Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Internet Banking Security Hole 121

A reader writes: "The Observer newspaper (the Sunday edition of The Guardian) in the UK is reporting what looks like a major security problem with Internet bank accounts run by Fiserv. The U.S. company says it runs more than 200 million accounts on-line, looking after more than £15bn of customers' money. The guy who discovered the problem, Ralph Dressel, showed The Observer three sample printouts giving account details of customers at the Amalgamated Bank of Chicago, the Bank of Oklahoma and the Sovereign Bank in Connecticut. As well as seeing account details, Dressel claims he could have changed PIN numbers or transferred money to his own account."
This discussion has been archived. No new comments can be posted.

Internet Banking Security Hole

Comments Filter:
  • This might be news to you, but some people actually have limits to their cynicism and prefer to give others benefit of the doubt. Also, the firm will probably not press charges against him for informing them of their security hole, compared with the fraud case that would have followed if he ripped off $100 million.

    Tell me what makes you so afraid
    Of all those people you say you hate

  • The insecurity here resides on the bank's server machines. This British lad apparently found some way to do a html get command and retrieve a list of passwords for the server. Basically, their database was wide open.

    But I do agree with you that even after the banks clean up their security loopholes there still needs to be some second factor authentication (big buzz word there) like a smart card reader.

    Since most online banking takes place from the home, it would be cool if the banks could use GPS (global positioning system) to verify the users location (they are at home or at their office) before allowing any transactions to take place. Simply attach a GPS sensor to the client's machine and send some of the raw GPS data to the bank for authentication in conjunction with the username and password.


    -----------------

  • The U.S. company says it runs more than 200 million accounts on-line, looking after more than £15bn of customers' money.

    Wait a minute here... divide the number of users into the money that's only an average of $75 per user. Apparently no one trusted these guys BEFORE the hole was discovered, nevermind after.
    -----
  • In the banking case, yes, I agree. Companies can't be trusted to publicly admit to their own weakness (see also: Firestone tire debacle).

    I guess my analogy was not completely on target, then, because I was thinking of the security "tests" on things that people have no business testing. I often leave my car unlocked, windows rolled down when I go get groceries, and even when parked in front of my apt. These locations are fairly safe and there's nothing of value in the car. And if someone really wants to steal my car, a locked door won't stop them. So I don't need someone trying my car doors and telling me it's unlocked. Likewise, I don't necessarily want someone checking the "doors" of my website.

    But getting back to your point; if my website was "Password.com: Keeper of your Vital Info", then perhaps it would be in public's best interest for people to try and (non-maliciously) break in.
    -----
    D. Fischer
  • by Anonymous Coward

    I disagree. I've worked for a few banks, in some cases with direct responsibility for security. Let me tell you honestly:

    It's a fucking joke!

    Most places don't even bother with such rudimentary tools such as ssh to protect logins and passwords. At once place, I recommended that we implement ssh and no one knew what it was! Finally after months and months, it was approved for a few systems only, but other holes in the systems weren't fixed.

    Often systems are put in production with all default services running because "the firewall will take care of that." Usually, they're never patched (or maybe once during the big Y2K scare.) The coding of online applications is usually pathetic with default passwords, no input checking, etc.

    These companies need a wake-up call badly. Lots of bad publicity is a good start. I think it would actually be good if a few grey hats ripped some of these banks off for a few hundred million (not from customer accounts) and explained why they did it.

    There should be some sort of government or other standard that the banks must adhere to, perhaps required simply to operate. If they screw up, they should be fined, and this can be used to pay down the debt, or social programs or something.

    What we need is an open infrastructure supporting real anonymous e-cash. Once we have this the banks will all be out of business.

  • I always thought the whole PIN number thing was a huge security issue anyway. It seems far more insecure than an English word password (there are less options -- 9 digits on a keypad or 26 letter in an alphabet). Also, most people don't go past 4 numbers for their PIN, even if they have the option. It would be pretty easy to use a heat spectrometer to analyse what PIN it is immediately after they've been pushed -- or better yet, look over the person's shoulder if you're in the vicinity.

    Okay here are the problems with that: I used to have a 10 digit pin number - out of a possible 14. I travel quite often, and in Germany three years ago I had my ATM card eaten because the machine would not accept my pin number (only had room for a six digit number).
    The other problem with A-Z is that you are assuming that English words == French words == Japanese words == etc.
    My friend had this problem when he had to translate his pin word from English to French only to have it be rejected.
    In both cases the solution was the same, a four digit pin number.

  • Good detective skills, but... The URL to login to these places also has an .exe file extension in it - not unheard of, but seems more Windows-ish. The header info could simply be meant to throw casual hackers off the scent. We will probably never know, unless someone at site-secure.com actually spills the beans.
  • Did anybody notice that, if those figures jibe, we deal with a very cheap bank.

    C'mon, 200 000 000 accounts, 15 billion in managed assets. That's about 75$ per account.

    Doesn't look as if I'd buy shares from those bozos.

  • Not having done so for a while, i'm not sure, but i'm fairly willing to bet that if you went in and left a cash deposit for the car you were renting, you could take it off the lot without leaving a credit card. Likewise, you might even be able to do it if you leave a deposit equivalent to the insurance deductable on the car. The rental agencies just don't want to be giving new cars out to people in exchange for $200 (a 3 or 4 day rental fee).

    Cash isnt' useless...
  • If they were stupid enough to use Micorosft products for secure transactions, they deserve to be cracked.

    After all the thousands of breeches in MS security, it seems that the business community would get a clue.

  • I accept your point. Large companies do tend to behave like that. However, this was a German citizen, working for a Scandinavian/European bank in the Isle of Man. The Isle of Man has it's own legal system, separate from English law. I'm pretty sure that (although it is part of Great Britain) it is not part of the EU. I don't think this chap had much to fear from an American corporation.
  • Okay, yes, I'll admit that gold really has nothing to do with it :).

    Still, my other points I think stand. In order for digital money to have value, someone has to give it value, be that the US government or somebody else. Frankly, I don't see how it would be possible to make that possible unless that authority controlled it entirely (i.e. you would have an "account" with them).

  • Having played with the Cybercash MCK, they have(had?) a little issue as well.

    Go on, do a search for +link:mck-cgi on altavista. Follow a link. eg:

    http://www.madamealexander.com /special/get_copy.html [madamealexander.com]

    Buy something and proceed to secure form.

