OT-online banking securitygreenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread
Without knowing why the system tested "normal", I have to say OT-but I haven't seen it Online Banking Breach Sparks Strong Concerns By Kevin Featherly, Newsbytes SAN FRANCISCO, CALIFORNIA, U.S.A., 28 Jan 2000, 9:37 PM CST A security flaw at an online bank conceivably could have affected anyone with a U.S. bank account, even if they did not do their banking online. And the breach was apparently exploited by at least one thief.
The Palo Alto, Calif.,-based online bank X.com (http://www.x.com ), has acknowledged the security breach, according to a report published Friday in the New York Times. The company is a division of La Jara, Colo.,-based First Western National Bank,
An official with X.com could not be reached by Newsbytes for comment. However, the company acknowledged to the New York Times that someone armed with another person's account had diverted money from that other person's bank account into the thief's online bank account.
The problem involved a loophole in the bank's online account set-up system that could have allowed anyone to open an account on X.com, and use it to transfer money from other accounts, without the legitimate account holder's written authorization. All a thief would need to exploit the loophole was the routing number and account number of the raided bank account, a security expert said.
Both those pieces of information can be obtained off any discarded check.
Elias Levy, chief technology officer at SecurityFocus.com, a San Francisco computer-systems security company, is one of the people who discovered and notified X.com of the breach. He said that unauthorized transfers of up to $15,000 were possible, and that the bank told him at least one attempt by a thief was made to move $10,000 into an X.com account. The bank did not say if the attempt was successful, Levy said.
Levy said SecurityFocus.com was alerted to the problem by an X.com customer's e-mail. "We decided to verify it," he said, "because we felt that if it was true, it was a fairly high level security breach."
The company did confirm the problem by setting up an account with X.com, and attempting to perform a transfer from one staff member's bank account into an X.com account created in another SecurityForce employee's name, Levy said. The operation was done with the employees' permission, he said.
Within a couple of days, the money transfer went through, Levy said. SecurityFocus.com then alerted X.com to the problem. But they had already changed their system.
"At that time, we became aware that X.com had changed procedures so that now before you're allowed to perform a transfer, you have to fax them copies of a voided check and a drivers license," Levy said. "And you can only transfer money out of an account that shares the same name as the account that you create with X.com, so this basically acts as an authorization procedure."
But Levy said he was appalled to learn that the reason for the change in procedure was not prompted by an alert by the concerned customer, who had also contact X.com. "The reason they had fixed it was because they had been getting too many complaints from the fraud departments from other banks," Levy said.
The problem is an egregious lapse, said David Kennedy, a computer security expert at ICSA.net, a Carlisle, Penn., firm that provides security for Internet-connected companies. It's so egregious, he suggested, that X.com ought to take Draconian steps to make sure it never happens again.
"They ought to go out of business," Kennedy said. "Frankly, I don't know how long they'll be able to survive as a business anyway."
Levy said that X.com opened for business sometime around December, so the window at the site was open to bandits for about a month.
If bank customers notice that unauthorized fund transfers were made, they can report it to their bank and get most of their money back. "Thankfully," Levy said, "it's kind of like credit card transfers. As a consumer, you're only liable for $50 in unauthorized transfers. But still, if someone takes $15,000 out of your account, you're probably not going to find out until you get your checking account balance. And then, who knows how many checks were bounced?"
Levy doesn't go so far as Kennedy's call for the company to close down, but he does suggest that X.com should have known better.
"In this case, X.com did not do their job of making sure that the person making the (money transfer) request was authorized," he said. "You would think they would have known better."
Levy said that what he found most disturbing was what he was told by the banking firm's staff that there was no breach in the system, that it was functioning as intended. He said X.com officials indicated they thought requiring faxed authorization would turn off potential customers.
"They wanted everything to be done online, over the Web," he said. "They didn't want you to bother to have to write in or fax or anything. And that's where things started to break down. They decided it was a convenience feature."
Levy said that similar problems with some online bankers could be more widespread, and that similar scenarios are likely to repeat.
"I think we're going to see more and more of this as people rush to the Internet and try to hitch the e-commerce bandwagon," he said. "A lot of people are trying to reach their goals as fast as they can and I think security is being left behind."
However, he stopped short of cautioning people away from online banking completely. "I would tell consumer to be cautious, by all means," Levy said.
The bank is online at http://www.x.com .
SecurityFocus.com can be found at http://www.securityfocus.com/ .
ISCA.net is on the Web at http://www.icsa.net/ .
Reported by Newsbytes.com, http://www.newsbytes.com .
21:37 CST Reposted 21:37 CST
(20000128/Press Contact, Elias Levy, SecurityFocus.com, 650 655-2000/WIRES TOP, ONLINE, LEGAL, BUSINESS/) posted yet.
-- mike in houston (firstname.lastname@example.org), January 29, 2000
-- Hokie (Hokie_@hotmail.com), January 29, 2000.