Internet Banking Security Hole
A reader writes: "The Observer newspaper (the Sunday edition of The Guardian) in the UK is reporting what looks like a major security problem with Internet bank accounts run by Fiserv. The U.S. company says it runs more than 200 million accounts on-line, looking after more than £15bn of customers' money. The guy who discovered the problem, Ralph Dressel, showed The Observer three sample printouts giving account details of customers at the Amalgamated Bank of Chicago, the Bank of Oklahoma and the Sovereign Bank in Connecticut. As well as seeing account details, Dressel claims he could have changed PIN numbers or transferred money to his own account."
If you think about it, attaching a smartcard reader to the PC will not help.
The only way to deal with this threat is to attach a non-user-programmable smartcard with its own protected user-interface.
So the analogy that works is not going around a parking lot determining if cars are unlocked, but rather checking car types to determine if the locks are enough to hold against, say, another car's key. And cars whose locks can be opened by other cars' keys (or cars whose doors open when their locks are engaged!) should not be allowed out there.
Jeff
Every time there is the smallest security breach in an online e-commerce related company, the news gets broadcast all over the place. However, rarely are news stories posted anywhere about more traditional financial institutions or retailers. Ok, so there have been a few credit cards exposed online. But do you know how many fraud schemes there have been involving physical cards, at places such as gas stations and restaurants? The amount of online fraud is so small compared to the size of traditional financial fraud. As someone who knows quite a bit about the banking industry, I feel way safer giving my credit card to amazon.com than I do to my local gas station!!
It's the same thing that happens with airline crashes. They may make the news every time, but you've got a way higher chance of being killed every time you get in your car!
Bottom line: when you are using a credit card online, yes, you have to be careful, but believe me, you had better be way more careful using it offline!
Be careful here. Smart cards do not automatically mean security, and there are unfortunately many poor implementations around. And btw: if the smart card reader is disconnected from the computer, how does the encrypted data get to the web site?
I used to work for a bank which used a smart card reader for their e-banking product. Officially, the advantage of this solution over plain https would be that even if the user's computer was compromised by a trojan or a virus, his PIN and passwords were still secure. However, unfortunately, the bank was too cheap to buy smart card readers with integrated keyboards and displays. Thus, a virus or trojan would just need to grab the cleartext data stream going from the computer's keyboard to the reader, and presto! After I pointed out that flaw to my boss, he just said: "You're basically right. However, you should understand that the goal is not to provide actual security, but rather to give the customer an impression of security. Customers read about security problems on the internet so frequently that it takes something special to convince them that e-banking can be secure. However, the same customers trust the security of smart cards; most already carry several of them in their wallet (credit cards, access badges, ATM cards...). So we just capitalize on their trust in smartcards and integrate one in our solution. Even if it doesn't help security. But don't worry: nobody'll find out, after all not everybody has a PhD in cryptography..." I don't either... but I still noticed.
With all the talk about strengthening computer crime legislation and the penalties associated with violations, this scenario provides a perfect example of where an individual provided a service to the company in question by committing a "crime" against them.
Ralph Dressel provided Fiserv with the results of what would have been an expensive internal controls audit for free. If this vulnerability would have remained undiscovered, a malicious party that discovered it could have stolen money or blackmailed Fiserv in the same way that the hacker who stole CDUniverse's credit card database blackmailed them.
We should hesitate to condemn these "grey hat" hackers by drafting legislation to criminalize their exploits.
ByteMyCode.com: A Web 2.0 code sharing community.
This is where software/service firms need to take some responsibility for their actions and inactions. Do you really think that if this guy had gone ahead and taken $50m or more, Fiserv would have said "oops! we made a mistake, let us fix it"? Nope. It would be up to the banks or end users to repair the damage to their accounts. All because some company whose job is to keep data secure failed.
I always thought the whole PIN number thing was a huge security issue anyway. It seems far more insecure than an English word password (there are fewer options -- 9 digits on a keypad versus 26 letters in an alphabet). Also, most people don't go past 4 numbers for their PIN, even if they have the option. It would be pretty easy to use a heat spectrometer to analyse what PIN it is immediately after the keys have been pushed -- or better yet, look over the person's shoulder if you're in the vicinity.
I've never been a big fan of security. I think some measures people go to protecting basic servers and files can be a little too extreme. But this is your money -- your lifeblood in this day and age where $ == bread and water. I think the security is far more important here.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Fiserv has a partnership with Security First Technologies. It will be interesting to watch how their stock changes tomorrow as this news gets around.
Fiserv: NASDAQ FISV
SFT: NASDAQ SONE
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
But I bet a lot of banks would fail rigorous checks, which is why it won't happen until lots of money is stolen and consumers start demanding protection. After all, the DoS against the big websites a few months back got a huge amount of publicity and threats of terrible vengeance, whereas the theft and subsequent use of thousands of credit card numbers by a German hacker the week before got virtually no press. The powers-that-be are terrified that people will find out the truth about the papier-mâché style security of e-commerce and will stop buying into the hype, so they're stalling as long as they can, fearing that a loss of confidence will dent the American economic 'miracle'.
I work within the eCommerce group of a bank which is a direct competitor to one of the victims, Sovereign Bank. I am a systems integrator and I do much of the security work at the systems/app level on our eCommerce systems.
:)
I am not surprised to read what the Brit got for info (although I am surprised he got it within minutes, unless he knows the online banking backend software).
Any bank worth doing business with will have many controls in place to ensure that financial institutions are taking the correct precautions needed to safeguard their customers. These controls include internal and FDIC audits, external attack and penetration tests against systems, and curious/nosey/tinkering staff like myself.
Any organization which runs an eCommerce system without contracting a highly reputed firm to do an attack/penetration test is completely crazy! (and out of FDIC compliance too) I *highly* doubt that the firms in question had taken the time to do this.
I coordinate a/p tests within my company, and these guys we hire will try to find *anything* that is remotely considered a security hole, ranging from things like public communities for SNMP on a router to the last logged-in user being displayed on the console in NT.
Beware however, I have worked with some reputed firms who sent me people who couldn't break out of a brown paper bag, let alone crash my firewall to hop thru the VLAN and into my host systems! Also another problem: many vulnerabilities are never exposed during these tests, as they require doing things like DDoS attacks against firewalls, etc., and cannot be done in a feasible manner.
Here are some of the major problems with many banks today:
1) Shitty technology: Sometimes banks buy apps for reasons other than that they work well, are secure, etc. i.e. everyone else runs it, so we need to as well (à la M$)
2) Time to market too aggressive: Aggressive growth, mergers, etc. dictate that we have every bell and whistle available on the systems side. This means that we end up with too much work to do in too little time. Things like proper systems design, security planning, etc. suffer because some jackass project mgr. can't fit it into his M$ Project file, or the budget can't fit in a $30,000 attack/penetration test. If banks want to grow fast, they need to gear up with people and money to match!
3) Horseshit outsource providers: I am sure that this app that was hosed by the Brit has some components outside of the actual banks that were victimized. I can tell you first hand that many of these providers, i.e. BBN, AT&T, etc. are not nearly what they claim to be. They claim they are a high availability, fully secured operation. I have seen firsthand such idiotic things as: open remote control s/w (i.e. PcNowhere) running on the default port on the internet NIC accepting logins from any IP, machines that run NetBIOS on the internet NIC (because they login to DCs that sit on the internet). How in all high hell can you secure something when you have your domain logins flying unencrypted across the internet?!?
4) Poor security planning: Not enough gurus to plan/build/support the systems that are in place.
5) Too easy to look secure: All you need to do is buy an app, set up the back end stuff at the bank, get an outsource provider that can host your web boxes (they must be SAS70 certified) and then hire XYZ to do a penetration test...if it comes back with security holes, just fix them!
It takes a lot of dedicated people to make a fully secured system...firewall/router guys, systems folks, DBAs, knowledgeable outsource providers, etc. Hopefully high-profile events such as this one will be a wake-up call to other banks.
Sorry for the extended rant,
Andrew
BEGIN RANT BLOCK===============
There has been a lot of discussion over the past couple of years about the rights and wrongs concerning full disclosure of security flaws.
The person who tipped off the newspapers obviously has no understanding of how full disclosure should be used. What he did is functionally identical to spouting off about his 'leet discovery on a dodgy IRC channel.
Most security professionals agree that full disclosure is the correct way to proceed (anything else is security through obscurity). Note: This does NOT mean that you inform the media, post to leet.kiddies.cracking, or issue a press release saying that your company's product would have prevented it.
If you are a responsible person, you inform the organization that has the vulnerability. You ask them to investigate it, and ask them for a timescale for a fix. 99% of the time, they will be grateful for the tip-off, and will issue a fix promptly.
If they don't, you tell them that you intend to release the information so that the potential victims are informed, and can manage the risk appropriately.
If they still refuse to do anything, then you think long and hard about going public. You probably should.
Once it's public they *have* to fix it.
However, the way it usually works is that they respond to the tip-off, provide interim/permanent fixes and credit the discoverer.
The aim is to use full disclosure to minimize the exploitability of a security problem. It is not meant to be used by pathetic attention-seekers to grab media focus, or for companies touting security snake-oil to chalk up another few sales.
This disclosure (as far as I can see) was intended to create media exposure (or why was a newspaper contacted?).
I can't see any evidence here that the person who discovered this acted to minimize the effects of the alleged security problem. That puts the discoverer in the "leet kiddie" category until evidence is presented that the bank refused to act on the information.
There is no security. Any organisation (even one without a single computer) is vulnerable to security breaches. This will never change. Unless people act responsibly when a breach occurs, the only winners are criminals.
END RANT BLOCK===============
How about 1. buy a set of false ID documents (birth certificate, social security card, driver's license, etc), 2. open an account under the false ID, 3. hack the bank and transfer small amounts of cash (say, $50 from 100 accounts per week) into your own account, picking those accounts with the highest transaction rates and balances so the cash won't be missed, 4. move the money to the Cayman Islands/Vanuatu/Belgium/somewhere else with strong banking secrecy laws.
:-)).
Of course, you'd want to perform the fraud over the course of a single month to finish the job before 400 irate people call the bank about an error in their monthly statements.
This scheme seems dangerous and somewhat expensive for a single person to do multiple times, so it may be better suited to organized crime, which could easily run multiple scams at once, get the false IDs at cost, and launder the profits through high-volume commercial accounts.
ObDisclaimer: IANAM (I am not a mobster)
In order to drive turn-key functionalities in the new economy, any company or profit-making entity - banks included - needs to utilize integrated web-readiness and reintermediate web-enabled networks without government interference - in such a way that it's possible for them to optimize dot-com infrastructures as they relate to the banking and commercial world. In this way, they can engineer efficient commercial applications and incubate a sophisticated userbase.
Everything is but a number spoken by itself.
BOK has been notoriously security-lax in the past years. Their credit bureau network admin left the default password/login on the system, which was findable by anyone who had used/had a manual for the software. You could go in, and change credit ratings, find Names + SSNs, and change payments. Pretty much why I refuse to use them for my bank. Now this comes up, and I can't help but laugh.
I did a little research, and found out there is an easy way to tell.
I couldn't find The Amalgamated Bank of Chicago, but I did find http://www.bankofoklahoma.com/ and http://www.sovereignbank.com/.
When you go to the login screen at either of those two bank sites, you will see that the secure server is really hosted at https://www.secure-site.com/, instead of the bank's site.
So, there you go, an easy way to tell.
BTW, Netcraft shows this site as running Stronghold/3.0 Apache/1.3.12 C2NetEU/3012 (Unix) PHP/3.0.16 mod_ssl/2.6.4 OpenSSL/0.9.5a mo So, so much for Microsoft-bashing.
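The "easy way to tell" from this post, written up as an added Python example (not from the thread or any of the banks involved): it parses the login page's form actions and reports any that resolve to a host other than the page's own, which is exactly the situation the poster observed with https://www.secure-site.com/. The page URL `www.example-bank.test` and the HTML snippet are constructed sample input; only the secure-site.com host name comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # attrs is a list of (name, value) pairs; a missing action means
            # the form posts back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")


def third_party_form_hosts(page_url, html_text):
    """Return the hosts of form actions that differ from the page's own host.

    Relative actions are resolved against page_url, so a form that submits
    back to the bank's own site is not reported.
    """
    page_host = urlparse(page_url).hostname
    parser = FormActionCollector()
    parser.feed(html_text)
    foreign = []
    for action in parser.actions:
        target = urlparse(urljoin(page_url, action))
        if target.hostname and target.hostname != page_host:
            foreign.append(target.hostname)
    return foreign


# Constructed sample page: a login form that submits to a third-party host
# (the host named in the post), plus a site-search form that stays on the bank.
SAMPLE_PAGE_URL = "https://www.example-bank.test/login"
SAMPLE_HTML = """
<html><body>
<form action="https://www.secure-site.com/login" method="post">
  <input name="user"><input name="pin" type="password">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for host in third_party_form_hosts(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("login credentials leave the bank's domain for:", host)
```

A form that submits elsewhere is not a flaw by itself; it only reveals who operates the login back end, which is the point the post is making.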
God, Slashdot has deteriorated. Whining and whining at the whiners. Does real information hurt or something?
-- Only unbalanced people can tip the scales.