Online Bank Security: Cover Your Assets! 85
LogError writes: "Randy M. Nash writes in this article: 'Why are there so many concerns about online banking? Where is the breakdown in security? Even brick and mortar banks have internal networks that must be secured. It's my understanding that these are very well secured indeed. What happens when these security-conscious organizations move their presence to the Internet?'"
Keep a paper trail to be safe (Score:1)
Oh the security... (Score:1)
Banks may not be the problem... (Score:1)
Don't forget the banks have thier own internal systems. Locally the banks didn't get hurt by Mafia boy because they had been warned. The people who weren't in the old boys club got hammered.
OTOH you have banks with the brain power of a walnut. I know of one bank that makes it virtually impossible to change your password. You can't do it online. When you file your application for online access the person taking your application will often suggest using your mothers maiden name as a password. I think they actually teach this to people. That's real secure.
Re: (Score:1)
Re:Online Banking.. (Score:1)
Re:Online Banking is a joke (Score:1)
Klaus
Bank networks (Score:1)
Why. (Score:1)
"Because that's where the money is."
Re:Online Banking is a joke (Score:1)
I've personally used two systems. One was based on a java applet which generated a local key based on a one time password I got sent from the bank via snailmail. My selected password only decrypts my local key which resides on my machine, which is then used for further communication with the bank.
The other system uses a device protected by a pin code which generates one-time passwords.
As to reactions regarding bad press: True this is feared, but it is also hard to avoid as security problems can just as well be discovered from the outside as from the inside. The first implementation of net.banking in norway was indeed unsecure. A couple of local geeks blew the whistle and the system was taken down immidiatly.
Scary stuff (Score:1)
I'm surprised that many people are talking about the security at the bank itself, when it's the client machines that are the most vulnerable.
It would be completely stupid for on-line banking to be used by the vast majority of computer (especially Windows-based ones - a relative of mine had sub7 only a month after buying the machine) - the security of the client can't be guaranteed.
This method [slashdot.org] seems an excellent way of doing things (it's not foolproof. How about installing a client on the machine that snooped the keystrokes in real-time, and then disabled the network so that the code could be used by the attacker instead?) but the thought of having insecure operating systems on the client sends shivers down my spine.
I don't think that on-line banking should be commonplace until the security of clients is vastly improved - there's too much of a chance for passwords, IDs, credit card numbers, etc being snooped on.
wrt: [CH]racker tests (Score:1)
--------
Life is a race condition: your success or failure depends on whether you get the work done on time.
Re:Wrong again (Score:1)
I recall Rolling Stone (they weren't completely lame at that point) having an article about all the things you could do for that much money -- like take a cab ride to Jupiter...
Re:Online Banking.. (Score:1)
If someone grabbed my password, he could just see my account, to make any transaction you need a so called TAN Number, I get them from my bank via snail-mail and you can only use one number one time, kind of shared secret. When you have used all your number you have to order new ones from your bank. This and 128-bit SSL looks like it's secure enough...;-)
Michael
Re:It's the application stupid! (Score:1)
I agree you, you need to hire good coders. But I have seem some of the best make the worst mistakes. With the time to market demands slaming them in the face everyday, the chances that they will make a mistake increces. Good coders minimize the risk, but they can't eliminate it. Perhaps the coolest thing about AppShield is that it is not based on pattern files that you need to keep updated, it just figures out your web app by parsing the HTML and then blocks all the rest. How many things out there can protect against unknow hacks? According to their web site this thing is protecting the Israeli goverment!
Damn I sound like an advertisment, but technology like this is going to be the only thing that can save online banking and e-commerce from a hacking arms race that is out of control.
First Tennessee (Score:1)
That defect pertains to other things, too (Score:1)
How many other problems related to other issues, like privacy, would be fixed by using the same design philosophy? Consider the user-profiling used by web advertisers. The avowed purpose is to give the user ads which interest them, and avoid showing the user ads which are not of interest. Why does this require the banner-ad site to be in the loop? These preferences could be collected and managed by the user's own computer, and never sent outside it; presented with a choice between several ads, the client-side preference machine could pick the one most aligned with the historical likes of the user. It would even be possible to make something to get rid of particular ads permanently; what need does a male user have for feminine hygiene products, or female users for Viagra? If this were configured as a client-side selection apparatus, privacy would be preserved and relevance even more so.
If this happens anywhere, it'll be in the EU. The USA allows this tracking information to be collected and sold, so there is a powerful incentive to grab it even if the model is broken in serious ways. If the sale of that information is barred and even the keeping requires subject-review procedures, the incentive to collect it is lost (it costs money to keep data). At this point it makes far more sense to shove the work and the data down to the user's machine and never touch it at the server, and the privacy problem goes away. At this point, security becomes the user's problem. Most user machines are very insecure, but hacking one web site is a lot easier than hacking hundreds or thousands of individual PCs.
--
Re:Online Banking.. (Score:1)
----------------------------------
Internal vs. external (Score:1)
Internet banking is very different. When you have a bank on the Internet, you must allow people anywhere on the Internet to manipulate those critical internals, and the system must be very, very carefully designed to allow only authenticated people to manipulate only their accounts. This is highly non-trivial, and it's only a matter of time before somebody manages to exploit a flaw. Whether we will ever hear about it is another story.
Cheers,
-j.
Smart Money's "E=Bank" ratings. (Score:1)
Re:If you build them like I do... (Score:1)
So what bank was this? I'd be interested in checking it out to see if it fits my needs.
Re:Online Banking is a joke (Score:1)
How about "My bank just made me change my PIN to a 4 number code?"
Bricks & mortar banks are far from airtight (Score:1)
Re:Online Banking is a joke (Score:1)
Stronger encryption option for financial and banking Web servers
When designated as a financial or banking Web server, the North American edition of the HTTP Server can exploit the strong encryption capabilities in the domestic and international versions of Netscape Navigator 4.x and Microsoft Internet Explorer 4.x. To use this function, you must purchase a special digital certificate from VeriSign called a Global Server ID.
For regular Web transactions, the Netscape and Microsoft export browsers can use 40-bit encryption only for Secure Sockets Layer (SSL) transactions. However, when the server uses a VeriSign Global Server ID for its SSL certificate, the export browsers can use stronger levels of encryption of 128-bits or greater. This enables a server with a Global Server ID to communicate at the highest SSL encryption level with both domestic and international versions of the Netscape and Microsoft browsers.
