
Security in the banking world – still full of (unpleasant) surprises

Oct 22, 2012 by Martin Kuppinger

I remember a conversation I had years back with the person responsible for online banking security at one of the larger banks. The conversation was about secure online banking. I learned that banks are not necessarily willing to go to the maximum for security. They simply look at the risk and then decide what they are willing to invest in online banking security. Given that I’m an advocate of risk-based approaches in IT security, I understand this position.

However, I’m still, after all these years, not fully convinced that some of the banks are applying this approach correctly. It appears to me that they are too reactive. They calculate the current costs and compare them with the current loss and damage. However, given that the number of attacks is increasing and that it takes quite a while to roll out new security technologies in online banking, the comparison should be between the current costs and the expected (potentially considerably higher) future loss and damage. That would change the equation. Good risk management is always proactive.

Why am I writing about this? Just recently I stumbled upon two online articles about financial institutions with weaknesses in their security approaches for online banking and online trading.

One post was written by Dale Olds, now at VMware and before that a Novell veteran. He wrote about an online trading service which – in earnest, not kidding! – asked for his bank account credentials in order to act on his behalf.

The other article was published yesterday on The H, a security website. It talks about what Santander bank stores in cookies and claims that the bank even sometimes stores passwords in plain text in session cookies, held in memory at runtime but not written to disk. However, a well-constructed piece of malware could access that information at runtime. The German portal heise.de, related to The H, found “only” information like name and customer number in the cookies of the German branch of that bank.

Regardless of what is stored when, what struck me most was the reaction of Santander bank as cited in The H’s article:

A Santander spokesperson told The H: “The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data. We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks. We take the security of our customer data very seriously. Customers can change their IDs at any time themselves and are reminded not to use the ‘remember me’ function on public or shared computers.”

There are two points in that statement which really struck me. The first: if sensitive information is held in cookies, that is at least part of what an attacker needs to log in. Sensitive plain text data always increases the attack surface. A bank shouldn’t downplay that.

The second point is about the last sentence. It is a rather poor attempt to abdicate the bank’s responsibility: “Why didn’t the customer change his IDs regularly? Why did he make other mistakes? We are not guilty…”

I’m fully aware that it isn’t easy to find the balance between cost, security, and usability in online banking and online trading. But it is feasible. And blaming the customer is definitely the wrong approach. Not as wrong as asking for online banking credentials in a trading application, but wrong anyway.

Author: Martin Kuppinger, Founder and Principal Analyst, KuppingerCole
© 2003-2015 KuppingerCole