Issues: The security of electronic banking, legacy of the c0w

[InfoSec News <isn () C4I ORG>]

Forwarded By: Berislav Kucan <bhz () net-security org>

Issues: The security of electronic banking, legacy of the c0w
by Thejian, Help Net Security

Last week, 03-09-00 to be exact, a Dutch television show exposed the
Dutch banking organisation ABN AMRO's HomeNet program as being
insecure. Computer science students had found a way to trick this
electronic banking system into redirecting a user's bank transfers to
a different account. As could have been expected, press and consumer
organisations fell en masse for the possibilities the idea of
"hackers"  snooping around in your bank account presented.

The ideas of banks and their vulnerability to attacks always tends to
cause a stir like this. Some incidents might even cause a cyberwar :P
But how big of a problem is the security factor in electronic banking?

E-commerce has been on the rise for quite a while now (and has been
claimed to be on the rise even longer), of course with this
developement, banks can't stay behind. Because of this many of them
have initiated electronic banking projects like HomeNet. The general
idea behind these systems involves a client-server system, in which
the user first specifies the transaction information before either
calling the banks system or access the Internet to transfer this
information to the bank to have it processed.

Obiously, the possibility of anyone tampering with this information is
definately something a bank would like to stay clear of. Trust is a
major issue in the banking world and even the slightest mention of
doubt about the integrity of banks in general and electronic banking
in particular could have desastrous effects on customers' confidence.

However, the reality of computers and their interconnection with other
computers is that perfect security is quite an impossible feat.
Unfortunately this also applies to banks. In a recent MSNBC story,
former Hacker News Network editor and L0pht member Space Rogue is
quoted about the results of security audits performed on banks by this
group as "The audits we have performed tell us [banks] are not
invulnerable" and "Banks have a little more security in place, but
that security is still not at a level where it is unbreakable."

Similar statements by him and other renowned security experts around
the world of course don't do much good to reputation of banks and the
services they provide. But wether this is completely fair.. Banks,
like every other institution trying to tag online in what so nicely is
referred to as "the Internet-revolution" have to cope with several
problems. One of these (and probably the biggest issue in security
nowadays) is, as in the ABN AMRO example, the dependability on other's
standards and code. Wether you like it or not, when it comes to
home-use, the Microsoft Windows operating system is the standard for
computers. Obviously this won't result in ABN AMRO having their
program ported to NetBSD for security purposes. For those familiar
with Windows' track record in server-intrusions, the problem is pretty
clear. Often heard expressions amongst home-users are "Why would
someone be interested in hacking my system?" and "I have nothing of
interest for hackers on my machine, so I don't have to worry about
security".  Statements like these have "Melissa" and "I love you"
written all over them.

On August 1 1998, the hacker group known as the Cult of the Dead Cow
(cDc) released a program by the name of "Back Orifice" (BO).  This
program, a so-called "trojan horse", basically opened the door for any
user, regardless of skill or experience, to completely take over
someones computer. According to the cDc press release, the
realization of BO was an indication of "Microsoft's Swiss cheese
approach to security" and the fact that "Microsoft has leveraged
itself into a position where anyone who wants to can download an app
[or write their own!] and learn a few tricks and make serious shit
happen. " The attitude with which BO was received by the same press
who write about bank "insecurities" now, was however that of the big
bad hackers who intended to expose users private data to the world.
Of course the cDc's proposition of exchanging a version of their
second BO tool, BO2K, for "a million dollars and a monster truck" when
asked by anti-virus vendor Network Associates for a pre-release
version didn't help much in regards of the public opinion either, but
that's quite besides the point. Point IS however that since then more
and more vulnerabilities and programs abusing them have been popping
up.  Recent virus incidents clearly show that the realization of the
need of security is still lacking way behind. Users still open email
attachments with little or no precautions. And that is exactly where
the real problem is.

The HomeNet program was "cracked" by a modified version of one of
these trojan programs. The user has to be tricked into running this
program on their computer first before it can start manipulating
transaction data and actually become a threat. In the example shown on
TV, this was done with a fake email, supposedly coming from the ABN
AMRO helpdesk and an attachment which was said to contain an update to
the system. According to the student performing the demonstration,
this is a responsibility of the bank, because "users are known to
easily install software from vague or unknown resources". And that
statement describes the problem best.

Credit card exposure and fraud are quite common things on the 'Net
nowadays, smart card systems and ATM's are abused on quite regular
basis and the NSA (and others) are accused of having obtained a
backdoor in just about any system (be it financial or not). To get a
bank to shut down services because an obvious
between-keyboard-and-screen problem, is ridiculous and unrealistic. Of
course a better security should be in place at HomeNet (checking of
receivers name against destination account has already been mentioned
as a quick fix), but the real problem lies in the security policy of
users and even in other software like the Windows operating system.
This leads to solutions from educating users to the ever ongoing
discussion about who's responsible for software (security) flaws.

To claim any person or institution insecure on basis of the existence
of these problems, even asking for their closure untill these problems
are solved, would not only effectively shut them down permanently, but
would probably would cause the ICT world to come to a screeching stop.
What (sad but true) instead should be learned from all this, is that a
better security starts at Home first to realize it on the Net later.


Berislav Kucan aka BHZ
bhz () net-security org
http://net-security.org

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".