International financial and banking customers of the HTTP Server who want to use this function must contact IBM for an export license to obtain and use
They rush... (Score:1)
Refrag
Re:Can't talk about online, but brick&mortars are (Score:1)
Hmmm... interesting. I had a friend who was in charge of setting up an internal network in a b&m bank. Once he had it set up, he figured that he, knowing everything about the system, would be able to steal a sizeable sum of money in about 20 seconds. And it would take bank security 2 seconds to catch him. So I guess it really depends on who you're dealing with.
Online Banking.. (Score:1)
Re:Online Banking.. (Score:1)
You'd be surprised... (Score:1)
And another bank here which runs it's online services on IIS had left it with all the default settings *AND* passwords! Luckily a third party IT company discovered it while doing some unrelated work and that at least has now been fixed.
The moral of the story? I don't trust the buggers. They're bad enough with hard cash (read: thieving bastards) what makes you think you can trust them with something as temporal as a few bits and bytes on an electronic communication meduim. That's what your money ends up as...
In my opinion, a lot of things still have to mature before I am comfortable with the idea of doing business online with a bank.
Re:It's the application stupid! (Score:1)
There are different solutions for different problems. Don't make the mistake of thinking an outside hacker attack is the most dangerous. When you are worried about insider fraud, SSL and IPSEC are mostly useless.
Some banks are more secure than others (Score:1)
----
Big flaw in the UK banking system.... (Score:1)
For those of you who are unfamiliar with this system, let us take a moment to run through the basics. Visa Delta is a system designed to enable people to use their bankcards like a credit card. The only real difference between a credit card and a Visa Delta debit card is that you have to have available funds in your account to make a purchase.
Sounds like a good idea? It is. And it's very successful, except there's a few cracks in the foundations.
Here is how the system works:
You go into a retail outlet and make a purchase. You hand your Visa Delta card to the sales assistant, she swipes it, keys in the value of the goods you wish to purchase, and then you sign the authorisation slip. That's it. Purchase made.
So what happens when the assistant swipes your card? At least 2 pieces of information are sent to your bank: your card number and the value of the goods. The bank then sets aside the required amount from your account. This process of setting aside an amount from your available balance is called "earmarking". The retail outlet then has 8 working days to follow up the earmark with a transaction, or the earmark is erased. This sets the earmarked funds as available funds again.
So where are the cracks? Let me show you. If the retailer keys in the wrong amount after swiping the card, they just swipe again and rekey. Then, the retailer is supposed to contact the bank and cancel the first earmark. If not, the sum of both earmarks is taken from your available balance.
"That's not so bad", you say, "It'll be cancelled in a week and a half." That may be so, but consider this scenario:
You have £200 of available balance in your account and go to make a purchase of, say, £120. The assistant swipes the card and accidentally keys in a value of £140. Realising their mistake, the assistant reswipes and rekeys the correct value. Immediately, your bank account has been earmarked for £260 -- more than your available funds. The assitant then forgets to cancel the first earmark and you are unaware of the mistake they have made.
The next day, you go to an ATM and your account has been frozen. You phone the bank and they tell you that the earmarked amount is greater than the available funds and that they can't do anything until a transaction comes through. Why can't they do anything? Because when the earmark information is sent to your bank, there is no way of identifying the retailer, thus disabling you from contacting them to get the earmark cancelled.
This is an appalling flaw in the system. It could be easily exploited to disrupt thousands of Visa Delta cardholder's lives by freezing their bank accounts for 8 working days.
So how many people know about the earmarking procedure? Surprisingly few people, which makes this evidently more disruptive as, potentially, a kind of socio-economic virus. The banks know about this and what are they doing about it? Nothing.
Re:The Myth of Bank Security (Score:1)
I must admit that I haven't tried this, and I am surprised. Such an ability is usually dependant upon the card issuer's processing parameters, and not upon those of the acquirer of the transaction (assuming that one of the major schemes isn't standing in for the transaction, and VISA may require address verification as well). One of these days I'll give it a go with my card.
(By the by, I was also surprised about your mention of attacking the PIN PAD, and obtaining it's master key. PIN PAD's are made for one reason only, and that is to not give up this information. I have been told that the only way this information can be obtained in most cases is to carry out some "scan" of the device to literally watch the electrons as they bounce about - I am no expert, but this is what I was told. If you have time, do you remember the PIN PAD manufacturer/type - Ingenico, Intellect, Bull
Re:The Myth of Bank Security (Score:1)
Just out of interest I have asked Ingenico Australia for their comments on this. I've no idea if they will reply, but I am very keen to hear their side of the story.
Re:Online Banking.. (Score:1)
--
Re:Online Banking.. (Score:1)
--
Somebody Please break into my account!! (Score:1)
I don't think so (Score:1)
Thinking about attacks (Score:1)
Because .... (Score:1)
Re:Online Banking.. (Score:1)
Re:Unfortunately... (Score:1)
thoughts on online banking (Score:1)
Current Online Banking Systems Are A Joke (Score:1)
Re:If you build them like I do... (Score:1)
> creative design part was over and I got bored
> doing routine administration) was an Internet
> Systems Engineer for a large bank/credit card
> company/merchant processor.
The other thing about that place was about the 20th time someone takes all the credit for your ideas, it gets old......
> We built that system as impenetrable
and uninterruptable
> as we could.
Four sources of power, clustered port redirectors for doing server farms, fully redundant hardware, etc.
The security was give or take that one last little tweak that nobody would let us do....... Or that one last item on the checklist that was added and had to go through a change control process to be implemented.
The actual redundantcy was to the point that it was harder to shut the the thing down than it was to keep it up. (almost like it was alive)
> Extreme security, multi-level DMZ
> design, black IP, major intrusion detectors,
> dead-end fake IP subnets, quite a few traps
> and, uh, planted 'distraction', and of course
> 128-bit SSL.
Hey-- I liked my planted distractions. They didn't have honey pot written all over them, but low and behold that's what they really did.