    Change URL to http://www.whatever.com/mck-cgi/conf/merchant_conf

    If they web designer is a little careless, you'll see something like this [madamealexander.com]. If you know what you're doing, you can now play around with the user's merchant credit card account.

    Note: I'm not just explaining this maliciously. I detailed this issue to Cybercash 6 months ago (twice) and they didn't even bother replying (a 'thank you' would have sufficed). Perhaps now this is in the open they'll deal with it? All they had to do was change their install program to ensure this data doesn't appear in the public domain.

    <sigh>

  • If you write $5000 down in the place where the bank checks when your check is cashed, you have 5000 'real' dollars. (Incidentally, as any introductory economics class will tell you, money is a collective illusion we all participate in because it's much more conventient than barter.)

    -_Quinn
  • You missed the analogy.

    Your aging rustbucket is your car. It doesn't have anything to do with hundreds or thousands of other people. The analogy would not be to putting a note on your dashboard (and I would argue it's actually a note on their window, but whatever), but rather would be to contacting the manufacturer of the car.

    Really, though, the critical thing is that the analogy between a car and a banking database does not work. A car is an individually owned product. A banking database is a service to thousands if not millions of people. A carjacking affects one person. The cracking of a computer database could affect millions.

    I'll leave it to someone else to figure out an appropriate analogy. I'm too tired.

    Jeff

  • To some extent, I agree with you, save for one point. In this particular instance, I personally would have done the same thing.

    I think when the security problem is on something like online banking (where a great many people can be screwed thoroughly), more exposure is better. Send this info to everyplace that'll broadcast it for you. It's the only way that businesses and the government will see that security is a very real issue.

    Quietly allowing a bank to fix patches like this obscures something very important from the general populus...online banking isn't safe yet, and should DEFINATELY be regulated.

    I truly don't believe this particular person falls into your over-generalized 'leed kiddie' catagory, I call him civic-minded with his own political agenda.

  • I'm the programmer your mother warned you about!


    Evidently so. After all, it's not like someone could send whatever data they liked.


    There are two solutions, the easiest being to avoid storing plaintext passwords since you have absolutely no need to do so. This has been recognized as a good idea for something like 30 years...


    A more complex but significantly more secure approach would be the use of a smart card card which would perform some sort of operation on a challenge sent by the bank and send back the result. Unfortunately, smart-cards aren't invulvnerable to attacks but a reasonably hardened system would be much more secure than the current approaches. Since companies like Visa manage to be quite profitable even with comparatively high theft rates, something like this should be quite acceptable.

  • "This is perhaps the equivalent of opening someone's unlocked car door to turn off their lights. Or perhaps, it's like picking their lock to get in and turn off the lights."

    What about reaching under the car to find the magnetic spare-key holder, unlocking the door, and turning off the lights?

  • Money is never worthless. Currency often is.
  • You question that FiServ is using Microsoft products. I give a link that gives evidence that they *do* in fact use a Microsoft setup. You rant for a paragraph about how terrible I am for bashing Microsoft.

    I don't know if this particuar hole is Microsoft related or not. It probably isn't. FiServ *does* make significant use of Microsoft products in their banking setup. Finantial systems should be as secure as possible. Microsoft software is not optimal for security. FiServ deserves to be picked on for their insecurity. Microsoft software, even if unrelated to this particular security flaw, *is* being used by them, and *is* known for it's insecurity, so they *should* be flamed for using it.

  • by pesc ( 147035 ) on Sunday September 24, 2000 @06:25AM (#758028)
    ...since they all let the customer's PCs do the banking. If you manage to install a trojan in the PC, it can empty the account (or do other malicious stuff). The trojan can get the PIN codes or encryption keys stored on the PC, listen to keystrokes, display its own dialogs, perform man-in-the-middle attacks or whatever.

    If you think about it, attaching a smartcard reader to the PC will not help.

    The only way to deal with this threat is to attach a non-user-programmable smartcard with its own protected user-interface.

  • Here is an interesting article on security methods, from a user-interface design perspective. Maximum Security [asktog.com]

    Here's a quote to whet your appetite:
    Security in our nation's computer systems is in trouble, and the fault lies with an education system turning out security people unprepared to build real-world secure systems. As a result, many of our most secure-appearing systems sport all the impenetrability of a slice of Swiss Cheese.

    (BTW: I recommend looking through AskTog [asktog.com] and Alertbox [useit.com] if you deal at all with interface design, or want to know why today's interfaces suck so much sometimes :)
    -----
    D. Fischer
  • There's an agreement? By whom?

    Oops. When I originally posted, other /.ers had already found fault the idea of an external auditing group, and I hadn't taken into account that as the threads expanded, those posts would be obscured.

    In short, I meant that since there was agreement by other readers, there was no point rehashing discussing why it would or would not be good to have an external audit.

    The 2 big points I liked from other posts were on this were 1) Too much liability for auditor. and 2) Govt.'s ineffectiveness (inability to move/change quickly, regulations, being out of touch with new tech, etc.) would make them an unreliable 'guarantee'.

  • Just a thought... if you have fib[n]=.... shouldn't you have a 'n' somewhere in the expression?
  • i'm fairly willing to bet that if you went in and left a cash deposit for the car you were renting, you could take it off the lot without leaving a credit card.
    This is a common misconception, and is not true. Don't take my word for it, call some rental companies... They require that the person renting the car have 'a major credit card' and a valid drivers license. If you find a find an auto rental company that does not follow this policy, please post.

    They get around the "all debts public and private" arguement by requiring that you have the card before they will rent you the car; they allege that you can use cash to pay the debt once you have the car and have used it, but you won't get it off the lot without they see your credit card. Has to be in the drivers name, too. No third party cards. Don't know how they handle that for corporate...

    Fwiw, I know 1st-hand this policy was not in place a few years ago, but it is now. Note that I cannot speak for regional or local rental companies...


    0x0000

  • I demand that the bank gives him the award of... one million dollars!

    Choas would ensue.

    Cute. :-) Seriously, though... There's agreement that a paid auditor group (esp. govt. controlled) would be foolish. If you also believe forcing banks to reward the finding holes, why not require (for consumer protection) that all sites dealing with financial data to hold cracking contents before offering their services?

    Shoot, if business holds contests to crack water marks on new music formats, why not *make* business do the same for the sort of protection consumers actively desire?

