paulcam123
Web Site Security (including Internet Banking)
Following on from my thread relating to Internet Banking, I will now cover some areas of concern regarding Man-in-the-Middle (MitM) attacks. A MitM could be a network technician in your office, your firewall administrator, Telkom, ISP, etc. It could also in some situations be the person sitting next to you. This information is focussed towards Internet Banking, but applies to other web sites too.
It is important to understand the difference between non-secure (http) and secure (https) connections. http connections are unencrypted, and they can be intercepted/modified by a MitM without your knowledge. You have no proof that the content you are seeing is indeed from the site that you think you are accessing.
With an https connection, you can click on the padlock in the corner and see who you are receiving the content from. If you receive a warning message saying that there is an error with the certificate, DO NOT continue. You could be providing your details to someone other than the bank (even if the warning message has the Bank's name on it!). You should never enter a Credit Card Number, PIN Number, etc, on a non-secure web site.
Standard Bank, for example, opens up a non-secure page when you go to www.standardbank.co.za, and then opens up a secure page when you click on Internet Banking. That non-secure page might not really be the page you think it is, and may do other things, such as run JavaScript onclick, or onload. With FNB, if you go to www.fnb.co.za, it automatically redirects you to https://www.fnb.co.za. But a MitM could change the redirect page (which is non-secure) to open an http pop-under page, for example. In addition, any other non-secure web pages that you might have open could have been intercepted, modified, and have JavaScript running.
Once you have logged in, different banks use different methods to remember who you are. Some banks store a session-ID in the URLs, or a hidden form. Other banks use Cookies. Cookies are stored by the browser and sent to the server with every request sent to that server for the specific directory. Some Banks use more than one Cookie.
So let's say that you received a Cookie SESSIONID=12345 from https://www.asdfgh.com for the /asd directory. That cookie would also be sent to the server for http://www.asdfgh.com/asd/test.gif, unless it is set to be a secure cookie. And that http request (including the cookie) could be intercepted by a MitM. So if the MitM could convince your browser to send an http request to a similar URL, your cookie could be sent to a server other than the intended server, from where the Cookie could be retrieved. This would work even if the real server doesn't accept http connections.
So now we know that when you access sites such as Internet Banking Sites, you could have non-secure pages open which have JavaScript running on them. That JavaScript could request an image to be downloaded from http://www.asdfgh.com/asd/test.gif at regular intervals (but not necessarily displayed - it could even be a cgi script that doesn't return an image). And if there was a cookie for that page, that was set by the https version of that site, the MitM now has those cookies, which could include Session-IDs. And until that session expires on the server (or you log off), if someone has that Session ID, they may be able to access the secure site, such as your Internet Banking.
In a case like that, the server would think that you and the MitM are the same person, because you are using the same Session-ID, so the MitM would not need to log in, and no SMS/email would be sent. In addition, the MitM could most probably make the requests come from the same IP address. And he would be able to see the IP address of the server that you connected to, so if the Bank had multiple servers, he could work out which one you are using.
So quite simply, in cases where security has been implemented like this, the MitM could access your account without you knowing. In the case of Internet Banking, SMS and email alerts would still be received if any transactions were processed and this was enabled, but the MitM would not log on, so one-time-passwords, SMS alerts, etc, wouldn't help you, because the MitM is simply using your Session.
So put all of this together, and decide whether the web sites that you are accessing are secure!
I should point out that some banks, including ABSA, 20Twenty, Old Mutual Bank, cannot be exploited in this way.
I look forward to your comments.
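The cookie rule at the heart of the post (a session cookie set over https is still attached to a plain-http request for the same host and directory unless the server marks it Secure) can be reproduced offline with Python's standard-library cookie jar, which applies the same scheme and path matching a browser does. This is an added example, not code from the original post or from any bank; the host www.asdfgh.com, the /asd directory and SESSIONID=12345 are the post's own placeholder values, the login and balance URLs are constructed, and the canned response object stands in for a real server so nothing touches the network. The last function is a quick server-side audit a site owner can run over their own Set-Cookie headers to catch the weak setting.

```python
"""Added example: does a session cookie leak onto plain http? (not from the original post)"""
import email.message
import http.cookiejar
import urllib.request


class _CannedResponse:
    """Stand-in for an HTTP response object carrying Set-Cookie headers (constructed)."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        # CookieJar.extract_cookies() reads headers through response.info()
        return self._headers


def jar_after_login(set_cookie_header, login_url="https://www.asdfgh.com/asd/login"):
    """Return a CookieJar holding the cookie the (simulated) login response set."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_CannedResponse([set_cookie_header]),
                        urllib.request.Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None.

    The jar applies the browser rules the post describes: the cookie's domain,
    its path (the /asd directory) and, when present, the Secure attribute.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def missing_secure(set_cookie_header):
    """True when a Set-Cookie value lacks the Secure attribute (server-side audit)."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


# The weak setting the post warns about, and the same cookie with the fix applied.
WEAK = "SESSIONID=12345; Path=/asd"
SECURE = "SESSIONID=12345; Path=/asd; Secure"

# Constructed URLs: the image fetch from the post, a secure page, and another directory.
IMAGE_OVER_HTTP = "http://www.asdfgh.com/asd/test.gif"
PAGE_OVER_HTTPS = "https://www.asdfgh.com/asd/balance"
OTHER_DIRECTORY = "https://www.asdfgh.com/other/page"

if __name__ == "__main__":
    for label, header in (("without Secure", WEAK), ("with Secure", SECURE)):
        jar = jar_after_login(header)
        print(f"Cookie set {label} (audit flags it: {missing_secure(header)})")
        for url in (IMAGE_OVER_HTTP, PAGE_OVER_HTTPS, OTHER_DIRECTORY):
            print(f"  {url:42} -> Cookie: {cookie_header_for(jar, url)}")
```

Running it shows the cookie set without Secure being sent to http://www.asdfgh.com/asd/test.gif (exactly what the post's hidden image request relies on), while the Secure version is only sent to the https page; neither is sent to a different directory, matching the "specific directory" behaviour described above.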