Information Security News mailing list archives
Security group alleges breach in bank's Web site
From: William Knowles <wk () C4I ORG>
Date: Tue, 31 Oct 2000 12:01:48 -0600
http://news.cnet.com/news/0-1007-200-3296517.html?tag=st.ne.1007.

By Stefanie Olsen
Staff Writer, CNET News.com
October 25, 2000, 6:00 p.m. PT

Bank One Online customer card numbers are at risk of exposure to malicious hackers, an Internet security group charged Tuesday.

The Web site of the fourth-largest U.S. bank lets customers in most cities check their accounts by entering a bank card number and PIN, or personal identification number. By default, this card number is stored in a data file, or cookie, on the customer's local server and sent, encrypted, to Bank One's site at each account visit. The stored data is meant to make subsequent visits more convenient for consumers, who only need to enter a password thereafter.

But debit card or bank card numbers contained in the cookie file could be vulnerable to security breaches, according to Interhack, a Columbus, Ohio-based Internet systems developer and security consultancy.

"Because the cookie file is saved on your local machine without encryption, somebody who could read this file has your credit card number," said Interhack founder Matt Curtin.

Bank One downplayed any risk to which customers may be exposed.

"The proof is in the pudding; we haven't had any security breaches since we launched the site in 1998," said Bank One spokesman Tom Kelly.

"We know how important security is to our customers, and we constantly evaluate the security of our site," said Kelly, who added the company is aware of Interhack's research. "And we have a number of safeguards built into our systems that protect our customer accounts from hackers."

The Chicago-based company has about 600,000 customers who bank online, Kelly said.

But Curtin said that snooping in cookie files is common because the files are not often password-protected within local networks. Also, known security bugs within Web browsers can be exploited to let outsiders download cookie files, he said.
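The design the article describes, the card number itself written into a persistent cookie, is contrasted below with the usual defensive alternative: the cookie carries only a random opaque token and the card number stays server-side. The block also includes a small scanner that flags cookie values which look like card numbers (a digit run that passes the Luhn check), the kind of check a site owner can run against their own cookies. This is an added example, not code from the article, Interhack or Bank One; the sample card number (the standard 4111... test value), the in-memory token store and all function names are constructed for illustration.

```python
"""Added example: weak vs. hardened 'remember me' cookie, plus a PAN-in-cookie check.
Nothing here is taken from the bank's or Interhack's code; names and values are constructed."""
import re
import secrets
from http.cookies import SimpleCookie

# Constructed sample value: a well-known Luhn-valid test number, not a real account.
SAMPLE_CARD = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check, which separates a plausible
    card number from an arbitrary numeric identifier."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def weak_remember_cookie(card_number: str) -> str:
    """The design the article describes: the card number itself is stored in the
    cookie, so anyone who can read the cookie file holds the card number."""
    c = SimpleCookie()
    c["cardnum"] = card_number
    return c.output(header="").strip()


# Server-side mapping token -> card number (constructed; a real deployment would
# keep this in a database keyed by the token, with its own expiry).
_TOKEN_STORE: dict = {}


def safe_remember_cookie(card_number: str) -> str:
    """Hardened form: the cookie carries only a random token; the card number never
    leaves the server. Secure restricts the cookie to TLS and HttpOnly keeps page
    scripts from reading it, limiting what a browser bug can expose."""
    token = secrets.token_urlsafe(32)
    _TOKEN_STORE[token] = card_number
    c = SimpleCookie()
    c["remember"] = token
    c["remember"]["secure"] = True
    c["remember"]["httponly"] = True
    c["remember"]["path"] = "/"
    return c.output(header="").strip()


def lookup_token(token: str):
    """Resolve a remember token back to the stored card number (server side only)."""
    return _TOKEN_STORE.get(token)


_PAN_RE = re.compile(r"\b\d{13,19}\b")


def cookie_leaks_pan(cookie_header: str) -> bool:
    """Scan a Set-Cookie/Cookie string for digit runs that pass Luhn: a simple check a
    site owner can run over their own cookies to catch card numbers being persisted."""
    c = SimpleCookie()
    c.load(cookie_header)
    for morsel in c.values():
        for candidate in _PAN_RE.findall(morsel.value):
            if luhn_ok(candidate):
                return True
    return False


if __name__ == "__main__":
    weak = weak_remember_cookie(SAMPLE_CARD)
    safe = safe_remember_cookie(SAMPLE_CARD)
    print("weak cookie leaks card number:", cookie_leaks_pan(weak))   # True
    print("hardened cookie leaks card number:", cookie_leaks_pan(safe))  # False
```

The check deliberately uses Luhn rather than matching only known card prefixes, so it also catches numbers the site may not expect; a real scanner would additionally walk the browser's cookie store on disk rather than a single header string.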
"The necessary precautions to prevent fraud are not being taken here," said Curtin, who suggested the company change the numbers required for logging onto an account and how this information is stored.

Interhack reported the alleged problem to Bank One last month. Bank One is evaluating the suggestions.

"Anytime somebody mentions a security issue we take a look at it," Kelly said.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*