  • the problem isn't just Fiserv, it is the terrible software they chose to runGarbage in Garbage out [yahoo.com]

    Best send them links to openBSD.
  • Your figures are wrong. That should be £75. For us americans, that would equal a little over 50 dollars.
  • I don't know about American banks, but if it had been exploited against a British bank they would probably have pursued a fraud case against the person whose savings were stolen; that's what they did when someone claimed that a crook had been withdrawing money from their account with a forged ATM card a couple of years ago, since banks would never, ever, ever have a security flaw in their systems.

    In America, our banking regulations require that a bank, upon notification of an unauthorized electronic transfer, provisionally credit the customer's account within 10 days, and conduct an investigation within 45 days, presumably to see if the individual is defrauding them. However, the law is clear that the bank is liable for any unauthorized transfer that they allow.

  • Where is any of this did it say MS products were to blame? Granted, I will agree with you that MS is widely used and frequently the people using it rarely do more than install it with its defaults - but just to jump in and post something saying like "MS sucks" or or what you said is childish - do you even know how to break into a MS site? I doubt it - there a whole bunch of people on this site that routinely go on about how easy it is to break into an MS site, but couldn't even so it themselves. Please either post something useful or just shut up and quit wasting space.
    ------------------------------------------ --------
  • US Cash - always good, always accepted, almost always works in soda machines.
    One instance where cash (US or otherwise) is worthless: Automobile rentail. 'A major credit card' is a requirement... They like to get rude about it, too.
    0x0000
  • What do you maen "real". Digital Money will just be made so it's difficult to forge. It won't be backed by anything else . Just like now it's 'hard' to print fake money and you can also goto jail for years if found guilty. But if you do print a perfect forgerie then it's money and noone would be the wiser. Our money system is based on the idea it's worth something. Also on the intrest rates at which banks borrow from the federal reserve. So really digital money will be the same, we will have safeguard measures so it's hard to fake and severe punishments if caught. Look at Check Cards those really are digital money...

    Brian Peace

  • Well, yes, thirty years ago that was true. But these days billion in the UK means the same as billion here. So it's back to $113.
  • In the current climate, poor security, insurance, and off-loading finding the criminals on overworked police is going to be cheaper for many E-commerce sites than hiring the right people to implement good security procedures.

    Economics comes to the rescue: we should force companies to take full responsibility for the losses and the suffering that their carelessness causes others. Any company that exposes private data should be penalized, whether or not any losses are actually incurred by an individual. And if that company becomes target of a computer crime, they should not be able to hide behind someone else's guilt: they should be subject to stiff penalties. That way, poor security is not going to be the most rational economic choice for a company.

    Going after the "computer criminals" is not going to be a solution. The current approach is only effective at catching bragging teenagers and allowing companies to shut up white-hat hackers; it won't catch anybody who is really determined to do damage and hide their identity: there are too many ways of using the Internet anonymously, from trial dial-up accounts and public phones to public Internet terminals. It has no force as a deterrent.

    The only way consumer confidence can be created is by holding the people who can do something meaningful about security, the Internet companies who hold private data, responsible.

  • A more paranoid person might be worried about the following scenario: She discovers a flaw in her bank's system. She notifies the bank. The bank decides the easiest way to nullify this new threat is to silence her. She is charged with things she did in order to discover the flaw (regardless of whether those things are actually illegal) and a gag order [slashdot.org] prohibits her from discussing not only the details of the case but even the existence of the case. The public is not informed, at least not for several months and the hole remains open for much longer than it would have if the bank had been forced to close it.

    Now, I'm not saying this Dressel guy was thinking along these lines or that his bank has done anything to warrant such paranoia. I'm just saying that it is possible that a person who reports a security flaw to the press and not to the company that created it isn't doing so to be 'leet.
    --

  • by zelyan ( 222028 ) on Sunday September 24, 2000 @08:30AM (#758043)
    The problem with your analogy is that I don't use your car. With a computer system, especially a high-profile system like a bank or (and these are even less secure) a medical system, LOTS of people use it.

    So the analogy that works is not going around a parking lot determining if cars are unlocked, but rather checking car types to determine if the locks are enough to hold against, say, another car's key. And cars whose locks can be opened by other cars' keys (or cars whose doors open when their locks are engaged!) should not be allowed out there.

    Jeff

  • With all due respect, I disagree.

    You're correct as far as the "conventional wisdom" goes, of course. Inform privately, blah-blah-blah. But considering that many (perhaps "most") companies who are so informed will prosecute you for hacking into their machines, and you will go to jail for many years, I would suggest that a public announcement is the best way to start. You want to take the public initiative, portray your actions in the best light available, and you want to do it preemptively. If the company is the one firing the initial public salvo, you're going to jail for many years.

    What? The above post is written as if the company is your enemy rather than your ally? Yes. Because they are. It's almost certainly much cheaper to tip off the FBI about your evil hacking ways than it would be to fix the security breach. So that's the option they're going to consider first.
    --
    Michael Sims-michael at slashdot.org
  • Heh. I spouted what I believe to be the correct way to handle this. Three people (so far) have disagreed *for the same basic reason*. I find it worrying that corporations have this much perceived power. That's why I support This organisation. [eff.org]

    However, If a bank *did* gag someone, and were subsequently raided, the shareholders (usually large corporations themselves) would be round with the highly-trained, half-starved RottLawyers faster than you can say 'Fiduciary Duty'. Or, at least, that's how I hope it works.
  • by ledbetter ( 179623 ) on Sunday September 24, 2000 @09:49AM (#758046) Homepage
    Every time there is the smallest security breach in an online e-commerce related company, the news gets broadcast all over the place. However, rarely are news stories posted anywhere about more traditional financial institutions or retailers. Ok, so there have been a few credit cards exposed online. But, do you know how many fraud schemes there have been invoving physical cards, at places such as gas stations and restaurants? The amount of online fraud is so small compared to the size of traditional financial fraud. From someone who knows quite a bit about the banking industry I feel way safer about giving my credit card to amazon.com then I do to my local Gas Station!!

    It's the same think that happens with airline crashes. They may make the news every time but you've got a way higher chance of being killed every time you get in your car!

