Bugtraq mailing list archives
Some points of detail on Bank One Online cookies
From: C Matthew Curtin <cmcurtin () INTERHACK NET>
Date: Thu, 26 Oct 2000 18:53:44 -0400
"Matt" == C Matthew Curtin <cmcurtin () interhack net> writes:
Matt> Bank One Online (www.bankoneonline.com) stores customer
Matt> account information -- specifically, credit and/or debit card
Matt> numbers -- in insecure cookies.

We've been getting a lot of questions about this, so I want to make a few points clear. Unfortunately, it wasn't until after the release of our initial report that we were able to get some answers that we needed to get the complete picture.

 o The bank card numbers are used as the "Access ID" only in certain markets. We tested in Columbus, which is vulnerable. Bank One is in the midst of a rollout to a new system that does not use bank card numbers as Access IDs, so some markets (such as Chicago) are not vulnerable to this problem. (I'm taking this on the word of some folks I spoke to there -- we can't readily test the Chicago customers' accounts.)

 o Users who want to avoid the weakness can ensure that the "Save Access ID to disk" box is not checked when logging in. This will prevent the cookie from ever being written to disk. I'm not sure if someone who visits a site that exploits the IE "open cookie jar" (MS00-0033) in the same session will have an active cookie that can be read. My guess is that it will.

 o Once a bank card number has been obtained, there is additional work to be done before it's directly exploitable. That is, to use the card as a credit or debit card, the attacker has to guess the expiration date correctly. The odds of doing this before the account is locked are roughly one-in-13 (three tries before lockout, generally 36 months for the lifetime of a credit card). Trying to access the account directly will require guessing a PIN. Chances of guessing the PIN before the account is frozen are roughly one in 3333 (three chances before lockdown, roughly 10000 possible PINs).

I believe that now we have correctly identified all of the relevant parts of this problem and the solutions.

--
Matt Curtin, Founder  Interhack Corporation  http://www.interhack.net/
"Building the Internet, Securely."  research | development | consulting
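The post's two technical points are that the sensitive value (a bank card number) ends up in a cookie at all, and that checking "Save Access ID to disk" turns a session cookie into a persistent one written to disk. The following audit script is an added example, not part of the original post and not Bank One's code: it parses Set-Cookie headers, flags any cookie whose value contains something that passes a Luhn check at card-number length, and records whether the cookie is persistent (Expires or Max-Age present) and whether Secure/HttpOnly are set. The cookie names and values are constructed for the example; "AccessID" is assumed, not the bank's real cookie name.

```python
"""Audit Set-Cookie headers for persisted values that look like bank card numbers.

Added example. Cookie names/values below are constructed; "AccessID" is an
assumed name, not Bank One's actual cookie format.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in text that have card-number length and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def is_persistent(attrs: dict) -> bool:
    """A cookie with Expires or Max-Age is written to disk by the browser."""
    return "expires" in attrs or "max-age" in attrs


def audit(headers: list) -> list:
    """Report cookies carrying Luhn-valid card-length numbers, with their flags."""
    findings = []
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        cards = find_card_numbers(value)
        if cards:
            findings.append({
                "cookie": name,
                "persistent": is_persistent(attrs),
                "secure": "secure" in attrs,
                "httponly": "httponly" in attrs,
                # keep only BIN and last four in the report
                "masked": [c[:6] + "*" * (len(c) - 10) + c[-4:] for c in cards],
            })
    return findings


# Constructed sample headers. 4111111111111111 is a standard Luhn-valid test
# number; the third value fails the Luhn check and should not be flagged.
SAMPLE_HEADERS = [
    "AccessID=4111111111111111; Expires=Wed, 26 Oct 2005 22:53:44 GMT; Path=/",
    "AccessID=4111111111111111; Path=/",          # session-only, never on disk
    "Session=4111111111111112; Max-Age=86400; Secure; HttpOnly",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        print(f)
```

Running the audit on the constructed headers flags the first two cookies (same number, one persistent and one session-only) and ignores the third, whose value does not pass Luhn; the report shows only a masked form of each number.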
Current thread:
- Bank One Online puts bank card numbers at risk of exposure C Matthew Curtin (Oct 27)
- Some points of detail on Bank One Online cookies C Matthew Curtin (Oct 27)