Slashdot Mirror
Internet Banking Security Hole
A reader writes: "The Observer newspaper (the Sunday edition of The Guardian) in the UK is reporting what looks like a major security problem with Internet bank accounts run by Fiserv. The U.S. company says it runs more than 200 million accounts on-line, looking after more than £15bn of customers' money. The guy who discovered the problem, Ralph Dressel, showed The Observer three sample printouts giving account details of customers at the Amalgamated Bank of Chicago, the Bank of Oklahoma and the Sovereign Bank in Connecticut. As well as seeing account details, Dressel claims he could have changed PIN numbers or transferred money to his own account."
But I do agree with you that even after the banks clean up their security loopholes there still needs to be some second factor authentication (big buzz word there) like a smart card reader.
Since most online banking takes place from the home, it would be cool if the banks could use GPS (global positioning system) to verify the users location (they are at home or at their office) before allowing any transactions to take place. Simply attach a GPS sensor to the client's machine and send some of the raw GPS data to the bank for authentication in conjunction with the username and password.
-----------------
The U.S. company says it runs more than 200 million accounts on-line, looking after more than £15bn of customers' money.
Wait a minute here... divide the number of users into the money that's only an average of $75 per user. Apparently no one trusted these guys BEFORE the hole was discovered, nevermind after.
-----
Still, my other points I think stand. In order for digital money to have value, someone has to give it value, be that the US government or somebody else. Frankly, I don't see how it would be possible to make that possible unless that authority controlled it entirely (i.e. you would have an "account" with them).
Your aging rustbucket is your car. It doesn't have anything to do with hundreds or thousands of other people. The analogy would not be to putting a note on your dashboard (and I would argue it's actually a note on their window, but whatever), but rather would be to contacting the manufacturer of the car.
Really, though, the critical thing is that the analogy between a car and a banking database does not work. A car is an individually owned product. A banking database is a service to thousands if not millions of people. A carjacking affects one person. The cracking of a computer database could affect millions.
I'll leave it to someone else to figure out an appropriate analogy. I'm too tired.
Jeff
To some extent, I agree with you, save for one point. In this particular instance, I personally would have done the same thing.
I think when the security problem is on something like online banking (where a great many people can be screwed thoroughly), more exposure is better. Send this info to everyplace that'll broadcast it for you. It's the only way that businesses and the government will see that security is a very real issue.
Quietly allowing a bank to fix patches like this obscures something very important from the general populus...online banking isn't safe yet, and should DEFINATELY be regulated.
I truly don't believe this particular person falls into your over-generalized 'leed kiddie' catagory, I call him civic-minded with his own political agenda.
Evidently so. After all, it's not like someone could send whatever data they liked.
There are two solutions, the easiest being to avoid storing plaintext passwords since you have absolutely no need to do so. This has been recognized as a good idea for something like 30 years...
A more complex but significantly more secure approach would be the use of a smart card card which would perform some sort of operation on a challenge sent by the bank and send back the result. Unfortunately, smart-cards aren't invulvnerable to attacks but a reasonably hardened system would be much more secure than the current approaches. Since companies like Visa manage to be quite profitable even with comparatively high theft rates, something like this should be quite acceptable.
If you think about it, attaching a smartcard reader to the PC will not help.
The only way to deal with this threat is to attach a non-user-programmable smartcard with its own protected user-interface.
)9TSS
Here is an interesting article on security methods, from a user-interface design perspective. Maximum Security
:)
Here's a quote to whet your appetite:
Security in our nation's computer systems is in trouble, and the fault lies with an education system turning out security people unprepared to build real-world secure systems. As a result, many of our most secure-appearing systems sport all the impenetrability of a slice of Swiss Cheese.
(BTW: I recommend looking through AskTog and Alertbox if you deal at all with interface design, or want to know why today's interfaces suck so much sometimes
-----
D. Fischer
ShoutingMan.com
Now, I'm not saying this Dressel guy was thinking along these lines or that his bank has done anything to warrant such paranoia. I'm just saying that it is possible that a person who reports a security flaw to the press and not to the company that created it isn't doing so to be 'leet.
