Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Some points of detail on Bank One Online cookies

From: C Matthew Curtin <cmcurtin () INTERHACK NET>
Date: Thu, 26 Oct 2000 18:53:44 -0400
"Matt" == C Matthew Curtin <cmcurtin () interhack net> writes:


  Matt> Bank One Online (www.bankoneonline.com) stores customer
  Matt> account information -- specifically, credit and/or debit card
  Matt> numbers -- in insecure cookies.

We've been getting a lot of questions about this, so I want to make a
few points clear.  Unfortunately, it wasn't until after the release of
our initial report that we were able to get some answers that we
needed to get the complete picture.

 o The bank card numbers are used as the "Access ID" only in certain
   markets.  We tested in Columbus, which is vulnerable.  Bank One is
   in the midst of a rollout to a new system that does not use bank
   card numbers as Access IDs, so some markets (such as Chicago) are
   not vulnerable to this problem.  (I'm taking this on the word of
   some folks I spoke to there -- we can't readily test the Chicago
   customers' accounts.)

 o Users who want to avoid the weakness can ensure that the "Save
   Access ID to disk" box is not checked when logging in.  This will
   prevent the cookie from ever being written to disk.

   I'm not sure if someone who visits a site that exploits the IE
   "open cookie jar" (MS00-0033) in the same session will have an
   active cookie that can be read.  My guess is that it will.

 o Once a bank card number has been obtained, there is additional work
   to be done before it's directly exploitable.  That is, to use the
   card as a credit or debit card, the attacker has to guess the
   expiration date correctly.  The odds of doing this before the
   account is locked is roughly one-in-13 (three tries before lockout,
   generally 36 months for the lifetime of a credit card).  Trying to
   access the account directly will require guessing a PIN.  Chances
   of guessing the PIN before the account is frozen are roughly one in
   3333 (three chances before lockdown, roughly 10000 possible PINs).

I believe that now we have correctly identified all of the relevant
parts of this problem and the solutions.

--
Matt Curtin, Founder   Interhack Corporation   http://www.interhack.net/
"Building the Internet, Securely."   research | development | consulting
Previous By Date Next
Previous By Thread Next

Current thread: