Slashdot Mirror
Internet Banking Security Hole
A reader writes: "The Observer newspaper (the Sunday edition of The Guardian) in the UK is reporting what looks like a major security problem with Internet bank accounts run by Fiserv. The U.S. company says it runs more than 200 million accounts on-line, looking after more than £15bn of customers' money. The guy who discovered the problem, Ralph Dressel, showed The Observer three sample printouts giving account details of customers at the Amalgamated Bank of Chicago, the Bank of Oklahoma and the Sovereign Bank in Connecticut. As well as seeing account details, Dressel claims he could have changed PIN numbers or transferred money to his own account."
Tell me what makes you so afraid
Of all those people you say you hate
But I do agree with you that even after the banks clean up their security loopholes there still needs to be some second factor authentication (big buzz word there) like a smart card reader.
Since most online banking takes place from the home, it would be cool if the banks could use GPS (global positioning system) to verify the users location (they are at home or at their office) before allowing any transactions to take place. Simply attach a GPS sensor to the client's machine and send some of the raw GPS data to the bank for authentication in conjunction with the username and password.
-----------------
The U.S. company says it runs more than 200 million accounts on-line, looking after more than £15bn of customers' money.
Wait a minute here... divide the number of users into the money that's only an average of $75 per user. Apparently no one trusted these guys BEFORE the hole was discovered, nevermind after.
-----
In the banking case, yes, I agree. Companies can't be trusted to publicly admit to their own weakness (see also: Firestone tire debacle).
I guess my analogy was not completely on target, then, because I was thinking of the security "tests" on things that people have no business testing. I often leave my car unlocked, windows rolled down when I go get groceries, and even when parked in front of my apt. These locations are fairly safe and there's nothing of value in the car. And if someone really wants to steal my car, a locked door won't stop them. So I don't need someone trying my car doors and telling me it's unlocked. Likewise, I don't necessarily want someone checking the "doors" of my website.
But getting back to your point; if my website was "Password.com: Keeper of your Vital Info", then perhaps it would be in public's best interest for people to try and (non-maliciously) break in.
-----
D. Fischer
ShoutingMan.com
I disagree. I've worked for a few banks, in some cases with direct responsibility for security. Let me tell you honestly:
Most places don't even bother with such rudimentary tools such as ssh to protect logins and passwords. At once place, I recommended that we implement ssh and no one knew what it was! Finally after months and months, it was approved for a few systems only, but other holes in the systems weren't fixed.
Often systems are put in production with all default services running because "the firewall will take care of that." Usually, they're never patched (or maybe once during the big Y2K scare.) The coding of online applications is usually pathetic with default passwords, no input checking, etc.
These companies need a wake-up call badly. Lots of bad publicity is a good start. I think it would actually be good if a few grey hats ripped some of these banks off for a few hundred million (not from customer accounts) and explained why they did it.
There should be some sort of government or other standard that the banks must adhere to, perhaps required simply to operate. If they screw up, they should be fined, and this can be used to pay down the debt, or social programs or something.
What we need is an open infrastructure supporting real anonymous e-cash. Once we have this the banks will all be out of business.
Okay here are the problems with that: I used to have a 10 digit pin number - out of a possible 14. I travel quite often, and in Germany three years ago I had my ATM card eaten because the machine would not accept my pin number (only had room for a six digit number).
The other problem with A-Z is that you are assuming that English words == French words == Japanese words == etc.
My friend had this problem when he had to translate his pin word from English to French only to have it be rejected.
In both cases the solution was the same, a four digit pin number.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
Good detective skills, but... The URL to login to these places also has an .exe file extension in it - not unheard of, but seems more Windows-ish. The header info could simply be meant to throw casual hackers off the scent.
We will probably never know, unless someone at site-secure.com actually spills the beans.
creation science book
C'mon, 200 000 000 accounts, 15 billion in managed assets. That's about 75$ per account.
Doesn't look as if I'd buy shares from those bozos.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Not having done so for a while, i'm not sure, but i'm fairly willing to bet that if you went in and left a cash deposit for the car you were renting, you could take it off the lot without leaving a credit card. Likewise, you might even be able to do it if you leave a deposit equivalent to the insurance deductable on the car. The rental agencies just don't want to be giving new cars out to people in exchange for $200 (a 3 or 4 day rental fee).
Cash isnt' useless...