--
Fuck the system? Nah, you might catch something.
So the analogy that works is not going around a parking lot determining if cars are unlocked, but rather checking car types to determine if the locks are enough to hold against, say, another car's key. And cars whose locks can be opened by other cars' keys (or cars whose doors open when their locks are engaged!) should not be allowed out there.
Jeff
With all due respect, I disagree.
You're correct as far as the "conventional wisdom" goes, of course. Inform privately, blah-blah-blah. But considering that many (perhaps "most") companies who are so informed will prosecute you for hacking into their machines, and you will go to jail for many years, I would suggest that a public announcement is the best way to start. You want to take the public initiative, portray your actions in the best light available, and you want to do it preemptively. If the company is the one firing the initial public salvo, you're going to jail for many years.
What? The above post is written as if the company is your enemy rather than your ally? Yes. Because they are. It's almost certainly much cheaper to tip off the FBI about your evil hacking ways than it would be to fix the security breach. So that's the option they're going to consider first.
--
Michael Sims-michael at slashdot.org
Every time there is the smallest security breach in an online e-commerce related company, the news gets broadcast all over the place. However, rarely are news stories posted anywhere about more traditional financial institutions or retailers. Ok, so there have been a few credit cards exposed online. But, do you know how many fraud schemes there have been invoving physical cards, at places such as gas stations and restaurants? The amount of online fraud is so small compared to the size of traditional financial fraud. From someone who knows quite a bit about the banking industry I feel way safer about giving my credit card to amazon.com then I do to my local Gas Station!!
It's the same think that happens with airline crashes. They may make the news every time but you've got a way higher chance of being killed every time you get in your car!
Bottom line, when you are using a credit card online, yes you have to be careful, but believe me, you better be way more careful using it offline!
Be careful here. Smart cards do not automatically mean security, and there are unfortunately many poor implementations around. And btw: if the smart card reader is disconnected from the computer, how does the encrypted data get to the web site?
I used to work for a bank which used a smart card reader for their e-banking product. Officially, the advantage of this solution over plain https would be that even if the user's computer was compromised by a trojan or a virus, his pin and passwords were still secure. However, unfortunately, the bank was too cheap to buy smart card readers with integrated keyboards and displays. Thus, a virus or trojan would just need to grab the cleartext data stream going from the computer's keyboard to the reader, and presto! After pointing out that flaw to my boss, he just said "You're basically right. However, you should understand that the goal is not to provide actual security, but rather to give the customer an impression of security. Customers read about security problems on the internet so frequently, that it takes sth special to convince them that E-banking can be secure. However, the same customers trust the security of smart cards, most already carry several of them in their wallet (credit cards, access badges, ATM cards...). So we just capitalize on their trust in smartcards and integrate one in our solution. Even if it doesn't help security. But don't worry: nobody'll find out, after all not everybody has a PhD in cryptography..." I don't either... but I still noticed.
Now, granted a government agency is going to the ut-most greatest in catching anything at all ... it would at least provide us with an excuse to blame the government. :-)
Seriously tho, an agency ( govermental, non-profit, even for-profit ) needs to be set up with regulatory authority to mandate passage of certain criteria before a web-site can say it's "Protected" customer data.
There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
With all the talk about strengthening computer crime legislation and the penalties associated with violations, this scenario provides a perfect example of where an individual provided a service to the company in question by committing a "crime" against them.
Ralph Dressel provided Fiserv with the results of what would have been an expensive internal controls audit for free. If this vulnerability would have remained undiscovered, a malicious party that discovered it could have stolen money or blackmailed Fiserv in the same way that the hacker who stole CDUniverse's credit card database blackmailed them.
We should hesitate to condem these "grey hat" hackers by drafting legislations to criminalize their exploits.
