Feeds

Online trading site was left wide open

Consultant reveals how even banks ignore security

Securing Web Applications Made Simple and Scalable

The conventional wisdom that banking organisations are more diligent with security was skewered in a presentation at the RSA conference this week.

Security consultancy Comsec outlined how they discovered that an online stock trading website they were asked to test was riddled with security holes. A rush job meant that basic security measures, such as the use of a secure login, were absent from the multimillion dollar system.

Comsec consultant Yuval Birman was called in to conduct a penetration test on the unnamed high-value trading exchange by an Israeli Bank. After capturing authentication packages sent when logging into the site he quickly established that it wasn't using SSL for logins - the packets were too small. Cracking the "authentication method" was child's play.

An offset of 10 was added to the hexadecimal value of login names. "When we reported our initial findings back to the bank and the exchange they were worried that transactions were happening across an open socket with no SSL encryption," Birman explained. "But what was far worse was that it would be possible to log-on as one user and implement high-value transactions as another user. The authentication, and not the encryption flaws, were the more important."

The system had no strong authorisation. But when developers brought two-factor authentication technology into the system they goofed again. They took an example of how to read the serial number of a token, which doesn't have anything to do with the random-sequence number generated by the token as the basis of a security application. Those who defined the project, rather than coders, are more to blame for the debacle, according to Birman.

"I'm not sure the developer is to blame. It's better to blame the person who defined the project. They specified fast response time as a key requirement of the project. They didn't say the project had to be secure, Birman said. "They sold the systems to banks at a stage when it was too late to make fixes. Developers were in a rush," he added.

They were given neither the budget or the resources to tackle the project methodically, and there was a notable lack of security testing on the system, he said.

After Comsec reported the initial problems it identified in the system a new version of the client software was produced. But Comsec discovered that potential hackers didn't have to upgrade to gain access to the system. Eventually the security bugs in the system were ironed out.

Buval made the comments during a presentation at the RSA Conference in London on Tuesday. ®

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.