My post from a week ago, about the major flaws in the new online banking security systems that banks around the country deployed recently, did not get any attention. The flaw was explained in detail and demonstrated (by actually hacking a bank account) at the Defcon 15 hacker conference in Las Vegas. One person dugg it at Digg.com and that was it. End of story, nobody seems to be interested. Well, it only affects pretty much everybody, at least everybody who uses online banking. Meanwhile did also other blogs that are specialized in application and system security write about the story. DarkReading.com was one of the most known publications who published the story "New Bank Practices Make Hacking Easier" a couple days after I published mine.
Their story died at Digg.com, just as mine, but at least did some more bloggers pick up their story. Here are a few other bloggers who picked it up:
- M. M. Madan: Bank's "Two Factor" Schemes Are Fundamentally Flawed
- AuthenticationWorld.Com: Why more authentication may be harmful to banks
- FIRST.org: New Bank Practices Make Hacking Easier
- Dr. Neal Krawetz/Hackerfactor.com: Black Hat and Defcon Post-Conference (as part of a general DefCon 15 summary
Here is a picture of Brendan O'Connor, who presented the issue at the conference, which makes it easy to understand, why some people might not give him the attention he deserves.It is funny how things work sometimes. On the one hand are people going berserk and crazy about some "big privacy issues" that are bullshit. I just mention Google and the other search engines regarding their updates to their privacy policies.
I guess it has to hurt a bunch of people first, some accounts hacked and life's and businesses ruined that people wake up and ask "WTF is going on here?". The cries will be loud and painful to listen to. People will ask "Did nobody knew about this?" .. Of course did somebody knew about this, but you were not listen, you dumba...!
"Schadenfreude" is not a good thing in this matter, but a bit cynicism does not hurt either.
Quick Update: Here is the 47 pages presentation by Brendan O'Connor from DefCon 15 in PDF format (only 230KB in size), titled "Greater Than One - Defeating 'strong' authentication in web applications".
dc-15-oconnor.pdfThe presentation document goes into much more details than I was in my previous blog post. It also illustrates the issues nicely. Check it out.
Carsten aka Roy/SAC
1 comment:
Digg can put your info forward but you got to make it known elsewhere. I read at symantec that bank accounts are traded at about 100$ each... impressive.
Post a Comment
Hi, thanks for taking the time to comment at my blog.
Due to spam issues comments are not immediately posted on the site and require my manual approval first, before they become visible.
I try to approve comments as quickly as possible and usually within 24 hours.
To be notified about follow up comments that are made after yours, use the subscribe option with your email address and you will receive an email alert, if somebody else comments at this post in the future.
Also check out the rest of the website beyond this blog, visit RoySAC.com. Also see my YouTube channels, SACReleases for intros and demos.
Cheers!
Carsten aka Roy/SAC
Note: Only a member of this blog may post a comment.