Monday, March 26, 2007

Security. Yeah right.

From time to time, I'm forced by the cruel Fates to do Internet banking with the NAB (formerly National Australia Bank). When I log in, their website pops up a window complaining that the browser I'm using (Firefox) isn't supported, and I should use one of their supported browsers, Internet Explorer, Firefox(!) or Netscape Navigator.

(Who still uses Netscape Navigator???)

Mac users will be rightfully annoyed that Safari doesn't get a look-in, and Opera users will likewise be feeling left out in the cold.

Unlike some banks which will remain nameless (you know who you are!), at least the NAB gives you the option to ignore their oh-so-helpful suggestion to use IE or the browser you're already using, and their Internet banking works quite well under Firefox on Linux.

If I tick the "Don't bother me with this again" checkbox, I get a day or three of peace until the next minor update to their website, then I start getting those spurious unsupported browser warnings again.

The NAB has recently gone on a security splurge, telling all and sundry how concerned they are with computer security. Then why are they still supporting Internet Explorer, the number one security hole on the Internet bar none? For a couple of dollars a customer, they could send everyone a CD with Firefox on it. Instead, they muck about with half-hearted security fixes like SMS codes, which will work really well until some phisher simply sits between you and the bank as a man-in-the-middle and relays the code along with everything else. It's a band-aid, not a fix.

Here's a simplified way it might work: you start up your security hole browser and go to the NAB website. Unknown to you, your machine's DNS lookup has been compromised (malware rewriting the hosts file or pointing the machine at a rogue resolver will do it), so when you go to www.nab.com.au, you're actually going to a look-alike site in Bulgaria or North Korea. Everything you type into the phishers' site gets passed on to the real NAB site, except that when you transfer $50 to your Aunt Tilly's bank account for looking after your kitten for the week, the phishing site modifies the data to transfer $5000 into their account, then passes it on to the NAB. The NAB sends you an SMS code, and you dutifully enter it into the phishing site, which sends it on, all nice and clean. The code is just a number: nothing in it, or in the message it arrived in, ties it to the $50 you meant to send rather than the $5000 the bank was actually asked for.

Apart from a small delay, well within the expected variation of Internet speed, you won't notice a thing until you go to transfer some more money tomorrow and discover you're $5000 short. An SMS that spelled out the payee and the amount would at least give you a chance to catch the switch before typing the code in; a bare code gives you none.

(This man-in-the-middle attack isn't unique to Windows. It could happen with any operating system that is compromised. But Windows and IE leave so many more opportunities for compromise.)
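The relay attack described above, as an added simulation that is not part of the original post and is not any bank's real system: a toy bank that issues a six-digit SMS code per transfer, a phishing proxy that relays every request but rewrites the payee and amount, and a customer who types in whatever code the phone shows. The account names, amounts and the `details_in_sms` switch are assumptions; the switch exists to show the one defence the post's scenario leaves open, an SMS that names the payee and amount so the customer can refuse a code for a payment they never asked for.

```python
import re
import secrets


class Phone:
    """The customer's handset: the out-of-band channel the bank's SMS arrives on."""

    def __init__(self):
        self.inbox = []


class Bank:
    """Toy bank with a per-transaction SMS code (hypothetical, not the NAB's system).

    If details_in_sms is True the SMS names the payee and amount the bank is about
    to act on; otherwise it carries a bare code, as in the post's scenario.
    """

    def __init__(self, phone, details_in_sms):
        self.phone = phone
        self.details_in_sms = details_in_sms
        self.pending = {}   # txn id -> (payee, amount, code)
        self.ledger = []    # transfers actually executed

    def request_transfer(self, payee, amount):
        txn = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn] = (payee, amount, code)
        if self.details_in_sms:
            self.phone.inbox.append(f"Code {code} to pay ${amount} to {payee}")
        else:
            self.phone.inbox.append(f"Your code is {code}")
        return txn

    def confirm(self, txn, code):
        payee, amount, expected = self.pending.pop(txn)
        if not secrets.compare_digest(code, expected):
            return False
        self.ledger.append((payee, amount))
        return True


class PhishingProxy:
    """The look-alike site: relays every call to the real bank, but rewrites the
    payee and amount in the transfer request. The SMS code passes through untouched."""

    def __init__(self, bank, mule, take):
        self.bank, self.mule, self.take = bank, mule, take

    def request_transfer(self, payee, amount):
        return self.bank.request_transfer(self.mule, self.take)  # tampered

    def confirm(self, txn, code):
        return self.bank.confirm(txn, code)  # relayed as-is


def customer_pays(site, phone, payee, amount):
    """The customer talks to whatever site DNS sent them to, reads the SMS and,
    if it names a payee or amount, checks that against what they meant to pay."""
    txn = site.request_transfer(payee, amount)
    sms = phone.inbox.pop()
    if "to pay" in sms and f"${amount} to {payee}" not in sms:
        return "refused"  # the phone shows a payment the customer never asked for
    code = re.search(r"\b\d{6}\b", sms).group()
    return "sent" if site.confirm(txn, code) else "rejected"


def run(tampered, details_in_sms):
    """Return (what the customer saw, what the bank's ledger records)."""
    phone = Phone()
    bank = Bank(phone, details_in_sms)
    site = PhishingProxy(bank, mule="phisher's account", take=5000) if tampered else bank
    outcome = customer_pays(site, phone, payee="Aunt Tilly", amount=50)
    return outcome, bank.ledger


if __name__ == "__main__":
    print(run(tampered=False, details_in_sms=False))  # ('sent', [('Aunt Tilly', 50)])
    print(run(tampered=True, details_in_sms=False))   # ('sent', [("phisher's account", 5000)])
    print(run(tampered=True, details_in_sms=True))    # ('refused', [])
```

The bare-code run goes through exactly as the post describes: the bank's check passes because the code it issued is the code it got back, and only the ledger shows the $5000 to the mule. The proxy never sees the phone; it doesn't need to, because the customer carries the code across for it. Binding the code to the transaction in the customer's view is what changes the outcome, not anything the browser or the proxy does.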

It's easy for a bank to say it takes security seriously. That doesn't mean it's prepared to take the steps that would actually make on-line banking secure. So long as the browser and operating system are so easy to compromise, phishers will always be ahead of the game.
