Slashdot Mirror


User: spinux

spinux's activity in the archive.

Stories
0
Comments
1
First seen
Last seen
Profile

Comments · 1

  1. Current Online Banking Systems Are A Joke on Online Bank Security: Cover Your Assets! · Score: 1

    I work for a security firm that specializes in providing penetration testing services to financial institutions. In the last year I have seen a few dozen different e-banking applications and cracked almost all of them. The most common setup is a poorly written app running on an insecure NT system. In the rare case that the company is using a non-Microsoft OS, the CGIs usually suffer from buffer overflows and the machines themselves are rarely locked down. People don't seem to realize that firewalls are designed to block access; the minute you allow connections to your web server, and connections from your web server to your mainframe backend, the firewall is already out of the picture. Considering the sheer number of ways to crack a machine through the web, whether it's IIS, Netscape, or Apache, you would think more content filters would be in place for incoming traffic. If you think that internet security is bad enough, the internal networks of most of these institutions are enough to make a network admin vomit. What makes it even worse than the online banking is that there are usually dozens of modems attached directly to the mainframes and internal servers. Most of these internal machines have horrible passwords (if any at all). Just by calling a bank's phone range you can usually gain access to the financial processing system. Since these backend systems are rarely upgraded (the vendors of the financial software won't support any newer OS versions or patches), gaining root or admin access as a normal user is trivial. Before you go stashing all your cash in a safe and sleeping with a gun under your pillow, remember that these institutions are INSURED. Slowly but surely they will all come up to speed, due to mandatory audits being required by organizations such as the NCUA, CUNA, and the OCC. -spinux http://www.digitaloffense.net