Dexia website security alert

[Jos Kirps <jos () kirps com>]

A few days ago I sent a mail to the Dexia bank (www.dexia.lu) about  
their
website.

They have two logins, one is for the online banking account and one  
is for some
kind of members' area. The problem with the "members' login" was that  
a) it was
not SSL encrypted and b) it used to send bad usernames and passwords in
clear text back to the browser.

So here's the critical point: If you wanted to use your online  
banking but
selected the wrong login by mistake your (correct) username and  
password were
refused (still ok), sent back to the browser in clear text and stored  
in the
browser cache (well...).

I sent them the info via mail (see below), they replied using a  
standard "thank
you for your mail" answer and 24 hours later the login was changed.  
But I didn't
get any further feedback so I mailed them again to get some kind of  
statement,
but they simply replied that "The risk, that you evoked, is really  
weak" aso.

So, after all, they seem to think that this was just "peanuts" and  
not worth
talking about. I, on the other hand, think that this was more than  
critical and
that there could still be passwords stored out there in browser caches.

So what do you think about this?
Has anyone any experience with banks?

Best regards
Jos Kirps

===== the original mail =====

To: contact () dexia-bil lu, technique () dexia-bil lu
From: Jos Kirps <jos () kirps com>
Subject: Dexia website security alert
Date: Tue, 23 Jan 2007 08:39:36 +0100

synopsis:
dexia website member access uses a crappy login that allows to
retrieve member usernames or passwords an eventually even bank
account usernames and passwords.

url:
<http://www.dexia-bil.lu/webquotes/index1.asp?=20
h=3D1&lang=3Den&menu=3Donl&href=3Dprofil_logon2.asp?lang=3Den>

description:
there are two basic problems with this page: a) there is no ssl
encryption and b) if you enter a bad username or password both
username and password are returned in cleartext to the browser. so
everyone can read them on the page source or retrieve them from
the browser cache (tested, works fine).

i think another huge problem is related to the design of the site
entrance page itself - there is a "dexiaplus login" for account holders
and a "members' login" (which is the weak one described above). now
if you are an account holder an chose "members' login" instead of
"dexiaplus login" by mistake (and i think this could definately happen)
and enter your bank account username and password here you'll get
an "access denied" - which is perfectly okay, but - and this is the =20
*really
bad* news - your bank account username and password will be
returned in clear text by the dexia server, and hence stored in your
browser cache where they can easily be retrieved by anyone who
has access to your computer (if it hasn't already been captured via
the network before...).

solutions / suggestions:
ssl encryption on the members' login page, and never return password
field contents in clear text to the browser (especially if you're a =20
bank :-).

note:
even if you get the bank account username and password you'll still
need a TAN code to access an account, so this doesn't give you direct
access to someones online bank account. but it definately gets you *a
lot* closer!!!

finally:
please reply, fix & credit within the usual timeframes.
will be posted on bugtraq afterwards....

don't hesitate to contact me if you have further questions

best regards
jos kirps



------------------------------------------------------
Jos Kirps
-----------------------------------------------------
14, Cité op Gewännchen
4383 Ehlerange
Luxembourg
-----------------------------------------------------
jos () kirps com
http://www.kirps.com
-----------------------------------------------------
joskirps () googlemail com
http://sourceforge.net/users/joskirps
skype: joskirps, jos () kirps com
-----------------------------------------------------