Oh-- and can't forget intrusion detection supplied by different vendors and managed by seperate IDS specialists who completely reviewed eachother's work on a constant and continual basis. Oh-- and as far as anything for security or redundantcy goes...... if one was enough-- there was at least four. (two from two different vendors so it was redundant from both a networking and a security standpoint)
> It's been running for almost two years now, and
> noone has come close to hacking it. The
> firewalls and intrusion detection
> software usually record several
thousand
> attempts per day, usually just script kiddies,
> once in a while a 'real' cracker. But nobody
> has ever got in, and if someone did, I would
> definitely be one of the first to know.
Depends on who is the first to know internally-- race ya.
> We even hired some top-of-the-line, extremely
> good professional hackers, and they were only
> able to gleam the tiniest amount of information
> about the topology of the network.
Now for the question of the day. When the big name security certification companies review a site for insurance purposes, etc-- who certified that they know a damn thing about conducting pentration tests or reviewing security in the first place?
True story: I personally completely and totally ripped SEVERAL of one company's "reports" to shreds in a document and did what I could to see to the refund of several thousand dollars to the bank. Every time we rejected their report because it was totally inaccurate, they would run another. The reports were so bad that they did not even agree with eachother! I felt bad for ripping their security analysts apart so badly, but I felt as though I had to do it-- their report was so bad that I could have composed a more accurate document when I was in Jr High less than a year after I learned what TCP/IP and ports were and still had no clue what a "slash 24" was.
On with the rest of the story. I later ended up getting cornered into help their people understand what they did wrong and help them improve their security review process.
I forsee someone wanting to bring up levels of experience or training so I'll just let it be known now that I am a self taught admin/security analyst/IDS/IPS type with little to no formal schooling or certification. I have lived, breathed, ate, and slept network security for over 5 VERY long years (with more 100 hour weeks than I care to think about) Granted I am probably the exception since I am under 30 and have done things from firewall QA, to VPN engineer, to banking system security person, to intrusion detection specialist. Now I am authoring from scratch enterprise wide security policy/requirement docs (posted to the intranet), aid in product selection, identify test paramenters for product security review, and make very important security decisions for a company with over 80K employees. I also gather best practice inputs and write implementation procedures and security checklists for of system/application build. Oh-- and it is a fortune 50 corporation. Oddly enough one of the few who was 99.9% mainframe up until a year ago and has skipped the 'open systems client/server' environment almost entirely)
> The only bad thing about the bank site is that
> the HTML coders have made one of the ugliest,
> lamest sites I've ever seen. They sure could
> have done a better job, but it's at least
> usuable and extremely secure.
Truely an example of beauty being in the eye of the beholder. I agree-- the site was/is hidious. I can't say too much about the code though since I have a different view on what a web architecture SHOULD look like. (I tend to like to put layered IDS type traps inside of application architectures though so don't mind me-- I'm a bit ahead of current best practice in that regard)
> I use it myself, and feel safe doing so,
> especially as I implemented a lot of the
> security myself, very very carefully, as if I
> made an idiot mistake I would be held
> PERSONALLY liable.
Yes I helped build it, and yes I helped secure it, but to this day I detest internet banking systems mere existance. I don't want or need my bank hooked into the internet, but unfornately all of them are now. I am left with only the comfort of knowing that at least this bank has used state-of-the-art technology configured to deny everything by default based on TWO sets of default deny rules on seperate products from different vendors. I take comfort in knowing that they are on completely different OS platforms for the two control points and that there is more IDS at those control points than I care to thing about. (to the tune of several gigs per day worth of logs that ARE ALL coorilated in real time for serious infractions and REVIEWED DAILY)
> Kinda scary knowing how many billions of
> dollars are in that bank, and it's my ass if
> they get through. But I'd be very very
> surprised (and very respectful of the person)
> if anybody actually got through!
That's what made the job fun though.
> I don't know about other banks, but this one is
> tight. (Sorry, I cannot disclose which bank it
> is without written permission from them, or I'd
> be happy and proud to tell you.)
Good man. And no-- not a chance that I am giving that up either.
> As far as the one bank someone was talking
> about that didn't even use SSL - you'd better
> find yourself a new bank - FAST!
Actually, I'd recommend also calling the feds. They are in violation of several banking regulations.
Now for the next person who posted:
> I don't know why, but you sound like a total
> cluebi.
We won't go into what you sound like.
> you just read 'hacking exposed' right?
> Good network design is always good,
> distractions are good, honeypots are good,
> 128bit SSL, hoho, now that sounds promising.
> You're using state of the art stuff 'eh, right.
> I don't know any current or past commercial,
> let alone public! software which I would trust.
There are not any that we would trust either. You should not make assumptions like there is only one type of anything in that network.
> For example, the world leader in firewalls,
> yes, you know who that is, has had a remotely
> exploitable buffer overflows in their code
> since the very early stages of the product,
> until today, they still don't know about it.
I've known about it for nearly 18 months. I personally called the vendor you are talking about and talked to them about the problem when I learned of it in the underground. Once again an assumption. You ASSUME that the vendor does not know about it because they don't acknowledege it, have not published it or released a fix, etc.
Having market share is entirely different than being the "world leader". I have worked with several firewalls. (I worked for a firewall vendor and did the configuring my vendor's firewall in the "firewall roundup" by NSTL) I know which product you are talking about find that the one you are talking about. It is basically junk relative the stuff some of the other guys are doing. I certainly would not trust it to direct internet exposure with no other control points between it and a secure bank network.
> Oh, it's been running for almost two years now, > no incidents 'eh
He did not say that-- he said "..... nobody
has ever got in, and if someone did, I would
definitely be one of the first to know. "
There have been incidents of people hitting the honeypots. They did not get anywhere except somewhere where let's just say they have plenty of time to think about the "no good" they were up to.
> let me tell you this darling, and you listen
> well, if someone serious was after this system,
> you certainly wouldn't know about it
It helps to measure the situation before shooting your mouth off uncontrollably. For example, you just called a 6'8 280 lb guy with shoulders practically broad enough to put his arms out of BOTH windows when he drives down the street "darling"
> Would you trust a system designed by a person
> which has the above homepage ooze.bloomnet.com
Trust is a relative thing. It is based on assurance.
Let's analize it shall we.
Relative to someone who practices in the making of assumptions rather than in the analysis of the situation as it presents itself. You don't have the kind of information you need to say any of what you have said.