If they were stupid enough to use Micorosft products for secure transactions, they deserve to be cracked.
After all the thousands of breeches in MS security, it seems that the business community would get a clue.
photosMy Photostream
I accept your point. Large companies do tend to behave like that. However, this was a German citizen, working for a Scandinavian/European bank in the Isle of Man. The Isle of Man has it's own legal system, separate from English law. I'm pretty sure that (although it is part of Great Britain) it is not part of the EU. I don't think this chap had much to fear from an American corporation.
Still, my other points I think stand. In order for digital money to have value, someone has to give it value, be that the US government or somebody else. Frankly, I don't see how it would be possible to make that possible unless that authority controlled it entirely (i.e. you would have an "account" with them).
Having played with the Cybercash MCK, they have(had?) a little issue as well.
Go on, do a search for +link:mck-cgi on altavista. Follow a link. eg:
http://www.madamealexander.com /special/get_copy.html
Buy something and proceed to secure form.
Change URL to http://www.whatever.com/mck-cgi/conf/merchant_conf
If they web designer is a little careless, you'll see something like this. If you know what you're doing, you can now play around with the user's merchant credit card account.
Note: I'm not just explaining this maliciously. I detailed this issue to Cybercash 6 months ago (twice) and they didn't even bother replying (a 'thank you' would have sufficed). Perhaps now this is in the open they'll deal with it? All they had to do was change their install program to ensure this data doesn't appear in the public domain.
<sigh>
If you write $5000 down in the place where the bank checks when your check is cashed, you have 5000 'real' dollars. (Incidentally, as any introductory economics class will tell you, money is a collective illusion we all participate in because it's much more conventient than barter.)
-_Quinn
Reality Maintenance Group, Silver City Construction Co., Ltd.
Your aging rustbucket is your car. It doesn't have anything to do with hundreds or thousands of other people. The analogy would not be to putting a note on your dashboard (and I would argue it's actually a note on their window, but whatever), but rather would be to contacting the manufacturer of the car.
Really, though, the critical thing is that the analogy between a car and a banking database does not work. A car is an individually owned product. A banking database is a service to thousands if not millions of people. A carjacking affects one person. The cracking of a computer database could affect millions.
I'll leave it to someone else to figure out an appropriate analogy. I'm too tired.
Jeff
To some extent, I agree with you, save for one point. In this particular instance, I personally would have done the same thing.
I think when the security problem is on something like online banking (where a great many people can be screwed thoroughly), more exposure is better. Send this info to everyplace that'll broadcast it for you. It's the only way that businesses and the government will see that security is a very real issue.
Quietly allowing a bank to fix patches like this obscures something very important from the general populus...online banking isn't safe yet, and should DEFINATELY be regulated.
I truly don't believe this particular person falls into your over-generalized 'leed kiddie' catagory, I call him civic-minded with his own political agenda.
Evidently so. After all, it's not like someone could send whatever data they liked.
There are two solutions, the easiest being to avoid storing plaintext passwords since you have absolutely no need to do so. This has been recognized as a good idea for something like 30 years...
A more complex but significantly more secure approach would be the use of a smart card card which would perform some sort of operation on a challenge sent by the bank and send back the result. Unfortunately, smart-cards aren't invulvnerable to attacks but a reasonably hardened system would be much more secure than the current approaches. Since companies like Visa manage to be quite profitable even with comparatively high theft rates, something like this should be quite acceptable.
"This is perhaps the equivalent of opening someone's unlocked car door to turn off their lights. Or perhaps, it's like picking their lock to get in and turn off the lights."
What about reaching under the car to find the magnetic spare-key holder, unlocking the door, and turning off the lights?
Money is never worthless. Currency often is.
668: Neighbour of the Beast
If you think about it, attaching a smartcard reader to the PC will not help.
The only way to deal with this threat is to attach a non-user-programmable smartcard with its own protected user-interface.
)9TSS
Here is an interesting article on security methods, from a user-interface design perspective. Maximum Security
:)
Here's a quote to whet your appetite:
Security in our nation's computer systems is in trouble, and the fault lies with an education system turning out security people unprepared to build real-world secure systems. As a result, many of our most secure-appearing systems sport all the impenetrability of a slice of Swiss Cheese.