ByteMyCode.com: A Web 2.0 code sharing community.
Uh, yeah... sure - just give me your account info. I'll make sure it's out^H^H^H there in a hurry.
There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
This is where software/service firms need to take some responsibilty for their actions and inactions. Do you really think that if this guy had gone ahead and taken $50m or more Fiserv would have said "oops! we made a mistake, let us fix it". Nope. It would be up to the banks or end users to repair the damages to their accounts. All because some company whose job is to keep data secure failed.
Besides the other problems that have been mentioned, GPS receivers do not work very well inside buildings. You usually have to install an external antenna on the roof of the building.
Mea navis aericumbens anguillis abundat
I bet this guy is going to get a medal, a plaque, and an article. That's it. When he could've had 10 mil just like that.. I demand that the bank gives him the award of... one million dollars! (Dr.Evil finger thingy... )
http://dtum.livejournal.com
I always thought the whole PIN number thing was a huge security issue anyway. It seems far more insecure than an English word password (there are less options -- 9 digits on a keypad or 26 letter in an alphabet). Also, most people don't go past 4 numbers for their PIN, even if they have the option. It would be pretty easy to use a heat spectrometer to analyse what PIN it is immediately after they've been pushed -- or better yet, look over the person's shoulder if you're in the vicinity.
I've never been a big fan of security. I think some measures people go to protecting basic servers and files can be a little too extreme. But this is your money -- your lifeblood in this day and age where $ == bread and water. I think the security is far more important here.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Seth
$5 / month hosted VPS on linux = awesome!
Fiserv has a partnership with Security First Technologies. It will be interesting to watch how their stock changes tomorrow as this news gets around.
Fiserv: NASDAQ FISV
SFT: NASDAQ SONE
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
This is just another example of information wanting to be free. Let the money get transferred to another account, thats how it was meant to be. Under fair use clause, anyone can have money.
I work within the eCommerce group of a bank who is a direct competitor to one of the victims, Soverign Bank. I am a systems integrator and I do much of the security work at the systems/app level on our eCommerce systems.
:)
I am not suprised to read what the Brit got for info (although I am suprised he got it within minutes, unless he knows the online banking backend software)
Any bank worth doing business with will have many controls in place to ensure that financial institutions are taking the correct precautions needed to safeguard their customers. These controls include internal and FDIC audits, external attack and penetration tests against systems, and curious/nosey/tinkering staff like myself
Any organization which runs an eCommerce system without contracting a highly reputed firm to do an attack/penetration test is completey crazy! (and out of FDIC compliance too) I *highly* doubt that the firms in question had taken the time to do this.
I coordinate a/p tests within my company, and these guys we hire will try to find *anything* that is remotely considered a security hole, ranging from things like Public communites for SNMP on a router to last logged in user is displayed on console in NT.
Beware however, I have worked with some reputed firms who sent me people who couldn't break out of a brown paper bag, let alone crash my firewall to hop thru the VLAN and into my host systems! Also another problem: many vulnerablities are never exposed during these tests, as they require doing things like dDOS attacks against firewalls, etc, and cannot be done in a feasible manner.
Here are some of the major problems with many banks today:
1) Shitty technology: Sometimes banks buy apps for reasons other than they work well, are secure, etc. i.e. everyone else runs it, so we need to as well (a'la M$)
2) Time to market too aggressive: Aggressive growth, mergers, etc. dictate that we have every bell and whistle available on the systems side. This means that we end up with too much work to do in too little time. Things like proper systems design, security planning, etc. suffer because some jackass project mgr. can't fit it into his M$ project file, or the budget can't fit in a $30,000 attack/penetration test. If banks want to grow fast, they need to gear up with people and money to match!