Just take the time to stop and look. Ask questions instead of assuming and flaming.
Just incase you are wondering no-- I would not trust your skills over the guy you just flamed.
> he clearly has obvisous mental problems.
Once again-- another assumption.
> I would flame some more, but I'm tired.
Glad to see something was able to save you from the embarressment.
A wise man once wrote: It is better for someone to think you might be a fool than to open your mouth and remove all doubt.
Please spare us the removal of doubt factor.
Security not as important as you think (Score:2)
- First, it is not an ATM machine, there is no way to get money out. You can request a check, but it will be mailed to the address on your account and only payable to the name on the account.
- You can transfer money only within your member number. Unlike banks, credit unions issue you a member number and you have sub-accounts for checking and savings. Even so, most banks' internet banking only allows you to transfer between pre-arranged accounts.
- The main function of internet banking is to deliver statement information (i.e. account balances, check clearings, loan payoffs, etc) through the web. Since SSL is classified as munitions by the government, I like to tell people that using SSL is like having your statement delivered by an armored truck. In our case, we don't display any identifying information. So although it runs under SSL, it would be difficult to identify the account owner even if it was not SSL.
- Network security is an issue, but that is needed whenever a bank or credit union is connected to the internet irregardless of whether they offer home banking.
Think about this:If I gave you my online banking account and password, you could do little more than see my balances and statement information.
However, if you had my Amazon.com account, you could order thousands of dollars worth of merchandise and have them shipped anywhere in the world.
Different Threats (Score:2)
However, I don't let other organizations do direct debiting (like for bills, etc.) nor do I check my account from just anywhere. I trust my bank's internals, but I don't trust other people with access to my money. The only people who have outside access to my account are my employers, who have permission to direct debit my paycheck (hey, if they're putting money in
Re:My experiences... (Score:2)
Strategy: Westpac's Web revolution [brw.com.au]
Customers redesign www.westpac.com.au
www.westpac.com.au/internet/publish.nsf/Content/W
Can't talk about online, but brick&mortars are bad (Score:2)
All that said, the actual online services that most smallish banks use (again places like eds and fiserv) tend to be secure as hell. Still run mainframes. ibm and unisys heavy iron at most as I recall. So even if an attacker go into a branch, they would probably not get to move any money.
Peoples records on the other hand would probably be easy pickings. Some of these places stored a LOT of scanned stuff on optical jukebox type setups that required no authentication to access. Shocked the hell out of my the first time I had to field service one.
thus endeth my rant, back to counting electoral vote totals
dv
Re:If you build them like I do... (Score:2)
Re:If you build them like I do... (Score:2)
I and a few other people WERE/ARE held personally liable. Not for it getting hacked for any reason, but if it got hacked and it turned out to be due to negligence on our part. Such as doing or not doing something that would allow the system to be compromised. Any piece of the system implemented had to be first approved by security auditors/analysts, etc.
Re:If you build them like I do... (Score:2)
Haha. Of course, I design a play website called "Reflective Puddle of Leaking Mental Ooze" - yep, that definitely points out my mental problems! :) (actually, there's a history to the whole ridiculous name. I needed a DNS entry to point to my IP, my friend who admins DNS for bloomnet just set up three stupid names pointing at it, out of the blue, one of them ooze, so I took it and ran with it. It's not supposed to be anything serious, I do it for fun, just enjoy it and laugh, jeez. :)
Oh fuck, remotely exploitable buffer overflows! Oh shit, the world is going to end! I've never heard of a non-remotely exploitable overflow. AS typical wannabe security guy, they always freak out about buffer overflows. Sure, they are a theoretical weakness, but come on, the chances of overflowing a buffer with obnoxious code and then actually getting the CPU's intruction pointer to execute them with an authorized user ID is just about impossible. The web server account itself does not have enough power to get into anything, it can't even modify files. Gimme a break, is that the best you can come up with. Typical skript kiddie trick.
Oh, yah, 128-bit SSL is bad. Actually, it's not the greatest possible, but it's the best you're going to get without requiring every user to install some proprietary bit of code on every machine, whether NT, Mac, Linux, whatever. It encrypts it hard enough that it's not going to get cracked before the mandatory password expiration kicks in. Beyond that, what are you going to do besides "wow, User A transfered X dollars from account Y to account Z" Yippee. Boring...
But hey, it was funny. Good flame. I liked it. :)
Re:If you build them like I do... (Score:2)
Certificates? Sure, I've been to a lot of classes and read a lot of books, but certificates? Give me a break, I respect them no more than you do.
Banks will like me better? Wow! I can't wait, I'd just love to cut my hair short again and start wearing a suit again for half the money.
All I was pointing out is that Internet Banking can be done, securely. To the point that your biggest weakness is social engineering.
Good people are rare, I dunno where I rank, but I know that if you think that buffer overflows are the scariest thing out there, then...
Ack! I've responded to two flames. I know what that is gonna get me, this is going to be most entertaining. I wonder how long until it digresses into spelling flames and Nazi comparisons? :)
Let the games begin :)
Re:Online Banking is a joke (Score:2)
You've said in other posts (Yes, you, your points are redundant and identifiable, even if you are posting as an AC) the same point about system admins who know this or that are rare. What exactly are you trying to say. If you have a good point, say it. Just saying "Pretty much everybody is a moron" is just restating the obvious.
Why does what I said piss you off so much? Maybe cut back on the methamphetamines a bit!
Re:Online Banking.. (Score:2)
They outsource, that's how (Score:2)
The company I work for is an ISP/Mail/Web hosting for credit unions exlusively, and provide them with the services they don't have the expertise to maintain...anything from encrypted online banking and bill pay, to firewalled internet access and email services.
While I can't divulge exact information for very obvious reasons, they're quite secure, barring a hack at the CU itself. (Someone walks up to a station at an office where some dumb teller didn't lock his/her terminal) The host with all customer info actually sits at the CU, behind our network and two firewalls. A hit to their website hits one server, and if they log in to online banking, it proxies to an SSL server that can ONLY be hit from the web server, which in turn communicates with the datahost at the CU. To actually get customer data, 3 extremely hardened servers and 2 firewalls would need to be compromised. It's not even worth the effort. We don't even see the customer information, as the encryption/decryption take place at the user and CU ends. We've had security audits and penetration tests up the ass (no pun) and have yet to be compromised. Not to mention everything is logged and monitored both onsite and off.
