More information on the Goldleaf hacking incident, and the lack of information is astounding as I look at these three stories. Worse is the remedial action, which will result in many customers leaving for Bank of America or Wells Fargo, large banks that appear to customers to have better control, and therefore to deserve more trust.
Hackers gain access to server hosting bank Web sites
Customers who tried to gain access to the sites were redirected to a phony Web site that asked for a user name and password. If a customer entered them, the site then asked for credit card and ATM personal-identification numbers.
Goldleaf spokesman Scott Meyerhoff said the security breach affected about 150 to 175 bank Web sites for anywhere from a minute to an hour and a half. He said the breach was the first in the company’s history.
300+ Bank homepages hacked and redirected!
Goldleaf Technologies, a unit of Goldleaf Financial Solutions, Inc., which provides homepage services for financial institutions and banks, had one of its servers hacked last Thursday, May 25th.
The AP Wire was one of the few that characterized the incident as a security breach, and it quoted a Goldleaf spokesperson saying that 150 to 175 sites were affected. When I asked Goldleaf’s spokesperson, he characterized the AP information as wrong and told me that a little more than half of the 600 hosted bank sites were modified to redirect traffic, which puts the total number of banks affected at over 300. The homepages of those banks were modified so that they would direct all online banking traffic to a malicious site in Madrid, Spain, to collect login credentials from unsuspecting customers.
While this is technically similar to phishing, it isn’t the same thing, because phishing normally involves spoofed emails that purport to be from the bank when they’re really from criminals, with legitimate-looking URLs that instead send you to a malicious webpage. In this case, the actual bank homepage is what’s redirecting you to the malicious site, which could only happen if the bank’s homepage was compromised. This tends to be a bit more dangerous, since customers usually expect some safety when they’re surfing the real banking site.
Massive, under-reported online banking breach raises serious disclosure and remedy questions
What exactly was communicated isn’t known. What we do know is that most of the information that has so far been made public (outside of Ou’s post) is at best misleading and at worst reeks of spin control.
…
What 300 banks? We don’t know. Where are their press releases? No idea. Was it really a minute to an hour and a half? Or was it longer? We don’t know.
…
Some banks, the ones we know of, notified their customers by both regular mail and email. First State Bank, one of the affected banks, sent two separate notices. The first one, signed by First State E-Banking officer Christa Walton, has the audacity to include a link that points people to a remedy Web page that isn’t even within First State’s domain: an absolute no-no that is exactly the same trick used by phishers.
But it gets worse. Apparently the solution was to reset customers’ passwords back to their original password. Original password?? What is that, and which customer would remember it? This additional information and commentary comes from the ZDNet blog.
Extracted verbatim from the remedial email sent to customers by First State Bank:
……Your Online Banking password has been defaulted back to your original password; when you established your Online Banking service….you may not have access to your original login information, First State Bank has established a help center that you may contact at 1-800-527-6335 or by email at info@first-state.net…..A temporary Online Banking login website has been established at . This temporary site is safe……
Forget for a minute that most people don’t have a clue what their original password is (heck, I can’t even remember my current ones). When receiving an email like this from a financial institution, if you’re even half as sensitized to the phishing problem as I am, then you’d probably do what I do when I get an email like this one: delete it without even looking. In this case, the email goes beyond the faux pas of providing an off-domain site (that asks for user credentials); it provides an 800 number to call for more information or help. What are email recipients supposed to do with that? Call it? Over their dead bodies (hopefully). I can see it now….hundreds of people calling an 800 number that they got from an email whose source can’t be authenticated and then calling that number, divulging all sorts of other compromising data to some unauthenticated source.
Relevance to Bankwatch:
Banks must have a clear contingency plan for dealing with extreme emergencies, and that plan should specifically rule out the things outlined here that First State did. A hacking incident is a critical emergency, and providing customers with a new URL, and linking to it, is absolutely the worst way to deal with it. The email quoted verbatim above reads like a phishing email.
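As an added example (not from this post, Goldleaf, First State, or the quoted articles), here is a defender-side check that catches both problems the stories describe: a hosted bank homepage whose HTML has been altered to send visitors off-domain, and a customer notice whose "remedy" link leaves the bank's own domain. The domain names and page contents are constructed samples; a hosting vendor could run the same check on every page before it is served, and a bank on every notification before it is sent.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class OffDomainFinder(HTMLParser):
    """Collects links, form actions, meta refreshes and script redirects that leave the bank's domain."""
    def __init__(self, home_domain):
        super().__init__()
        self.home = home_domain.lower()
        self.findings = []
        self._in_script = False
    def _check(self, kind, url):
        host = urlparse(url.strip()).hostname  # relative URL -> no host -> same-origin
        if host and host != self.home and not host.endswith("." + self.home):
            self.findings.append((kind, url.strip()))
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._check("link", a["href"])
        elif tag == "form" and a.get("action"):
            self._check("form-action", a["action"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self._check("meta-refresh", m.group(1))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):  # `location = "..."` or `location.href = "..."` inside <script>
        if self._in_script:
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self._check("script-redirect", m.group(1))

def off_domain_targets(html, home_domain):
    p = OffDomainFinder(home_domain)
    p.feed(html)
    return p.findings  # [(kind, url), ...]

# Constructed samples (hypothetical domains): a hosted homepage altered to push
# visitors to a credential-collecting site, and a notice whose link leaves the bank.
HOMEPAGE = """<html><head><meta http-equiv="refresh" content="0; url=http://login.example-bad.test/ob">
<script>window.location = "http://login.example-bad.test/ob";</script></head>
<body><a href="https://www.example-bank.test/about">About</a>
<form action="http://login.example-bad.test/ob"><input name="user"></form></body></html>"""
NOTICE = """<p>A temporary Online Banking login website has been established at
<a href="http://help.example-vendor.test/reset">this page</a>.
See <a href="https://online.example-bank.test/faq">our FAQ</a>.</p>"""
```

Any non-empty result is a reason to hold the page or the email until someone explains why a login path leaves the bank's domain.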