    Bottom line, when you are using a credit card online, yes you have to be careful, but believe me, you better be way more careful using it offline!
  • Seems really strange that a bank would have just a single PIN to 'protect' customer accounts (Well, E*Trade has...) Our local banks use either PIN code list or a combination of usercode/password and PIN code list. List is needed whenever you what to add, change or delete information. PIN codes are 4-5 digits long, sometimes associated with a 'challenge' number. Some banks will soon offer access with the Government issued identity card (smart card). If you read the Observer's news article carefully, you'll notice it never mentioned that full access was available for the accounts. Change PIN, but what if the system required old PIN first? Transfer money, but what if the PIN was again required?
  • <only-half-joking>
    Maybe they're trying to obtain security by running their Winshit software under WINE ... </only-half-joking>

    scary thought, isn't it?

  • by cyberdonny ( 46462 ) on Sunday September 24, 2000 @10:16AM (#758049)
    > and they use a smart card that is disconnected from the computer to generate 8-digit access codes, no PINs or password is stored on the computer

    Be careful here. Smart cards do not automatically mean security, and there are unfortunately many poor implementations around. And btw: if the smart card reader is disconnected from the computer, how does the encrypted data get to the web site?

    I used to work for a bank which used a smart card reader for their e-banking product. Officially, the advantage of this solution over plain https would be that even if the user's computer was compromised by a trojan or a virus, his pin and passwords were still secure. However, unfortunately, the bank was too cheap to buy smart card readers with integrated keyboards and displays. Thus, a virus or trojan would just need to grab the cleartext data stream going from the computer's keyboard to the reader, and presto! After pointing out that flaw to my boss, he just said "You're basically right. However, you should understand that the goal is not to provide actual security, but rather to give the customer an impression of security. Customers read about security problems on the internet so frequently, that it takes sth special to convince them that E-banking can be secure. However, the same customers trust the security of smart cards, most already carry several of them in their wallet (credit cards, access badges, ATM cards...). So we just capitalize on their trust in smartcards and integrate one in our solution. Even if it doesn't help security. But don't worry: nobody'll find out, after all not everybody has a PhD in cryptography..." I don't either... but I still noticed.

  • > One instance where cash (US or otherwise) is worthless: Automobile rentail. 'A major credit card' is a requirement... They like to get rude about it, too.

    Funny thing. When the local mobsters come around to collect their protection money, 'cash' is a requirement... They like to get rude about it, too.

    Since "not getting my kneecaps broken" is more convenient than "renting a car", I tentatively conclude that cash is more convenient than credit cards are.

    --
  • > I asked if she had read the article, and she had, but said it wasnt' true. I asked how she knew this, and she said because they had investigated it.

    That's when you ask her to sign a "hold harmless" agreement to the effect that you will not be held responsible for any money you extract that way. After all, they're not at risk, right?

    --
  • Rather thank taking people at their word that a ste is safe.. there needs to be paid auditor's group - similair to how the NTSB ( National Transportation Safety Board ) or the FAA regular automobiles, and air-planes.

    Now, granted a government agency is going to the ut-most greatest in catching anything at all ... it would at least provide us with an excuse to blame the government. :-)

    Seriously tho, an agency ( govermental, non-profit, even for-profit ) needs to be set up with regulatory authority to mandate passage of certain criteria before a web-site can say it's "Protected" customer data.

  • Security problems seem to keep cropping up. Does anyone know of any recent case where individuals lost their savings?

    Maybe it's time again to buy gold and bury it in the backyard :)

    Founder's Camp [founderscamp.com]

  • You're an optimist. He'll be lucky if they don't indict him for computer crimes. Breaking into their system. Accessing without authorization. Evil evil evil, bad hacker.

    It's much easier to kill the messenger, and (hopefully) quietly make fixes. Otherwise they'll have to admit that they have been grossly negligent in their security.
  • by LaNMaN2000 ( 173615 ) on Sunday September 24, 2000 @05:36AM (#758055) Homepage
    With all the talk about strengthening computer crime legislation and the penalties associated with violations, this scenario provides a perfect example of where an individual provided a service to the company in question by committing a "crime" against them.

    Ralph Dressel provided Fiserv with the results of what would have been an expensive internal controls audit for free. If this vulnerability would have remained undiscovered, a malicious party that discovered it could have stolen money or blackmailed Fiserv in the same way that the hacker who stole CDUniverse's credit card database blackmailed them.

    We should hesitate to condem these "grey hat" hackers by drafting legislations to criminalize their exploits.
  • Could you please transfer some money to me? $100M would be fine for a start. Thank you.

    Uh, yeah... sure - just give me your account info. I'll make sure it's out^H^H^H there in a hurry.

  • by yawhcihw ( 171760 ) on Sunday September 24, 2000 @05:38AM (#758057)
    This is where software/service firms need to take some responsibilty for their actions and inactions. Do you really think that if this guy had gone ahead and taken $50m or more Fiserv would have said "oops! we made a mistake, let us fix it". Nope. It would be up to the banks or end users to repair the damages to their accounts. All because some company whose job is to keep data secure failed.
  • Regulating services that have serious repocussions, if the service were to fail, are prime candidates to be regulated. Who wants to fly in an aeroplane owned by an airline who doesn't give a crap about maintaining their aircraft? No one. You can't wait for the service to fail spectacularly, and cause a lot of grief, to educate the public about which services are okay and which are dangerous. You need a preemptive agency that will find these substandard services before they fail.

    If people buy a buggy piece of software for your home PC and it fails, it won't cause as much grief as if a plane, for example, falls out of the sky. You can quite easily distinguish which services need to be regulated and which do not by how much grief they will cause the public if they fail.

    Commerce systems are in the league of services that need to be regulated. If a commerce system fails and people get hold of sensitive information, the repocussions are serious.

    It makes sense that the regulating body should be a government agency. A government agency (one would hope anyways) would be less succeptible to hidden agendas and corruption than a for profit organisation.
  • Besides the other problems that have been mentioned, GPS receivers do not work very well inside buildings. You usually have to install an external antenna on the roof of the building.
  • The problem with that is that no organization can afford to make those sort of guarantees. As soon as someone guarantees a site involving banking details is safe, they open themselves up to all sorts of liability. That in turn means that if they are wrong, then they could we be forced to cover all losses incurred from such an attack. Nemir
  • I bet this guy is going to get a medal, a plaque, and an article. That's it. When he could've had 10 mil just like that.. I demand that the bank gives him the award of... one million dollars! (Dr.Evil finger thingy... )
  • by Fervent ( 178271 ) on Sunday September 24, 2000 @05:40AM (#758062)
    Several hundred of your best customers taking their money out of your bank because their PIN numbers have been stolen? Yeah, I think that would be enough to make a manager weep.