I imagine most banks have a similar setup, though the larger ones utilize their own networks. But to sum up, I guarantee you that your cash is safe...federal regulations require it. If a bank thought their setup was a risk to their network integrity, they wouldn't offer the service...it's just not worth it to them to lose the federal insurance.
Regarding sysadmins and security (Score:2)
I'm willing to bet that this is the #1 reason. And who's fault is it? It's BOTH the sysadmins fault and the company's fault.
The Sr. Sysadmin should be able to, in no uncertain terms, explain to the company the importace and *COST JUSTIFICATION* of proper security, and should also perform proper security audits, and instruct his staff accordingly.
In cases where there is no overall system designer, and some Jr. guy runs the show... that's the fault of the company.
And yeah.. I'm kind of saying that the most important factor (or at least, an equally important factor) about systems administrations is not simply technical knowhow, but procedural knowhow.. knowing how to do your job, which is more than just technical.
Saying 'most sysadmins don't know much about security' has nothing to do with the issue.
"Poor policy" is a better one...
Re:Why. (Score:2)
Re:Big flaw in the UK banking system.... (Score:2)
It gets more difficult if the transactions aren't entered for the same amounts, but you can usually spot the time stamps on the statement.
The bad part on all of this (both the earmarking and double transaction entry) is the fact that the money is out of your bank, and you don't know it until your next statement (and balancing - you do balance, right?). Hopefully, you didn't overdraw by writing other checks or bills, thinking you had one amount, when you really had a bit less (this is where living month-to-month is a bad thing - which I why I always keep a buffer of several hundred dollars in my account).
Of course, there are upsides to everything - I have several transactions still "pending" from several years that didn't hit my bank account. IOW, I went someplace, purchased something, they earmarked it - then never completed the transaction! Free stuff! Several hundred dollars worth from many different places (most out of state). I keep 'em on the books just in case, though...
I support the EFF [eff.org] - do you?
Re:The Myth of Bank Security (Score:2)
bzzz.. actually you don't even need the expiry date. Just enter any date after today's date and it will work fine - try it - go to amazon, put in your credit card number and 12/00 and it will work just fine.
Re:The Myth of Bank Security (Score:2)
My experiences... (Score:2)
You don't get to choose a password. You are assigned a customer ID code and a sheet of one-time PIN numbers. Upon logging into the system, you must give both the customer ID code and the next PIN number in sequence, after which that particular PIN ceases to be valid and you must use the next number on the sheet. This way, even though someone listened in on your keyboard, they can not benefit from knowing your PIN code, since it is never the same.
The same applies when making transfers: on the same sheet with your PIN numbers are a bunch of other PIN numbers which are used for validation. When you tell the system to proceed with your transfer, the computer will query you for a particular PIN number ("please give PIN F") to which you must answer correctly. When you finally run out of PINs, they'll send you a new sheet.
Of course, this whole thing requires that you keep your Customer ID code and your PIN sheet totally separate - and that you keep the PINs secure. But then again, that is what you have to do with your credit card, anyway =).
Of course, the site is protected by 128 bit SSL and the works - so I feel pretty confident about the whole online banking idea.
Compare that to WestPac [westpac.com.au] in Australia, which I've had had the privilege to be acquainted with during the past weeks: single password, which is 6 CHARACTERS AT MAXIMUM and may NOT contain any punctuation marks... And if someone grabs your connection, they can do whatever you want with your account... Eww.
Disclaimer: I am just a customer to these two banks, nothing more.
Re:Because .... (Score:2)
Anyway, Ob. Topic:
So the FDIC presumably (so add salt to taste) has standards that a bank has to be audited to -- somehting like iso 9001 I'd imagine -- concerning data firewalling, air gaps, and the like. I think any 3 out of 10 slashdotters could draft pretty reasonable guidelines.
The problem is x-fold (don't know how many I can come up with) as I see it:
1) The bank has no interest in being any more secure than it needs to be, as long as it is insurable. I'd imagine premiums are flat-rate, and you don't get a cut if you are over-secure. Security costs money.
2) If the FDIC needs to up premiums 'cause too many banks are insecure, it is easier to pass these costs on to customers than to deal with them. All credit cards (and checks for banks) accept that their system is dead-easy to defraud, but that it is cheaper to accept some loss (passed on to customers as fees) than to fix the system. Apparently you need at least $10000 on a check before the signature is verified.
So relying on insurance means that banks can basically turn their insecurity into a systematic cost that everybody else has to pay. It seems to me that the FDIC should reevaluate whether it insures on-line transactions too, at least without very strict security audits.
Unfortunately... (Score:2)
Re:Online Banking.. (Score:2)
----------------------------------
Password? (Score:2)
I don't know what's behind the web interface of *my* bank, but one thing that made me trust them is that they *dont* use regular passwords. Instead it's a pain-in-the-ass-but-safe procedure with one-time passwords from an external gadget.
The web site prompts me two four digit numbers which I enter in the device to get a six digit number back. That is the one-time password.
Even if someone broke the ssl and sniffed a password it would do them no good, since it was already expired.
And if I make any transaction that send money ouside my accounts, i must enter another one-timer, just in case I was stupid enough to leave my computer logged in.
Of course the system can be broken, but I'd worry much more about CC fraud or someone copying the magnetic strip from my ATM card and somehow get my PIN. (looking over my shoulder for example)
Go the easy route (Score:2)
Overconfident in your security... (Score:2)
Last year I "owned" a bank in Florida (that will go un-named) through some pretty well documented issues and the lack of patching on certain servers. Their servers were not only insecure, but the software running on them was insecure. Upon reporting the issues directly to the bank's ceo via phone and then faxing documentation to their offices, they never once contacted me to thank me. I documented ONLY one security issue and how to fix it, but I said there were _many_ more issues and that they needed a security audit.
Even to this day, they only fixed the one issue... I've documented my side in writing... It's their problem if they get hacked and someone starts stealing money from their database... Anyways, my point is that even though I detailed issues in both technical and non-technical forms.... they still did not care too much about security... Does it really take an "evil malicious cyber criminal" to wake a bank up ???
