FNB website exposed private information
The card tracking feature on the FNB website exposed the personal details of customers
The card tracking feature on the FNB website exposed the personal details of customers
-
Join the MyBroadband community
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
-
Question of the Day: Which is the most hair-raising South African mountain pass you've driven?
FNB website exposed private information
- Thread starter rpm
- Start date
JerryMungo
Honorary Master
- Joined
- Jul 18, 2008
- Messages
- 37,596
- Reaction score
- 6,316
Now that's a bit of an assumption.fnb said:
Fulcrum29
Honorary Master
koeksGHT
Dealer
lol, I had to IP block fnb from spamming my courier tracking
IP : 196.11.134.77 Neighborhood
Host : mxincontact.fnb.co.za OK
Country : South Africa
IP : 196.11.134.77 Neighborhood
Host : mxincontact.fnb.co.za OK
Country : South Africa
whats a big fail here for FNB is that they were alerted about this in July but only acted on it now because mybb queried it.
not too big on security are they ?
out of interest can someone sue them if they were able to prove fnb knew about the issue early on and said person was a victim of identity theft or similar based solely on the information they were able to get from this flaw ?
not too big on security are they ?
out of interest can someone sue them if they were able to prove fnb knew about the issue early on and said person was a victim of identity theft or similar based solely on the information they were able to get from this flaw ?
DrJohnZoidberg
Honorary Master
I really don't understand how this happens.
Do the developers who wrote these services just not care?
The first thing I think of when writing anything that will expose personal details online is security. Yes, it takes a bit of extra time but that's what good developers do.
Do the developers who wrote these services just not care?
The first thing I think of when writing anything that will expose personal details online is security. Yes, it takes a bit of extra time but that's what good developers do.
It is also untrue that they have had no other complaints. I have been unsuccessfully trying for some weeks to get answers re poor security relating to the online card debacle(amongst other security issues). FNB's biggest sin is that they are neither open nor honest about their security.
Sinbad
Honorary Master
- Joined
- Jun 5, 2006
- Messages
- 88,630
- Reaction score
- 41,141
Dude, that's the outgoing NAT for pretty much the whole bank's web browsing.
koeksGHT
Dealer
Spamming a very direct URL with parameters. These are my own logs for tracking.
MagicDude4Eva
Banned
Another OWASP-A4 (https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References) - this is just sloppy development and inexperience. And when it happens you man up and fix it.
You will be surprised how man websites have this issue. You will probably find that in al OWASP-A4 cases, hackers have exploited this already and data-mined it. Once a site allows insecure direct object references it will be fairly easy for an intruder to SQL inject into other systems.
You will be surprised how man websites have this issue. You will probably find that in al OWASP-A4 cases, hackers have exploited this already and data-mined it. Once a site allows insecure direct object references it will be fairly easy for an intruder to SQL inject into other systems.
Space_Chief
Honorary Master
- Joined
- Aug 22, 2012
- Messages
- 12,949
- Reaction score
- 4
Devs probably spent too much time on MyBB's Current News and PD section and did not pay due diligence to security.
Let me tell you all how this happens!
BEE. These companies and banks are forced to use BEE companies. It is a fact that all these BEE IT companies hire only ****! It is only the owner making money and no one else. So, you hire these companies and along comes the so-called 'experts' with no experience and puts a website like this together.
This is how your personal identifiable information ends up in the hands of hackers, proudly sponsored by your own Bank!
BEE. These companies and banks are forced to use BEE companies. It is a fact that all these BEE IT companies hire only ****! It is only the owner making money and no one else. So, you hire these companies and along comes the so-called 'experts' with no experience and puts a website like this together.
This is how your personal identifiable information ends up in the hands of hackers, proudly sponsored by your own Bank!
ToxicBunny
Oi! Leave me out of this...
Thats a bit of a stretch considering pretty much ALL of FNB's online presence is dev'ed in house and not by some random BEE IT company.
This is nothing more than piss poor coding and very lax code review and security review standards.
Well, according to my experience with the bank, they outsource a number of IT functions. In fact, in-house staff focus more on PC problems.
In fact, WesBank, part of the group, also outsource all development to another company. Their staff are situated inside the bank though and Wesbank also have their own IT department that works mainly on staff PC issues. But, hey, that is just me.....
Last edited:
ToxicBunny
Oi! Leave me out of this...
As far as I'm aware all the major banks have in house dev teams for most of their online presence. Yes they will outsource the design aspect possibly, but then it comes back in house to be dev'd and completed.
They do definitely outsource a number of IT Functions.. pretty much every company does that these days.
I disagree.. I think passing the buck to their vendors is complete and utterly disingenuous because the vendors will develop stuff according to spec.
When working with vendors, you either work with industry specific player (eg. Financial or telecoms systems expert vendor) or a general vendor. Since this is not exactly a financial specific application I reckon maybe, if it wasn't in house dev then it was a general IT vendor.
While secure code/practices are things that must be done.. People tend to be lax/lack experience when they do not work with sensitive data (non-financial) and then the ownership & risk needs to be addressed on the client side. So whatever before might be guilty.. But the proper person to hound is the it product owner on FNB side who approved it.
Ps. This usually happens when u use multiple vendors and/or in house ones who have not done thorough training on secure coding. To claim is BEE related is short sighted.. It's training issue as well as product owner responsibility and client to verify its compliance to security standards.
When working with vendors, you either work with industry specific player (eg. Financial or telecoms systems expert vendor) or a general vendor. Since this is not exactly a financial specific application I reckon maybe, if it wasn't in house dev then it was a general IT vendor.
While secure code/practices are things that must be done.. People tend to be lax/lack experience when they do not work with sensitive data (non-financial) and then the ownership & risk needs to be addressed on the client side. So whatever before might be guilty.. But the proper person to hound is the it product owner on FNB side who approved it.
Ps. This usually happens when u use multiple vendors and/or in house ones who have not done thorough training on secure coding. To claim is BEE related is short sighted.. It's training issue as well as product owner responsibility and client to verify its compliance to security standards.