Bank accounts in online security scare

[SDK]

British Internet bank Cahoot has plugged a flaw in its online security that could have enabled people to move freely in and out of other customers' accounts.

Cahoot took the site down for 10 hours while it fixed the flaw, a representative for Abbey, Cahoot's parent financial institution, said. The problem was likely the result of an upgrade 12 days ago. During the outage, the previous system was put in place, independently tested by Qinetiq and found to prevent the breach--indicating it was the systems upgrade that was responsible.

The vulnerability was discovered by a customer who had bookmarked areas of his online bank account, Abbey said. The customer was then able to access those areas on future visits to the site without entering anything other than a user name.

When the customer began tinkering with the site, he noticed he was also able to access other customers' accounts simply by guessing user names and then moving to a bookmarked page.

The process of guessing user names is far from rocket science, given the likelihood of there being a number of variations on popular names such as John Smith or Jill Brown.

Security consultant Neil Barrett said that he had witnessed a number of tests of this method in a controlled environment. He confirmed that a common name, entered in the last name-first initial format, had yielded instant access to one account. Barrett also said he was shocked at how easy it was.

He added: "I think the ease with which it was possible to access these accounts may have been Cahoot's saving grace. It was so very simple, it is likely it fell below the radar of the hackers."

It's not uncommon for wannabe hackers to surf secure Web sites where they remove and replace parts of the URLs to try to gain access to accounts. Barrett said there was no specialist knowledge required in the Cahoot instance.

However, the Abbey representative said that the customer who discovered the flaw has been in touch regularly with the bank in the past "raising various security issues, all of which have been answered to his satisfaction."

Barrett believes Cahoot may not be only bank affected. He warned other financial institutions that have adopted the same system could "be open to the same level of exposure."

Source : http://news.zdnet.com/2100-1009_22-5440931.html

It was so simple, I feel right into script kiddie hand!

[Sun]

Really shocking...

more and more security patches.. more and more bugs..

[littlenick]

attempts to try and hack banks are increasing.
hackers need deep knowledge of working of any banking system in order to try to hack them.
they are using banks employees to do exactly that.security in banking system is usually high.but there are ways to bypass that one of them is using trojans anather is called the mathod of code cracking.
java class files can be converted to asm codes and in case client side authorization is used u can bypass that.even if all the security authorization is done on server side any security breach in the web server or for that matter any security bug that allows you to download java class files used for authentication allows attacker to gain an understanding of file system what database files are used for authentication and even encryption algorityhm.

what SDK said is really shocking.still a online bank robbery has not been reported till now(atleast in recent years)but it is always on cards.

[sam2k]

there is lack of secrity firewalls..........and now a days cisco concentrator(hardware) is also being used...it is more sercure than any other sercurity firewalllssssssssssss..............

[SittingDuck]

there is lack of secrity firewalls..........and now a days cisco concentrator(hardware) is also being used...it is more sercure than any other sercurity firewalllssssssssssss..............

Did you replay to the wrong thread or something , or possible you work for cisco?

Back to the matter in hand

Even the vulnerability did allow an attacker to steal money, where would they send it? There own account? Once the money moves it becomes very easy to track.

SittingDuck

[Cybr1d]

hackers need deep knowledge of working of any banking system in order to try to hack them.
they are using banks employees to do exactly that.security in banking system is usually high.but there are ways to bypass that one of them is using trojans anather is called the mathod of code cracking.

What is even scarier is that hackers could get employed in a bank and work from the inside. Once inside, a hacker could very easily learn the procedures, usernames and passwords used, IPs that the bank uses to connect into the main server, or drop a trojan onto the bank's computers. Quite often the computers used in many banks are not always up to date and many run on Windows 98. Banks do not upgrade their computers very often because the software they generally run does not require a lot of resources from the computer so its cheaper for them to keep them as they are. The AV software banks use is not quite up to date neither simply because quite often all the computers pass through a firewall and everything gets blocked there. Generally employees do not have internet at their terminals although lately a lot of banks which have started upgrading their systems to faster machines and broadband connections to the internet, have started allowing some of their employees to connect to the net.

Most computers have a live connection to the net, its just disabled on the machine itself, and a hacker could very easily enable the internet and do his thing. Also, bank tellers are often not the sharpest knife in the drawer when it comes to technology and that would give the hacker better chances of not getting caught although more and more people are getting educated. BTW, i'm talking about banks in the US> East Coast to be more precise.

[Ghost_25inf]

Originally posted here by Cybr1d
What is even scarier is that hackers could get employed in a bank and work from the inside. Once inside, a hacker could very easily learn the procedures, usernames and passwords used, IPs that the bank uses to connect into the main server, or drop a trojan onto the bank's computers.


Most computers have a live connection to the net, its just disabled on the machine itself, and a hacker could very easily enable the internet and do his thing.

I worked for a bank once and if a Hacker did get hired he wouldnt have access to that information untill he hit admin status and Im not talking logon status either. Bank computers dont all run on internet, infact they are more up to date than you think. Most banks run on a Token ring connected to other branches thru a Ring of Fiber optic cable and the banks that are out of the metro area they run on VPN.

Trojans dropped within a system will automatically be detected and the Admin would be notified of who planted it so the Inside job just doesnt pan out.

[Cybr1d]

I worked for a bank once and if a Hacker did get hired he wouldnt have access to that information untill he hit admin status and Im not talking logon status either. Bank computers dont all run on internet, infact they are more up to date than you think. Most banks run on a Token ring connected to other branches thru a Ring of Fiber optic cable and the banks that are out of the metro area they run on VPN.

Trojans dropped within a system will automatically be detected and the Admin would be notified of who planted it so the Inside job just doesnt pan out.

You'll be surprised ...or maybe you wont.

[morganlefay]

Of all the banks in Canada..I think the RBC is putting the most money into security.

I have attended security seminars hosted by RBC and know a person the works for the bank as a Financial Advsor .

RBC has several passwords to login, also the user is not an administrator...or power user and the system is not a default install. At one point they didnt have Interenet access and had to use a direct dialup to the bank...(I beleive that has changed now)

Any tranasaction has a username and a password generator that changes every 15 seconds which is outside the computer on a handheld device.

You have to enter a minimum of 7 username\passwords before you even get there...all unique...and not every employee has this type of access. I think it all depends on your job function....and you are monitored..no doubt about it

Also all attachments are striped and quarrentined scanned\monitored before it gets beyond the firewall.... and most dont even get through..even by renaming.


I think all bank customers should know what measures and levels of security are used to protect thier money....cause I was pretty unimpressed when the person approving my last mortgage...was processing it on a 98 machine

But hey...I got a good rate...and do not do any online banking....yet...and here in Canada the Banks are insured to the nines...(not sure bout the rest of the world)

MLF

[RoadClosed]

In the US if an admin has access to financial files, the bank will be come under scrutinty from the FFEIC and it's underlings. The real dangers in a bank are the Tellers and people NOT REMOTELY associated with IT. There are accounting procedures in place that have been there for decades that catch fraud and sometimes the criminals are smarter than the accountants and they get away with a little bit. MUCH MORE is stolen from bank robberies every year and bank officers printing out customer contact sheets when they leave for those greener pastures at other competing banks. Just putting a persepective on things. The danger lies in quick implementations of on-line banking facilities. But ebay and email accounts are more lucritive at the moment. Regulations are geared toward protecting privacy versus monetary assets because there are human controls in place for every online action involving money transfers.

If you work in a bank were IT has actual access to transfer a money ammount with no oversight then it's either very small or it's on the verge of being shut down.