(BTW: I recommend looking through AskTog and Alertbox if you deal at all with interface design, or want to know why today's interfaces suck so much sometimes
-----
D. Fischer
ShoutingMan.com
Oops. When I originally posted, other /.ers had already found fault the idea of an external auditing group, and I hadn't taken into account that as the threads expanded, those posts would be obscured.
In short, I meant that since there was agreement by other readers, there was no point rehashing discussing why it would or would not be good to have an external audit.
The 2 big points I liked from other posts were on this were 1) Too much liability for auditor. and 2) Govt.'s ineffectiveness (inability to move/change quickly, regulations, being out of touch with new tech, etc.) would make them an unreliable 'guarantee'.
"The girl makes Godot look punctual." -- Buffy
Just a thought... if you have fib[n]=.... shouldn't you have a 'n' somewhere in the expression?
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
They get around the "all debts public and private" arguement by requiring that you have the card before they will rent you the car; they allege that you can use cash to pay the debt once you have the car and have used it, but you won't get it off the lot without they see your credit card. Has to be in the drivers name, too. No third party cards. Don't know how they handle that for corporate...
Fwiw, I know 1st-hand this policy was not in place a few years ago, but it is now. Note that I cannot speak for regional or local rental companies...
0x0000
"The Internet is made of cats."
Choas would ensue.
Cute. :-) Seriously, though... There's agreement that a paid auditor group (esp. govt. controlled) would be foolish. If you also believe forcing banks to reward the finding holes, why not require (for consumer protection) that all sites dealing with financial data to hold cracking contents before offering their services?
Shoot, if business holds contests to crack water marks on new music formats, why not *make* business do the same for the sort of protection consumers actively desire?
"The girl makes Godot look punctual." -- Buffy
the problem isn't just Fiserv, it is the terrible software they chose to runGarbage in Garbage out
Best send them links to openBSD.
photosMy Photostream
Your figures are wrong. That should be £75. For us americans, that would equal a little over 50 dollars.
I don't know about American banks, but if it had been exploited against a British bank they would probably have pursued a fraud case against the person whose savings were stolen; that's what they did when someone claimed that a crook had been withdrawing money from their account with a forged ATM card a couple of years ago, since banks would never, ever, ever have a security flaw in their systems.
In America, our banking regulations require that a bank, upon notification of an unauthorized electronic transfer, provisionally credit the customer's account within 10 days, and conduct an investigation within 45 days, presumably to see if the individual is defrauding them. However, the law is clear that the bank is liable for any unauthorized transfer that they allow.
0x0000
"The Internet is made of cats."
Brian Peace
Economics comes to the rescue: we should force companies to take full responsibility for the losses and the suffering that their carelessness causes others. Any company that exposes private data should be penalized, whether or not any losses are actually incurred by an individual. And if that company becomes target of a computer crime, they should not be able to hide behind someone else's guilt: they should be subject to stiff penalties. That way, poor security is not going to be the most rational economic choice for a company.
Going after the "computer criminals" is not going to be a solution. The current approach is only effective at catching bragging teenagers and allowing companies to shut up white-hat hackers; it won't catch anybody who is really determined to do damage and hide their identity: there are too many ways of using the Internet anonymously, from trial dial-up accounts and public phones to public Internet terminals. It has no force as a deterrent.
The only way consumer confidence can be created is by holding the people who can do something meaningful about security, the Internet companies who hold private data, responsible.
Now, I'm not saying this Dressel guy was thinking along these lines or that his bank has done anything to warrant such paranoia. I'm just saying that it is possible that a person who reports a security flaw to the press and not to the company that created it isn't doing so to be 'leet.
--
Fuck the system? Nah, you might catch something.
So the analogy that works is not going around a parking lot determining if cars are unlocked, but rather checking car types to determine if the locks are enough to hold against, say, another car's key. And cars whose locks can be opened by other cars' keys (or cars whose doors open when their locks are engaged!) should not be allowed out there.
Jeff
With all due respect, I disagree.
You're correct as far as the "conventional wisdom" goes, of course. Inform privately, blah-blah-blah. But considering that many (perhaps "most") companies who are so informed will prosecute you for hacking into their machines, and you will go to jail for many years, I would suggest that a public announcement is the best way to start. You want to take the public initiative, portray your actions in the best light available, and you want to do it preemptively. If the company is the one firing the initial public salvo, you're going to jail for many years.
What? The above post is written as if the company is your enemy rather than your ally? Yes. Because they are. It's almost certainly much cheaper to tip off the FBI about your evil hacking ways than it would be to fix the security breach. So that's the option they're going to consider first.
