User talk:Garygriswold
I am evaluating GnuCash for an automated orphan sponsorship project. A demonstration prototype of the "cloud" application can be found at www.sponsororphan.org. In the intended deployment of this application each supported orphanage would have a partner organization that would be responsible for many administrative tasks, including accounting. So, each of them would need an accounting system, and there would need to be the ability to roll up the individual "charity centers" (like profit centers). If we had to develop the roll-up capability, that would be OK.
My primary concern is about security in the open source environment. Because this application interfaces to bank accounts and holds account numbers and may transiently hold PINs, there is reason to be concerned about how easy it would be for a hacker to perpetrate a man-in-the-middle attack in order to collect account numbers and their corresponding PINs. For example, an attack might include adding some additional code at the place in the code where PIN keystrokes are entered.
Is the system architected in some way that would make this modification difficult? Are there any steps in testing that make sending the PINs back to the hacker difficult? To suggest that security is based upon the vigilance of those watching the code does not provide any longer-term comfort, since the people involved can change.
Please let me know what you think, or point me to some existing discussions on this subject.
Sincerely yours,
Gary Griswold