    I always thought the whole PIN number thing was a huge security issue anyway. It seems far more insecure than an English word password (there are less options -- 9 digits on a keypad or 26 letter in an alphabet). Also, most people don't go past 4 numbers for their PIN, even if they have the option. It would be pretty easy to use a heat spectrometer to analyse what PIN it is immediately after they've been pushed -- or better yet, look over the person's shoulder if you're in the vicinity.

    I've never been a big fan of security. I think some measures people go to protecting basic servers and files can be a little too extreme. But this is your money -- your lifeblood in this day and age where $ == bread and water. I think the security is far more important here.

  • There's agreement that a paid auditor group (esp. govt. controlled) would be foolish.

    There's an agreement? By whom? If you are going to say there's an agreement, to enforce your point, you should also say who you are referring to.



  • Ralph Dressel provided Fiserv with the results of what would have been an expensive internal controls audit for free

    I can bet you that the execs at this company would have preferred the security audit at even ten times the price over this public revelation of their faulty security. In addition to the execs, I imagine the people who got pink slips over this would also have preferred the audit.



    Seth
  • Seriously tho, an agency ( govermental, non-profit, even for-profit ) needs to be set up with regulatory authority

    A for-profit group with widespread regulatory authority? That sounds like bad news to me. Just imagine if the RIAA or MPAA were given regulatory authority over electronic media distribution. Oops...My mistake...the DMCA did just that!
  • by dboyles ( 65512 ) on Sunday September 24, 2000 @05:41AM (#758066) Homepage
    Fiserv [fiserv.com] has a partnership with Security First Technologies [s1.com]. It will be interesting to watch how their stock changes tomorrow as this news gets around.

    Fiserv: NASDAQ FISV [northernlight.com]
    SFT: NASDAQ SONE [northernlight.com]
  • This is just another example of information wanting to be free. Let the money get transferred to another account, thats how it was meant to be. Under fair use clause, anyone can have money.
  • by cyber-vandal ( 148830 ) on Sunday September 24, 2000 @05:41AM (#758068) Homepage
    But I bet a lot of banks would fail rigorous checks, which is why it won't happen until lots of money is stolen and consumers will start demanding protection. After all, the DoS against the big websites a few months back got a huge amount of publicity and threats of terrible vengeance, whereas the theft and subsequent use of thousands of credit card numbers by a German hacker the week before got virtually no press. The powers-that-be are terrified that people will find out the truth about the papier-mache style security of e-commerce and will stop buying into the hype, so they're stalling as long as they can, fearing that a loss of confidence will dent the American economic 'miracle'.
  • I think an important difference is that everyone already knows that they need to lock their doors to secure their car. The banking company presumably did not know that they were insecure.
  • I used to work at a bank that utilized Fiserv for backend stuff. They have many, many different services and so on, but if the rest of the company is anything like the people I dealt with this won't be fixed any time soon. We had to file paperwork (in triplicate) to add a field to a downloaded data extract. And give them at least 30 days lead time. And then re-submit when it came back wrong, or the field was empty, or some damn thing.
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
  • by drew_ri ( 236095 ) on Sunday September 24, 2000 @08:34AM (#758071)
    I work within the eCommerce group of a bank who is a direct competitor to one of the victims, Soverign Bank. I am a systems integrator and I do much of the security work at the systems/app level on our eCommerce systems.

    I am not suprised to read what the Brit got for info (although I am suprised he got it within minutes, unless he knows the online banking backend software)

    Any bank worth doing business with will have many controls in place to ensure that financial institutions are taking the correct precautions needed to safeguard their customers. These controls include internal and FDIC audits, external attack and penetration tests against systems, and curious/nosey/tinkering staff like myself :)

    Any organization which runs an eCommerce system without contracting a highly reputed firm to do an attack/penetration test is completey crazy! (and out of FDIC compliance too) I *highly* doubt that the firms in question had taken the time to do this.

    I coordinate a/p tests within my company, and these guys we hire will try to find *anything* that is remotely considered a security hole, ranging from things like Public communites for SNMP on a router to last logged in user is displayed on console in NT.

    Beware however, I have worked with some reputed firms who sent me people who couldn't break out of a brown paper bag, let alone crash my firewall to hop thru the VLAN and into my host systems! Also another problem: many vulnerablities are never exposed during these tests, as they require doing things like dDOS attacks against firewalls, etc, and cannot be done in a feasible manner.

    Here are some of the major problems with many banks today:

    1) Shitty technology: Sometimes banks buy apps for reasons other than they work well, are secure, etc. i.e. everyone else runs it, so we need to as well (a'la M$)

    2) Time to market too aggressive: Aggressive growth, mergers, etc. dictate that we have every bell and whistle available on the systems side. This means that we end up with too much work to do in too little time. Things like proper systems design, security planning, etc. suffer because some jackass project mgr. can't fit it into his M$ project file, or the budget can't fit in a $30,000 attack/penetration test. If banks want to grow fast, they need to gear up with people and money to match!

    3) Horseshit outsource providers: I am sure that this app that was hosed by the Brit has some components outside of the actual banks that were victimized. I can tell you first hand that many of these providers, i.e. BBN, AT&T, etc. are not nearly what they claim to be. They claim they are a high availablity, fully secured operation. I have seen firsthand such idiotic things as: open remote control s/w (i.e. PcNowhere) running on the default port on the internet NIC accepting logins from any IP, machines that run NetBIOS on the internet NIC (because they login to DCs that sit on the internet). How in all high hell can you secure something when you have your domain logins flying unencrypted across the internet?!?

    4) Poor security planning: Not enough gurus for to plan/build/support the systems that are in place.

    5) Too easy too look secure: All you need to do is buy an app, setup the back end stuff at the bank, get an outsource provider that can host your web boxes (they must be SAS70 certified) and then hire XYZ to do a penetration test...if it comes back with security holes, just fix them!

    It takes a lot of dedicated people to make a fully secured system...firewall/router guys, systems folks, dba's, knowlegable ousource providers, etc. Hopefully high-profile events such as this one will be a wake up call to other banks.