--
Michael Sims-michael at slashdot.org
Heh. I spouted what I believe to be the correct way to handle this. Three people (so far) have disagreed *for the same basic reason*. I find it worrying that corporations have this much perceived power. That's why I support This organisation.
However, If a bank *did* gag someone, and were subsequently raided, the shareholders (usually large corporations themselves) would be round with the highly-trained, half-starved RottLawyers faster than you can say 'Fiduciary Duty'. Or, at least, that's how I hope it works.
Every time there is the smallest security breach in an online e-commerce related company, the news gets broadcast all over the place. However, rarely are news stories posted anywhere about more traditional financial institutions or retailers. Ok, so there have been a few credit cards exposed online. But, do you know how many fraud schemes there have been invoving physical cards, at places such as gas stations and restaurants? The amount of online fraud is so small compared to the size of traditional financial fraud. From someone who knows quite a bit about the banking industry I feel way safer about giving my credit card to amazon.com then I do to my local Gas Station!!
It's the same think that happens with airline crashes. They may make the news every time but you've got a way higher chance of being killed every time you get in your car!
Bottom line, when you are using a credit card online, yes you have to be careful, but believe me, you better be way more careful using it offline!
Seems really strange that a bank would have just a single PIN to 'protect' customer accounts (Well, E*Trade has...) Our local banks use either PIN code list or a combination of usercode/password and PIN code list. List is needed whenever you what to add, change or delete information. PIN codes are 4-5 digits long, sometimes associated with a 'challenge' number. Some banks will soon offer access with the Government issued identity card (smart card). If you read the Observer's news article carefully, you'll notice it never mentioned that full access was available for the accounts. Change PIN, but what if the system required old PIN first? Transfer money, but what if the PIN was again required?
Maybe they're trying to obtain security by running their Winshit software under WINE
scary thought, isn't it?
-- Only unbalanced people can tip the scales.
Be careful here. Smart cards do not automatically mean security, and there are unfortunately many poor implementations around. And btw: if the smart card reader is disconnected from the computer, how does the encrypted data get to the web site?
I used to work for a bank which used a smart card reader for their e-banking product. Officially, the advantage of this solution over plain https would be that even if the user's computer was compromised by a trojan or a virus, his pin and passwords were still secure. However, unfortunately, the bank was too cheap to buy smart card readers with integrated keyboards and displays. Thus, a virus or trojan would just need to grab the cleartext data stream going from the computer's keyboard to the reader, and presto! After pointing out that flaw to my boss, he just said "You're basically right. However, you should understand that the goal is not to provide actual security, but rather to give the customer an impression of security. Customers read about security problems on the internet so frequently, that it takes sth special to convince them that E-banking can be secure. However, the same customers trust the security of smart cards, most already carry several of them in their wallet (credit cards, access badges, ATM cards...). So we just capitalize on their trust in smartcards and integrate one in our solution. Even if it doesn't help security. But don't worry: nobody'll find out, after all not everybody has a PhD in cryptography..." I don't either... but I still noticed.
> One instance where cash (US or otherwise) is worthless: Automobile rentail. 'A major credit card' is a requirement... They like to get rude about it, too.
Funny thing. When the local mobsters come around to collect their protection money, 'cash' is a requirement... They like to get rude about it, too.
Since "not getting my kneecaps broken" is more convenient than "renting a car", I tentatively conclude that cash is more convenient than credit cards are.
--
Sheesh, evil *and* a jerk. -- Jade
> I asked if she had read the article, and she had, but said it wasnt' true. I asked how she knew this, and she said because they had investigated it.
That's when you ask her to sign a "hold harmless" agreement to the effect that you will not be held responsible for any money you extract that way. After all, they're not at risk, right?
--
Sheesh, evil *and* a jerk. -- Jade
Now, granted a government agency is going to the ut-most greatest in catching anything at all ... it would at least provide us with an excuse to blame the government. :-)
Seriously tho, an agency ( govermental, non-profit, even for-profit ) needs to be set up with regulatory authority to mandate passage of certain criteria before a web-site can say it's "Protected" customer data.
There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
Maybe it's time again to buy gold and bury it in the backyard :)
Founder's Camp
Founder's Camp
News for non-Nerds. Stuff that matters.
