September 26, 2000 InternetNews - International News Archives SA's Internet Banking "Full of Holes" By Rob Rose

[Johannesburg, SOUTH AFRICA] At least three of South Africa's financial institutions have gaping holes in their "secure" Internet security systems, exposing valuable information to hackers who could infiltrate and corrupt these systems.

Reacting to a tip-off from an industry source, sa.internet.com researched the claim and found that the source codes from three apparently secure servers could be accessed and administrator ID's and passwords obtained.

According to an expert in Internet security, at least one of these source codes allows "significant" access to customer details. This expert informed sa.internet.com on Thursday that the code provides administrator access through to the customer database on the Web site of one of South Africa's financial institutions. This would potentially allow a hacker to change seemingly-secure customer details.

One of South Africa's four major banks also appears to be at risk, according to the source, although in this case, the expert was only able to verify that read-access to the database could be obtained. "Should the server be compromised," he commented, "this window will allow a hacker to view the customer database, obtaining PIN numbers and account details."

In the third instance, while the source code was obtained, a number of firewalls prevented access to the database of customer information but still provided insight into the site architecture. "In all three cases the extent of the information obtained varied," the security expert explained, "ranging from providing information on how the site works to exposing customer information that clients expect to be securely guarded on the server."

When sa.internet.com spoke to First National Bank, a spokesman suggested that this kind of security risk would not apply to their operation. According to this spokesman, customers who access the online banking option are immediately rerouted to a secure server on another site, the main FNB site being merely a brochure-type information resource. What the spokesman did confirm, however, is that should the FNB brochure Web site be susceptible to this intrusion, this opens the way for a hacker to change information and deface the site. While this is not crippling in itself, he commented, a bank will face adverse publicity and could incur significant downtime costs.

When sa.internet.com alerted NBS to the problem, NBS Internet and e-commerce Manager Lambert van Heerden consulted with the Internet services team before concluding that there is no risk to the bank's clients of their information being compromised. The UserID and password which can be obtained through the source code, he assured us, only allows general access to a table within the SQL database.

According to van Heerden, to obtain access to the SQL server itself and get further source codes or information would necessitate a hacker bypassing two additional firewalls and having the relevant passwords. NBS Media Liason Kim Baas did, however, confirm that the bank would be implementing the security patch that is available from Microsoft, but are currently testing the system to ensure that the patch is compatible.

The patch to which Baas refers aims to eliminate two security vulnerabilities on Microsoft's Internet Information Server, a technology employed by most South African financial institutions. Microsoft say that these vulnerabilities could allow a malicious user to stop the Web site from providing useful service and also allow access to certain types of apparently secure information.

At the very least, these security vulnerabilities are testament to the fact that affected institutions need to radically revise their stance on the importance of information security. This is especially so in light of the availability of this patch and the fact that a malicious user can obtain limited access to information that should be, and can be, secured.

South Africa's financial institutions have the most to gain from assuring customers of the sanctity of their security systems - access to any protected information should be a matter of utmost priority, no matter how seemingly trivial this information might appear. As e-commerce vendors look to financial institutions for guidance in implementing their own security measures, these security systems should present the image of unassailable fortress-like architecture. In South Africa this does not appear to be the case.

http://www.internetnews.com/intl-news/article/0,,6_469371,00.html

-- Martin Thompson (mthom1927@aol.com), September 26, 2000