    Sorry for the extended rant,
    Andrew

  • You have your conversion factor backward. £1 is worth about $1.5, not the other way around. So that £75 is worth about $113. Still the original poster's point is valid -- either somebody already raided most of these accounts, or most of the people don't trust the system. Most likely there is an order-of-magnitude error in the article, and they either manage 20 million accounts (with an average of about $1100 in them) or the accounts add up to £150bn.
  • by chazR ( 41002 ) on Sunday September 24, 2000 @07:03AM (#758073) Homepage
    BEGIN RANT BLOCK===============

    There has been a lot of discussion over the past couple of years about the rights and wrongs concerning full disclosure of security flaws.

    The person who tipped off the newspapers obviously has no understanding of how full disclosure should be used. What he did is functionally identical to spouting off about his 'leet discovery on a dodgy IRC channel.

    Most security professionals agree that full disclosure is the correct way to proceed (anything else is security through obscurity). Note: This does NOT mean that you inform the media, post to leet.kiddies.cracking, or issue a press release saying that your company's product whould have prevented it.

    If you are a responsible person, you inform the organization that has the vulnerability. You ask them to investigate it, and ask them for a timescale for a fix. 99% of the time, they will be grateful for the tip-off, and will issue a fix promptly.

    If they don't, you tell them that you intend to release the information so that the potential victims are informed, and can manage the risk appropriately.

    If they still refuse to do anything, then you think long and hard about going public. You probably should.

    Once it's public they *have* to fix it.

    However, the way it usually works is that they respond to the tip-off, provide interim/permanent fixes and credit the discoverer.

    The aim is to use full disclosure to minimize the exploitability of a security problem. It is not meant to be used by pathetic attention-seekers to grab media focus, or for companies touting security snake-oil to chalk up another few sales.

    This disclosure (as far as I can see) was intended to create media exposure (or why was a newspaper contacted?).

    I can't see any evidence here that the person who discovered this acted to minimize the effects of the alleged security problem. That puts the discoverer in the "leet kiddie" category until evidence is presented that the bank refused to act on the information.

    There is no security. Any organisation (even one without a single computer) is vulnerable to security breaches. This will never change. Unless people act responsibly when a breach occurs, the only winners are criminals.

    END RANT BLOCK===============
  • But there has to be some central authority that gives the money value. US currency only has value because people respect the value that the US government give it (and even then only because they have a lot of gold to back it up). Digital money is by definition just a number. Anyone can write down a number, so it doesn't have any money by itself. Someone has to give that number some value. If that authority is the US government, then you'll have to have a "government money account" instead of a bank account. There's no free lunch here, though.
  • There was a problem in a Norwegian bank recently, that seems to be similar to this one:

    Somebody discovered that once logged into an account on the server, your account number was encoded in the URL, and you could just change the account number in the URL to get access to the account of any other customer in the bank. It was fixed pretty fast, but it is incredible that the hole could have been created in the first place.

    I attempted to crack my own bank in the same way after this became known. It certainly does not share the vulnarability, but I do not feel entirely confident that it doesn't have related holes that can be exploited by a specialized user agent, but I haven't time to check it out. I feel safe though, as it is a law giving the bank full responsibility for my money, and they use a smart card that is disconnected from the computer to generate 8-digit access codes, no PINs or password is stored on the computer.

  • What i'm trying to tell you US Currency is NOT backed by gold. Or anything for that matter. That is why there is inflation if everyone raises their prices on certain good the value of money falls. I can't remember the exact word but it means our money is a 'Faith' money.

    Brian Peace

  • 'Real' money doesn't have any value either by your definition.. A $5 bill only has value because the US government says so, not because it is backed by gold, or silver, or other negotiable item. The Euro, British pound, Russian ruble, are all worthless when it comes down to it. (the Euro and ruble more so than the others)
  • I just signed up for internet banking with Sovereign......

    Note to any script kiddies: Proving that you are 1337 by changing my PIN (I suppose you could steal my money, but there's really not a whole lot there) will result in being hunted down and thrown in jail like the table-scrap pilfering grab-asses you are (GRAB ASSES BAD!)

    Er.

    But seriously. I did just sign up for net banking w/ Sovereign. I wonder if they're going to mention anything about this to me.

  • Yeah, this is frightening news, but I'd be curious how a person could steal money out of an account if they were an online criminal.

    I mean, the only things you can do on an online account is transfer money or cause a check to be sent to you via checkfree. Each of these leaves a "paper" trail where the money goes.

    The best I can come up with with my non-criminal mind is to cause havoc by transfering money into my favorite charity's accounts.

  • how does the encrypted data get to the web site?

    Actually, I have no idea.... :-) There is some https involved, and I do some typing on the keyboard... Anyway, I may have described something wrongly here, it is not a smart card as in credit card, it is a device, looks like a small calculator, that I type a PIN code on, it gives back a 8-digit code, that I have to type on the keyboard to log in and to complete transactions, a new code each time. I don't know how this works, really... I submit a form, that is transfered using https. Somebody once called it a "smart card", though.

    Be careful here.

    Thanks for the word of caution! It always helps to know what's going on when managing risks. I feel that there are so many things that are way more insecure so that I'm really not worried about e-banking. It may be easier to attack a large number of accounts, but that's SEP (somebody else's problem), since the bank is legally responsible for my money.

    Just take dead tree checks. They are so incredibly easy to forge. Very few shops in Norway accept them anymore, and those who do only accepts checks from senior citizens, an 8-year old with a check is assumed to have made it on his father's color printer and alarms would ring... A few years ago, when I lived with my parents, my mother had a deal with the bank that she could transfer money to my account by sending a fax (she is an old trusted client of that bank). Of course, I did the sending of those faxes... They would reject the fax if it wasn't a signature on it, but of course my mother never signed any of those faxes, it was a TIFF-file that I attached when sending it... Naturally, this was the deal that I had with my mother, she knew everything about it, but what was interesting to note is that this signature that really meant nothing whatsoever about authorization of the money transfer meant so much to the bank....

  • If I was this guy, I'd be scared shitless to do "the right thing" and quietly tell these banks that they were vulnerable and how.

    What if they turned around and had him arrested for "hacking?" What would his defense be?

    Nah, by going straight to the press, the FBI, and his local police up front, it guaranteed that it'd get enough publicity that there's no way the banks could get away with attempting to prosecute and if they even tried, he'd have a good defense beyond his word that he was doing it to disclose their security flaws.

