Feeds

Online trading site was left wide open

Consultant reveals how even banks ignore security

Combat fraud and increase customer satisfaction

The conventional wisdom that banking organisations are more diligent with security was skewered in a presentation at the RSA conference this week.

Security consultancy Comsec outlined how they discovered that an online stock trading website they were asked to test was riddled with security holes. A rush job meant that basic security measures, such as the use of a secure login, were absent from the multimillion dollar system.

Comsec consultant Yuval Birman was called in to conduct a penetration test on the unnamed high-value trading exchange by an Israeli Bank. After capturing authentication packages sent when logging into the site he quickly established that it wasn't using SSL for logins - the packets were too small. Cracking the "authentication method" was child's play.

An offset of 10 was added to the hexadecimal value of login names. "When we reported our initial findings back to the bank and the exchange they were worried that transactions were happening across an open socket with no SSL encryption," Birman explained. "But what was far worse was that it would be possible to log-on as one user and implement high-value transactions as another user. The authentication, and not the encryption flaws, were the more important."

The system had no strong authorisation. But when developers brought two-factor authentication technology into the system they goofed again. They took an example of how to read the serial number of a token, which doesn't have anything to do with the random-sequence number generated by the token as the basis of a security application. Those who defined the project, rather than coders, are more to blame for the debacle, according to Birman.

"I'm not sure the developer is to blame. It's better to blame the person who defined the project. They specified fast response time as a key requirement of the project. They didn't say the project had to be secure, Birman said. "They sold the systems to banks at a stage when it was too late to make fixes. Developers were in a rush," he added.

They were given neither the budget or the resources to tackle the project methodically, and there was a notable lack of security testing on the system, he said.

After Comsec reported the initial problems it identified in the system a new version of the client software was produced. But Comsec discovered that potential hackers didn't have to upgrade to gain access to the system. Eventually the security bugs in the system were ironed out.

Buval made the comments during a presentation at the RSA Conference in London on Tuesday. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.