The Register® — Biting the hand that feeds IT

Feeds

Santander downplays risk of 'personal data-stuffed' cookies

'If compromised', cookies would not allow access to online services 'on their own'

By John Leyden, 16th October 2012
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

The Spanish banking giant Santander has downplayed growing concerns over its alleged inclusion of "sensitive data" in its cookies.

The bank did not deny including personal data in cookies.

In a post on widely read security mailing list Full Disclosure, an anonymous contributor details a number of alleged problems on Santander UK's consumer eBanking site.

He claims that Santander online banking "unnecessarily stores sensitive information within cookies". Depending on which areas of online banking the customer uses, he claims this data allegedly includes the user's name, PAN (credit card number), bank account number and sort code, Alias and UserID.

"Of particular concern is the full PAN, which PCI DSS states should be rendered unreadable anywhere it is stored," the whistleblower stated.

He adds that he had gone public after experiencing problems getting the bank to play attention to (now fixed) cross-site scripting problems he had previously unearthed on its website.

The source alleges that Santander is violating its own cookie policy, which states that session cookies "do not contain personal information, and cannot be used to identify you" as well as the credit card industry's PCI DSS regulations (PDF).

Santander issued a statement strongly denying allegations that anything was amiss. It said that data stored in its cookies posed no risk to account security.

The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data.

We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks.

We take the security of our customer data very seriously. Customers can change their IDs at any time themselves and are reminded not to use the 'remember me' function on public or shared computers.

The Full Disclosure critic argues that Santander's handling of cookies does pose a risk, in cases where customers fail to close their browser after an e-banking session. "Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout," he explains. "This mean any user who does not close their browser, even if they log out correctly, will still have these cookies present until they close their browser, [t]hus increasing the window for exposure."

In the UK, Santander is the third biggest bank and a major provider of mortgages, with a combined total of more than 25 million British customers. The Full Disclosure posting was brought to our attention by three Reg readers who described it as unverified but potentially noteworthy. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (31)
Highly Rated
Stratman

Another security flaw with Santander...

...is when you press the Log Out button, it doesn't log you out.

Instead, you're taken to a page emblazoned with loads of picture 'offers', hidden in which is a small are you sure? There is a real possibility that unobservant folks may well leave their banking session open, with the attendant whole world of shit © Private Pyle.

If I press Log Out on any site let alone a banking one, I expect to be logged out , not second guessed by some website designer.

7
0
Ian McNee

Cookies with user account passwords in plaintext confirmed...

...the H-Online have tested this: http://www.h-online.com/security/news/item/Santander-s-online-banking-keeps-passwords-in-cookies-1730364.html

And these are the people who, if money is fraudulently removed from our accounts, instinctively insist that we must have divulged a card PIN or similar.

Yes, the banks are an easy target - mainly because they are an arrogant money-grabbing bunch of bastards.

5
0
Anonymous Coward
Anonymous Coward

One of my banks states you should close the browser once you've finished your session. To me this is saying 'we're a bit shit and couldn't be bothered securing our stuff properly, so could you tidy up after us please'. Why do I stay with them? Well I have multiple banks - they are all shit in some unique way, but it's good to have a diversified portfolio.

5
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19