    Remember what the common person these days thinks about "hackers" and the bad press hackers get these days.

  • The difference between what he did and what most of the other hackers/crackers mentioned around here do, is that he discovered the exploit, and tehn showed proof and how it was done only to the people that could actually remedy the situation. He didn't post a "balance transfer tool" on the web in order to "pressure the banks" to fix their security.
  • It is really huge hole :^)
    After a few keystrokes he obtained something called the 'access log' which had all the security information needed to access any of the internet accounts run by Fiserv.
    They obviosely posted access-log... It's really stupid for secure site, but it's not unfixable.
  • BTW, Netcraft shows this site as running Stronghold/3.0 Apache/1.3.12 C2NetEU/3012 (Unix) PHP/3.0.16 mod_ssl/2.6.4 OpenSSL/0.9.5a mo So, so much for Microsoft-bashing.

    Don't forget, Netcraft can be thrown off by firewalls, routers, etc in the way...
    ----
  • I don't think this chap had much to fear from an American corporation.

    Er, I think he did - we're talking about a number of American banks here, being at least indirectly grossly negligent.

    Remember the ILOVEYOU virus? I don't recall national boundaries - and even a lack of computer crime laws in the country in question - being a barrier to tracking down and detaining the chief suspect there.

  • Usual question: How did you get this info? (I know it's impolite to ask this, but as I already did...)
  • It's the same think that happens with airline crashes. They may make the news every time but you've got a way higher chance of being killed every time you get in your car!

    Curiously enough, this is not the case. Airlines love to quote safety figures based on miles or km travelled. Airplanes are indeed safer on that basis. But a single trip on an airplane is actually more dangerous than a single trip in a car. A good article in New Scientist a few months ago discussed this.

  • by jbuhler ( 489 ) on Sunday September 24, 2000 @11:48AM (#758088) Homepage
    How about 1. buy a set of false ID documents (birth certificate, social security card, driver's license, etc), 2. open an account under the false ID, 3. hack the bank and transfer small amounts of cash (say, $50 from 100 accounts per week) into your own account, picking those accounts with the highest transaction rates and balances so the cash won't be missed, 4. move the money to the Cayman Islands/Vanuatu/Belgium/somewhere else with strong banking secrecy laws.

    Of course, you'd want to perform the fraud over the course of a single month to finish the job before 400 irate people call the bank about an error in their monthly statements.

    This scheme seems dangerous and somewhat expensive for a single person to do multiple times, so it may be better suited to organized crime, which could easily run multiple scams at once, get the false ID's at cost, and launder the profits through high-volume commercial accounts.

    ObDisclaimer: IANAM (I am not a mobster :-)).
  • I've seen something even more frigtening.

    Last year I was doing some on-site work in the London area for a company who were about to implement a major internet based trading site. I had to sit in on some meetings regarding this system.

    Very little was actually paid to security. They seemed to believe that as long as they had a secure Unix variant, and a firewall, all was well. Intrusion detection was also mentioned, but this seemed to be no more than purchasing a couple of off-the-shelf systems and plugging them into the correct place. As other security aspects at this site were laughable, such as SNMP everywhere and a very week 18-month-old NT Domain password, I wasn't very confident that this would get off the ground.

    What amazed me most about this place was the general level of cluelessness in the IT department on a whole. One machine running just as a trusted time-source for the whole network had been down for weeks prior to anyone realising it wasn't working. Anti-virus software was installed with 3-4 year old signature files, which were not being updated. And quite a number of staff relied entirely on cheat-sheets to guide them through installations; even though these cheat-sheets were incorrectly written, and full of errors.

    I left the place prior to the system going live - I didn't want to see it in action.

  • However, rarely are news stories posted anywhere about more traditional financial institutions or retailers. Ok, so there have been a few credit cards exposed online. But, do you know how many fraud schemes there have been invoving physical cards, at places such as gas stations and restaurants?

    Sure, credit card frauds have happened before. So what's the problem with online bank security? Why does it have to be so much higher?

    I see two new problems with online banking frauds:

    Scale. By distributing a virus, I can coordinate bigger attacks. Note that it must not necessarily transfer money to my account. I could just be a vandal and transfer money randomly. Or I could coordinate an online stock trading attack so that on a given day, all people sell all their stock and buy stocks in littlecorp at any price... You can do damage to the whole system in a new way which is bigger than just emptying some Joes account.

    Trust. It is commonly known that credit cards can become lost. Or that ordinary signatures can be forged. But if your digital signature is forged/hacked I think you will have a much larger problem convincing a court that you have been hacked.

  • My bank has an extra little box which provides one-time login codes.
    That way, if someone should install a trojan in my PC and pick up the pin code, that code would be useless next time. Furthermore, before I send any money off my accounts I have to verify with another one-time code from my box. (so even if a trojan would somehow add a transaction during my banking session it would not be sent to the bank unless I verified it)

    The system is not perfect, of course. Someone might reverse engineer the code box to get the algortihm *AND* somehow get the key for my box without breaking it. I guess it is possible, but it would be easier to just rob me.

    Another way would be to rely on me being clueless enough to leave bo box somewhere together with a note containing the PIN for the box. In that case I'd deserve to get robbed...

    Bottom line. Never trust anything user configurable. It must be secure from the box *AND* foolproof (as in "don't let any fool tamper with it")

  • I am sure any bank would be very concerned with its reputation and aware of its competition, and will take more pains to ensure that its online customers get adequate security. After the leek of such reports many an employee and heads of E-divisions would have been grilled by the banks. Where income and survival is concerned the online banks themselves will prove to be their own police and insure customer data.

    Ishrat (Founderscamp.com) [founderscamp.com]

  • The usual name of the game seems to be, discover hole in banking system, contact company and offer not to go public with the information for a price. Maybe he did this and the company though he was bluffing or that the price was too high.

    You don't even have to reveal details of the hack. All you have to do is show it's possible. The loss of confidence in the company could do millions of dollars worth of damage to the company.

    I'm not saying that DID happen. I'm saying it COULD have.

  • According to the article, he called the Observer, he called the cops and he called the FBI...why didn't he bother to tell the bank? Why announce this publicly, telling hackers how easy it is to steal from this bank, BEFORE telling the bank it needs to patch the hole?

