[ISN] Mass web banking hack probed

From: InfoSec News (isnat_private)
Date: Mon Jul 09 2001 - 01:23:30 PDT

    By Kevin Poulsen
    July 6, 2001 12:00 AM PT

    The FBI is investigating a June computer intrusion into a web banking
    company that may have compromised customer accounts at hundreds of
    U.S. financial institutions, SecurityFocus has learned.

    The attack against S1 Corporation's Community and Regional eFinance
    Solutions Group, renamed from Q UP after an acquisition last year,
    gave the hacker access to an internal network at the company's
    Atlanta-based 'Data Center', which handles the web banking needs of
    approximately 300 small banks and federal credit unions across the

    The hacker is believed to have cracked the network on June 19th. The
    company's information security staff discovered the intrusion the next
    day, and monitored the hacker until June 23rd, when they locked him
    out. FBI agents began investigating at S1's Austin, Texas office --
    where the network is managed -- on Monday, sources said.

    An FBI spokesperson could not be reached after business hours
    Thursday. S1 spokesperson Paul Citarella would neither confirm nor
    deny the intrusion, citing customer confidentiality. "We, like all
    organizations, get hacked all the time, or have attempted hacks all
    the time," said Citarella.

    But several sources familiar with the investigation, all speaking on
    condition of anonymity, said the company is taking the attack
    seriously, and has already begun notifying client banks that customer
    account information may have been compromised.

    One source said the hacker accessed files in a particular subdirectory
    on the company's Windows NT network called 'webdata,' which is
    dedicated to housing web banking customers' login names, paired with
    an encrypted version of their passwords.

    If the hacker reverse engineered the software responsible for logging
    customers in and out of the system, he could easily crack the
    encryption algorithm and read the passwords. Armed with that
    information, the attacker could access customer accounts over the web,
    potentially obtaining private information, or even plundering bank

    'Drop in the bucket'

    The intrusion underscores the vulnerability of Internet banking
    applications, which can suffer the same security holes as web sites
    and online storefronts, but seldom receive the same public scrutiny --
    in part because of a culture of strict secrecy among financial
    institutions, and tight nondisclosure agreements that keep would-be
    whistle-blowers silent.

    "When you write your story, make sure people understand that this is a
    drop in the bucket," said one consultant -- a specialist in evaluating
    the security of online banking software. "I've broken into every
    single web banking application I've tried. Sometimes I can just jump
    from account to account, and I wouldn't be able to target a person.
    With others I can get your social security number and any other
    information about you."

    The biggest risk, said the consultant, is in electronic bill payment
    functions, which provide a conduit for a cyber thief to siphon cash
    out of a victim's account. "Once I get access to their accounts, the
    first thing I do is set up bill pay to send out money to a mail drop."

    The consultant said new FDIC banking regulations are needed to enforce
    high security standards on Internet banking systems.

    Loyal Moses, formerly an information security analyst with S1, and now
    a critic of the company's security practices, said web-based banking
    can be made safe, but agreed that regulation was desperately needed.

    "As it is now, anybody could write an Internet banking application,
    take it down to the local bank, and if they like it, great, you're in
    business," said Moses, currently a security auditor at Grant Thornton,
    LLP. "It's just like when junk bonds were introduced, there was no
    regulation. Now you need to file certain papers to sell junk bonds.
    The same thing needs to happen with financial institutions."

    In addition to its Data Center, S1 Corporation's Community and
    Regional eFinance Solutions Group provides web banking software to
    small financial institutions for use in-house. Those institutions were
    not affected by the Data Center hack.
    ISN is hosted by SecurityFocus.com