Information Security News mailing list archives

New blow to internet banking security


From: InfoSec News <isn () C4I ORG>
Date: Mon, 25 Sep 2000 03:35:03 -0500

http://www.guardian.co.uk/internetnews/story/0,7369,372676,00.html

[Does anyone else find it odd that an English consultant living on the
Isle of Man is checking his American Bank account?  -WK]


Antony Barnett, public affairs editor
Sunday September 24, 2000

The future of internet banking was thrown into chaos last night after
a British computer expert accessed bank account details of millions of
Americans from his home in the Isle of Man during a routine check on
his US bank account.

Ralph Dressel, a 28-year-old software analyst at Royal Skandia
Investment bank, contacted The Observer having obtained bank security
details that allowed him to 'walk' straight into internet bank
accounts at institutions across the US.

Once in, German-born Dressel was free to carry out a wide range of
financial transactions, including transferring funds, changing PIN
numbers and paying bills.

Dressel came across the information via the website of the US company
Fiserv, a software firm which runs internet banking programs for
dozens of banks, including the Abbey National in Britain.

After a few keystrokes he obtained something called the 'access log'
which had all the security information needed to access any of the
internet accounts run by Fiserv. The US company says it runs more than
200 million accounts on-line, looking after more than 15bn of
customers' money.

Dressel said: 'I was just checking details of my US bank account and
was playing around looking to see how secure the system was. I was
amazed there didn't seem to be any protection at all and within five
minutes I had obtained full access to account details of hundreds of
thousands of people. Anybody who has basic internet skills could have
done it. I guess if I wanted to I could have transferred $50m into my
account.'

Dressel contacted the FBI in Boston and his local police station in
the Isle of Man.

Dressel printed details of three accounts from customers which have
been seen by The Observer. These were from the Amalgamated Bank of
Chicago, Bank of Oklahoma and the Sovereign Bank in Connecticut. The
print-outs included account numbers and balances. They also gave options
to change PIN numbers, view the history of the account, pay bills and
transfer funds.

Dressel, who looks after computer security where he works, said: 'This
is a major scandal and needs to be exposed before people start losing
their money.'

This is the latest in a number of security scandals over internet
financial services that have cast doubt over the safety of using
on-line banking. On Friday five people were charged in connection with
attempting to defraud Egg, the web bank set up by Prudential nearly
two years ago.

Last month Barclays was forced to shut down its on-line banking
service for several hours after customers were confronted with details
of other people's accounts when they logged on. Earlier in the summer
electricity and gas supplier Powergen parted with the financial
details and addresses of thousands of customers without any hacking.

ISN is hosted by SecurityFocus.com