No safe place on the Web
08 November 2004 | 13370 views | 0
Source: Finextra Research
The recent security breach at UK Internet bank Cahoot prompted a sympathetic response from a publicity-shy Finextra Web developer.
It's commonly accepted that software tends to expand to fill the available space, but the more code there is, the more the potential exploits for the hacker.
In the mid nineties I would sit in front of a humble 386-based Windows PC running Word, playing a CD, accessing my email and experimenting with some new fangled thing called the World Wide Web. I would encounter the occasional bug and the occasional virus. My Macintosh-wielding colleagues in the next office did similar things and would mock my "clunky, virus-attracting" PC. In the mid noughties I do roughly the same tasks at roughly the same speed on a machine that would have seemed impossibly powerful back then. I was a little short of disk space back then and I am now. And yes my colleagues with Macs still mock my "clunky" PC as well as pointing out the number of viruses I am at risk from.
While today’s software may be crammed full of fantastic extra features, it also seems just as buggy as the stuff I used ten years ago. Modern systems tend to have more lines of code and although this doesn't map directly to the number of bugs, it is true to say that the bigger and more complex it is, the more likely it is to have soft spots and undetected security loopholes.
I could live with the occasional crashing application but unfortunately these days there's a whole raft of people dedicated to finding these inherent weaknesses and using them to their advantage.
Take for example the legions of zombie PCs, running unpatched copies of Windows and operated by Net novices who are perhaps wondering why their operating system seems a little sluggish. Chances are their machines have been hijacked and are busily carrying out some of the mass spamming or denial of service attacks that are creating havoc on a daily basis. It's easily done, just plug a vulnerable PC into an Internet connection and it can be a matter of minutes before it's "owned".
Given the problems of keeping one home computer up and running, you begin to feel genuine sympathy for the people tasked with protecting complex IT systems.
Even here at Finextra, our server logs regularly pick up evidence of malicious third-party probes and ‘DDOS-lite’ style attacks. We have to be constantly vigilant - it only takes a slight mistake in implementation to open a backdoor to those who hack for profit, status or just curiosity.
Internet banks have a particularly hard time. They operate around the clock and must perform the delicate balancing act of meeting customer expectations for ultra-tight security while pandering to demands for convenience and easy access. When they fail, the reputational damage can be severe.
So it is with Cahoot, the UK-based Web bank which last week was forced to admit to a major security breach that allowed customers to access other people's accounts without using a password. The problem, apparently caused by a routine systems upgrade, went undiscovered for 12 days. The Cahoot Web site was eventually taken offline for a day for ‘maintenance’ purposes.
Poor practice aside, Cahoot’s biggest mistake may have been to try to cover up the gaffe. On Internet message boards, disgruntled customers took the bank to task for failing to inform them of the dangers.
This posting on the BBC Web site was typical.
“Um .. I'm a Cahoot customer and this is the first I've heard about it! I realised their site went down for maintenance on Thursday but I never received any communication from them informing me why or that there was a potential security risk. It annoys me that I have to rely on the media to inform me about security flaws with my own bank account.”
Says another: “It's quite astounding to me that Cahoot has not informed its own customers of this severe breach of privacy. There is not even a notice on the login page.”
For businesses and individuals operating on the Web, security weaknesses are a fact of life and nobody – not even an Internet bank – can guarantee 100% protection. Given these problems, the reputational damage suffered as a result of a security breach need not be crushing – it all depends on how you manage the fall-out.