Interesting People mailing list archives

Internet home banking unsafe


From: Dave Farber <dave () farber net>
Date: Sat, 09 Nov 2002 21:36:35 -0500


Date: Fri, 08 Nov 2002 22:13:48 +0100
From: Erling Kristiansen <erling.kristiansen () xs4all nl>
Subject: Internet home banking unsafe

The 28 Oct 2002 edition of the programme "Netwerk" of the Dutch TV station
NCRV ran an item on Internet home banking. The programme featured a person
accessing his bank account via Internet, and another person with a laptop
reading a clear-text transcript of the session.

The programme was not very technical, but two hints were given that helped
in finding out what was going on: The two persons "were colleagues" (in
network terms: were on the same LAN), and the scenario was described as a
"man in the middle" attack. I know from my own experience that the Dutch home
banking system uses a secure web session. A challenge-response
authentication device ("token" or e.dentifier) is used to authenticate the
user, but this is not relevant to this discussion.

Poking around a bit, I found several references to a vulnerability in
Internet Explorer 5.0, 5.5 and 6.0. A good explanation can be found at
http://www.thoughtcrime.org/ie-ssl-chain.txt

I am not an expert in SSL and PKI and such matters. But, in brief, as I
understand it, a Certification Authority can delegate its authority to
somebody else. This is designed to be safe, provided, of course, it is
implemented properly. IE skips one step in its implementation of the
procedure, essentially allowing somebody who can gain access to the data
stream (e.g. by being on the same LAN or having access to a router somewhere
along the path) to delegate the certification authority to himself. This, in
turn, gives the man-in-the-middle access to the data. I am sure this
description is not precise, but I hope it catches the essence of the attack.
Otherwise, please read the referenced article.

I had an e-mail conversation with somebody from the TV programme, who
confirmed that "indeed, it is a problem in IE". They did not say this in the
programme because "the problem is the responsibility of the banks, not
Microsoft". Apparently, their aim was to expose the banks.

A few thoughts:

It would seem that the problem affects not only home banking but any
application using a secure web session.

The exploit also highlights that security depends not only on good
design, but also on proper implementation. You have to trust the
software vendor. Do you??

SPECULATION MODE ON
Why is Microsoft reluctant to fix this bug that is present in 3
consecutive versions of IE? In view of the nature of it, it cannot be
that difficult to fix.
Could it be that they do not want to fix it? Either because they want to
exploit it themselves, or because somebody twisted their arm to provide
a back door.
SPECULATION MODE OFF

It is, actually, a very well hidden back door that is not easily
discovered unless you have access to the source code, or you know what
you are looking for. I wonder how it was discovered.
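
[Added example, not part of the original message or of any vendor's code: a simplified model of certificate chain validation, assuming the skipped step is the check that every certificate which signs another is itself marked as a CA (the basicConstraints CA flag), as described in the referenced advisory. The Cert class, key ids and host names are constructed for illustration; signatures are modelled by key ids, not real cryptography.]

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 certificate (constructed model, no real crypto)."""
    subject: str
    issuer: str
    key_id: str       # stands in for the subject's public key
    signed_with: str  # key_id of the signing key; stands in for the signature
    is_ca: bool       # the basicConstraints CA flag

def validate_chain(chain, trusted_roots, hostname, check_ca_flag=True):
    """Validate a leaf-first chain; returns (ok, reason)."""
    if not chain or chain[0].subject != hostname:
        return False, "leaf certificate does not match the host name"
    # Append the trusted root named as issuer by the last certificate sent.
    root = trusted_roots.get(chain[-1].issuer)
    if root is None:
        return False, "chain does not end at a trusted root"
    path = list(chain) + [root]
    for cert, issuer in zip(path, path[1:]):
        if cert.issuer != issuer.subject or cert.signed_with != issuer.key_id:
            return False, f"{cert.subject} was not signed by {issuer.subject}"
        # The delegation check: whoever signs a certificate must be a CA.
        if check_ca_flag and not issuer.is_ca:
            return False, f"{issuer.subject} is not a CA but signed {cert.subject}"
    return True, "ok"

# Constructed sample data.
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root", True)
ROOTS = {ROOT.subject: ROOT}
BANK = Cert("bank.example", "Example Root CA", "k-bank", "k-root", False)
# An ordinary site certificate: validly issued, but not a CA.
OTHER = Cert("other.example", "Example Root CA", "k-other", "k-root", False)
# A certificate for the bank's name signed with the ordinary site's key.
SPOOFED = Cert("bank.example", "other.example", "k-x", "k-other", False)

if __name__ == "__main__":
    print(validate_chain([BANK], ROOTS, "bank.example"))
    print(validate_chain([SPOOFED, OTHER], ROOTS, "bank.example", check_ca_flag=False))
    print(validate_chain([SPOOFED, OTHER], ROOTS, "bank.example"))
```

With check_ca_flag=False the names and signatures all line up and the chain is accepted; with the flag check in place it is rejected at the first link.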