3) Horseshit outsource providers: I am sure that this app that was hosed by the Brit has some components outside of the actual banks that were victimized. I can tell you first hand that many of these providers, i.e. BBN, AT&T, etc. are not nearly what they claim to be. They claim they are a high availablity, fully secured operation. I have seen firsthand such idiotic things as: open remote control s/w (i.e. PcNowhere) running on the default port on the internet NIC accepting logins from any IP, machines that run NetBIOS on the internet NIC (because they login to DCs that sit on the internet). How in all high hell can you secure something when you have your domain logins flying unencrypted across the internet?!?
4) Poor security planning: Not enough gurus for to plan/build/support the systems that are in place.
5) Too easy too look secure: All you need to do is buy an app, setup the back end stuff at the bank, get an outsource provider that can host your web boxes (they must be SAS70 certified) and then hire XYZ to do a penetration test...if it comes back with security holes, just fix them!
It takes a lot of dedicated people to make a fully secured system...firewall/router guys, systems folks, dba's, knowlegable ousource providers, etc. Hopefully high-profile events such as this one will be a wake up call to other banks.
Sorry for the extended rant,
Andrew
BEGIN RANT BLOCK===============
There has been a lot of discussion over the past couple of years about the rights and wrongs concerning full disclosure of security flaws.
The person who tipped off the newspapers obviously has no understanding of how full disclosure should be used. What he did is functionally identical to spouting off about his 'leet discovery on a dodgy IRC channel.
Most security professionals agree that full disclosure is the correct way to proceed (anything else is security through obscurity). Note: This does NOT mean that you inform the media, post to leet.kiddies.cracking, or issue a press release saying that your company's product whould have prevented it.
If you are a responsible person, you inform the organization that has the vulnerability. You ask them to investigate it, and ask them for a timescale for a fix. 99% of the time, they will be grateful for the tip-off, and will issue a fix promptly.
If they don't, you tell them that you intend to release the information so that the potential victims are informed, and can manage the risk appropriately.
If they still refuse to do anything, then you think long and hard about going public. You probably should.
Once it's public they *have* to fix it.
However, the way it usually works is that they respond to the tip-off, provide interim/permanent fixes and credit the discoverer.
The aim is to use full disclosure to minimize the exploitability of a security problem. It is not meant to be used by pathetic attention-seekers to grab media focus, or for companies touting security snake-oil to chalk up another few sales.
This disclosure (as far as I can see) was intended to create media exposure (or why was a newspaper contacted?).
I can't see any evidence here that the person who discovered this acted to minimize the effects of the alleged security problem. That puts the discoverer in the "leet kiddie" category until evidence is presented that the bank refused to act on the information.
There is no security. Any organisation (even one without a single computer) is vulnerable to security breaches. This will never change. Unless people act responsibly when a breach occurs, the only winners are criminals.
END RANT BLOCK===============
But there has to be some central authority that gives the money value. US currency only has value because people respect the value that the US government give it (and even then only because they have a lot of gold to back it up). Digital money is by definition just a number. Anyone can write down a number, so it doesn't have any money by itself. Someone has to give that number some value. If that authority is the US government, then you'll have to have a "government money account" instead of a bank account. There's no free lunch here, though.
'Real' money doesn't have any value either by your definition.. A $5 bill only has value because the US government says so, not because it is backed by gold, or silver, or other negotiable item. The Euro, British pound, Russian ruble, are all worthless when it comes down to it. (the Euro and ruble more so than the others)
.sig: Now legally binding!
I mean, the only things you can do on an online account is transfer money or cause a check to be sent to you via checkfree. Each of these leaves a "paper" trail where the money goes.
The best I can come up with with my non-criminal mind is to cause havoc by transfering money into my favorite charity's accounts.
What if they turned around and had him arrested for "hacking?" What would his defense be?
Nah, by going straight to the press, the FBI, and his local police up front, it guaranteed that it'd get enough publicity that there's no way the banks could get away with attempting to prosecute and if they even tried, he'd have a good defense beyond his word that he was doing it to disclose their security flaws.
Remember what the common person these days thinks about "hackers" and the bad press hackers get these days.
