press like TJX, data leakage is on the radar again and businesses are beginning to reinvest.

The paradox can be thought of much like a sine wave oscillating over time: The greater the cost the less probability of data leakage. The less the cost the greater the probability of data leakage.

NB: The y-axis has probability and cost inverted ;-)

Next I hope to post some economic strategies to help prevent data leakage.

Risk Management for Dummies

March 30th, 2008 by Jordan Del-Grande (Dedicated Page)

I have attended many a conference on risk management and also gained a few certifications in the field. This involved reading a number of books (some more long-winded than others) and redoing the multiple choice questions until I was satisfied I had learnt their version of what the ‘correct’ answer was… This process was a little disheartening, as I have met some great risk managers who have no certifications and met some ‘below par’ risk managers who have more certifications than you can poke a stick at. I don’t wish to bring into question the certification bodies, as I believe a central body is required and their intent is to provide the most relevant information to date. Yes, I will agree with most complaints that these certifications have their flaws, but I wouldn’t say that you are better off with no certification. I think these types of questions should be redirected to the individual, their past experiences and how well they can define what risk management means to them.

This post is my best attempt at a “risk management” definition that turns the above questioning onto me. That is, I will try to describe in the most succinct way what I believe risk management to be in an information security context. I will do this as if I were in an interview, without citing a dictionary, wiki or Google – you will just have to trust that I don’t cheat ;-)

I perceive risk as driven by two related facets: the likelihood of an event occurring, combined with the impact ‘it’ will cause if ‘it’ does eventuate. That is, the lower the likelihood of an event and the lower the impact the event will have, the lower the risk. And conversely, the higher the likelihood and impact, the higher the risk.

Note: The ‘it’ in the above sentence would be either a ‘vulnerability’ or a ‘threat’. The eventuation would be defined as a ‘threat’ that successfully ‘exploits’ the ‘vulnerability’.

Now, the most important piece of the equation is the “management”. I say it is the most important as a lot of security professionals sometimes forget that without the business there is no need for risk management. Or more simply, without the business there is no need for you (to protect it).

The management piece to me involves defining business objectives and performing a cost-benefit analysis of the risk versus the business objective. Most of the time this is best performed with a key manager from the business who knows the business’s strategic goals and short-term plans. After this step, the prioritisation of risk in combination with the information resource can be more accurately defined. Based on this information, recommendations such as countermeasures or mitigating controls can then be incorporated.

From here it is up to the Business Owner and the Chief Information Security Officer to decide whether the risk should be mitigated, which costs money, or whether it can be accepted/signed off, which involves no additional cost but does involve wearing and tracking the risk.
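A worked example of the definition above, written for this page and not taken from the post: risk is scored as likelihood combined with impact, the register is prioritised by that score, and each entry is then put through the mitigate-or-accept cost-benefit decision. The numeric scales (likelihood as an annual probability, impact as a monetary loss, control cost per year) and every figure in the sample register are constructed assumptions used to make the arithmetic visible.

```python
"""Worked risk register (added example, not from the post).

Risk is treated as likelihood combined with impact; the register is prioritised
by that exposure, and each entry is then put through the cost-benefit decision
the post describes: mitigate (the control costs money) or accept and track it.
The numeric scales and every figure below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float           # chance per year the threat exploits the vulnerability
    impact: float               # estimated loss if it does (constructed currency units)
    control_cost: float         # annual cost of the proposed mitigating control
    residual_likelihood: float  # likelihood expected once the control is in place


def exposure(likelihood, impact):
    """Likelihood combined with impact: the expected loss over the period."""
    return likelihood * impact


def prioritise(risks):
    """Highest exposure first, so the business owner sees what matters most."""
    return sorted(risks, key=lambda r: exposure(r.likelihood, r.impact), reverse=True)


def decide(risk):
    """Mitigate when the control buys more risk reduction than it costs;
    otherwise accept the risk, sign it off and keep tracking it."""
    before = exposure(risk.likelihood, risk.impact)
    after = exposure(risk.residual_likelihood, risk.impact)
    reduction = before - after
    decision = "mitigate" if reduction > risk.control_cost else "accept_and_track"
    return {"name": risk.name, "exposure": round(before, 2),
            "reduction": round(reduction, 2), "control_cost": risk.control_cost,
            "decision": decision}


def build_register(risks):
    """Prioritised register with a decision recorded against each risk."""
    return [decide(r) for r in prioritise(risks)]


# Constructed sample register for a small online business.
SAMPLE_RISKS = [
    Risk("Lost USB stick of public brochures", 0.3, 5_000, 10_000, 0.03),
    Risk("Unpatched Internet-facing web server", 0.5, 200_000, 20_000, 0.05),
    Risk("Call-centre staff phished for credentials", 0.8, 50_000, 15_000, 0.2),
]


if __name__ == "__main__":
    for entry in build_register(SAMPLE_RISKS):
        print(f"{entry['name']}: exposure {entry['exposure']}, "
              f"reduction {entry['reduction']} vs cost {entry['control_cost']} "
              f"-> {entry['decision']}")
```

The decision rule is the cost-benefit step in numeric form: a control is worth buying only when the exposure it removes exceeds what it costs, and everything else is signed off and kept on the register so it is tracked rather than forgotten.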


Fighting against Phishing?

February 23rd, 2008 by Jordan Del-Grande (Dedicated Page)

Lately I have had discussions with members of my team about the increase in phishing attacks. In addition, when chatting with some clients and reading bank web sites, I read advertisements such as secure code, improvements in security with 2-factor auth, sophisticated fraud detection systems, early warning phishing scam alerts, etc. I always find it funny when companies advertise security, because they always use buzz words like the above, where you could read it as “so you also do insecure coding then? And sometimes you worsen your security with other products? And there are unsophisticated fraud detection systems but you have the other one? Or the other guys bought the late warning detection system but not you?”…

Anyways, most of the controls listed above are an attempt to mitigate against the increase in phishing that has been occurring at an impressive rate over the last number of years. In an attempt to protect the end user, the Banks are spending a lot of money on the above controls in an attempt to finally stop phishing and if you believe the advertising spinsters, cease Internet fraudulent activities altogether. The question I am asking today is, well, does it?

In short, the above controls will mitigate and protect the end user against phishing attacks as we define them today. The unfortunate truth for the end user and the Banks is that the attack itself will morph into something new to bypass the current controls and the “Phishing” definition will need to be updated by the security word nazis or a new word will need to be created that is a subset of Phishing.

You may be asking yourself, “hold on, they have two-factor auth, that definitely stops phishing attacks, doesn’t it?”

The classic response I give most clients is yes and no. That is, yes, it may stop the majority of phishing attacks today, but tomorrow brings a brand new day and, no, it may not stop them then (in the example below, tomorrow is actually today…think about it).

You see, an attack is not static, and the above controls assume that phishing will remain the same and that once these controls are in place everything should be ok…right? Well, at least that’s what the people who are implementing or selling these systems are telling their upper management and/or clients until the project wraps up. By then it will be time to work on the next big idea, as the old anti-phishing project just isn’t cutting it. And once again they can say, not our fault, those hackers are really, really intelligent.

I guess people who work in the anti-phishing industry might be upset with the above statements, but to be honest, it is the same kind of statement I could make about any other “anti” security industry, such as the anti-virus industry. That is: malicious person/s (organisation) or anti-virus company releases a virus -> business and end users are frightened and buy anti-virus software to stop the virus -> anti-virus company builds and distributes anti-virus protection -> business and end user feel safe and keep renewing the contract -> anti-virus company and malicious person/s make money.

Ok, maybe you think I am being too terse and a bit harsh with my words, and that phishing is different…Well then, how about I finish with an example…

MPack is a nice/nasty (depending on your viewpoint) piece of malware that basically takes control of a server and of the vulnerable clients that try to talk to that server. For example, your favourite banking server and you (your PC). To go along with the phishing theme as promised, let’s also add an infected server that is acting as a phishing site for your favourite bank (see below).

Banking Site   <----->   Phishing Site

       |---------You---------|

So here is the scenario…You get an email that your Bank is doing an upgrade to their Internet Banking site and you need to log in immediately for security reasons. You click on the link, which takes you to the phishing site hosting an MPack kit – the email is actually spam from an organised crime unit. Either your patches are not up to date or the MPack server has a 0-day exploit, and your machine is compromised. Malware is then downloaded to your computer unbeknownst to you. Note: in the classic phishing attack your user name and password are stolen when you submit them to the phishing site. In this attack, this is not necessary (do you see the phishing attack morphing?).

On a completely different day (or any time after your machine has been owned), you decide to do some Internet Banking and log in to your favourite banking site. The malware that currently resides on your computer (and has been happily logging everything you do, as well as acting as a part-time warez server and/or pr0n site) notices the bank URL in your browser. A program is now launched (again unbeknownst to you) that sits within your browser (i.e., within the session, so SSL certificates, cookies, etc. don’t protect you). You happily type in your username and password, as you are a security-savvy individual and can see the padlock on the screen, and enter the site.

Note: This is where the malware becomes especially important in the attack. Instead of you seeing what the bank is actually displaying to you, the malware is intercepting this and displaying what it thinks you should see. Hence, it is up to the imagination of the programmer of the malware which attack she would like to deploy. In this case, we are only going to use one simple example where you lose all the money in your account.

Note: The malware in your browser is analogous to a person’s brain suffering from schizophrenia and hence they have a distorted view of reality.

You now browse to your account transfers section to transfer funds from your account to your local gas company. The malware still displays the gas company to you, but in the request it submits it has replaced the gas company with a mule account. You click transfer and then receive either a number of images to click on or even the new and “secure” SMS service to your phone with the PIN that must be answered. You click the right combination of images or enter the PIN from the phone and click pay. The malware happily intercepts these values and submits the money to the mule account.

Note: I guess if the SMS contained the destination account number (or part thereof) and you really were paying attention, you might catch that something is wrong. That is, unless the malware is aware of this and intercepts the data, swapping the mule account number for the gas company’s account number on the screen. Anyway, it depends on the Bank’s implementation of two-factor authentication.
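To make the note above concrete, here is an added example (my own code, not the post’s and not any bank’s implementation) of a transaction-bound SMS code: the bank derives the code from the payee and amount it actually received and repeats those details in the SMS, so a man-in-the-browser substitution either shows up in the message or leaves the malware holding a code that is useless for the mule transfer. It goes one step beyond the post by binding the code cryptographically; the account numbers, amount and key are constructed sample values.

```python
import hashlib
import hmac
import secrets


def transaction_code(key: bytes, dest_account: str, amount_cents: int, nonce: str) -> str:
    """6-digit code = truncated HMAC over the transaction exactly as the server received it."""
    msg = f"{dest_account}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_challenge(key: bytes, dest_account: str, amount_cents: int, nonce: str = "") -> tuple:
    """Bank side: compose the SMS from the request as received, not from what the browser drew."""
    nonce = nonce or secrets.token_hex(8)
    code = transaction_code(key, dest_account, amount_cents, nonce)
    sms = (f"Code {code} authorises ${amount_cents / 100:.2f} to account {dest_account}. "
           "If that is not the payee you entered, do not use this code.")
    return sms, nonce


def verify(key: bytes, dest_account: str, amount_cents: int, nonce: str, submitted: str) -> bool:
    """Recompute over the transfer actually being executed; constant-time compare."""
    expected = transaction_code(key, dest_account, amount_cents, nonce)
    return hmac.compare_digest(expected, submitted)


def man_in_the_browser_demo(key: bytes) -> dict:
    """Replay the post's scenario with constructed accounts: the user intends GAS-001,
    the malware rewrites the submitted request to MULE-999."""
    intended, mule, amount = "GAS-001", "MULE-999", 15_000
    # Case 1: the payee is rewritten before the bank sees it, so the SMS names the mule
    # account rather than the gas company. A user who reads the SMS can catch it.
    sms, _ = issue_challenge(key, mule, amount)
    sms_shows_real_payee = intended not in sms and mule in sms
    # Case 2: the malware lets the real request through to harvest a code, then tries
    # to spend that code on a transfer to the mule. The HMAC no longer matches.
    sms2, nonce2 = issue_challenge(key, intended, amount)
    code = sms2.split()[1]
    return {
        "sms_shows_real_payee": sms_shows_real_payee,
        "code_valid_for_intended": verify(key, intended, amount, nonce2, code),
        "code_valid_for_mule": verify(key, mule, amount, nonce2, code),
    }


if __name__ == "__main__":
    print(man_in_the_browser_demo(secrets.token_bytes(32)))  # constructed per-user key
```

The SMS is read on the phone, which the malware on the PC cannot redraw, so the on-screen swap the note describes does not reach it; the remaining weak point is a user who does not compare the payee in the message with the one they meant to pay.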

Hopefully enough said.

Happy Banking!