You're an optimist. He'll be lucky if they don't indict him for computer crimes. Breaking into their system. Accessing without authorization. Evil evil evil, bad hacker.
It's much easier to kill the messenger, and (hopefully) quietly make fixes. Otherwise they'll have to admit that they have been grossly negligent in their security.
With all the talk about strengthening computer crime legislation and the penalties associated with violations, this scenario provides a perfect example of where an individual provided a service to the company in question by committing a "crime" against them.
Ralph Dressel provided Fiserv with the results of what would have been an expensive internal controls audit for free. If this vulnerability would have remained undiscovered, a malicious party that discovered it could have stolen money or blackmailed Fiserv in the same way that the hacker who stole CDUniverse's credit card database blackmailed them.
We should hesitate to condem these "grey hat" hackers by drafting legislations to criminalize their exploits.
ByteMyCode.com: A Web 2.0 code sharing community.
Uh, yeah... sure - just give me your account info. I'll make sure it's out^H^H^H there in a hurry.
There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
This is where software/service firms need to take some responsibilty for their actions and inactions. Do you really think that if this guy had gone ahead and taken $50m or more Fiserv would have said "oops! we made a mistake, let us fix it". Nope. It would be up to the banks or end users to repair the damages to their accounts. All because some company whose job is to keep data secure failed.
Besides the other problems that have been mentioned, GPS receivers do not work very well inside buildings. You usually have to install an external antenna on the roof of the building.
Mea navis aericumbens anguillis abundat
I bet this guy is going to get a medal, a plaque, and an article. That's it. When he could've had 10 mil just like that.. I demand that the bank gives him the award of... one million dollars! (Dr.Evil finger thingy... )
http://dtum.livejournal.com
I always thought the whole PIN number thing was a huge security issue anyway. It seems far more insecure than an English word password (there are less options -- 9 digits on a keypad or 26 letter in an alphabet). Also, most people don't go past 4 numbers for their PIN, even if they have the option. It would be pretty easy to use a heat spectrometer to analyse what PIN it is immediately after they've been pushed -- or better yet, look over the person's shoulder if you're in the vicinity.
I've never been a big fan of security. I think some measures people go to protecting basic servers and files can be a little too extreme. But this is your money -- your lifeblood in this day and age where $ == bread and water. I think the security is far more important here.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Seth
$5 / month hosted VPS on linux = awesome!
Fiserv has a partnership with Security First Technologies. It will be interesting to watch how their stock changes tomorrow as this news gets around.
Fiserv: NASDAQ FISV
SFT: NASDAQ SONE
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
This is just another example of information wanting to be free. Let the money get transferred to another account, thats how it was meant to be. Under fair use clause, anyone can have money.
I used to work at a bank that utilized Fiserv for backend stuff. They have many, many different services and so on, but if the rest of the company is anything like the people I dealt with this won't be fixed any time soon. We had to file paperwork (in triplicate) to add a field to a downloaded data extract. And give them at least 30 days lead time. And then re-submit when it came back wrong, or the field was empty, or some damn thing.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I work within the eCommerce group of a bank who is a direct competitor to one of the victims, Soverign Bank. I am a systems integrator and I do much of the security work at the systems/app level on our eCommerce systems.
:)
I am not suprised to read what the Brit got for info (although I am suprised he got it within minutes, unless he knows the online banking backend software)
Any bank worth doing business with will have many controls in place to ensure that financial institutions are taking the correct precautions needed to safeguard their customers. These controls include internal and FDIC audits, external attack and penetration tests against systems, and curious/nosey/tinkering staff like myself
Any organization which runs an eCommerce system without contracting a highly reputed firm to do an attack/penetration test is completey crazy! (and out of FDIC compliance too) I *highly* doubt that the firms in question had taken the time to do this.
I coordinate a/p tests within my company, and these guys we hire will try to find *anything* that is remotely considered a security hole, ranging from things like Public communites for SNMP on a router to last logged in user is displayed on console in NT.
Beware however, I have worked with some reputed firms who sent me people who couldn't break out of a brown paper bag, let alone crash my firewall to hop thru the VLAN and into my host systems! Also another problem: many vulnerablities are never exposed during these tests, as they require doing things like dDOS attacks against firewalls, etc, and cannot be done in a feasible manner.
