This is Intuit's official response to the German ActiveX exploit.

2/10/97

Questions and Answers on German Unauthorized Transfer Issue

Q: What happened in Germany?

A: The German media reported that computer hackers could transfer funds electronically without needing a PIN by inserting an unauthorized funds transfer into a German Quicken datafile when a user downloaded an ActiveX application from a website. They implied that the next time the user connected online to send instructions, the unauthorized transactions would be sent as well.

However, this is highly unlikely because of the automatic security features built into Quicken that would help to protect customers from such unauthorized transfers. Quicken prompts customers with a list of the transfers that will be sent and provides customers with the opportunity to delete any transactions they do not recognize before going online. Even if an unauthorized transfer is sent, Quicken gives customers the ability to spot such transactions by providing a confirmation list of the instructions that have just been sent. Customers noticing an unauthorized transaction can then take steps to notify their financial institution.

Furthermore, this situation can only occur if consumers override the security warning messages generated by the Internet Explorer web browser. The default security setting (high) for Internet Explorer alerts users to the installation of an unauthorized or unregistered ActiveX component. Netscape Navigator does not support the download and installation of ActiveX components. In addition, we have received no reports that any unauthorized transfers of this type have even been attempted.

Intuit, like other software publishers, recommends that customers take advantage of built-in security provisions to prevent inadvertent use of potentially malicious software.
In particular, Intuit recommends that customers only download or use ActiveX controls that have been digitally signed by a reputable software developer or publisher. Customers also have the option to completely turn off ActiveX support in their browsers.

Q: Can unauthorized funds transfers of this sort happen in the United States using Quicken?

A: No. The U.S. version of Quicken software is different from that used in Germany and has different capabilities. The U.S. version of Quicken only allows funds transfers to preauthorized customer accounts at the same financial institution. Funds cannot be transferred to non-customer accounts or accounts at another financial institution.

Q: Can ActiveX be used as shown on the German television show to send unauthorized bill payments in the United States using Quicken?

A: In such a situation, it is highly unlikely that unauthorized bill payments could actually occur given security features built into both the Quicken software and Internet browsers. Although it might be possible for an external application to add a transaction to Quicken, online payments are only made to online payees in Quicken's payee list. In the situation described in Germany, the hackers did not create any unauthorized bill payments.

In addition, even if an unauthorized payment were added to the Quicken datafile in the way described in the German situation, the customer would be able to see it before s/he goes online. Before each connection, Quicken prompts the user by displaying a list of instructions, giving customers the opportunity to review the instructions created and delete any instructions they do not recognize. As a further safeguard, instructions sent online are confirmed in the Transmission Summary window that follows each online connection. Customers noticing an unauthorized transaction in the summary window can then take steps to notify their financial institution.
Furthermore, it is important to note that such a situation can only occur if consumers override the security warning messages generated by the Internet Explorer web browser. The default security setting (high) for Internet Explorer alerts users to the installation of an unauthorized or unregistered ActiveX component. Netscape Navigator does not support the download and installation of ActiveX components.

Intuit, like other software publishers, recommends that customers take advantage of the built-in security provisions to prevent inadvertent use of potentially malicious software. In particular, Intuit recommends that customers only download or use ActiveX controls that have been digitally signed by a reputable software developer or publisher. Customers also have the option to completely turn off ActiveX support in their browsers.

Q: What steps can consumers take to protect themselves from electronic fraud?

A: In working to guard against this particular situation:

- Customers should take the proper precautions when downloading from the Internet. Customers should only connect to sites that they trust and should use the security features built into ActiveX and their browsers for additional protection.
- The default security setting (high) for Internet Explorer alerts the user to the installation of an unauthorized or unregistered ActiveX component. Customers would have to override the warning messages displayed by Internet Explorer in order to encounter this situation.
- Customers also have the option to completely turn off ActiveX support in their browsers. Netscape does not support the download and installation of ActiveX components.
- Customers should always review the list of instructions that Quicken provides before going online. They should delete any instructions they do not want sent before going online.
- Additionally, customers should always review the Transmission Summary report that confirms the instructions they have just sent.
If they notice any unauthorized transactions, they should notify their financial institution immediately.

In general, customers should consider the following:

- Always keep PINs confidential. You should reveal your PIN only to those people authorized to use your services.
- Change PINs regularly to reduce the chance that others will learn your PIN and use it to access your accounts.
- For additional security, you may wish to use a datafile password that prevents unauthorized access to your Quicken datafile.

Q: What should customers do if they ever suspect that an unauthorized transaction from Quicken has occurred?

A: Customers should contact their financial institution to understand whether an unauthorized transaction has actually taken place. All transactions originating from Quicken are traceable.

Q: What measures does Intuit take to protect the security of online transactions?

A: Protecting the security of customers' financial information is a top priority for the online banking and payment services available through Quicken. The U.S. versions of Quicken use three levels of security to guard your data:

RSA encryption: Online banking and online payment services take advantage of state-of-the-art encryption technology to protect the security of your financial information. (Encryption technology works by coding financial information into an unreadable format.) To maximize the security of your data, all your online transactions are protected by RSA encryption and authentication tools licensed directly from RSA Data Security, Inc., a world leader in encryption technology.

PIN: The online banking and payment services use Personal Identification Numbers (PINs) to protect your account. When you receive your online banking and online payment materials, you also receive a PIN that you can change. No one at Intuit or your financial institution has access to this PIN. Only you and those people you choose to tell know your PIN.
As an additional measure of protection, keep your PIN confidential and change it regularly.

Password: A password is a barrier against an unauthorized attempt to access a system of information. Quicken allows you to use a password feature to ensure that only people with the correct password have access to your financial information. The Quicken file password feature restricts access to the financial information in your datafile. Once you have assigned a password to your datafile, only those people with the password will be able to access your account or transaction information.

Q: What about QuickBooks and BankNOW?

A: The answers given above apply to these products as well.