BTW, Netcraft shows this site as running Stronghold/3.0 Apache/1.3.12 C2NetEU/3012 (Unix) PHP/3.0.16 mod_ssl/2.6.4 OpenSSL/0.9.5a mo So, so much for Microsoft-bashing.
Don't forget, Netcraft can be thrown off by firewalls, routers, etc in the way...
----
---- I made the Kessel Run in under 11 parsecs.
That way, if someone should install a trojan in my PC and pick up the pin code, that code would be useless next time. Furthermore, before I send any money off my accounts I have to verify with another one-time code from my box. (so even if a trojan would somehow add a transaction during my banking session it would not be sent to the bank unless I verified it)
The system is not perfect, of course. Someone might reverse engineer the code box to get the algortihm *AND* somehow get the key for my box without breaking it. I guess it is possible, but it would be easier to just rob me.
Another way would be to rely on me being clueless enough to leave bo box somewhere together with a note containing the PIN for the box. In that case I'd deserve to get robbed...
Bottom line. Never trust anything user configurable. It must be secure from the box *AND* foolproof (as in "don't let any fool tamper with it")
All opinions are my own - until criticized
You don't even have to reveal details of the hack. All you have to do is show it's possible. The loss of confidence in the company could do millions of dollars worth of damage to the company.
I'm not saying that DID happen. I'm saying it COULD have.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
In order to drive turn-key functionalities in the new economy, any company or profit-making entity - banks included, need to utilize integrated web-readiness and reintermediate web-enabled networks without goverment interference - in such a way that it's possible for them to optimize dot-com infrastructures as they relate to the banking and commercial world. In this way, they can engineer efficient commercial applications and incubate a sophisticated userbase.
Everything is but a number spoken by itself.
BOK has been notoriously security-lax in the past years. Their credit bureau network admin left the default password/login on the system, which was findable by anyone who had used/had a manual for the software. You could go in, and change credit ratings, find Names + SSNs, and change payments. Pretty much why I refuse to use them for my bank. Now this comes up, and I can't help but laugh.
I did a little research, and found out there is an easy way to tell.
I couldn't find The Amalgamated Bank of Chicago, but I did find http://www.bankofoklahoma.com/ and http://www.sovereignbank.com/.
When you go to the login screen at either of those to bank sites, you will see that the secure server is really hosted at https://www.secure-site.com/, instead of the bank's site.
So, there you go, an easy way to tell.
BTW, Netcraft shows this site as running Stronghold/3.0 Apache/1.3.12 C2NetEU/3012 (Unix) PHP/3.0.16 mod_ssl/2.6.4 OpenSSL/0.9.5a mo So, so much for Microsoft-bashing.
God, Slashdot has deteriorated. Whining and whining at the whiners. Does real information hurt or something?
-- Only unbalanced people can tip the scales.
Uhh digital money doesn't have any value unless it's backed up with something real. Instead of a "bank account" you'll have a "something else account". I don't see much gain. Unless you honestly think that if I write down the number "5000" somewhere, I'll have $5000 of "digital money".
The customer and the bank will be none the wiser - after the entire contents of the cutomser's savings account and online stock portfolio is transferred to the bad guys, the bank will have perfect records showing the correct PIN, username, password, GPS coordinates, etc. to validate the transaction. And the customer will hae printouts showing they did no such thing.
All that security would be worthless, and either the bank would tell the customer "We think you are trying to defraud us, look we have all this proof you really did make the transfer", or they would say "Tough luck, you should have kept your Windows machine secure, loser", or (more likely) the bank would just eat the loss and hush the whole thing up.
Banks save so much money not having tellers and buildings downtown that they would rather put up with millions of dollars of losses every year than give up on internet banking.
As long as internet banking uses customer's home PC's as trusted links in the whole system, real security is an impossibility.
Torrey Hoffman (Azog)
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
Got to love it when reporters don't chekc the facts first.