Here are some of the major problems with many banks today:
1) Shitty technology: Sometimes banks buy apps for reasons other than they work well, are secure, etc. i.e. everyone else runs it, so we need to as well (a'la M$)
2) Time to market too aggressive: Aggressive growth, mergers, etc. dictate that we have every bell and whistle available on the systems side. This means that we end up with too much work to do in too little time. Things like proper systems design, security planning, etc. suffer because some jackass project mgr. can't fit it into his M$ project file, or the budget can't fit in a $30,000 attack/penetration test. If banks want to grow fast, they need to gear up with people and money to match!
3) Horseshit outsource providers: I am sure that this app that was hosed by the Brit has some components outside of the actual banks that were victimized. I can tell you first hand that many of these providers, i.e. BBN, AT&T, etc. are not nearly what they claim to be. They claim they are a high availablity, fully secured operation. I have seen firsthand such idiotic things as: open remote control s/w (i.e. PcNowhere) running on the default port on the internet NIC accepting logins from any IP, machines that run NetBIOS on the internet NIC (because they login to DCs that sit on the internet). How in all high hell can you secure something when you have your domain logins flying unencrypted across the internet?!?
4) Poor security planning: Not enough gurus for to plan/build/support the systems that are in place.
5) Too easy too look secure: All you need to do is buy an app, setup the back end stuff at the bank, get an outsource provider that can host your web boxes (they must be SAS70 certified) and then hire XYZ to do a penetration test...if it comes back with security holes, just fix them!
It takes a lot of dedicated people to make a fully secured system...firewall/router guys, systems folks, dba's, knowlegable ousource providers, etc. Hopefully high-profile events such as this one will be a wake up call to other banks.
Sorry for the extended rant,
Andrew
You have your conversion factor backward. £1 is worth about $1.5, not the other way around. So that £75 is worth about $113. Still the original poster's point is valid -- either somebody already raided most of these accounts, or most of the people don't trust the system. Most likely there is an order-of-magnitude error in the article, and they either manage 20 million accounts (with an average of about $1100 in them) or the accounts add up to £150bn.
BEGIN RANT BLOCK===============
There has been a lot of discussion over the past couple of years about the rights and wrongs concerning full disclosure of security flaws.
The person who tipped off the newspapers obviously has no understanding of how full disclosure should be used. What he did is functionally identical to spouting off about his 'leet discovery on a dodgy IRC channel.
Most security professionals agree that full disclosure is the correct way to proceed (anything else is security through obscurity). Note: This does NOT mean that you inform the media, post to leet.kiddies.cracking, or issue a press release saying that your company's product whould have prevented it.
If you are a responsible person, you inform the organization that has the vulnerability. You ask them to investigate it, and ask them for a timescale for a fix. 99% of the time, they will be grateful for the tip-off, and will issue a fix promptly.
If they don't, you tell them that you intend to release the information so that the potential victims are informed, and can manage the risk appropriately.
If they still refuse to do anything, then you think long and hard about going public. You probably should.
Once it's public they *have* to fix it.
However, the way it usually works is that they respond to the tip-off, provide interim/permanent fixes and credit the discoverer.
The aim is to use full disclosure to minimize the exploitability of a security problem. It is not meant to be used by pathetic attention-seekers to grab media focus, or for companies touting security snake-oil to chalk up another few sales.
This disclosure (as far as I can see) was intended to create media exposure (or why was a newspaper contacted?).
I can't see any evidence here that the person who discovered this acted to minimize the effects of the alleged security problem. That puts the discoverer in the "leet kiddie" category until evidence is presented that the bank refused to act on the information.
There is no security. Any organisation (even one without a single computer) is vulnerable to security breaches. This will never change. Unless people act responsibly when a breach occurs, the only winners are criminals.
END RANT BLOCK===============
Somebody discovered that once logged into an account on the server, your account number was encoded in the URL, and you could just change the account number in the URL to get access to the account of any other customer in the bank. It was fixed pretty fast, but it is incredible that the hole could have been created in the first place.
I attempted to crack my own bank in the same way after this became known. It certainly does not share the vulnarability, but I do not feel entirely confident that it doesn't have related holes that can be exploited by a specialized user agent, but I haven't time to check it out. I feel safe though, as it is a law giving the bank full responsibility for my money, and they use a smart card that is disconnected from the computer to generate 8-digit access codes, no PINs or password is stored on the computer.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Note to any script kiddies: Proving that you are 1337 by changing my PIN (I suppose you could steal my money, but there's really not a whole lot there) will result in being hunted down and thrown in jail like the table-scrap pilfering grab-asses you are (GRAB ASSES BAD!)