    Evan Reynolds evanthx@hotmail.com

  • In Citibank the web-password of one's account is the same as your Citibank card PIN!
    Practically it is just 4 digits - which gives you 10^4 = 10000 passwords. You don't need supercomputers to crack this...

    I have contacted Citibank-customer service several times, asking them to establish separate password for account web-access. They said their state-of-the-art bla-bla encription
    is safe enough. By the way, they refuse to send their messages to a customer Internet's email-address - for (pause,) security reasons.

    I still have an account there. May be I like to test my calmness. My PIN # is ooops...
  • I've always feared that the banks were not secure. That's why I keep all my money in my mattress. Of course, all those coins make the bed lumpy, but you get used to it eventually.

    --
  • by xonix7 ( 227592 ) on Sunday September 24, 2000 @05:51AM (#758098) Homepage

    In order to drive turn-key functionalities in the new economy, any company or profit-making entity - banks included, need to utilize integrated web-readiness and reintermediate web-enabled networks without goverment interference - in such a way that it's possible for them to optimize dot-com infrastructures as they relate to the banking and commercial world. In this way, they can engineer efficient commercial applications and incubate a sophisticated userbase.

  • by Anonymous Coward
    I don't know about American banks, but if it had been exploited against a British bank they would probably have pursued a fraud case against the person whose savings were stolen; that's what they did when someone claimed that a crook had been withdrawing money from their account with a forged ATM card a couple of years ago, since banks would never, ever, ever have a security flaw in their systems.

    Fortunately digital cash will make bank accounts obsolete, as you'll be able to encrypt it and store it safely on your hard disk with a backup copy secret-shared across a few data havens.
  • by Gryphin ( 85459 ) on Sunday September 24, 2000 @06:07AM (#758100)
    BOK has been notoriously security-lax in the past years. Their credit bureau network admin left the default password/login on the system, which was findable by anyone who had used/had a manual for the software. You could go in, and change credit ratings, find Names + SSNs, and change payments. Pretty much why I refuse to use them for my bank. Now this comes up, and I can't help but laugh.
  • I bet this guy is going to get a medal, a plaque, and an article. That's it. When he could've had 10 mil just like that.. I demand that the bank gives him the award of... one million dollars!

    Choas would ensue. People would quit their jobs and devote their time to trying to make the perfect score. They would, of course be competing with all the script kiddies, who'd have a day or two head start on them. The hard core programmers could demand lots more money (because all the other programmers went on some Cyber Gold Rush). Microsoft would have a hard time trying to peddle their certifications (because, after all, who has time to study - I have a bank to crack). Since the script kiddies are preoccupied, Norton would lose millions in antivirus software sales.

    We'd have to call in Bruce Willis - The world's best deep core driller.

    --
  • Jeez, am I the only one to read this and wonder if my bank is affected by this specific problem?

    I did a little research, and found out there is an easy way to tell.

    I couldn't find The Amalgamated Bank of Chicago, but I did find http://www.bankofoklahoma.com/ [bankofoklahoma.com] and http://www.sovereignbank.com/ [sovereignbank.com].

    When you go to the login screen at either of those to bank sites, you will see that the secure server is really hosted at https://www.secure-site.com/, instead of the bank's site.

    So, there you go, an easy way to tell.

    BTW, Netcraft shows [netcraft.com] this site as running Stronghold/3.0 Apache/1.3.12 C2NetEU/3012 (Unix) PHP/3.0.16 mod_ssl/2.6.4 OpenSSL/0.9.5a mo So, so much for Microsoft-bashing.

    God, Slashdot has deteriorated. Whining and whining at the whiners. Does real information hurt or something?

  • Uhh digital money doesn't have any value unless it's backed up with something real. Instead of a "bank account" you'll have a "something else account". I don't see much gain. Unless you honestly think that if I write down the number "5000" somewhere, I'll have $5000 of "digital money".
  • Beware of any idea that starts "Simply..."
    Simply attach a GPS sensor to the client's machine and send some of the raw GPS data to the bank for authentication in conjunction with the username and password.
    Nice idea, but it still doesn't help if the user's Windows 98 machine with the smartcard reaker and GPS and whatnot has been 0wn3d by the bad guys. They can intercept all communications between the smartcard, GPS unit, computer, and internet connection and basically do whatever they want.

    The customer and the bank will be none the wiser - after the entire contents of the cutomser's savings account and online stock portfolio is transferred to the bad guys, the bank will have perfect records showing the correct PIN, username, password, GPS coordinates, etc. to validate the transaction. And the customer will hae printouts showing they did no such thing.

    All that security would be worthless, and either the bank would tell the customer "We think you are trying to defraud us, look we have all this proof you really did make the transfer", or they would say "Tough luck, you should have kept your Windows machine secure, loser", or (more likely) the bank would just eat the loss and hush the whole thing up.

    Banks save so much money not having tellers and buildings downtown that they would rather put up with millions of dollars of losses every year than give up on internet banking.

    As long as internet banking uses customer's home PC's as trusted links in the whole system, real security is an impossibility.


    Torrey Hoffman (Azog)
  • One place I worked had entry via a four digit pin entered on a horizontal keypad. As a temp worker, I wasn't allowed a pin. Unfortunately, also as a temp worker, I was turning up earlier than the real workers and having to stand around in the cold and the rain. Fortunately, there had been drilling in the corridor so a quick sprinkling of brickdust got me the four numbers and from there, it was trivial to get the actual PIN.

    However, as a temp worker, it turned out that the work ran out shortly after anyway. But it was an interesting exercise (Have to do something to keep yourself sane in those boring summer jobs).

    Rich

  • FiServ reports on their website [fiserv.com] that the accounts were only demonstration accounts used for training purposes.

    Got to love it when reporters don't chekc the facts first.

  • by skoda ( 211470 ) on Sunday September 24, 2000 @06:15AM (#758124) Homepage
    Hmmm... I agree with your thoughts, at least to a point. This is perhaps the equivalent of opening someone's unlocked car door to turn off their lights. Or perhaps, it's like picking their lock to get in and turn off the lights.

    The former case is good; the second case is not exactly bad, but I'm not comfortable with it.

    What I would have a strong distaste for would be someone who goes around a parking lot, trying to open car doors, and when he finds one unlocked, leaves a note or something saying, 'your car is insecure, you need to lock your doors'.

    Well, just some thoughts.
    -----
    D. Fischer

If you fail to plan, plan to fail.

Working...