How password recovery threatens online banking security

The online banking systems offered by the Lloyds Banking Group (including Bank of Scotland and Halifax) and the Royal Bank of Scotland Group (including NatWest, Royal Bank of Scotland and Ulster Bank) are vulnerable to an attack which allows an adversary to commit financial fraud. More precisely, the login systems these banks use to authenticate customers are coupled with credential recovery mechanisms that allow customers who have forgotten their username or password to log in; these secondary authentication mechanisms are insecure because they rely entirely on publicly available information. It is therefore possible for organised criminals to steal funds from customer accounts. The attack also compromises the financial privacy of customers (a similar vulnerability was previously found in Barclays online banking).

These failures are particularly relevant to the design of online banking systems and to legal cases in which customers are held liable for fraud. In such cases banks may refuse refunds by asserting negligence or accusing the customer of fraud. Indeed, Which? magazine has reported that twenty percent of customers are not refunded after claiming to be fraud victims. In some of these cases the banks may attribute blame on the basis of audit trails which suggest that the customer authenticated to the online banking system. These attacks demonstrate that audit trails produced by such authentication mechanisms are insufficient to attribute blame, and may help explain cases in which customers have been charged for fraudulent transactions even when they are adamant that they did not authorise the payments. These attacks are being published to ensure fair judgement of fraud cases, to push for public policy changes that hold banks accountable for the systems they have designed, and ultimately to help bring an end to unfair banking practices.
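The two points above, that a recovery path built only on public facts reduces the whole login system to that path's strength and that an audit entry produced by such a path cannot prove the customer acted, can be checked mechanically. The following is an added illustration, not code from the original post or from any bank: the factor lists, the `Knowledge` classification and the two example systems are hypothetical and do not describe any real bank's recovery flow.

```python
"""
Toy model of an online-banking login system that has two ways in: the
primary username/password path and a credential-recovery path.  All factor
names and the two example systems are constructed for illustration and do
not describe any real bank's flow.
"""
from dataclasses import dataclass
from enum import Enum


class Knowledge(Enum):
    PUBLIC = "public"          # discoverable from public records or social media
    SECRET = "secret"          # known only to the customer (password, memorable word)
    POSSESSION = "possession"  # needs a registered device, card reader or phone


@dataclass(frozen=True)
class Factor:
    name: str
    kind: Knowledge


@dataclass(frozen=True)
class AuthPath:
    name: str
    factors: tuple  # of Factor


@dataclass(frozen=True)
class LoginSystem:
    name: str
    paths: tuple  # of AuthPath

    def path_by_name(self, name):
        for p in self.paths:
            if p.name == name:
                return p
        raise KeyError(name)


def needs_only_public_data(path):
    """True if an outsider holding only public facts about the customer
    satisfies every factor on this path."""
    return all(f.kind is Knowledge.PUBLIC for f in path.factors)


def public_data_paths(system):
    """Names of every path an outsider could complete with public data.
    A non-empty result means password strength on the primary path is
    irrelevant: the system is only as strong as its weakest path."""
    return [p.name for p in system.paths if needs_only_public_data(p)]


@dataclass(frozen=True)
class AuditEvent:
    account: str
    path: str       # which AuthPath produced the session
    outcome: str    # "success" or "failure"


def attributable_to_customer(event, system):
    """An audit entry shows the *customer* acted only if the path it records
    demanded something an outsider could not have obtained.  A successful
    login via a public-data-only recovery path proves nothing about who was
    at the keyboard."""
    if event.outcome != "success":
        return False
    return not needs_only_public_data(system.path_by_name(event.path))


# Constructed example systems (hypothetical factor sets).
PRIMARY = AuthPath("primary", (
    Factor("username", Knowledge.PUBLIC),
    Factor("password", Knowledge.SECRET),
))

WEAK_RECOVERY = AuthPath("recovery", (
    Factor("date_of_birth", Knowledge.PUBLIC),
    Factor("postcode", Knowledge.PUBLIC),
    Factor("mothers_maiden_name", Knowledge.PUBLIC),
))

HARDENED_RECOVERY = AuthPath("recovery", (
    Factor("date_of_birth", Knowledge.PUBLIC),
    Factor("one_time_code_to_registered_phone", Knowledge.POSSESSION),
))

WEAK_SYSTEM = LoginSystem("weak", (PRIMARY, WEAK_RECOVERY))
HARDENED_SYSTEM = LoginSystem("hardened", (PRIMARY, HARDENED_RECOVERY))


if __name__ == "__main__":
    for system in (WEAK_SYSTEM, HARDENED_SYSTEM):
        print(system.name, "public-data paths:", public_data_paths(system))
        event = AuditEvent("acct-0001", "recovery", "success")
        print("  recovery-login audit entry attributable to customer?",
              attributable_to_customer(event, system))
```

The design choice worth noting is that `attributable_to_customer` looks at the path recorded in the audit event, not merely at the outcome: a log that records only "authenticated: success" without the path taken cannot be evaluated this way at all, which is the situation the paragraph above describes.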

The full details are available at: http://www.bensmyth.com/publications/10-forgotten-your-responsibilities/

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
