Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Australia Crime The Almighty Buck

Memory Gaffe Leaves Aussie Bank Accounts Open To Theft 69

mask.of.sanity writes "A researcher has found flaws in the way major Australian banks handle customer login credentials which could allow the details to be siphoned off by malware. He built proof of concept malware to pull unencrypted passwords, account numbers and access credentials from volatile memory of popular web browsers every two hours."
This discussion has been archived. No new comments can be posted.

Memory Gaffe Leaves Aussie Bank Accounts Open To Theft

Comments Filter:
  • by Anonymous Coward on Friday May 31, 2013 @10:59PM (#43880857)

    In the 80s, my comp sci partner and I discovered a similar case at Acadia University. We reported it to the head of the computer center. He told us it wouldn't work, it couldn't be done. I left that meeting feeling betrayed. My partner decided to write a proof of concept. He was successful and to prove it logged in as the main admin account. Days later he decided to try it again to see if they still hadn't fixed it or changed the password. They were waiting. He was expelled from Acadia. He was a brilliant honors student.

    It's worse these days. They will charge you for cybercrimes, or treason, and sentence you to decades in prison. Or hold you without trial. Be careful when you do the right thing and report these. Just report them, don't "proof of concept" or you could be charged. It's unfair and immoral but it's what they'll do to you, mostly out of their own shame and embarrassment.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      This is why whenever I expose security flaws I do so anonymously. If it isn't fixed within the first couple days I just make it public knowledge and instigate the first attack myself. They had their fair warning, and now they get the shit storm they deserve.

    • by darkfeline ( 1890882 ) on Saturday June 01, 2013 @04:24AM (#43881595)

      I hear about these kinds of things all the time. It's utter bullshit; they're literally making it more appealing for people to anonymously sell these exploits on the black market. "No, we don't want to know if our software has an exploit. If you've found one, go ahead and sell it to whoever you want, as long as we don't know, it's cool, we can keep deluding ourselves, thanks."

      It reminds me of, among other counterproductive measures, media conglomerates pushing oppressive DRM on consumers as if to drive them toward piracy or forcing drug addicts to carry their criminal status with them as if to force them back toward poverty and drug abuse. If an alien race were to monitor us, they'd probably assume we're running some sort of elaborate self-extermination campaign.

    • Whatever his intentions, he broke the law. It's important to remember that you can be prosecuted for breaking the law even if you consider yourself a "white hat." Instead, he should have sent the demonstration code in hardcopy without ever actually intruding on the system he was trying to help improve.
      • by Velex ( 120469 )

        Yes, but that's not even good enough. You and I both know how these arrogant pinheads work. They have a social status and nothing more. If some damned kid can just show them up, what would that mean about them? Sure we can call the kid a "genius" or a "wiz" and dress him up in other terms to attempt to shield the pinhead's social status, but at the end of the day the fact remains that the pinhead got shown up by a damned kid barely out of diapers.

        It seems the only correct answer is to either do nothing

        • Why don't you climb down off that high horse and join the rest of us in the real world, where breaking the law is a risky move and publishing a cookbook showing how to penetrate somebody else's computer network is considered antisocial behavior?
  • and now he can be researching the in side of jail down under hands on.

    • by Frobnicator ( 565869 ) on Friday May 31, 2013 @11:27PM (#43880961) Journal

      Sadly, he probably will.

      Financial institutions want to keep their vulnerabilities quiet. People who shout them to the world face lawsuits

      If you are smart enough to discover a major exploit, also be smart in how you notify them. There are many great security companies who work as middle-men to help submit the bugs to the corporations and at an appropriate time make the information public so it gets fixed.

      Going through a security company is free, and means you won't get the big splash on news sites or all the public attention, but it also means you can generally avoid hiring a lawyer, or worse, having he cops knock at your door with warrants.

  • Already running? (Score:5, Insightful)

    by Anonymous Coward on Friday May 31, 2013 @11:03PM (#43880873)

    You have to be infected first for your credentials to be stolen? Couldn't the hacker just have installed a key logger?