Er.
But seriously. I did just sign up for net banking w/ Sovereign. I wonder if they're going to mention anything about this to me.
Quidquid latine dictum sit, altum sonatur.
I mean, the only things you can do on an online account is transfer money or cause a check to be sent to you via checkfree. Each of these leaves a "paper" trail where the money goes.
The best I can come up with with my non-criminal mind is to cause havoc by transfering money into my favorite charity's accounts.
What if they turned around and had him arrested for "hacking?" What would his defense be?
Nah, by going straight to the press, the FBI, and his local police up front, it guaranteed that it'd get enough publicity that there's no way the banks could get away with attempting to prosecute and if they even tried, he'd have a good defense beyond his word that he was doing it to disclose their security flaws.
Remember what the common person these days thinks about "hackers" and the bad press hackers get these days.
It is really huge hole :^)
After a few keystrokes he obtained something called the 'access log' which had all the security information needed to access any of the internet accounts run by Fiserv.
They obviosely posted access-log... It's really stupid for secure site, but it's not unfixable.
BTW, Netcraft shows this site as running Stronghold/3.0 Apache/1.3.12 C2NetEU/3012 (Unix) PHP/3.0.16 mod_ssl/2.6.4 OpenSSL/0.9.5a mo So, so much for Microsoft-bashing.
Don't forget, Netcraft can be thrown off by firewalls, routers, etc in the way...
----
---- I made the Kessel Run in under 11 parsecs.
Usual question: How did you get this info? (I know it's impolite to ask this, but as I already did...)
That way, if someone should install a trojan in my PC and pick up the pin code, that code would be useless next time. Furthermore, before I send any money off my accounts I have to verify with another one-time code from my box. (so even if a trojan would somehow add a transaction during my banking session it would not be sent to the bank unless I verified it)
The system is not perfect, of course. Someone might reverse engineer the code box to get the algortihm *AND* somehow get the key for my box without breaking it. I guess it is possible, but it would be easier to just rob me.
Another way would be to rely on me being clueless enough to leave bo box somewhere together with a note containing the PIN for the box. In that case I'd deserve to get robbed...
Bottom line. Never trust anything user configurable. It must be secure from the box *AND* foolproof (as in "don't let any fool tamper with it")
All opinions are my own - until criticized
Ishrat (Founderscamp.com)
There's always sufficient, but not always at the right place nor for the right folks.
You don't even have to reveal details of the hack. All you have to do is show it's possible. The loss of confidence in the company could do millions of dollars worth of damage to the company.
I'm not saying that DID happen. I'm saying it COULD have.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Evan Reynolds evanthx@hotmail.com
Evan Reynolds evanthx@hotmail.com
Two peanuts crossed the street. One was assaulted.
Slashdot style!
Boffoonery - downloadable Comedy Benefit for Bletchley Park
In Citibank the web-password of one's account is the same as your Citibank card PIN!
Practically it is just 4 digits - which gives you 10^4 = 10000 passwords. You don't need supercomputers to crack this...
I have contacted Citibank-customer service several times, asking them to establish separate password for account web-access. They said their state-of-the-art bla-bla encription
is safe enough. By the way, they refuse to send their messages to a customer Internet's email-address - for (pause,) security reasons.
I still have an account there. May be I like to test my calmness. My PIN # is ooops...
I've always feared that the banks were not secure. That's why I keep all my money in my mattress. Of course, all those coins make the bed lumpy, but you get used to it eventually.
--
In order to drive turn-key functionalities in the new economy, any company or profit-making entity - banks included, need to utilize integrated web-readiness and reintermediate web-enabled networks without goverment interference - in such a way that it's possible for them to optimize dot-com infrastructures as they relate to the banking and commercial world. In this way, they can engineer efficient commercial applications and incubate a sophisticated userbase.
Everything is but a number spoken by itself.
BOK has been notoriously security-lax in the past years. Their credit bureau network admin left the default password/login on the system, which was findable by anyone who had used/had a manual for the software. You could go in, and change credit ratings, find Names + SSNs, and change payments. Pretty much why I refuse to use them for my bank. Now this comes up, and I can't help but laugh.
The last I checked finnish soda machines didn't eat dollars. This is the case for other European countries also, at least I have yet to see one in Europe.
