IE Devs Criticize Bank Security Vulnerabilities

← Back to Stories (view on slashdot.org)

IE Devs Criticize Bank Security Vulnerabilities

Posted by Zonk on Tuesday May 8, 2007 @01:22AM from the i-tend-to-like-that-little-lock-icon dept.

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

33 of 214 comments (clear)

Min score:

Reason:

Sort:

Fixed it for ya! by tomhudson · 2007-05-08 01:26 · Score: 3, Funny

"But can you really trust your money to a bank that doesn't even offer the option of a secure login page?""
But can you really trust your money to a web browser and operating system that are the most hijacked in the world?"
There, fixed it for you.
1. Re:Fixed it for ya! by cryptoguy · 2007-05-08 01:48 · Score: 3, Insightful
  
  I'm no fan of IE, but firefox is equally vulnerable to this issue. It's caused by the way SSL / TLS is used by the app on the server.
2. Re:Fixed it for ya! by rblancarte · 2007-05-08 02:03 · Score: 3, Interesting
  
  The fact is that for an IE Dev to point fingers solely at the bank is joke.
  
  There is a lot of blame to go around for unsecure bank transactions. In the example, we are presented w/ the whole case of user on unsecured wireless. I think the lack of security of the bank in that case is the end users - I never would do bank transactions on an unsecured network except in extreme cases.
  
  Granted, I do believe that banks do share some responsibility. I think they would be best served to do all of their pages as secure. Therefore minimize the chance for information to be captured. But still I can't solely blame them.
  
  And it isn't to say that IE is without blame either ...
  
  RonB
  
  --
  It is human nature to take shortcuts in thinking.
3. Re:Fixed it for ya! by bberens · 2007-05-08 02:42 · Score: 4, Insightful
  
  Yes, because I'd much rather push my bank password through several other user's machines than to have my ISP route directly to the site. Tor is for anonymity, not data security.
  
  --
  Check out my lame java blog at www.javachopshop.com
4. Re:Fixed it for ya! by Anonymous Coward · 2007-05-08 03:30 · Score: 4, Insightful
  
  If Apache made 70% of the webservers in the world, they would also likely be the most hacked webserver in the world ... Oh wait -- they do make 70% of the webservers in the world. Your metaphor fails.
  
  So back to the obvious explanation: the IE team can't code for shit
5. Re:Fixed it for ya! by ewanm89 · 2007-05-08 04:23 · Score: 2, Interesting
  
  Find me a bank who uses apache? None, right how about on that uses IIS?
6. Re:Fixed it for ya! by ThinkFr33ly · 2007-05-08 05:17 · Score: 3, Informative
  
  An, indeed, they likely are the most hacked web servers in the world. IIS 6, on the other hand, appears to be extremely secure. Whether this is a factor of market share or code quality, we don't know.
  
  Apache: http://secunia.com/search/?search=Apache
  
  IIS 6: http://secunia.com/product/1438/
  
  The fact of the matter is that you do not have enough information to conclude that IE is more poorly coded that any other browser out there. You are coming to this conclusion based on assumptions, not based on facts.
7. Re:Fixed it for ya! by ad0gg · 2007-05-08 06:29 · Score: 4, Interesting
  
  Who says apache isn't the most hacked webserver? I highly doubt IIS is ever hacked, IIS6 which has been out for 4 years only has 3 exploits come out of which 2 were from components that aren't even installed by default and the exploit that is actually in IIS has a rating of "not critical". Apache on the other has 10% of its known security holes unpatched. It also has 10 fold more holes than IIS. I'd take an educated guess and say apache is hacked way more than IIS so your example fails.
  IIS security holes
  Apache Security Holes
  
  --
  Have you ever been to a turkish prison?
8. Re:Fixed it for ya! by nekokoneko · 2007-05-08 08:19 · Score: 4, Informative
  
  Mod parent down! Nice try, but your search listed the vulnerabilities for all Apache related products (httpd 1.x, httpd 2.x, Tomcat, etc), totaling 383 advisories, while listing the vulnerabilites for only a specific version of IIS (IIS 6.0), totaling 3 advisories.
  Comparing IIS 6.0 to, say, Apache 2.2, we see 3 advisories for each product. Also, the comparison fails for only comparing the number of advisories and not the severity level of each one of them. Granted, Apache 2.2 has one unpatched advisory compared to zero for IIS 6.0, but it is not nearly as clear cut and one sided as your post made it seem.
9. Re:Fixed it for ya! by ThinkFr33ly · 2007-05-08 11:46 · Score: 2, Informative
  
  Well, I gave a link to the search results for Apache, as opposed to a specific Apache version, to allow people to compare the versions they choose. How convenient that in your comparison you chose to concentrate only on Apache 2.2, which has, by far, the fewest vulnerabilities of the Apache family.
  
