Thursday, November 13, 2008

Online banking is teh broken

It's been all security, all the time here, but I'm still way behind on big security news. It's that online banking is possibly very broken, the banks likely don't know, and the result is that you simply can't know that your online bank account can't be emptied.

Now I was trained by the finest minds in the Fed.Gov to be paranoid, but this case doesn't need anything so extreme. What you need is the Internet equivalent of "drive defensively." If someone steals one of your credit card numbers, this is seen as a cost of doing business by the card issuers, and you're likely not exposed to a lot of liability (operative word is "likely"). If someone can get into your bank account, then there's much, much more ripple effect: since most of us have more than one credit card, you have options if one suddenly hits its limit because of fraudsters. If your bank account is cleaned out at 9:00 on Friday evening, it's going to be interesting for you, and not in a good way.

Here chez Borepatch we simply won't do online banking, because I'm not convinced that banks have sufficient security in their online systems to stop massive fraud, or have processes in place to identify and react to it. In short, I'm quite unwilling to be a guinea pig for their new Web 2.0 e-Portal.

You shouldn't, either. The reasons include:

The Internet applications that banks are putting online are rushed into production, and therefore are probably not well tested. The Executive VP of online banking is in a hurry to "take the company 'e'", so time's a-wasting. It's hard enough to do basic functionality testing (do all the widgets work?), let alone figure out if security is well implemented. At the extreme, security isn't an afterthought; it isn't thought of at all.

The Web 2.0 technologies that techies love so much (and which provide such a cool user experience) are brand new. People really don't know what the security implications of these technologies are. But everyone uses them anyway. How secure is the app? How would someone find out? How would you find out? Unfortunately, the answers are [sound of crickets chirping].

Credit card companies have been dealing with card fraud for decades. They understand how to find patterns much, much better than banks do. If you include telephone credit card ordering, the card issuers have been dealing with fraudulent orders for 30 or 40 years. Some of the most sophisticated data mining applications are in use at Visa and MasterCard. Banks are new to this - if someone figures out how to transfer cash from online accounts, do they know how to identify this? Not clear at all.

It's getting worse, not better. Jeremiah Grossman is one of the smartest web security guys around, and he's done some very interesting analysis. If you're still hot to bank online, you should follow the link and watch his presentation on how the Bad Guys are making tons of money from exploiting the lousy security here.
The premise for the “Get Rich or Die Trying” presentation was looking forward at the next 3-5 years considering that we’re probably going to see less fertile ground for [several attack techniques] to be taken advantage of – that is if the good guys do their job well. So the bad guys will likely focus more attention on business logic flaws, which QA overlooks, scanners can’t identify, IDS/IPS can’t defend, and more importantly issues potentially generating 4, 5, 6 or even [7] figures a month in illicit revenue. In many ways though this is sort of like predicting the present since just about every example we gave was grounded with a real-world public reference and backed by statistics. We also wanted this presentation to be very different than what most are used to at BlackHat that tend to be deeply technical, hard to follow, and often dry. And while everyone in webappsec is transfixed on JavaScript malware issues, we chose another direction.

We designed a presentation meant to be a lot of fun, that taught things anyone could do, and perhaps by the end might have people questioning their ethics. Judging from much of the feedback I think we might have succeeded on the last point. :)
The slide show will show you how to stuff the ballot box in online polls, how getting someone's password is increasingly easy (Hello, Gov. Palin), how to get someone's GPS location from their cell phone (over the web), and (most importantly) how someone can hack your bank account.

The common theme? Lousy security in the web applications. Slide 39 is simply unbelievable, about an actual online banking service that they were hired to test:
How to hack 600 banks ...

- We changed acct_id to an arbitrary but valid account #, and the error said Account #X belongs to Bank #Y

- We then changed the bank_id to #Y, and the error said Bank #Y belongs to client #Z

- We changed the client_id to #Z, and you could drop into anyone else's bank account, on any bank, on any client
The banking service's response? Comment out some of the HTML, "until someone can get around to fix things." Yikes. Some things you really really can't fix with duct tape.
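To make the slide's bug concrete, here is an added example (my own illustration, not code from the slides or from any bank): a toy account-lookup handler that trusts the acct_id, bank_id and client_id from the request and explains every mismatch in its error text, beside a hardened version that derives ownership from the server-side session and keeps a record of failed lookups for monitoring. All ids, sessions and balances are constructed.

```python
from collections import defaultdict

# Constructed fixture: one bank (Y) owned by one client (Z), holding account X.
BANKS = {"Y": {"client": "Z", "accounts": {"X": {"balance": 1200}}}}
# Server-side sessions record which bank and accounts each login actually owns.
SESSIONS = {"sess-alice":   {"bank": "Y", "accounts": {"X"}},
            "sess-mallory": {"bank": "W", "accounts": {"M"}}}
FAILED = defaultdict(set)  # session -> set of account ids it failed to open


def lookup_vulnerable(session, acct_id, bank_id, client_id):
    """Mirrors the slide: the handler checks only that a session exists, then
    trusts every id in the request and describes each mismatch in its error,
    so the ownership chain can be walked one parameter at a time."""
    if session not in SESSIONS:
        return ("error", "not logged in")
    bank = BANKS.get(bank_id)
    if bank is None or acct_id not in bank["accounts"]:
        owner = next((b for b, v in BANKS.items() if acct_id in v["accounts"]), None)
        return ("error", f"Account #{acct_id} belongs to Bank #{owner}")
    if bank["client"] != client_id:
        return ("error", f"Bank #{bank_id} belongs to client #{bank['client']}")
    return ("ok", bank["accounts"][acct_id]["balance"])


def lookup_hardened(session, acct_id):
    """Ownership comes from the server-side session, never from the request:
    bank and client are not caller-supplied, and every failure looks the same."""
    sess = SESSIONS.get(session)
    if sess is None or acct_id not in sess["accounts"]:
        FAILED[session].add(acct_id)  # keep evidence for the monitoring hook below
        return ("error", "not found")
    return ("ok", BANKS[sess["bank"]]["accounts"][acct_id]["balance"])


def enumerating_sessions(threshold=3):
    """Detection hook: sessions that failed on many distinct account ids,
    which is what id-guessing against the hardened handler looks like."""
    return sorted(s for s, ids in FAILED.items() if len(ids) >= threshold)
```

Against the vulnerable handler a logged-in stranger learns the bank from the first error, the client from the second, and reads the balance on the third try; against the hardened one the same three requests return "not found" and leave a trail that enumerating_sessions() surfaces.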

So, what should you do? Well, if you don't bank online, well done! You don't need to do anything. If you do bank online, then drive defensively. Meaning stop. Really. The system security is simply not ready for prime time, and the technology is moving much faster than anyone's understanding of how to secure it. Epic security fail.

But maybe you can help your girlfriend win the "cutest dog in Austin" poll.

UPDATE 14 November 2008 10:53: Chris Byrne has some interesting comments. I'll post more this evening, but if you're interested in the topic, you should read the comments.


AnarchAngel said...

Funny enough, I'm the chief architect responsible for the exact subject of your post (among other areas of responsibility), for one of the world's largest banks.

Unfortunately, because of that fact I can't make specific public statements. I will say however that I bank online, and have no reservation about the technical systems involved.

When security breaches occur (and they certainly do occur from time to time) they are almost invariably the result of human error. Most often it's the customer, occasionally it's the staff member; and only VERY rarely is it the result of a malicious action.

Overall however, online banking is actually MORE secure than in person banking; because the opportunities for human error or malicious action are FAR fewer; and when it does occur, it's easier to track and to correct.

AnarchAngel said...

Oh and I should note, very critically, my lack of reservations do not apply when banking through third party software, "partner" sites etc...

NEVER, under any circumstances, provide any third party with your EFT information (ABA routing and transfer number, and account number). They can clean you out, and there's very little we can do about it.

Lissa said...

Hmmm. So you're saying . . . that using my debit card as a credit for the majority of my shopping gives me the worst of both worlds?


AnarchAngel said...

Very definitely. Never let your debit card out of your sight, or use the number online.

You are not liable for fraud executed against your credit card.

Unfortunately, electronic funds transfers and debit card transactions are not nearly as protected. It is up to the discretion of the issuing bank as to how much they can recover for you on a fraudulent transaction, if any.