Forwarded from: security curmudgeon <jericho (at) attrition.org>
Cc: Editor (at) BankInfoSecurity.com, reportfraud (at) mibank.com

bankinfosecurity.com: Too bad Linda blindly accepted everything she read on the Interwebz.

mibank.com: "reportfraud", I am reporting fraud to you as requested. Specifically, the 'fraud' that your bank is trying to commit against customers.

: http://www.bankinfosecurity.com/articles.php?art_id=1164
:
: By Linda McGlasson
: Managing Editor
: Bank Info Security
: January 19, 2009
:
: Phishing, malware and the Nigerian 404 scam. These are among the top
: 2009 agenda items for the M&I Corporation in Wisconsin - not just to
: fight the threats, but to make customers more aware of them.
:
: Customer awareness is a huge priority for Wisconsin's largest bank,
: says Scott Coghill, CISM, Vice President, Information Security
: Department at the Milwaukee-based financial services corporation,
: which has $63.5 billion in assets and operates in seven states.
:
: M&I has a dedicated web page for its customers with an outline of the

It does? McGlasson/BankInfoSecurity don't link to it off their page. If I hit https://www.mibank.com/ and search for 'security', I get a generic FAQ style page. If I click on the "M&I Online Guarantee" I get worse.

FAQ: Is Online Banking secure?
Yes, M&I is committed to providing you with peace of mind when using Online Banking and Bill Payment.

Guarantee: The M&I Online Guarantee offers consumers some of the strongest protection available. [..]

Security Commitment: We use data encryption to protect you when applying for accounts, conducting transactions or paying bills online.

Ok, I'll take your word for it and only use a web browser (and freely available, easy to use browser plugins) to trust you.

- This web server allows EXP-* (exportable) ciphersuites. (What were you saying about data encryption?)
- Web server reveals version (Apache/1.3.9) and module (Ben-SSL/1.37 (Unix))
- Javascript information disclosure (Michael T Venturella Jr (MTV) created mibankJsLib.js on 05-Oct-05)
- Uses code from Websidestory, Inc. (websidestory.com)
- Initial cookies are not set 'secure'
- Initial cookies are not set 'httponly'
- One server in their cluster is Hitbox Gateway 9.3.6-rc1
- One server in their cluster is Apache-Coyote/1.1 and likely runs ColdFusion
- Directory indexing is off, but error message reveals web server vendor/version
- Customer user enumeration via error messages (valid name, invalid state); the server that handles this is IBM_HTTP_Server .. assuming that connections to "ibanking-services.com" are legitimate, as they are registered to "Metavante Corporation", not "M&I Online Banking"
- Copyright out of date
- Cross-Site Scripting (XSS) on the search page. Entering "><script>alert('oh gnoez')</script> will result in a popup if entered through www.mibank.com/mibanknew/subsections.cfm?pagename=search

: most important security messages and updates. It also offers key tips
: in ID theft fraud protection, a section describing how M&I is
: protecting its customers,

Now I'm really curious, is this page only available to customers? If they paid high dollar to a security company that performed web application testing, I think they would be in for a rude shock since I just hit 12 findings (one high risk!) in fifteen minutes. Care to pay me 10k for the elite audit I performed above before you spend more on a company that will give you worse news?

Are they *really* dedicated, or are they just regurgitating the same PR-friendly crap every e-commerce site does in a desperate attempt to cover their ass while they provide insecure banking to the masses?

: "We periodically send out flyers in their monthly statements, and we
: provide the same information to our call center, branch personnel,
: community bankers and other areas of customer contact whenever we post
: an alert regarding a new phishing or malware scam that could be of
: interest to people," Coghill says.

Great, shift all the blame onto everyone else, but not the folks running the IT / Security department. The above findings mean M&I is not PCI compliant for sure (sorry, the XSS finding fails you). Did your PCI ASV find this? If not, why not? If so, why are you still vulnerable? Oh wait, PCI is a scam, nevermind.

$63.5 billion in assets? I look forward to seeing you on http://datalossdb.org/ =)

: "With the way the economy is today, the bad guys will try to look for
: opportunities to take unfair advantage of situations," Coghill says,
: requiring strong awareness programs for employees and customers alike.
: The awareness program in place is a strong one, he adds. "Our goal is to
: keep that information current and relevant."

All the while, ignoring Security 101 about web application security?

: [...]

_______________________________________________
Best Selling Security Books & More!
http://www.shopinfosecnews.org/

Received on Fri Jan 23 2009 - 00:13:40 PST
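Several of the findings in the post above (cookies without 'secure'/'httponly', a Server header that reveals the version, export-grade ciphersuites being offered, and a search page that reflects input unescaped) are the kind of thing a site owner can check mechanically before an outsider does. The following is an added example and not code from the post, from the list, or from M&I: it audits a constructed set of response headers and a constructed cipher list for exactly those weaknesses, and shows the output-encoding fix for the reflected-input problem. The `audit_*` and `safe_echo` names are my own; the sample values are made up to mirror the post's findings and were not captured from any real server.

```python
"""Minimal response-hygiene audit for the findings listed in the post.

All inputs below are constructed samples; nothing here connects to a server.
"""
import html
import re

# Constructed response headers (name, value) as a client library would return them.
SAMPLE_HEADERS = [
    ("Server", "Apache/1.3.9 Ben-SSL/1.37 (Unix)"),   # mirrors the post's version disclosure
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),       # no Secure, no HttpOnly
    ("Set-Cookie", "prefs=en; Path=/; Secure; HttpOnly"),
    ("Content-Type", "text/html"),
]

# Constructed list of ciphersuite names as a TLS scanner might report them being offered.
SAMPLE_CIPHERS = ["EXP-RC4-MD5", "AES256-SHA", "EXP-DES-CBC-SHA"]

# A product token followed by a dotted version, e.g. "Apache/1.3.9".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def parse_set_cookie(value):
    """Return (cookie_name, set_of_lowercased_attribute_names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers):
    """Flag every Set-Cookie that is missing the Secure or HttpOnly attribute."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit_server_header(headers):
    """Flag a Server header that carries a version number (banner disclosure)."""
    return [
        f"Server header discloses version: {value}"
        for key, value in headers
        if key.lower() == "server" and VERSION_RE.search(value)
    ]


def audit_ciphers(ciphers):
    """Flag export-grade suites; OpenSSL names them with an EXP- or EXP1024- prefix."""
    return [
        f"export-grade cipher offered: {c}"
        for c in ciphers
        if c.upper().startswith(("EXP-", "EXP1024-"))
    ]


def audit(headers, ciphers):
    """Combined report: one line per finding."""
    return audit_cookies(headers) + audit_server_header(headers) + audit_ciphers(ciphers)


def safe_echo(search_term):
    """The fix for the reflected-search finding: HTML-encode user input before
    placing it in the page so quotes and angle brackets cannot close the attribute
    or open a script element."""
    return f'<input type="text" name="q" value="{html.escape(search_term, quote=True)}">'


if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS, SAMPLE_CIPHERS):
        print("FINDING:", line)
    print(safe_echo('"><b>hello</b>'))
```

Run against a real response you would swap `SAMPLE_HEADERS` for the header list your HTTP client returns and `SAMPLE_CIPHERS` for the suites your TLS scanner reports; the point of keeping the three audits separate is that each maps to one remediation owner (application, web server configuration, TLS configuration).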