  To compare them somewhat accurately, one should compare IIS 6 with the version of Apache that has been out a similar amount of time, and, ideally, has a similar market share.
  
  I guess this would mean you would compare IIS 6.0 to Apache 2.0. In that case, IIS 6.0 has 3, and Apache 2.0 has 33. Furthermore, none of the IIS 6.0 issues were "critical", while at least 2 of the Apache ones were.
  
  Even this isn't really a fair comparison, since I would be that a *huge* percentage of Apache sites run Apache 1.3.x, not 2.x or 2.2.x. Apache 2.2 has been out for only about 1.5 years. (Versus 4.5 years for IIS 6.)
  
  For the IIS users base, almost everybody is running IIS 6. (And for obvious reasons... IIS 5 and earlier sucked hardcore.)
  
  The point is that the idea that IIS 6 is insecure is clearly false.
Isn't this a little old? by Hoover,L+Ron · 2007-05-08 01:27 · Score: 5, Informative

Links goes to some 2 year old blog entry.
1. Re:Isn't this a little old? by Don_dumb · 2007-05-08 01:41 · Score: 3, Informative
  
  This whole article is basically just the same two posts the same submitter (mrcaseyj) made in this article http://it.slashdot.org/article.pl?sid=07/05/07/224 7244 earlier today. Now his posts may be interesting but anyone who was actually interested in this would have seen these posts today already.
  
  --
  If this were really happening, what would you think?
Nevermind Just The Login Page by garett_spencley · 2007-05-08 01:28 · Score: 4, Insightful

The entire session should be secured. Bank account numbers, credit card numbers, transaction histories, information about billers and automatic withdraw dates etc. are easily sniffed.

Just because they can't get your password doesn't mean they can't get useful information about you. Sniffing out an online banking session could be a big jackpot for an identity thief.
Um... by 0123456 · 2007-05-08 01:30 · Score: 2, Insightful

"This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop"

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?
1. Re:Um... by Anonymous Coward · 2007-05-08 01:43 · Score: 4, Insightful
  
  Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?
  
  Why? SSL protects you from MITM attacks and provides strong encryption & authentication.
  
  That is exactly what SSL is for, to protect you from sniffers/spoofers between you and the website.
2. Re:Um... by jimicus · 2007-05-08 02:08 · Score: 5, Insightful
  
  Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?
  
  Not really - this is the whole point of SSL. If you trust both endpoints, you don't much care about what's in the middle.
  
  Now, if you'd said "anyone who logs into their bank site from a random Internet cafe PC is just asking to get owned", I'd agree. It wouldn't require a great deal of sophistication to install keyloggers on every PC. Or if you're rather more sophisticated, you could set up some sort of proxy which sets up a MITM with every HTTPS session, presenting a self-signed certificate for $BANK and configure the client PC's with the appropriate certificate from the proxy's root CA.
3. Re:Um... by Z33kPhr3k · 2007-05-08 04:03 · Score: 2, Insightful
  
  2 factor auth prevents key loggers, but you need your own pc and secure dns to keep it private on the road.
  
  BTW without secure dns, Google Apps is worthless toy for the enterprise. M$ is shaking in their boots.
Don't trust any bank that relies on credentials by bjourne · 2007-05-08 01:30 · Score: 4, Insightful

Personally, I wouldn't trust any bank whose security system relies on user supplied credentials. Any bank that does not supply its customers with an electronic hardware-based security token is not trustworthy enough to handle my savings.