Another issue was this recent IIS Unicode decoding issue that allows escaping of the web root onto the physical hard drive root. Major issue... many banks still exhibit the bug and I've even noticed that some banks exhibiting the but on their financial servers that talk with their databases even have full C: drives... where IIS usually stores logs. So guess what? I am not logged if I go exploit a server where it's Web-logging drive (default win nt install is C:) is full... how convenient!
I am not a "security expert" by any means, I am more a security enthusiast. Even I have been able to see MAJOR issues with banks being online. I will _NOT_ trust any of the banks that I have visited online yet.... there are just too many damn security issues involved.
Most banks don't even use IPSEC inside their firewall, another MAJOR issue.... Some banks run Win9x terminals, install a keylogger and log their whole damn telnet session to their server
Re:Online Banking.. (Score:2)
Ditto, except I think their money-market accounts are mythical. At least, they've lost our app twice, and their tech-support's response to notifying them of this is to send us a boilerplate How To Open A Moneymarket message. Our trust is eroding slightly. It's not as if they've lost our money or anything, though.
Re:Online Banking is a joke (Score:2)
There are several issues that make online banks easy targets:
The only issue that makes them targets is that they have lots of money. They are not easy however...
1. Extreme conservitism - Oftentimes, their internal systems are quite old. While this tends to make their systems quite stable, it also means that they are generally insecure.
Are you living in the 1990's? I don't know of a single bank in the UK that has systems that are in use that are not on sale today. You see, this was this little "Y2K" bug that they had to get rid of, so they had to throw out the old, bring in the new. My cash machine down the road runs Windows NT 4.0. Are you saying they should be on W2K? I don't think you undrestand that there are real advantages to running code a few years out of date - it's been audited. Clever that isn't it?
2. Sensitivity to bad press - online banking systems, when compromised, are often hushed up quickly, due to the fact that the publicity will scare clients away.
Firstly, to hush something like that up is illegal at least in the UK. Secondly, they will own upto it - they want to catch the bastards. A few years ago a few banks got hit by dudes with some EMP blasters, and were blackmailed for a total of £400 million. They hushed it up for a few months, then went to Special Branch. They learnt their lesson that time - now, within a few minutes they will be on the phone. The more we go through this, I'm convinced you're living in 1994 or something.
3. browser ssl - it doesn't matter if the site's key is 128-bit; if the browser functions at 40-bit, then that's the key size used for encryption. This is a problem with all ssl-based connections.
Yeah, this post is definitely out of a timewarp. How many people do you know with browsers that only have 40-bit crypto? You need to tell them to upgrade. How many banks do you know that will accept 40-bit crypto? None. In fact, my on-line banking service loads a Java applet that runs it's own crypto on top of SSL. Go figure.
4. user passwords - people in general are dumb about choosing passwords. They often choose easy to guess passwords. It doesn't matter what security mechinisms you have in place; if a password can be compromised, the cracker has access.
My bank requires me to know the full sort code and account number, a security PIN just for access to that system, and then there are around half a dozen "authentication challenges" along the lines of "First school attended" etc. If you get any of these wrong more than 3 times in a row, the account is locked out, and I then have to phone them up to get it unlocked. The statement "if a password can be compromised, the cracker has access" also betrays your complete and total lack of experience in the security field as well. You have based your whole argument on that sentence without taking into account how big the word "if" is at the start. How exactly are you going to compromise this password then? Brute force the website? I think they might notice. Use 'phf' to get
5. poor sysadmin training - this is the plague of the industry. Most sysadmins don't know much of anything about security. The one's that do are rare.
I wonder if that's why they have something called a "recruitment procedure" that makes sure the admins do know what they are doing. I wonder if that's why the banks spend thousands on training programs for them. I wonder if just possibly those admins have slightly more of a clue than you do.
In your arguments as to why on-line banking is a "joke", you have not come up with one single, solitary argument that stands upto any scrutiny. For you to start mouthing off about security would be a bit like me mouthing off about baseball. I think I know the basics, and I've read some stuff written years ago about it, but in actual fact, I haven't really got much of a clue.
Think and then post!
Re:If you build them like I do... (Score:2)
So you are telling us a bank trusted you as one individual to secure their systems which they put on the internet without audit by a trusted third party?
I have two problems with this:
1) The financial regulators would not approve this business, as it has not been audited 2) No-one in this dear green world is personally liable for the security of banking systems. We are talking about corporate security here, not firewalling some guys @home account.
The rest of your comment sounds believable, but I'm sorry
As someone who has been involved in the regulatory hurdles involved in putting a financial site live in the developed world, I cannot accept some bank took your word for anything: they need to get it approved by the government.
Re:Online Banking is a joke (Score:2)
In actual fact, you will find most banks Core Banking Systems i.e. the bits that actually process banking transactions, whether online or offline, are extremely secure, and running on legacy mainframe platforms.
They do exactly the same thing as they have always done (i.e. move money about), and thus are not usually subject to massive development projects, or huge leaps in technology. Because they don't have to. Online banking merely provides another interface to the core systems, and unfortunately it is the interfaces which are providing easy targets for malicious users.
This happens because:
a: The core system is written in something like COBOL or mainframe assembler, by 40 year old programmers who resist change and have many years of experience, using strong development methodologies
b: The whizzy new web front-end was written by a group of 20 year old graduates who are shit-hot tech-wise, but lacking any discipline, and the whole development is being driven by eager managers who have to commit to the Bank's marketing department ("we wanna go oline NOW!!")
I have years of personal experience of working with Banking systems (as one of those un-disciplined twenty-somethings
Your comment:
3. browser ssl - it doesn't matter if the site's key is 128-bit; if the browser functions at 40-bit, then that's the key size used for encryption. This is a problem with all ssl-based connections.
is also flawed. Most new web servers incorporate "step-up" technology, which will "pull" the client crypto up to the level of the server (don't ask me how
Online Banking is a joke (Score:3) by trog on Wednesday November 08, @12:14PM JST (#25) (User #6564 Info) There are several issues that make online banks easy targets: 1. Extreme conservitism - Oftentimes, their internal systems are quite old. While this tends to make their systems quite stable, it also means that they are generally insecure. 2. Sensitivity to bad press - online banking systems, when compromised, are often hushed up quickly, due to the fact that the publicity will scare clients away. 3. browser ssl - it doesn't matter if the site's key is 128-bit; if the browser functions at 40-bit, then that's the key size used for encryption. This is a problem with all ssl-based connections. 4. user passwords - people in general are dumb about choosing passwords. They often choose easy to guess passwords. It doesn't matter what security mechinisms you have in place; if a password can be compromised, the cracker has access.
