Mass web banking hack probed

[InfoSec News <isn () c4i org>]

http://www.securityfocus.com/news/222 

By Kevin Poulsen
July 6, 2001 12:00 AM PT

The FBI is investigating a June computer intrusion into a web banking
company that may have compromised customer accounts at hundreds of
U.S. financial institutions, SecurityFocus has learned.

The attack against S1 Corporation's Community and Regional eFinance
Solutions Group, renamed from Q UP after an acquisition last year,
gave the hacker access to an internal network at the company's
Atlanta-based 'Data Center', which handles the web banking needs of
approximately 300 small banks and federal credit unions across the
country.

The hacker is believed to have cracked the network on June 19th. The
company's information security staff discovered the intrusion the next
day, and monitored the hacker until June 23rd, when they locked him
out. FBI agents began investigating at S1's Austin, Texas office --
where the network is managed -- on Monday, sources said.

An FBI spokesperson could not be reached after business hours
Thursday. S1 spokesperson Paul Citarella would neither confirm nor
deny the intrusion, citing customer confidentiality. "We, like all
organizations, get hacked all the time, or have attempted hacks all
the time," said Citarella.

But several sources familiar with the investigation, all speaking on
condition of anonymity, said the company is taking the attack
seriously, and has already begun notifying client banks that customer
account information may have been compromised.

One source said the hacker accessed files in a particular subdirectory
on the company's Windows NT network called 'webdata,' which is
dedicated to housing web banking customers' login names, paired with
an encrypted version of their passwords.

If the hacker reverse engineered the software responsible for logging
customers in and out of the system, he could easily crack the
encryption algorithm and read the passwords. Armed with that
information, the attacker could access customer accounts over the web,
potentially obtaining private information, or even plundering bank
accounts.

'Drop in the bucket'

The intrusion underscores the vulnerability of Internet banking
applications, which can suffer the same security holes as web sites
and online storefronts, but seldom receive the same public scrutiny --
in part because of a culture of strict secrecy among financial
institutions, and tight nondisclosure agreements that keep would-be
whistle-blowers silent.

"When you write your story, make sure people understand that this is a
drop in the bucket," said one consultant -- a specialist in evaluating
the security of online banking software. "I've broken into every
single web banking application I've tried. Sometimes I can just jump
from account to account, and I wouldn't be able to target a person.
With others I can get your social security number and any other
information about you."

The biggest risk, said the consultant, is in electronic bill payment
functions, which provide a conduit for a cyber thief to siphon cash
out of a victim's account. "Once I get access to their accounts, the
first thing I do is set up bill pay to send out money to a mail drop."

The consultant said new FDIC banking regulations are needed to enforce
high security standards on Internet banking systems.

Loyal Moses, formerly an information security analyst with S1, and now
a critic of the company's security practices, said web-based banking
can be made safe, but agreed that regulation was desperately needed.

"As it is now, anybody could write an Internet banking application,
take it down to the local bank, and if they like it, great, you're in
business," said Moses, currently a security auditor at Grant Thornton,
LLP. "It's just like when junk bonds were introduced, there was no
regulation. Now you need to file certain papers to sell junk bonds.
The same thing needs to happen with financial institutions."

In addition to its Data Center, S1 Corporation's Community and
Regional eFinance Solutions Group provides web banking software to
small financial institutions for use in-house. Those institutions were
not affected by the Data Center hack.



ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.