--
Football Odds
1. Re:Don't trust any bank that relies on credentials by SlOrbA · 2007-05-08 01:40 · Score: 2, Insightful
  
  Man ..
  It's all software .. It's all software.
2. Re:Don't trust any bank that relies on credentials by popejeremy · 2007-05-08 02:20 · Score: 2, Interesting
  
  Hardware tokens present software cyphers, and cyphers can be spoofed.
Credit Unions by daeg · 2007-05-08 01:31 · Score: 5, Interesting

I petitioned my credit union to force SSL on the entire bank website, complete with a few dozen signers (several of them with very large accounts). Shortly after the entire website is accessible via SSL only, with any HTTP page redirecting you to the homepage (SSL). Sometimes banking with a small credit union has its advantages.

I suggest everyone do the same.
1. Re:Credit Unions by mashade · 2007-05-08 01:51 · Score: 3, Interesting
  
  USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ for example.
  
  Wachovia's site is as the article describes and only gives you https after login. I wondered about it myself and so began going to the site by manually specifying https://www.wachovia.com/ -- this works and gives you SSL for the entire browsing session. You may want to type it manually every time, though it would be nice if all banks made their sites HTTPS only.
  
  --
  Technology tips and tricks.
bank web security practices annoy by Gary+W.+Longsine · 2007-05-08 01:32 · Score: 2, Interesting

This same annoying tendency of banks has another artifact (it's probably not intentional). It typically prevents the user's password management scheme (like Keychain on Mac OS X and analogous 3rd party password managers for Windows) from working properly. Without a tool like this to support the effort, most people wind up using the same password for all their web logins, which exposes them to dramatically increased risk. (Bad guys can exploit this common human behavior by plucking username / password combinations from any arbitrary p0wn3d web site, and then testing them at all the banks.

--
If you mod me down, I shall become more powerful than you could possibly imagine.
Come on guys... by rob1980 · 2007-05-08 01:35 · Score: 5, Insightful

Published Wednesday, April 20, 2005 6:44 PM by ieblog

Two thousand and five.
What me worry by packetmon · 2007-05-08 01:41 · Score: 4, Interesting

Why should I really worry about security anyway they've either thrown away my information in a dumpster or were compromised...

Scott Trade
Verizon
Bank of America
Choicepoint
Mastercard
AT&T
Department of Edumacashun
Chase

--
Infiltrated dot Net
Great article, but by reezle · 2007-05-08 01:49 · Score: 2, Insightful

Great article, but WHICH BANKS are the problem?
I'd love to complain to my bank if it is guilty of these lapses, but how would I know?
Re:Cringe by LighterShadeOfBlack · 2007-05-08 02:01 · Score: 3, Insightful

I cringe a little whenever I visit a bank or CC site ans see .asp or .aspx at the end of the URL. Why, are you afraid of snakes?

They're just file extensions buddy, they can't hurt you.

--
Spelling mistakes, grammatical errors, and stupid comments are intentional.
One word answer: mattress by Anonymous Coward · 2007-05-08 02:02 · Score: 3, Funny

Just put your money in your mattress and avoid all those newfangled bank things.
Re:Low tech banks by Sobrique · 2007-05-08 02:06 · Score: 2, Insightful

Big banks have the tools and means, but also a whole wall of 'change control' that requires you to explain in detail why, exactly, you think the way they're doing it is moronic, and to assess it's impact exhaustively alongside the relative costing of project to redesign and implement a solution.
Security is expensive. by Anonymous Coward · 2007-05-08 02:14 · Score: 2, Insightful

I have worked with computer programmers who think they know how to write secure software, but don't. They know maybe one or two basic principles, and think they have it all figured out. I call this the "well no one told me" phenomenon.

Not every IT professional wants to spend lots of his free time researching the latest means of breaking into something, and defending against the break-in. So a lot of people just don't go out of their way to find out if they really know enough to write secure software...it is easer to assume that one's current knowledge is sufficient and to let one's employer take the heat when something surprising comes up.

Furthermore, employers don't like sending their employees off to training which ultimately will not increase their bottom line, and which may not even turn out to be necessary at all (after all, he DOES believe he can write secure software...). Worse yet, employers don't want to hire people to try to hack into their site, seeing as how that costs a lot of money and time too, and there is no guarantee that the third party actually tried hard.

