Information Security News mailing list archives

Security group alleges breach in bank's Web site


From: William Knowles <wk () C4I ORG>
Date: Tue, 31 Oct 2000 12:01:48 -0600

http://news.cnet.com/news/0-1007-200-3296517.html?tag=st.ne.1007.

By Stefanie Olsen
Staff Writer, CNET News.com
October 25, 2000, 6:00 p.m. PT

Bank One Online customer card numbers are at risk of exposure to
malicious hackers, an Internet security group charged Tuesday.

The Web site of the fourth-largest U.S. bank lets customers in most
cities check their accounts by entering a bank card number and PIN, or
personal identification number. By default, this card number is stored
in a data file, or cookie, on the customer's local machine and sent
over an encrypted connection to Bank One's site at each account visit.

The stored data is meant to make subsequent visits more convenient for
consumers, who only need to enter a password thereafter. But debit
card or bank card numbers contained in the cookie file could be
vulnerable to security breaches, according to Interhack, a Columbus,
Ohio-based Internet systems developer and security consultancy.

"Because the cookie file is saved on your local machine without
encryption, somebody who could read this file has your credit card
number," said Interhack founder Matt Curtin.

Bank One downplayed any risk to which customers may be exposed.

"The proof is in the pudding; we haven't had any security breaches
since we launched the site in 1998," said Bank One spokesman Tom
Kelly.

"We know how important security is to our customers, and we constantly
evaluate the security of our site," said Kelly, who added the company
is aware of Interhack's research. "And we have a number of safeguards
built into our systems that protect our customer accounts from
hackers."

The Chicago-based company has about 600,000 customers who bank online,
Kelly said.

But Curtin said that snooping in cookie files is common because the
files are often not password-protected on local networks. Also,
known security bugs in Web browsers can be exploited to let
outsiders download cookie files, he said.

"The necessary precautions to prevent fraud are not being taken here,"
said Curtin, who suggested the company change which numbers are
required to log on to an account and how that information is stored.
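The two designs at issue, as an added illustration that is not Bank One's or Interhack's code: the first writes the card number itself into a persistent cookie, the way the article describes; the second issues a random opaque token instead, keeps the only link between token and customer in a server-side table (an in-memory dict standing in for a database, with the token stored hashed so a copy of the table cannot be replayed), and marks the cookie Secure and HttpOnly so it is neither sent in the clear nor readable by page scripts. The card number, PIN and customer id are constructed sample values.

```python
"""Card number in a cookie versus an opaque remember-me token.

Added example, not code from Bank One or Interhack.  The server-side
table is an in-memory dict standing in for a database; SAMPLE_CARD,
SAMPLE_PIN and the customer id are constructed values.
"""
import hashlib
import secrets
from http.cookies import SimpleCookie

SAMPLE_CARD = "4000123412341234"   # constructed, not a real card number
SAMPLE_PIN = "1234"                # constructed


def weak_remember_me(card_number):
    """The design the article describes: the card number itself is written
    to a persistent cookie, so anyone who can read the cookie file has it."""
    c = SimpleCookie()
    c["cardnum"] = card_number
    c["cardnum"]["max-age"] = 365 * 24 * 3600
    return c.output(header="").strip()


# Server-side table: SHA-256(token) -> customer id.  Only the hash is kept,
# so a leaked copy of this table is not enough to forge a cookie; the raw
# token lives only in the customer's browser.
_remember_tokens = {}


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def hardened_remember_me(customer_id):
    """Issue a random opaque token in place of the card number.  A stolen
    cookie file now yields a revocable handle, not the card, and the
    password (or PIN) is still required on every visit."""
    token = secrets.token_urlsafe(32)
    _remember_tokens[_token_key(token)] = customer_id
    c = SimpleCookie()
    c["remember"] = token
    c["remember"]["max-age"] = 365 * 24 * 3600
    c["remember"]["secure"] = True        # only ever sent over TLS
    c["remember"]["httponly"] = True      # not exposed to page scripts
    c["remember"]["samesite"] = "Strict"  # not sent on cross-site requests
    return token, c.output(header="").strip()


def lookup_remembered_customer(cookie_header):
    """What the server does on the next visit: parse the Cookie header,
    hash the presented token and look it up; None if unknown or revoked."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "remember" not in c:
        return None
    return _remember_tokens.get(_token_key(c["remember"].value))


def revoke_remembered_token(token):
    """Server-side revocation, something a card number in a cookie never
    allows short of reissuing the card."""
    return _remember_tokens.pop(_token_key(token), None) is not None


def cookie_leaks_card(cookie_text, card_number):
    """The check a thief would run on a stolen cookie file: is the full
    card number, or its last eight digits, present in the clear?"""
    return card_number in cookie_text or card_number[-8:] in cookie_text


if __name__ == "__main__":
    print("weak:    ", weak_remember_me(SAMPLE_CARD))
    token, header = hardened_remember_me("customer-42")
    print("hardened:", header)
    print("next visit resolves to:", lookup_remembered_customer("remember=" + token))
```

Note that the hardened cookie still has to be treated as a bearer credential: whoever copies it can present it until it expires or is revoked, which is why it only identifies the customer and does not replace the password step, and why the flags and the server-side revocation path matter as much as what the cookie contains.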

Interhack reported the alleged problem to Bank One last month.

Bank One is evaluating the suggestions. "Anytime somebody mentions a
security issue we take a look at it," Kelly said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
