Memory Gaffe Leaves Aussie Bank Accounts Open To Theft 69
mask.of.sanity writes "A researcher has found flaws in the way major Australian banks handle customer login credentials which could allow the details to be siphoned off by malware. He built proof of concept malware to pull unencrypted passwords, account numbers and access credentials from volatile memory of popular web browsers every two hours."
Careful Reporting These (Score:5, Informative)
In the 80s, my comp sci partner and I discovered a similar case at Acadia University. We reported it to the head of the computer center. He told us it wouldn't work, it couldn't be done. I left that meeting feeling betrayed. My partner decided to write a proof of concept. He was successful and to prove it logged in as the main admin account. Days later he decided to try it again to see if they still hadn't fixed it or changed the password. They were waiting. He was expelled from Acadia. He was a brilliant honors student.
It's worse these days. They will charge you for cybercrimes, or treason, and sentence you to decades in prison. Or hold you without trial. Be careful when you do the right thing and report these. Just report them, don't "proof of concept" or you could be charged. It's unfair and immoral but it's what they'll do to you, mostly out of their own shame and embarrassment.
How bloody embarrassing! (Score:5, Informative)
Aussie IT is a bit Mickey Mouse all around, sadly -- especially in the banks, oddly (you'd expect a higher standard where billions of dollars are concerned, but no...)
As for the researcher, they didn't actually 'hack' into anything, merely scraped their own computer for data, so I wouldn't expect them to face any problems over revealing the exploit. Probably hasn't won them any friends in the banking sector though...
horses and barns (Score:4, Informative)
If malware has access to the RAM of another process, the horse has left the barn.