Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Australia Crime The Almighty Buck

Memory Gaffe Leaves Aussie Bank Accounts Open To Theft 69

Posted by timothy from the willie-sutton-down-under dept.
mask.of.sanity writes "A researcher has found flaws in the way major Australian banks handle customer login credentials which could allow the details to be siphoned off by malware. He built proof of concept malware to pull unencrypted passwords, account numbers and access credentials from volatile memory of popular web browsers every two hours."
This discussion has been archived. No new comments can be posted.

Memory Gaffe Leaves Aussie Bank Accounts Open To Theft More

Memory Gaffe Leaves Aussie Bank Accounts Open To Theft

Comments Filter:

  • Already running? (Score:5, Insightful)

    by Anonymous Coward on Saturday June 01, 2013 @12:03AM (#43880873)

    You have to be infected first for your credentials to be stolen? Couldn't the hacker just have installed a key logger?

    If you can't trust the machine, don't put your sensitive data on the thing.

  • So he's running malware that's sniffing your browsers memory? If your machine is already compromised, there are easier ways to get access to login credentials.

  • Re:and now he be researching the side of jail down (Score:5, Insightful)

    by Frobnicator ( 565869 ) on Saturday June 01, 2013 @12:27AM (#43880961) Journal

    Sadly, he probably will.

    Financial institutions want to keep their vulnerabilities quiet. People who shout them to the world face lawsuits

    If you are smart enough to discover a major exploit, also be smart in how you notify them. There are many great security companies who work as middle-men to help submit the bugs to the corporations and at an appropriate time make the information public so it gets fixed.

    Going through a security company is free, and means you won't get the big splash on news sites or all the public attention, but it also means you can generally avoid hiring a lawyer, or worse, having he cops knock at your door with warrants.

  • Re:Already running? (Score:5, Insightful)

    by You're All Wrong ( 573825 ) on Saturday June 01, 2013 @02:35AM (#43881249)
    So you're saying that if you log in from a new infected machine, your bank obliges you to leak sensitive security information to the keylogger that's been installed there?

    Congratulations for feeling all warm and fuzzy from your bank's security measures whilst gaining very little actual security against real threats - that's what they were hoping you'd feel, you're a good customer.

    *One time* passwords are the *only* thing that *can't* be re-used. By definition. If your bank does not use them, get a new bank.

  • Re:Careful Reporting These (Score:1, Insightful)

    by Anonymous Coward on Saturday June 01, 2013 @03:12AM (#43881343)

    This is why whenever I expose security flaws I do so anonymously. If it isn't fixed within the first couple days I just make it public knowledge and instigate the first attack myself. They had their fair warning, and now they get the shit storm they deserve.

  • I'm starting to be sick (Score:5, Insightful)

    by trifish ( 826353 ) on Saturday June 01, 2013 @03:29AM (#43881375)

    I am really starting to be sick of these "security researchers" who don't know that the 1st law of the computer security is:

    If malware is running on your computer, it is not your computer anymore.

    It follows that no matter what you do, malware will win. Discovering that malware can "siphon" memory is really... uh, groundbreaking.

    What makes me even more sick is the incredibly amount of various BlackHat "security conferences" and supposedly geek-oriented media like Slashdot that let those people present this kind of "discoveries" as legitimate, notable, noteworthy, important and new.

    I am really, really, sick of you.

  • Not really a banks fault though - why is the browser hanging on to post'd data after it's been post'd??

    So that when you hit refresh on the page, the browser can pop up its usual "you'll need to repost to refresh this page, are you sure?" and do the repost if you tell it to.

  • Re:How bloody embarrassing! (Score:5, Insightful)

    by bloodhawk ( 813939 ) on Saturday June 01, 2013 @05:10AM (#43881577)
    While this isn't exactly shining a pleasant light on the quality of the banks code. It is still very much a storm in a teacup, if you have access to scrape the memory of the computer then you could have gotten access to credentials in a far simpler means such as keylogging. The simple fact is if you can't trust the machine you are using you're already boned and no amount of secure coding from the bank is going to save you. Besides which I believe most of those banks (if not all) do 2 factor auth to transfer funds to accounts you haven't previously transferred too. (at least the 2 of them I use do).

  • Re:Careful Reporting These (Score:5, Insightful)

    by darkfeline ( 1890882 ) on Saturday June 01, 2013 @05:24AM (#43881595)

    I hear about these kinds of things all the time. It's utter bullshit; they're literally making it more appealing for people to anonymously sell these exploits on the black market. "No, we don't want to know if our software has an exploit. If you've found one, go ahead and sell it to whoever you want, as long as we don't know, it's cool, we can keep deluding ourselves, thanks."

    It reminds me of, among other counterproductive measures, media conglomerates pushing oppressive DRM on consumers as if to drive them toward piracy or forcing drug addicts to carry their criminal status with them as if to force them back toward poverty and drug abuse. If an alien race were to monitor us, they'd probably assume we're running some sort of elaborate self-extermination campaign.

Slashdot Top Deals

Always look over your shoulder because everyone is watching and plotting against you.

Close