I did a little research, and found out there is an easy way to tell.
I couldn't find The Amalgamated Bank of Chicago, but I did find http://www.bankofoklahoma.com/ and http://www.sovereignbank.com/.
When you go to the login screen at either of those to bank sites, you will see that the secure server is really hosted at https://www.secure-site.com/, instead of the bank's site.
So, there you go, an easy way to tell.
BTW, Netcraft shows this site as running Stronghold/3.0 Apache/1.3.12 C2NetEU/3012 (Unix) PHP/3.0.16 mod_ssl/2.6.4 OpenSSL/0.9.5a mo So, so much for Microsoft-bashing.
God, Slashdot has deteriorated. Whining and whining at the whiners. Does real information hurt or something?
-- Only unbalanced people can tip the scales.
Oops.
-- Only unbalanced people can tip the scales.
They should have audited the software before launching their service. Probably a rush job.
;).
I helped a consulting firm check a bank's internet app _before_ they did a public launch and it had many security holes in it. Hopefully they managed to fix it. The software firm they contracted it out to didn't seem to have much experience with writing stuff for a potentially hostile environment. But when I mentioned a few tips on secure programming to them, I seemed to see "Uhoh!/Whoa!" in their eyes, which is not a bad response. If no lights went on, then I'd have told the consultant to tell the bank to find someone else. Still they better do another audit again before even thinking of launching it.
It's actually not that difficult for decent programmers to write a _reasonably_ secure web app. It's not too bad once they understand the limits of what they can trust, and realize that people can actually do strange stuff
Writing a totally secure web app is not so easy, and it's often not necessary even for banking apps. Because for some attacks the crooks are very likely to leave a trail. Smart crooks will just find an easier target. Whereas stupid vandals will just go to jail. Stupider ones will go to jail for a long time.
Cheerio,
Link.
The customer and the bank will be none the wiser - after the entire contents of the cutomser's savings account and online stock portfolio is transferred to the bad guys, the bank will have perfect records showing the correct PIN, username, password, GPS coordinates, etc. to validate the transaction. And the customer will hae printouts showing they did no such thing.
All that security would be worthless, and either the bank would tell the customer "We think you are trying to defraud us, look we have all this proof you really did make the transfer", or they would say "Tough luck, you should have kept your Windows machine secure, loser", or (more likely) the bank would just eat the loss and hush the whole thing up.
Banks save so much money not having tellers and buildings downtown that they would rather put up with millions of dollars of losses every year than give up on internet banking.
As long as internet banking uses customer's home PC's as trusted links in the whole system, real security is an impossibility.
Torrey Hoffman (Azog)
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
Jeff: Just because I drive an aging rustbucket where there's no working locks and the starter is a pushbutton doesn't exonerate you from the crime of theft when you drive off in it.
OK, to be complete in the analogy: you are still invading my privacy and possibly are a vandal when you put a note on my dashboard letting me know that my car is insecure. Thrail
Two wrongs don't make a right. But three rights make a left.
I just called the bank of oklahoma to ask them if they were aware of anything, and they knew immediately what I was talking about, and transfered me to someone in security. All she did was deny that it was true. I asked if she had read the article, and she had, but said it wasnt' true. I asked how she knew this, and she said because they had investigated it. I asked if anyone else had called, and she said only a few. I then called the local paper, and television station to make them aware of the story. I don't want BOK to try to sweep this away without being sure. I mean, they don't know anything about the system, so how can they be so confident that it wasn't true. smash a glass, chris
...and misleading. They've got their press release up on their website now, claiming Dressel only accessed demonstration accounts. Do they really have "hundreds of thousands" of demo accounts?
Lucky for me, I keep all my cash stashed in a tin can under my mattress. I also have a sock for a safety deposit box.
Got to love it when reporters don't chekc the facts first.
can you please provide a reference to the X.com security hole?
Thanks,
willis/
there is no thing
what else could you want?
US Cash - always good, always accepted, almost always works in soda machines.
Tell me what makes you so afraid
Of all those people you say you hate
If banking was done on cell phones, things would be better...
Think,
1. Unique ID (via sim-card type thing)
2. almost awlays on (few power failures/coverage blackouts)
3. untrojanable (or at least not now)
4. the promise of well encrypted communications...
what do you think?
willis/
there is no thing
what else could you want?