Security in the banking world – still full of (unpleasant) surprises

22.10.2012 by Martin Kuppinger

I remember a conversation I had years back with the person responsible for online banking security at one of the larger banks. The conversation was about secure online banking. I learned that banks are not necessarily willing to go the maximum for security. They simply look at the risk and then decide about what they are willing to invest in online banking security. Given that I’m an advocate for using risk-based approaches in IT security I understand this position.

However, I’m still, after all these years, not fully convinced that some of the banks are doing this approach right. The point is that it appears to me that they are too reactive on these things. They calculate the current costs and compare them with the current loss and damage. However, given that the number of attacks is increasing and that it takes quite a while to roll out new security technologies in online banking, it should be about comparing the current costs with the expected (potentially considerably higher) loss and damage. That would change the equation. Good risk management is always proactive.

Why am I writing about this? Just recently I stumbled upon two online articles about financial institutions with weaknesses in their security approaches for online banking and online trading.

One post was written by Dale Olds, now at VMware and before that a Novell veteran. He wrote about an online trading service which – in earnest, not kidding! – asked for his bank account credentials to act on his behalf.

The other article was published yesterday on The H, a security website. It talks about what Santander bank stores in cookies and claims that they even sometimes store passwords in plain text in session cookies, in memory at runtime but not on disk. However, a well-constructed bit of malware could access that information at runtime. The German portal heise.de, related to The H, found “only” information like name and customer number in the cookies of the German branch of that bank.

Regardless of what is stored when, what struck me most was the reaction of Santander bank cited in the article of The H:

A Santander spokesperson told The H: “The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data. We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks. We take the security of our customer data very seriously. Customers can change their IDs at any time themselves and are reminded not to use the ‘remember me’ function on public or shared computers.”

There are two points in that statement which really struck me: If there is sensitive information held in cookies, that is at least part of what attackers need to log in. Sensitive plain text data always increases the attack surface. A bank shouldn’t downplay that.
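The kind of review a bank should be doing on its own cookies, as an added example (not code from the original post or from any of the banks mentioned): it walks Set-Cookie headers, flags values that carry credentials or customer identifiers in plain text, and flags cookies missing the Secure and HttpOnly attributes. The cookie names in SENSITIVE_NAMES and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for plain-text sensitive data and weak attributes.

Added example, not part of the original post. Header values below are
constructed; the SENSITIVE_NAMES list is an assumption a review team would
maintain for its own application.
"""
import re
from http.cookies import SimpleCookie

# Cookie names that should never hold sensitive data in plain text.
SENSITIVE_NAMES = re.compile(
    r"(pass(word|wd)?|pwd|pin|customer[_-]?(id|number)|account)", re.I)
# Composite values such as "user=bob&pwd=secret" hide credentials inside one cookie.
CREDENTIAL_IN_VALUE = re.compile(r"(pass(word|wd)?|pwd|pin)=", re.I)


def audit_set_cookie(header: str) -> list:
    """Return a list of findings (empty if the header raises no concern)."""
    findings = []
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        if SENSITIVE_NAMES.search(name) or CREDENTIAL_IN_VALUE.search(morsel.value):
            findings.append(f"{name}: sensitive data stored in plain text")
        # Flags are True when present in the header, '' otherwise.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure attribute (sent over HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly attribute (readable by script)")
    return findings


if __name__ == "__main__":
    # Constructed samples: a weak "remember me" cookie and a sound session cookie.
    samples = [
        "creds=user=bob&pwd=hunter2; Path=/",
        "customer_number=12345678; Secure; Path=/",
        "sessionid=9f3a7c1e; Secure; HttpOnly; Path=/",
    ]
    for header in samples:
        print(header)
        for finding in audit_set_cookie(header) or ["  no findings"]:
            print("  " + finding)
```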

The second point is about the last sentence. This is sort of the poor attempt to abdicate from the bank’s responsibility. “Why didn’t the customer change his IDs regularly? Why did he make other mistakes? We are not guilty…”

I’m fully aware that it isn’t that easy to find the balance between cost, security, and usability in online banking and online trading. But it is feasible. And blaming the customer definitely is the wrong approach. Not as wrong as asking for online banking credentials in a trading application, but wrong anyway.


  • Jonathan Sander

    Martin, I agree wholeheartedly. It's an odd dissonance that the same organizations will spend lots of money and time on simplifying and automating the identity and access of their employees and contractors, but then turn around and play a blame the user game with their customers. There's no doubt that cost pressures are great. It will be a whole new game once people start seeing that security and privacy features could actually be used as competitive advantages. People are becoming more and more aware of online security and they will start gravitating to those that offer the more secure mousetrap.

    This is far from limited to banking, though – lest we seem to be flogging one more than others. This is also becoming a real problem in government sectors. As people do more and more online with their local, state, and federal government services, the attack surface grows and grows. And the attacks are getting very creative: http://www.scmagazine.com/redirect-flaw-on-gov-si

  • http://www.ipb.citibank.com.sg/ Randall Cooper

    Well, no security system is completely fool-proof, so nasty surprises will pop up every now and then. The only thing that can really be done is be as prepared as possible and have a contingency plan for when something does go wrong.

  • http://www.aafs.com.au/ Isaac Ferry

    Like Randall said, there is no such thing as a perfect security system. We should also take our own steps to ensure that we'll have access to our finances when we need the money.

© 2014 Martin Kuppinger, KuppingerCole