    If you can't trust the machine, don't put your sensitive data on the thing.

    • And yet regardless, he's not getting in. If I so much as log into my online banking from another computer let alone another state or country, I have to enter multiple security question answers as well. Almost every bank does it that way. If yours doesn't, get a new bank.
      • by You're All Wrong ( 573825 ) on Saturday June 01, 2013 @01:35AM (#43881249)
        So you're saying that if you log in from a new infected machine, your bank obliges you to leak sensitive security information to the keylogger that's been installed there?

        Congratulations for feeling all warm and fuzzy from your bank's security measures whilst gaining very little actual security against real threats - that's what they were hoping you'd feel, you're a good customer.

        *One time* passwords are the *only* thing that *can't* be re-used. By definition. If your bank does not use them, get a new bank.
    • Based on how this works, I've hashed out a method to spy on the president:

      1. Sneak into the White House
      2. Hide under the oval office desk.
      3. Now the tricky part -- listen to conversations.

    • by gl4ss ( 559668 )

      You have to be infected first for your credentials to be stolen? Couldn't the hacker just have installed a key logger?

      If you can't trust the machine, don't put your sensitive data on the thing.

      well, it sort of matters if you can log back into the bank again with those credentials after you've signed out. that means you're note really signed out.

      that is a big deal, actually.

  • by beaverdownunder ( 1822050 ) on Friday May 31, 2013 @11:05PM (#43880883)

    Aussie IT is a bit Mickey Mouse all around, sadly -- especially in the banks, oddly (you'd expect a higher standard where billions of dollars are concerned, but no...)

    As for the researcher, they didn't actually 'hack' into anything, merely scraped their own computer for data, so I wouldn't expect them to face any problems over revealing the exploit. Probably hasn't won them any friends in the banking sector though...

    • by bloodhawk ( 813939 ) on Saturday June 01, 2013 @04:10AM (#43881577)
      While this isn't exactly shining a pleasant light on the quality of the banks code. It is still very much a storm in a teacup, if you have access to scrape the memory of the computer then you could have gotten access to credentials in a far simpler means such as keylogging. The simple fact is if you can't trust the machine you are using you're already boned and no amount of secure coding from the bank is going to save you. Besides which I believe most of those banks (if not all) do 2 factor auth to transfer funds to accounts you haven't previously transferred too. (at least the 2 of them I use do).
      • Westpac are reported not to be vulnerable to this hack, but their online banking usernames are a 8 digit number and the password are only six characters. The available characters are [a-z] and [0-9]. This is the login page [westpac.com.au].
        • by skegg ( 666571 )

          But I presume you only get 3 attempts before the account is locked-out. Even 10 attempts would be safe.

  • So he's running malware that's sniffing your browsers memory? If your machine is already compromised, there are easier ways to get access to login credentials.
  • by jonwil ( 467024 ) on Saturday June 01, 2013 @12:29AM (#43881089)

    My bank uses POST in the login form which means that sniffing memory for URLs (which is what this malware seems to do) wont get you a login.
    Plus, in order to actually transfer money to someone you haven't transferred money to before you have to input a second password.

    The biggest failing of the bank in question is that it has a 10 char maximum on passwords for some stupid reason.

    • The biggest failing of the bank in question is that it has a 10 char maximum on passwords for some stupid reason.

      I've always assumed that anyone that limits the password to an arbitrarily small number, or limits what characters you can use, does so because of incompetence. And so it makes me wonder what other security vulnerabilities there are.

      • by DarkOx ( 621550 )

        I agree its major red flag. Yes there needs to some limit; you don't ever want to take user input of undefined maximum length, but in the case of passwords a sane max is like 255 bytes, which might be a bit shorter than 255 chars if you are running utf8, and is probably still enough if you need to use a two byte character encoding.

        When you lengths like 8 or 10 it leads one to assume passwords probably are being stored insecurely; after all if they were hashing passwords like they should be the final storag

      • It is really dumb to limit the password to something so small as 8 or 10 char. Or disallowing non-alpha numberics like $ + - @ # % .