Yes, but you can develop screening algorithms, which will force the user to use a god password. And if I find a bank with the old "answer this dumb-ass question to reset your password" option, then I'll walk away.
5. poor sysadmin training - this is the plague of the industry. Most sysadmins don't know much of anything about security. The one's that do are rare.
Exactly! Online banking systems need two things: 1) penetration testing, and 2) more penetration testing to ensure the site is *still* secure.
Unfortunately most institutions (not just banks) have an initial pen-test done to satisfy the financial regulators (as in the UK), and then presume their site will remain secure for ever!!
Anyway: enough rambling!
As I said earlier, most of this comes down to Bank development teams not testing their interfaces thoroughly. This can be proven by the timings of most security breaches: in the UK, it's almost always after a new code upgrade went in!!
See Here [theregister.co.uk] and here [theregister.co.uk] for some gory details!
Re:If you build them like I do... (Score:2)
I was also involved recently in siging-off the architecture for a large UK-based website that offered financial services (but not online banking), and was in a similar situation:
I could easily sign-off the platform, but refused to sign-off the application (aka website).
You can build the best DMZ-oriented architecture in the world, but if the code looks like swiss cheese there's nothing the architecture/dmz/ids/firewalls can do to help you.
Needless to say the site went live anyway: the business "accepted the risk"
Re:Online Banking.. (Score:2)
Unfortunately for the customer, the fantastic on-line deals will cease when the shareholders start wanting returns on their investments (and I mean the corporate shareholders, not the day traders).
Most business models for the online banks work as follows:
Get customers to sign-up and use the services by offering interest on current accounts, little intial deposits, loss leading credit card accounts, and no/minimal banking charges
At some point these banks will have to start repaying investors by actually making money. At the moment every single one of them is still some distance from this goal.
They figure that if they can draw enough customers from the bricks & mortar banks, then eventually they will be able to turn a profit.
Unfortunately (which is the reason we are discussing this!) the average banking customer enjoys the warm feeling they get from actually a) visiting their financial instituions grand palaces, and b) the feeling of cash in the hand.
I think we may well see quite a few
Put your money where your matrace is (Score:2)
Big Rewards : If a cracker succeeds the loot is probably a lot greater then after a successful MyTunafish.com hack. (in theory that is, getting the funds into posession is a whole other issue).
DotCom Greed : In times where banks are no more measured according to their assets, but are taken upon number of customers that bank online, time to market of a system is extremely crucial. So security (the major attribute of banking online systems) gets usually put on a backburner. In fact there aren't that much really good security experts understanding client server systems accessible from everywhere and (save for the servers) with every external component being in a hostile environment. Now a bank, rather then losing a couple bucks of their stock price very often prefers to just rush the system in.
Unsecure Interfaces : Instead of providing dedicated software a lot of online banks rely on web browsers. Thanks to those insightful 'Murican export restrictions on encryption a lot of the world still browses with 40 bit SSL encryption. Every kiddy who just purchased (or ripped off) the Little Crackpot K1dd13s Resource Shareware Kit is able to crack such communications online (or nearly so).
Amount of components :A C/S systems security is as week as it's weekest component. The complexity of system security climbs exponential with every additional component introduced. Due to the lack of qualified people in the field Joe Dork (recently certified MCSE) is suddenly in charge of Unix Systems security without having a clue of course.
There's a variety of more reasons, but those are probably the most important.
The banks on the other hand don't really have to bother since they have that very powerfull tool putting you always into the role of the idiot: The Contract, Service Agreement or the TOS. Did you read it ? Did you find the part where it states that No matter what happens, it's ALWAYS the customers fault (possibly followed by) unless you can provide proof for gross negligence by the bank (Good Luck).
Banks have a huge interest to get you to bank electonically. An electronic customer is the teller, the datatypist and the bank building in person. The cost savings are amazing. As long however those greed-freaks in conservative suits push the entire risk into my general direction I happily invite them to shove their service agreements up their rectums...
Re:The Myth of Bank Security (Score:2)
Reading this post, I started off appalled. Than I realized they were talking about credit card numbers, not PINS. The credit card data is semi-public information, and there are a number of people that have a legitimate need to see credit card data with our current system. The requirements to protect credit card information are comparatively recent (people only started worrying about carbon copies in the late 80's). This has worked OK, until the internet started connecting everything.
Wrong or right, the credit card system relies upon weak authorization systems (what you have, not what you know or what you are). This means they have a high rate of fraud, which is factored into the system costs. Given today's point of view, I'm not surprised that they found a lot of weaknesses. Start with the first and worst credit card problem, which QuantamG did not event think to criticize: the authentication data is public (kind of like the US designing the Social Security Number without a check-digit). If they used some additional data (like a PIN), many of the issues he complains about would be moot (you could find customer lists, but not really commit fraud). The whole credit card was designed around this principle.
Perhaps ironically, Australia has some of the best requirements for POS security when it comes to PIN, the AS-2805 standard. This covers both physical and logical security for POS terminals that handles PINS (often called PINpads). Since AS-2805 was so stringent, Australia ended up with some of the most secure (and most expensive) PINpads around. The PIN encryption was single-DES based, but so was everyone else. Since anything on the magnetic stripe was considered public data, the POS requirements did not spend any effort trying to keep it secret. They only added message integrity protection in the early 90's. A great deal of time and effort was spent on key management (still a major issue today, even with public keys).
An Aside: I worked for a company that used to sell some of the most secure PINpads around. We left the business, because among other reasons, security as a feature did not sell (we found superior usability and security were not worth a $5 premium for a $200 product in the USA!).
Canada (Interact) started out with good security requirements, but kept on relaxing them requirements so the influential members could buy cheaper, and less secure PINpads. I think Interact gave up on their original PINpad security requirements about the time we left the business. Australia, unless they have caved since, was one of the few places that required all PINpads to be at the highest level of security. We never sold POS terminals there, because the market was too small to justify the expense of implementing AS-2805 routines into our product.
