Issues: The security of electronic banking, legacy of the c0w

Last week, 03-09-00 to be exact, a Dutch television show exposed the Dutch banking organisation ABN AMRO’s HomeNet program as being insecure. Computer science students had found a way to trick this electronic banking system into redirecting a user’s bank transfers to a different account. As could have been expected, press and consumer organisations fell en masse for the possibilities the idea of “hackers” snooping around in your bank account presented.

The idea of banks being vulnerable to attacks always tends to cause a stir like this. Some incidents might even cause a cyberwar 😛 But how big of a problem is the security factor in electronic banking?

E-commerce has been on the rise for quite a while now (and has been claimed to be on the rise even longer), and of course banks can’t stay behind in this development. Because of this, many of them have initiated electronic banking projects like HomeNet. The general idea behind these systems involves a client-server system, in which the user first specifies the transaction information before either calling the bank’s system or accessing the Internet to transfer this information to the bank to have it processed.

Obviously, the possibility of anyone tampering with this information is definitely something a bank would like to stay clear of. Trust is a major issue in the banking world, and even the slightest mention of doubt about the integrity of banks in general and electronic banking in particular could have disastrous effects on customers’ confidence.

However, the reality of computers and their interconnection with other computers is that perfect security is quite an impossible feat. Unfortunately this also applies to banks. In a recent MSNBC story, former Hacker News Network editor and L0pht member Space Rogue is quoted about the results of security audits performed on banks by this group as “The audits we have performed tell us [banks] are not invulnerable” and “Banks have a little more security in place, but that security is still not at a level where it’s unbreakable.”

Similar statements by him and other renowned security experts around the world of course don’t do much good to the reputation of banks and the services they provide. But whether this is completely fair... Banks, like every other institution trying to tag along online in what is so nicely referred to as “the Internet-revolution”, have to cope with several problems. One of these (and probably the biggest issue in security nowadays) is, as in the ABN AMRO example, the dependence on others’ standards and code. Whether you like it or not, when it comes to home use, the Microsoft Windows operating system is the standard for computers. Obviously this won’t result in ABN AMRO having their program ported to NetBSD for security purposes. For those familiar with Windows’ track record in server intrusions, the problem is pretty clear. Often-heard expressions amongst home users are “Why would someone be interested in hacking my system?” and “I have nothing of interest for hackers on my machine, so I don’t have to worry about security”. Statements like these have “Melissa” and “I love you” written all over them.

On August 1 1998, the hacker group known as the Cult of the Dead Cow (cDc) released a program by the name of “Back Orifice” (BO). This program, a so-called “trojan horse”, basically opened the door for any user, regardless of skill or experience, to completely take over someone’s computer. According to the cDc press release, the realization of BO was an indication of “Microsoft’s Swiss cheese approach to security” and the fact that “Microsoft has leveraged itself into a position where anyone who wants to can download an app [or write their own!] and learn a few tricks and make serious shit happen.” The attitude with which BO was received by the same press who write about bank “insecurities” now was, however, that of the big bad hackers who intended to expose users’ private data to the world. Of course the cDc’s proposition of exchanging a version of their second BO tool, BO2K, for “a million dollars and a monster truck” when asked by anti-virus vendor Network Associates for a pre-release version didn’t help much with regard to public opinion either, but that’s quite beside the point. Point IS however that since then more and more vulnerabilities and programs abusing them have been popping up. Recent virus incidents clearly show that the realization of the need for security is still lagging way behind. Users still open email attachments with little or no precautions. And that is exactly where the real problem is.

The HomeNet program was “cracked” by a modified version of one of these trojan programs. The user has to be tricked into running this program on their computer first before it can start manipulating transaction data and actually become a threat. In the example shown on TV, this was done with a fake email, supposedly coming from the ABN AMRO helpdesk and an attachment which was said to contain an update to the system. According to the student performing the demonstration, this is a responsibility of the bank, because “users are known to easily install software from vague or unknown resources”. And that statement describes the problem best.

Credit card exposure and fraud are quite common things on the ‘Net nowadays, smart card systems and ATMs are abused on quite a regular basis, and the NSA (and others) are accused of having obtained a backdoor in just about any system (be it financial or not). To get a bank to shut down services because of an obvious between-keyboard-and-screen problem is ridiculous and unrealistic. Of course better security should be in place at HomeNet (checking of the receiver’s name against the destination account has already been mentioned as a quick fix), but the real problem lies in the security policy of users and even in other software like the Windows operating system. This leads to solutions ranging from educating users to the ever-ongoing discussion about who’s responsible for software (security) flaws.

To claim any person or institution insecure on the basis of the existence of these problems, even asking for their closure until these problems are solved, would not only effectively shut them down permanently, but would probably cause the ICT world to come to a screeching stop. What (sad but true) should instead be learned from all this is that better security starts at Home first, to be realized on the Net later.