The end result is quite predictable: insecurity all around.
Mother's Maiden Name by giafly · 2007-05-08 02:46 · Score: 3, Insightful
HTTPS is the least of my worries. I'm more concerned that banks
1. Use insecure information such as mother's maiden name as proof of id
2. Phone me with account questions, and ask me to prove my ID, but are incapable of proving their ID
3. Send my credit cards and PINs using normal post
4. Don't tell me when they have done "3)" so I won't notice if the letters fail to arrive.
5. Don't give me the choice of turning off Internet access to my account
--
Reduce, reuse, cycle
Banks have a much bigger problem by cdn-programmer · 2007-05-08 04:44 · Score: 2, Interesting

Banks have a much bigger problem than this. With the amount of spyware out there and the almost total lack of understanding of what vulnerabilities this exposes, probably more than 1/3 of the passwords and account details are known by Black Hats.

There are many ways to slip money out of accounts it isn't funny.

Trading accounts:

Create a series of bad trade orders. Offset these with legitimate trade orders in legitimate accounts. There are many thinly traded companies where it is easy to figure out who has the buy order and who has the sell order. All one has to do on a thinly traded company for instance is place a lowball buy order and have the victim's account buy shares at whatever price and then sell them into the lowball. This can be triggered from instance by a stop loss order. Once the shares are owned they can then be sold to another victim.

Chequing accounts: Create fraudulent transactions by paying for goods not ordered. These goods can even be shipped to create a semblance of legitimacy. By the time any of these goods arrive and the transactions are noticed the perpetrators are long gone with their loot.

Its quite easy to create a series of dummy companies to accomplish this. Of course, since this is e-commerce one would obtain valid certificates ahead of time.

This is one reason that secure communications offer limited protection. A felon in Jail can always get his lawyer to register a corporation for him and these are legitimate corporations. Its just they are run by crooks. But then Enron was run by crooks too it would seem. In fact, there are a HUGE number of companies run by crooks. Lots of people invest in them.
I'm in the bank business by JustAnotherReader · 2007-05-08 05:10 · Score: 2, Interesting
I've spent nearly a decade as a developer for a major California bank. I can't imagine that the SEC would allow any bank website to NOT use SSL. That's the most basic layer of security. But just to let you folks know that your data is safe, here are a few of the other things we do to keep your money and data safe from harm:
- We also ask for your zip code and make sure it matches the user info we have on file.
- We log the IP address you came from and the time. We do this for several reasons. The most common is that if we see 3 bad log in attempts in a row we lock your account. If we see several locked accounts spawning from the same IP address then we may have someone attempting to hack passwords. If that happens emails are automatically sent and pagers start going off. We notify our security people at once when that happens.
- The password you enter is encrypted in our database via a public private key encryption. But we never generated the private key. We can tell if your password, when passed through the public key, matches what we have in our database. But we can't tell you what your password actually is. Even we don't know. That way if somebody ever gets into our database they can't use the password information.
- We don't allow html or javascript in a user name, password field, account name or anywhere else that the user can enter data. We don't want a simple page display to run a rogue script.
- We have a tremendous amount of safeguards to protect your account information from attacks from inside the bank, behind the firewall. Access to different apps are limit to certain staff via LDAP. All data changes create a record of the change with data on who changed it, what application was used to change it and who was logged into that app at the time. Every bank employee from the managers to the bank tellers is fingerprinted and goes through an FBI background check. Access to data is limited to those who need access to do their jobs. Physical access to the servers is severely limited to a select few.
- The entire server and database infrastructure of the bank is duplicated in a 2nd location hundreds of miles away from the main servers. This database is being updated in real time so if any attack (whether a hack attack or a physical attack) brings down the system we do an immediate fail over to the backup system. This fail over and fail back system is tested regularly. I've been to that location. The servers are underground in a building with thick walls and no windows.
These really are just a few of the many many things we do to protect your data. In fact, I deleted 2 of the list items that I originally wrote about because I didn't want to give away any information that could be useful to a potential crook.
We take security very seriously for two main reasons. First, we're liable for any losses you have due to a security breach. But more importantly, we can't afford to lose the faith of our customers. If they don't trust us they'll take their money somewhere else. The actual financial loss from an attack on our system would be minor compared to the loss of trust from our customers.