Information Security News mailing list archives
New blow to internet banking security
From: InfoSec News <isn () C4I ORG>
Date: Mon, 25 Sep 2000 03:35:03 -0500
http://www.guardian.co.uk/internetnews/story/0,7369,372676,00.html

[Does anyone else find it odd that an English consultant living on the Isle of Man is checking his American Bank account? -WK]

Antony Barnett, public affairs editor
Sunday September 24, 2000

The future of internet banking was thrown into chaos last night after a British computer expert accessed bank account details of millions of Americans from his home in the Isle of Man during a routine check on his US bank account.

Ralph Dressel, a 28-year-old software analyst at Royal Skandia Investment bank, contacted The Observer having obtained bank security details that allowed him to 'walk' straight into internet bank accounts at institutions across the US. Once in, German-born Dressel was free to carry out a wide range of financial transactions, including transferring funds, changing PIN numbers and paying bills.

Dressel came across the information via the website of the US company Fiserv, a software firm which runs internet banking programs for dozens of banks, including the Abbey National in Britain. After a few keystrokes he obtained something called the 'access log' which had all the security information needed to access any of the internet accounts run by Fiserv. The US company says it runs more than 200 million accounts on-line, looking after more than 15bn of customers' money.

Dressel said: 'I was just checking details of my US bank account and was playing around looking to see how secure the system was. I was amazed there didn't seem to be any protection at all and within five minutes I had obtained full access to account details of hundreds of thousands of people. Anybody who has basic internet skills could have done it. I guess if I wanted to I could have transferred $50m into my account.'

Dressel contacted the FBI in Boston and his local police station in the Isle of Man.

Dressel printed details of three accounts from customers which have been seen by The Observer. These were from the Amalgamated Bank of Chicago, Bank of Oklahoma and the Sovereign Bank in Connecticut. The print-outs included account numbers and balances. It also gave options to change PIN numbers, view the history of the account, pay bills and transfer funds.

Dressel, who looks after computer security where he works, said: 'This is a major scandal and needs to be exposed before people start losing their money.'

This is the latest in a number of security scandals over internet financial services that have cast doubt over the safety of using on-line banking. On Friday five people were charged in connection with attempting to defraud Egg, the web bank set up by Prudential nearly two years ago.

Last month Barclays was forced to shut down its on-line banking service for several hours after customers were confronted with details of other people's accounts when they logged on. Earlier in the summer electricity and gas supplier Powergen parted with the financial details and addresses of thousands of customers without any hacking.

ISN is hosted by SecurityFocus.com