My post from a week ago, about the major flaws in the new online banking security systems that banks around the country deployed recently, did not get any attention. The flaw was explained in detail and demonstrated (by actually hacking a bank account) at the Defcon 15 hacker conference in Las Vegas. One person dugg it at Digg.com and that was it. End of story, nobody seems to be interested. Well, it only affects pretty much everybody, at least everybody who uses online banking.
Meanwhile, other blogs specializing in application and system security also wrote about the story. DarkReading.com was one of the best-known publications to cover it, running the story “New Bank Practices Make Hacking Easier” a couple of days after I published mine.
Their story died at Digg.com just as mine did, but at least a few more bloggers picked theirs up. Here are some of them:
- M. M. Madan: Bank’s “Two Factor” Schemes Are Fundamentally Flawed
- AuthenticationWorld.Com: Why more authentication may be harmful to banks
- FIRST.org: New Bank Practices Make Hacking Easier
- Dr. Neal Krawetz/Hackerfactor.com: Black Hat and Defcon Post-Conference (as part of a general DefCon 15 summary)
Here is a picture of Brendan O’Connor, who presented the issue at the conference, which makes it easy to understand why some people might not give him the attention he deserves.
It is funny how things work sometimes. On the one hand, people go berserk over some “big privacy issues” that are bullshit; I’ll just mention Google and the other search engines and the updates to their privacy policies.
I guess it has to hurt a bunch of people first, some accounts hacked and lives and businesses ruined, before people wake up and ask “WTF is going on here?”. The cries will be loud and painful to listen to. People will ask “Did nobody know about this?” Of course somebody knew about this, but you were not listening, you dumba…!
“Schadenfreude” is not a good thing in this matter, but a bit of cynicism does not hurt either.
Quick Update: Here is the 47-page presentation by Brendan O’Connor from DefCon 15 in PDF format (only 230KB), titled “Greater Than One – Defeating ‘strong’ authentication in web applications”: dc-15-oconnor.pdf
The presentation goes into much more detail than I did in my previous blog post. It also illustrates the issues nicely. Check it out.
Carsten aka Roy/SAC
Digg can put your info forward, but you’ve got to make it known elsewhere. I read at Symantec that bank accounts are traded at about $100 each… impressive.