Internet Banking Security

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Apparently, Standard Bank has another security vulnerability that would allow a "man-in-the-middle" to access your account when you log onto your Internet Banking. It would be easy for an experienced firewall administrator at work, or your ISP, to access your account.

If you use the One-time-passwords feature by SMS, the attacker would not be able to make payments, except to beneficiaries. Not everyone is exposed to this risk, but probably the majority of users are.

Standard Bank has been advised of the problem. This problem has possibly existed for a while. I have no idea how many hackers, if any, are currently using this vulnerability.
 

wikk3d88

Expert Member
Joined
Dec 18, 2009
Messages
3,156
Apparently, Standard Bank has another security vulnerability that would allow a "man-in-the-middle" to access your account when you log onto your Internet Banking. It would be easy for an experienced firewall administrator at work, or your ISP, to access your account.

If you use the One-time-passwords feature by SMS, the attacker would not be able to make payments, except to beneficiaries. Not everyone is exposed to this risk, but probably the majority of users are.

Standard Bank has been advised of the problem. This problem has possibly existed for a while. I have no idea how many hackers, if any, are currently using this vulnerability.

old news

some vodacom employees were arrested, court case pending etc etc
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Then why doesn't the bank fix the problem, and why do people still use the service?
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
The case you refer to involved Vodacom employees intercepting SMSes. Very ingenious! But it could only be done by cellular network employees. This vulnerability is so simple that it could be done by any network administrator or ISP, and should have been prevented by careful coding.

Standard Bank web site advises customers that "No third party can access any of your personal information". This is clearly not true.
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
You think I would risk being sued for defamation by posting something that is not true about a big company with big lawyers?

Call Standard Bank Internet Banking call center, and ask for Lee, and then ask him if it has been reported.

Unfortunately, I can't post the details - that would just make life too easy for hackers (and make me liable for the damage they do), but I can prove it. It doesn't involve installing any certificates or other software on the PC, works with IE and Firefox, and doesn't give any warning messages to the user.
 

Necuno

Court Jester
Joined
Sep 27, 2005
Messages
58,567
You think I would risk being sued for defamation by posting something that is not true about a big company with big lawyers?

Call Standard Bank Internet Banking call centre, and ask for Lee, and then ask him if it has been reported.

Unfortunately, I can't post the details - that would just make life too easy for hackers (and make me liable for the damage they do), but I can prove it. It doesn't involve installing any certificates or other software on the PC, works with IE and Firefox, and doesn't give any warning messages to the user.

seriously if you want some attention go try some place else ;)
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Ok then, carry on using it, but don't come crying when someone else is accessing your account. Don't say you weren't warned. I will certainly be discouraging my customers from using it.
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Yes, Man-in-the-middle works everywhere, but a correctly implemented SSL site prevents the man-in-the-middle from collecting anything other than encrypted data which is useless to him.
 

ambo

Expert Member
Joined
Jun 9, 2005
Messages
2,685
Yes, Man-in-the-middle works everywhere, but a correctly implemented SSL site prevents the man-in-the-middle from collecting anything other than encrypted data which is useless to him.
Care to provide some slightly more useful details about this attack? I'm not read up on all the latest developments on SSL but man-in-the-middle is a fairly old attack and IIRC most of them involve the end user ignoring SSL certificate errors.
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Yes, Ambo, that is correct. The simple approach would be to email the user a certificate (hoping that he would accept it), or get it onto his computer somehow, or to hope that the user is stupid enough to ignore the IE warning message. In that case, it is his own fault - a bit like leaving your car unlocked in Hillbrow.

This vulnerability is different. The user would experience no unusual symptoms, popups, errors, emails, etc. No software, data, key loggers, or anything else would be installed on the client computer. He can click on the padlock and verify the information - it will all be perfect.

As for giving more information, I am cautious. I believe that it is in the public interest to know that there is a problem, but it is not in the public interest for me to post enough information for it to be exploited. It would only take about 30 minutes, and 20 lines of code, to create a simple exploit.

However, if you are interested, live nearby, and you are experienced in networking and web programming, I could demonstrate & explain it to you. Once someone else has verified it, it might be taken a bit more seriously.
 

rurapente

Expert Member
Joined
Jan 4, 2009
Messages
2,521
There's no need to worry about it. Just make sure your PC is secure, your phone is online and has no mysterious and permanent network loss and ALWAYS make sure you type the URL, not following a link from anywhere or anything.

And trust me. This is an old problem and if you're using common sense not one you need to worry about.
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
I doubt whether it is an old problem - the bank didn't know about it. But if you can show me a URL that discusses it, I would be very interested.

It doesn't involve sim swaps, phishing, warning messages, malware or anything else that common sense would prevent.

As for the bank, they have escalated it to the head of Internet Banking, and will receive the "urgency it requires" - I think that means they will get back to me next week.
 

Technically

Banned
Joined
May 14, 2009
Messages
83
For those that are not hackers and want to see how bad Standard Bank's online banking security really is... try this.

Log in to your online banking. Then turn your router off, unplug the phone cable so there is no internet to your computer. Then turn it back on again. Now continue to use your Internet banking.

Now you see why people really should not have internet banking.
 

MidnightWizard

Executive Member
Joined
Nov 14, 2007
Messages
5,720
Too Easy

It doesn't involve sim swaps, phishing, warning messages, malware or anything else that common sense would prevent.
As for the bank, they have escalated it to the head of Internet Banking, and will receive the "urgency it requires" - I think that means they will get back to me next week.

I always wonder -- IF these exploits are so simple and easy why are more perps not making use of them. :confused:

Surely they are not all DOF ( the perps that is )

I assume that this is something on the server side :confused:

You do realise that the banks "insurers" will now be watching this thread with some interest. :erm::)

Banks charge 1.03% commission for handling cash -- this was explained to me as the cost of cash "insurance".

I was told that Internet banking is the cheapest from the bank client perspective.......... / however -->


White collar fraud seems to be more of a loss to banks than cash-in-transit heists :confused:

I wonder how they cover "card" fraud.

MW
 

dudleygb

Expert Member
Joined
Feb 21, 2007
Messages
1,976
At the end of the day, it's pretty safe, as anyone wanting to make an illegal transfer would have to have your banking details and your linked cellphone, so a beneficiary can be created.
 

rurapente

Expert Member
Joined
Jan 4, 2009
Messages
2,521
For those that are not hackers and want to see how bad Standard Bank's online banking security really is... try this.

Log in to your online banking. Then turn your router off, unplug the phone cable so there is no internet to your computer. Then turn it back on again. Now continue to use your Internet banking.

Now you see why people really should not have internet banking.

What's the problem? As far as I'm concerned, your session will continue to work fine unless you passed the timeout period?
 