Re:The Myth of Bank Security (Score:2)
You jumped in before I had a chance
It has been interesting following the posts regarding the safety of online banking - I guess this is where the technical ability and interest of most of the "posters" lies - but ATM/POS systems are far less secure. For the most part they depend on technology that is over 15 years old - the mention of the single length DES key is a good example; it will remain in widespread use until the Euro-Mastercard-Visa mandates require triple-DES encryption next year.
However, I think the important point that this raises is that banking is not, nor has it ever really been, that secure. The simple fact is that most banks accept the loss - they know they will be de-frauded/robbed of money, no matter what measures they introduce. (To paraphrase another post "they knew it was insecure, and yet they did it anyway".)
Whilst this offends techies to their deepest of deep-bits, in the end it is not our decision, it is up to the people who hold the purse-strings - I guess this is what actuaries get the big bucks for. (Fraud detection systems are all the rage now; note that the majority of these catch transactions after they are completed, not online. Hotcard the card involved, and issue a new one - this is how they work.)
Banks know that the vast majority of people don't have the cabability to crack them wide open - if they did, there are far easier ways than some of those that I have seen mentioned today. Who cares about SSL when, for example, there is an ATM/POS transaction type specific to "mail/telephone" orders
Banks are service providers, consumers demand a service, and as a defensive measure, banks will provide it. The profit in doing it is worth more than the loss from fraud. Not all downtown bricks and mortar banks are secured like the American Fort Knox, remember, it's just not worth it.
Further, limits exist on most credit/debit cards, you can't do 1/1.2 million dollar transactions - on most cards. You have to keep going back, in which case, as fraud detection improves, you'll find that your transactions are noticed much sooner each time. Fraud detection is neural net based, nowadays.
(And by the way, derision for the security employed by the Australian banking system is not really justified. I have been consulting worldwide in the electronic banking industry for the last three years (and worked for 6 years in Australia prior to that), and the ATM/POS network there is, at the very least, consistent with those utilised elsewhere. I'm sure it won't take long for internet banking there to exceed international standards either.)
At the end of the day, locks really do only keep honest people honest.
Online banking is too convenient (Score:2)
Re:For what it's worth... (Score:2)
Re:Online Banking is a joke (Score:3)
If it's a half-way intelligent banking system, they'll have the system set up to ONLY accept 128-bit browsers. If you can hit your bank with an old version of 40-bit Netscape, time to bail!
For what it's worth... (Score:3)
No matter how careful they are, sooner or later somebody is either going to find or stumble upon some back hole into the system, whether it's some nasty SQL that's output that's displayed to the user or just a random glitch.
Re:Regarding sysadmins and security (Score:3)
In a regulated organisation like a bank, it is most definitely NOT the sys admins (whether senior or otherwise) who should be doing this: it's the Security Manager
While I fully agree the sys admins should all be security minded , this should be backed up by clear directives (policies/standards) written/approved by a security manager, who has the time and the high-level clout to act.
It's the application stupid! (Score:4)
Just spent a fortune on that cool network IDS system? Great, well guess what, SSL renders it useless because you can't watch encrypted traffic! So now the hacker is hacking securely as they come right through your firewall on port 443 and just mucks with your web site while you have no clue what's happening.
It's an accepted fact that all code has bugs, your web site is based on code, it has bugs, and it's only a matter of time until the hacker finds a way to exploit them, and most of the time you won't even know.
The problem requires a new approach, you need an web application layer IDS, and this is not entirely a easy thing to do. You have to be able to understand the application in real time and process the SSL transactions yourself, in essence you end up with a very smart (and hopefully fast) reverse proxy. There is only one company out there (www.sanctuminc.com [sanctuminc.com]) that's doing anything at all to solve this problem and they are worth checking out if you are really serious about locking down your web site.
Until the banking world grasps the real problems of application security, sites will continue to get hacked and defaced. Go ahead, hide behind your firewall, your SSL, your IDS, I'm going to come in, right past all of it, and rip your web application to shreds while you watch your firewall and IDS logs - and see nothing.
If you build them like I do... (Score:5)
We built that system as impenetrable as we could. Extreme security, multi-level DMZ design, black IP, major intrusion detectors, dead-end fake IP subnets, quite a few traps and, uh, planted 'distraction', and of course 128-bit SSL. It's been running for almost two years now, and noone has come close to hacking it. The firewalls and intrusion detection software usually record several attempts per day, usually just script kiddies, once in a while a 'real' cracker. But nobody has ever got in, and if someone did, I would definitely be one of the first to know.
We even hired some top-of-the-line, extremely good professional hackers, and they were only able to gleam the tiniest amount of information about the topology of the network.
The only bad thing about the bank site is that the HTML coders have made one of the ugliest, lamest sites I've ever seen. They sure could have done a better job, but it's at least usuable and extremely secure.
I use it myself, and feel safe doing so, especially as I implemented a lot of the security myself, very very carefully, as if I made an idiot mistake I would be held PERSONALLY liable. Kinda scary knowing how many billions of dollars are in that bank, and it's my ass if they get through. But I'd be very very surprised (and very respectful of the person) if anybody actually got through!
I don't know about other banks, but this one is tight. (Sorry, I cannot disclose which bank it is without written permission from them, or I'd be happy and proud to tell you.)
As far as the one bank someone was talking about that didn't even use SSL - you'd better find yourself a new bank - FAST!
Online Banking is a joke (Score:5)
1. Extreme conservitism - Oftentimes, their internal systems are quite old. While this tends to make their systems quite stable, it also means that they are generally insecure.
2. Sensitivity to bad press - online banking systems, when compromised, are often hushed up quickly, due to the fact that the publicity will scare clients away.
3. browser ssl - it doesn't matter if the site's key is 128-bit; if the browser functions at 40-bit, then that's the key size used for encryption. This is a problem with all ssl-based connections.
4. user passwords - people in general are dumb about choosing passwords. They often choose easy to guess passwords. It doesn't matter what security mechinisms you have in place; if a password can be compromised, the cracker has access.
5. poor sysadmin training - this is the plague of the industry. Most sysadmins don't know much of anything about security. The one's that do are rare.
The Myth of Bank Security (Score:5)