        But one of the common vulnerabilities is buffer overrun. So they want to limit the read to some fixed number instead of looking for the trailing null, in an unlimited loop. So the right thing to do is set the limit to some moderately large number, like 128, allocate space, write nulls into it and then read the data into that buffer. Why it can't be really big like 1K or 2K? We

    • by WD ( 96061 )

      You're joking, right? Please tell me that you don't think you're protected from banking malware because your bank uses POST instead of GET.

  • horses and barns (Score:4, Informative)

    by stenvar ( 2789879 ) on Saturday June 01, 2013 @01:24AM (#43881217)

    If malware has access to the RAM of another process, the horse has left the barn.

  • by Anonymous Coward

    This would probably affect every single Internet site in existence. And there is no solution, nor can there be

    There is a company in Australia selling JavaScript that encrypts form field - I assume this guy is associated to that company & trying to drum up a sale, while hiding the fact they are selling snake oil.

    • by Anonymous Coward
      I beg to differ ! This is half the browsers fault and the other half Banks/sites ... The browsers should not store the memory that long, and the sites should atleast use similar coding as to the way in that dudes video with the Jscript encoding. Sure there is other ways to grab those details but in way what your saying sounds the same as "There is a cure for for liver cancer, but don't get THAT because there's other cancers that can kill you!"
    • by Anonymous Coward

      I actually do this as well on a site I'm about to release. I use Javascript RSA library from some students at standford (http://www-cs-students.stanford.edu/~tjw/jsbn/). What I do is, hide the signup & login forms if the user has javascript disabled. I create an SSH Private/Public key pair for the user server side and pass the rsa_e & rsa_n modulus (public key) to the Javascript library. When the user exits a particular field such as a password field or more importantly an credit card related field,

  • by trifish ( 826353 ) on Saturday June 01, 2013 @02:29AM (#43881375)

    I am really starting to be sick of these "security researchers" who don't know that the 1st law of the computer security is:

    If malware is running on your computer, it is not your computer anymore.

    It follows that no matter what you do, malware will win. Discovering that malware can "siphon" memory is really... uh, groundbreaking.

    What makes me even more sick is the incredibly amount of various BlackHat "security conferences" and supposedly geek-oriented media like Slashdot that let those people present this kind of "discoveries" as legitimate, notable, noteworthy, important and new.

    I am really, really, sick of you.

  • *All* of those banks insist on two factor authentication for money transfers. I use 2 of them and every single person I know (here in Australia) is either issued an RSA token or has SMS alerts on money transfers (an SMS is sent to you with a code that must be entered before the transfer will take place). So even with the password, you can't transfer money out of an Australian bank.
  • Australian government is now seizing bank accounts by declaring them 'inactive' if they haven't had a transaction in three years. Financial planner found $150K vanished and they also shafted a pensioner who got back from heart surgery to find his account seized. Probably hit other people who won't know yet, or elderly whose relatives won't even know the money is missing. Sure it'll be put to good use refurnishing bureaucrats offices: http://www.couriermail.com.au/news/queensland/brisbane-woman-has-had-more- [couriermail.com.au]
    • Three years? I wonder how long one must be missing to be declared dead. Seems to me the bank account should wait for probate or the equivalent.

  • :) Oh I would have paid.
  • It would be great if financial companies were required to make a publicly accessible testing site, in order to qualify for benefits from government, like insurance. The testing site would be a mock-up of the current system. Just copy the code over keep a separate database, it wouldn't have to be large because it won't do the same volume and we don't all need unique accounts. I mean, there is testing and production systems already, right? So, after pushing to production you also push to public testing.

  • few people commenting saying that it's no danger since all Aussie banks use 2-factor SMS etc. They seem to think the password is worth nothing, That's fine however i doubt these people actually know how transfer fraud works. Meaning you need the password just as much as you need the SMS-code, And if you have access to the machine or at least password, It increases your chances to be able to port the SIM-CARD. It usually works like this FYI - 1. Got login pass for Bank, even better if they use same for e-
  • ... I'm with a credit union? :p

You know you've landed gear-up when it takes full power to taxi.

Working...