Interesting People mailing list archives
Internet home banking unsafe
From: Dave Farber <dave () farber net>
Date: Sat, 09 Nov 2002 21:36:35 -0500
Date: Fri, 08 Nov 2002 22:13:48 +0100 From: Erling Kristiansen <erling.kristiansen () xs4all nl> Subject: Internet home banking unsafe The 28 Oct 2002 edition on the programme "Netwerk" of the Dutch TV station NCRV ran an item on Internet home banking. The programme featured a person accessing his bank account via Internet, and another person with a laptop reading a clear-text transcript of the session. The programme was not very technical, but two hints were given that helped in finding out what was going on: The two persons "were colleagues" (in network terms: were on the same LAN), and the scenario was described as a "man in the middle" attack. I know from own experience that the Dutch home banking system uses a secure web session. A challenge-response authentication device ("token" or e.dentifier) is used to authenticate the user, but this is not relevant to this discussion. Poking around a bit, I found several references to a vulnerability in Internet Explorer 5.0, 5.5 and 6.0. A good explanation can be found at http://www.thoughtcrime.org/ie-ssl-chain.txt I am not an expert in SSL and PKI and such matters. But, in brief, as I understand it, a certification Authority can delegate its authority to somebody else. This is designed to be safe, provided, of course, it is implemented properly. IE skips one step in its implementation of the procedure, essentially allowing somebody who can gain access to the data stream (e.g. by being on the same LAN or having access to a router somewhere along the path) to delegate the certification authority to himself. This, in turn gives the man-in-the-middle access to the data. I am sure this description is not precise, but I hope it catches the essence of the attack. Otherwise, please read the referenced article. I had an e-mail conversation with somebody from the TV programme, who confirmed that "indeed, it is a problem in IE". They did not say this in the programme because "the problem is the responsibility of the banks, not Microsoft". Apparently, their aim was to expose the banks. A few thoughts: It would seem that the problem affects not only home banking but any application using a secure web session. The exploit also highlights that security depends not only on good design, but also on proper implementation. You have to trust the software vendor. Do you?? SPECULATION MODE ON Why is Microsoft reluctant to fix this bug that is present in 3 consecutive versions of IE? In view of the nature of it, it cannot be that difficult to fix. Could it be that they do not want to fix it? Either because they want to exploit it themselves, or because somebody twisted their arm to provide a back door. SPECULATION MODE OFF It is, actually, a very well hidden back door that is not easily discovered unless you have access to the source code, or you know what you are looking for. I wonder how it was discovered. ------------------------------------- You are subscribed as interesting-people () lists elistx com To unsubscribe or update your address, click http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Internet home banking unsafe Dave Farber (Nov 09)