22 October 2014

Dean Procter

Dean Procter - Transinteract

326 | posts 922,991 | views 466 | comments

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.
A post relating to this item from Finextra:

Security flaws plague majority of e-banking sites - research

23 July 2008  |  10588 views  |  0
Over three quarters of banking Web sites contain fundamental design flaws that could put customers at risk from cyber thieves, according to a study conducted by researchers at the University of Michig...

Security flaws on bank sites - no surprise.

23 July 2008  |  4250 views  |  0

The University of Michigan study comes to similar conclusions to our own study - most banks have serious problems. What can I say? There's the easy way and the hard way and it appears are a multitude of wrong ways.

It doesn't bode well for banks wishing to make customers liable for internet banking losses.

I mentioned this recently but I guess that now there's academic confirmation, someone might have a peek at their sites? It's probably cheaper than the bad publicity associated with losing a legal battle with a customer. We're sure you'll still miss plenty to be embarrassed about later.

What's that old tale about 'glass houses'?

TagsSecurity

Comments: (1)

Dean Procter - Transinteract - Sydney | 24 July, 2008, 15:12

I assume that everyone one now knows about the long known about critical flaws in the Domain Name System which ISP's everywhere are scrambling to 'fix'. This is one of those issues which fundamentally makes the internet totally unsafe, ie. no big deal  to 'poison' your ISP's DNS server and your computer to think that hacker.com is really bank.com and trojan-download.com is operating-system-update.com or even hackerscertificate.com is secureservercertificate.com.

This type of flaw makes it a simple matter to steal anyone's logon details without any trace of a trojan or virus on the target machine and even the ISP's DNS server through which the attack is performed can be 'cleaned' after you have stolen the target's credentials. ie. poison dns, point target to evilbank.com server instead of goodbank.com and get logon details do man-in-the-middle or whatever and 're-poison' the DNS with genuine data.

It probably plays havoc with any form of remote access authentication or certification dependent on the internet network. Chinese hackers have been boasting  "所有您的DNS 屬於我們!" or "We own your DNS!" so it's not as if the flaws weren't known to at least some goodies and baddies. Dan Kaminsky may have publicised that there is a way to reduce the complexity of the attack by reducing the effectiveness of 'randomised' data used in the DNS system and make the previously known attacks particularly easier to accomplish. The spooks have probably been using it as a very effective tool for years without the need for their own botnet to launch it.

Just because a big noise has been made about it doesn't mean that all the DNS problems will suddenly be fixed. It will take a lot of work from service providers to tackle even part of the problem for their users and some approaches may still leave many network appliances, including some home routers, vulnerable to the weakness.

Several full blown exploit tools using it are available to anyone who really wants them, so the issue is now even more critical, however it is probably better that some move is being made to focus on fixing one of the major problems of the internet. A little imaginative browser plug-in might also help.

I'm not particularly keen on publishing the details of flaws and they take time, energy and wildly varying levels of intellect to find so why expect anyone to fix or even critique flawed software or systems for free, or even tell the company concerned that the flaw exists?

The idea of paying independent 'consultants' who discover weaknesses in your product is of course not open to some modern software vendors who release products which barely work, let alone get tested for flaws, so payment for after sales 'consultation' would ruin most of their budgets. The popular approach is hope someone puts the effort in and tells you for free by blabbing it on a blog site before any particularly embarrassing incident occurs.

Even many of the supposedly 'invisible' Lawful Interception and filtering appliances on networks are not always quite so invisible to the wizards , so even those may be open to some form of misuse. The DNS poisoning weakness might for instance, be used to exploit a network appliance which connects to the manufacturer's site.

There were a few particular incidents of this attack which put a scare into some security vendors over the last year or so and the response has basically been green bars and window dressing.

I wouldn't be breathing a sigh of relief just yet.

The question of who should be liable for internet banking transactions remains contentious, but if the banks know these problems exist with the vector they use to deliver their services then where are the ethics in offering internet banking on any other terms than 'at your own risk' in bold letters? Of course that might seriously impair the profit margins when the customers correctly chose not to use internet banking at all.

Having told customers that it was safe, when it never really was, and then when it becomes too obvious that it isn't safe, switch the liability to the customer who'll hopefully still be conditioned to believe that internet commerce is safe. I am not satisfied that it is safe if it's just because no-one has bothered to steal from me yet, or the odds of someone bothering might currently be low.  Perhaps I am a conservative, but that doesn't sound like my idea of what a bank should be offering.

There are probably better ways to build trust.

I might add that we designed our system with knowledge of things like this in mind and it isn't vulnerable to this inherent and probably not entirely fixable weakness in the internet network. A user would know they weren't at the right site and so would we.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Dean

It makes perfect sense of course, to have a Plan

03 October 2013  |  2415 views  |  0  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

iPhone fingerprint scanner broken by Chaos

22 September 2013  |  3001 views  |  3  |  Recommends 0 TagsSecurityMobile & onlineGroupInformation Security

Did I mention, 'your dongle dongle is impotent'?

22 September 2013  |  2378 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInformation Security

Thank you Andrew Haldane

31 October 2012  |  4623 views  |  0  |  Recommends 0 TagsRisk & regulationRetail bankingGroupWhatever...

NATO persecution update

06 July 2011  |  7856 views  |  0  |  Recommends 0 TagsSecurityGroupWhatever...
name

Dean Procter

job title

CEO

company name

Transinteract

member since

2008

location

Sydney

Summary profile See full profile »
Ubiquitous mobile phone based payments, ID, transaction authentication, mobile wallet and transpo...

Dean's expertise

Who is commenting on Dean's posts