Slashdot Mirror


Memory Gaffe Leaves Aussie Bank Accounts Open To Theft

mask.of.sanity writes "A researcher has found flaws in the way major Australian banks handle customer login credentials which could allow the details to be siphoned off by malware. He built proof of concept malware to pull unencrypted passwords, account numbers and access credentials from volatile memory of popular web browsers every two hours."

18 of 69 comments

  1. Careful Reporting These by Anonymous Coward · · Score: 5, Informative

    In the 80s, my comp sci partner and I discovered a similar case at Acadia University. We reported it to the head of the computer center. He told us it wouldn't work, it couldn't be done. I left that meeting feeling betrayed. My partner decided to write a proof of concept. He was successful and to prove it logged in as the main admin account. Days later he decided to try it again to see if they still hadn't fixed it or changed the password. They were waiting. He was expelled from Acadia. He was a brilliant honors student.

    It's worse these days. They will charge you for cybercrimes, or treason, and sentence you to decades in prison. Or hold you without trial. Be careful when you do the right thing and report these. Just report them, don't "proof of concept" or you could be charged. It's unfair and immoral but it's what they'll do to you, mostly out of their own shame and embarrassment.

    1. Re:Careful Reporting These by darkfeline · · Score: 4, Insightful

      I hear about these kinds of things all the time. It's utter bullshit; they're literally making it more appealing for people to anonymously sell these exploits on the black market. "No, we don't want to know if our software has an exploit. If you've found one, go ahead and sell it to whoever you want, as long as we don't know, it's cool, we can keep deluding ourselves, thanks."

      It reminds me of, among other counterproductive measures, media conglomerates pushing oppressive DRM on consumers as if to drive them toward piracy or forcing drug addicts to carry their criminal status with them as if to force them back toward poverty and drug abuse. If an alien race were to monitor us, they'd probably assume we're running some sort of elaborate self-extermination campaign.

  2. and now he be researching the side of jail down un by Joe_Dragon · · Score: 2

    and now he can be researching the inside of jail down under, hands on.

  3. Already running? by Anonymous Coward · · Score: 5, Insightful

    You have to be infected first for your credentials to be stolen? Couldn't the hacker just have installed a key logger?

    If you can't trust the machine, don't put your sensitive data on the thing.

    1. Re:Already running? by slashmydots · · Score: 2

      And yet regardless, he's not getting in. If I so much as log into my online banking from another computer let alone another state or country, I have to enter multiple security question answers as well. Almost every bank does it that way. If yours doesn't, get a new bank.

    2. Re:Already running? by You're All Wrong · · Score: 5, Insightful

      So you're saying that if you log in from a new infected machine, your bank obliges you to leak sensitive security information to the keylogger that's been installed there?

      Congratulations for feeling all warm and fuzzy from your bank's security measures whilst gaining very little actual security against real threats - that's what they were hoping you'd feel, you're a good customer.

      *One time* passwords are the *only* thing that *can't* be re-used. By definition. If your bank does not use them, get a new bank.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
  4. How bloody embarrassing! by beaverdownunder · · Score: 4, Informative

    Aussie IT is a bit Mickey Mouse all around, sadly -- especially in the banks, oddly (you'd expect a higher standard where billions of dollars are concerned, but no...)

    As for the researcher, they didn't actually 'hack' into anything, merely scraped their own computer for data, so I wouldn't expect them to face any problems over revealing the exploit. Probably hasn't won them any friends in the banking sector though...

    1. Re:How bloody embarrassing! by bloodhawk · · Score: 4, Insightful

      While this isn't exactly shining a pleasant light on the quality of the banks' code, it is still very much a storm in a teacup. If you have access to scrape the memory of the computer then you could have gotten access to credentials in a far simpler way, such as keylogging. The simple fact is if you can't trust the machine you are using you're already boned and no amount of secure coding from the bank is going to save you. Besides which, I believe most of those banks (if not all) do 2 factor auth to transfer funds to accounts you haven't previously transferred to (at least the 2 of them I use do).

  5. Wait, so your machine is already compromised? by complete loony · · Score: 3, Insightful

    So he's running malware that's sniffing your browser's memory? If your machine is already compromised, there are easier ways to get access to login credentials.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  6. Re:and now he be researching the side of jail down by Frobnicator · · Score: 4, Insightful

    Sadly, he probably will.

    Financial institutions want to keep their vulnerabilities quiet. People who shout them to the world face lawsuits.

    If you are smart enough to discover a major exploit, also be smart in how you notify them. There are many great security companies who work as middle-men to help submit the bugs to the corporations and at an appropriate time make the information public so it gets fixed.

    Going through a security company is free, and means you won't get the big splash on news sites or all the public attention, but it also means you can generally avoid hiring a lawyer, or worse, having the cops knock at your door with warrants.

    --
    //TODO: Think of witty sig statement
  7. My bank doesn't seem vulnerable by jonwil · · Score: 4, Interesting

    My bank uses POST in the login form which means that sniffing memory for URLs (which is what this malware seems to do) won't get you a login.
    Plus, in order to actually transfer money to someone you haven't transferred money to before you have to input a second password.

    The biggest failing of the bank in question is that it has a 10 char maximum on passwords for some stupid reason.

    1. Re:My bank doesn't seem vulnerable by chrismcb · · Score: 2

      The biggest failing of the bank in question is that it has a 10 char maximum on passwords for some stupid reason.

      I've always assumed that anyone that limits the password to an arbitrarily small number, or limits what characters you can use, does so because of incompetence. And so it makes me wonder what other security vulnerabilities there are.

    2. Re:My bank doesn't seem vulnerable by DarkOx · · Score: 2

      I agree it's a major red flag. Yes, there needs to be some limit; you don't ever want to take user input of undefined maximum length, but in the case of passwords a sane max is something like 255 bytes, which might be a bit shorter than 255 chars if you are running UTF-8, and is probably still enough if you need to use a two-byte character encoding.

      When you see lengths like 8 or 10 it leads one to assume passwords are probably being stored insecurely; after all, if they were hashing passwords like they should be, the final storage requirement would not depend on the size of the original password string.

      It's like hanging out a sign: "Hey pen testers, compromise this box, a good password list to try on everything else can be found here!"

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:My bank doesn't seem vulnerable by WD · · Score: 2

      You're joking, right? Please tell me that you don't think you're protected from banking malware because your bank uses POST instead of GET.
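
The DarkOx reply above makes two concrete claims: a password cap should be counted in bytes (around 255) rather than characters, and a hashed password costs the same to store whatever its length, so a tiny cap hints at plaintext or reversible storage. The block below is an added example, not code from the page or from any bank discussed, showing both: a byte-counted length check and a salted PBKDF2-HMAC-SHA256 hash whose stored form is always 48 bytes. The cap, salt size, iteration count and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 255   # assumed cap, counted in UTF-8 bytes as the comment suggests
SALT_LEN = 16
KEY_LEN = 32
ITERATIONS = 600_000       # assumed work factor for PBKDF2-HMAC-SHA256


def check_length(password: str) -> tuple:
    """Return (characters, utf8_bytes, accepted). The byte count is what a
    storage column or a C buffer actually sees; a multibyte password can be
    far longer in bytes than in characters."""
    raw = password.encode("utf-8")
    return len(password), len(raw), len(raw) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Return salt || derived key. The result is SALT_LEN + KEY_LEN bytes
    no matter how long the input was, which is why a hashed store has no
    reason to cap passwords at 8 or 10 characters."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_LEN)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    ITERATIONS, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, key)


def storage_sizes() -> tuple:
    """Stored length for a 7-character and a 200-character password.
    Both come out as 48 bytes."""
    return len(hash_password("hunter2")), len(hash_password("x" * 200))


if __name__ == "__main__":
    print(check_length("hunter2"))      # (7, 7, True)
    print(check_length("\u00fc" * 200))  # 200 chars but 400 bytes: rejected
    print(storage_sizes())              # (48, 48)
```

The byte-counted check is deliberately applied before hashing: PBKDF2 itself will happily consume megabytes, so the cap exists to bound request size and CPU time, not to fit the password into a column.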

  8. horses and barns by stenvar · · Score: 3, Informative

    If malware has access to the RAM of another process, the horse has left the barn.

    1. Re: horses and barns by starsky51 · · Score: 2

      And if the user is gullible enough to run any exe that they come across, then the sheep is sitting too close to the barbecue.

      --
      There are 2 types of people in this world. Those who understand ternary and those who don't.
  9. I'm starting to be sick by trifish · · Score: 4, Insightful

    I am really starting to be sick of these "security researchers" who don't know that the 1st law of computer security is:

    If malware is running on your computer, it is not your computer anymore.

    It follows that no matter what you do, malware will win. Discovering that malware can "siphon" memory is really... uh, groundbreaking.

    What makes me even more sick is the incredible amount of various BlackHat "security conferences" and supposedly geek-oriented media like Slashdot that let those people present these kinds of "discoveries" as legitimate, notable, noteworthy, important and new.

    I am really, really, sick of you.

  10. Re:and now he be researching the side of jail down by FireFury03 · · Score: 4, Insightful

    Not really a bank's fault though - why is the browser hanging on to POSTed data after it's been POSTed??

    So that when you hit refresh on the page, the browser can pop up its usual "you'll need to repost to refresh this page, are you sure?" and do the repost if you tell it to.