Slashdot Mirror


Memory Gaffe Leaves Aussie Bank Accounts Open To Theft

mask.of.sanity writes "A researcher has found flaws in the way major Australian banks handle customer login credentials which could allow the details to be siphoned off by malware. He built proof of concept malware to pull unencrypted passwords, account numbers and access credentials from volatile memory of popular web browsers every two hours."

3 of 69 comments

  1. Careful Reporting These by Anonymous Coward · Score: 5, Informative

    In the 80s, my comp sci partner and I discovered a similar case at Acadia University. We reported it to the head of the computer center. He told us it wouldn't work, it couldn't be done. I left that meeting feeling betrayed. My partner decided to write a proof of concept. He was successful and, to prove it, logged in as the main admin account. Days later he decided to try it again to see if they still hadn't fixed it or changed the password. They were waiting. He was expelled from Acadia. He was a brilliant honors student.

    It's worse these days. They will charge you for cybercrimes, or treason, and sentence you to decades in prison. Or hold you without trial. Be careful when you do the right thing and report these. Just report them, don't "proof of concept" or you could be charged. It's unfair and immoral, but it's what they'll do to you, mostly out of their own shame and embarrassment.

  2. Already running? by Anonymous Coward · Score: 5, Insightful

    You have to be infected first for your credentials to be stolen? Couldn't the hacker just have installed a keylogger?

    If you can't trust the machine, don't put your sensitive data on the thing.

    1. Re:Already running? by You're+All+Wrong · Score: 5, Insightful

      So you're saying that if you log in from a new infected machine, your bank obliges you to leak sensitive security information to the keylogger that's been installed there?

      Congratulations for feeling all warm and fuzzy from your bank's security measures whilst gaining very little actual security against real threats - that's what they were hoping you'd feel, you're a good customer.

      *One time* passwords are the *only* thing that *can't* be re-used. By definition. If your bank does not use them, get a new bank.

      --
      Your head of state is a corrupt weasel, I hope you're happy.