The online banking systems offered by the Lloyds Banking Group (including Bank of Scotland & Halifax) and the Royal Bank of Scotland Group (including Natwest, Royal Bank of Scotland & Ulster bank) are vulnerable to an attack which allows an adversary to
commit financial fraud. More precisely, the login systems used by these banks to authenticate customers are coupled with credential recovery mechanisms which allow customers whom have forgotten their username/password to login; however, these secondary authentication
mechanisms are insecure due to their complete reliance on publicly available information. It is therefore possible for organised criminals to steal funds from customer accounts. In addition, the attack compromises the financial privacy of customers (a similar
vulnerability has previously been found with
Barclays online banking).
These failures are particularly interesting to the design of online banking systems and legal cases in which customers are found liable for fraud. In these cases banks may refuse refunds by asserting negligence or blaming the customer for fraud. Indeed,
Which? magazine has reported that twenty percent of customers are not refunded after claiming to be fraud victims. In some of these cases the banks may attribute blame on the basis of audit trails which suggest a customer authenticated using online banking
systems. These attacks demonstrate that audit trails associated with such authentication mechanisms are insufficient to attribute blame and may help explain cases in which customers have been charged for fraudulent transactions, even when customers are adamant
that they did not authorise such payments. These attacks are being published to ensure fair judgement of fraud cases, push for public policy changes which hold banks accountable for the systems which they have designed and ultimately help bring an end to unfair
banking practices.
The full details are available:
http://www.bensmyth.com/publications/10-forgotten-your-responsibilities/