Friday, December 12, 2008

UTFCU Sucks

Today, my credit union started a mobile site for the wonderful convenience of mobile banking. This, on its own, isn't a huge deal... except that it's horribly flawed in terms of security. For those of you without a copy of the latest FFIEC best practices document (the FFIEC is a government body that sets standards for the banking industry, including internet banking security), let me walk you through the normal UTFCU site, and then we'll look at the mobile site.

On the normal site (http://www.utfcu.org), users are asked to provide their username and enter a CAPTCHA. This is a good start. The site redirects you to the secure address (https://...), it knows who you are (the account number), and by using the CAPTCHA it keeps out the majority of would-be automated attacks.

On the next screen, if your computer does not have a file (cookie) on it telling the website that you've been here before, the site prompts you with a security question. Another reasonable measure. Shared secrets (if they're actually secret) are a reasonable counter-measure against identity theft.

Finally, before you are allowed to access your account, you must provide your password, and the site shows you your user phrase. This is a graphic of a phrase that the user previously selected. The idea behind this is that the site is proving to the user that it is the real McCoy and not some phishing site. Once you enter the valid password, you're in.

Now, let's compare this to the mobile site at http://mobile.utfcu.org.

First, it's important that you go to https://mobile.utfcu.org. Otherwise the site will give you a nasty-gram. This isn't a flaw, but it's certainly not user friendly.

Once you are there, the site is simple and straightforward for use in mobile browsers. It immediately asks for account # and password, and upon providing this, it lets you in.

WHAT??!!??

Let's review:
  • No CAPTCHA
  • No Security Question
  • No Site authenticity image
This utter lack of security is practically criminal, and if the NCUA and FFIEC have anything to say about it, it's probably a violation of some sort. Internet banking standards demand two-factor authentication, even if it's a weak two-factor authentication.

So, me, being a concerned member, replied back to the UTFCU twitter account that they used to announce the feature ('cause UTFCU's trying to get wit' the kidz on the new hotness...which they think is Twitter)....

I shouldn't have wasted my time. Here's the conversation:


UTFCU UTFCU now offers mobile banking. Visit our website for details and login instructions!

dfcoates @UTFCU Why is the mobile site lacking in 2 factor authentication and user watermarks, isn't 2 factor mandatory under PCI-DSS / other stds?
UTFCU @dfcoates Good question! Actually, it is multi-factor. It uses the device number from your mobile telephone.

dfcoates @UTFCU not from what I'm seeing...I can use my own PC to hit https://mobile...and it works...how is this not a major security lapse?

[Direct Message] UTFCU are you able to login to your account using that method?

[Direct Message] dfcoates yes...And I can use my ipod touch which also has no esn or phone number

[Direct Message] UTFCU just to verify - you're going to .org, right? Can u send a screenshot from desktop browser window for me to frwd to developer?

[Direct Message] dfcoates No problem, I can send a screen shot, but I'll need a real e-mail address from you (as opposed to twitter).

UTFCU @dfcoates we allow 3 devices to auto-enroll but I will be happy to lower the number of devices on your acct. if you want.

[Direct Message] UTFCU the device number is created by the system and stored in a cookie. We allow 3 auto-enrolls and a maximum of 5 total clients.

UTFCU I can disable mobile banking for your account if you want or send you the number for our VP of IT.

There are a multitude of things wrong here and if you, the reader, would like to opt out here, I don't blame you. I'll let the above facts speak for themselves. If, however, you would like to hear what I think is wrong, follow me!

  1. It uses the device number from your mobile telephone? Yeah, and it uses this amazing facial recognition software using the pixels in your screen, sure, whatever. Just in case you're wondering, there is no such thing. Your phone doesn't send its phone number or its ESN when it connects to a website. The closest you can get to a device number is looking at the IP address and/or hostname where the request is coming from. This is very flawed because users on different networks get new IP addresses weekly, daily, even hourly. Multiple computers can show the same IP address, and finally, IP addresses can be "spoofed" (hacked). In fact, the website gets very little information about who you are. If you'd like to see what a website receives when you visit, try this page.

    Secondly, the site doesn't have to be accessed via a cell-phone-like device. Feel free to go to https://mobile.utfcu.org right now using your regular browser. Now, it's true that the site could programmatically block users of non-mobile web browsers, but this is flawed for two reasons: 1) browser identification strings can be faked very easily; 2) not all mobile browsers run on phones. Take my iPod Touch, for example. It runs the same Safari web browser that is used on the iPhone. Therefore, there is no way to tell the difference between an iPhone and an iPod Touch.

  2. The device number is created by the system and stored in a cookie. We allow 3 auto-enrolls and a maximum of 5 total clients. This might actually work if it weren't for the fact that they have no idea which devices are mine and which are not. Unfortunately, they don't. The enrollment process on the site is simply to log into the mobile site. There is no process to validate the account or accountholder over the phone or over the existing fully featured site. Instead, the site checks whether you have a cookie from a previous visit. If not, it checks whether it has issued cookies to you at this IP address before. If it has, and you're below the limit of 3, you can log in. If it hasn't, and you haven't logged in from 5 other locations previously, you also get in.

    If this doesn't sound secure, you're right. The site isn't preventing malicious users from hacking your account; it's only preventing users coming from more than 5 locations from hacking your account. This also means that if you wipe private data from your web browser on a regular basis, you're up a creek after the 3rd iteration. So much for keeping your own browser secure...

    There's another fundamental flaw here... simply put, cookies are very insecure, and if you have the right tool, like the free Add N Edit Cookies add-on for Firefox, you can copy the cookies they give you to as many machines as you want... so much for the 5 location limit.

  3. I can disable mobile banking for your account if you want or send you the number for our VP of IT. This is classic. This is the old "well, if you don't like it, you can shove off" trick. The thing is, I actually do want mobile banking, and I think a lot of people do. This, for me, was the tipping point and the reason I've been typing for over an hour. It says to me, "we're not going to fix it, so run along home." Unfortunately for them, they've upset an IT professional who has worked intimately with electronic payment processing and PCI secure systems for over 3 years and while banking is slightly different from payment processing, I know a major security flaw when I see one.
  4. No CAPTCHA = lots of attacks - Now that I've demonstrated that the 3 and 5 limits do nothing, there's nothing except velocity limits to stop an enterprising would-be criminal... great.
  5. No security question and no site authenticity = phishing phishing phishing.... Just for fun, I looked up domains and found out that utfuc.org and uftcu.org (typo spellings) are completely open to purchase. An enterprising soul could simply copy the HTML on the current mobile site and just let the account numbers and passwords come in.... not so good... and my apologies to UTFCU for probably forcing their hand to buy up those domains to protect their accounts....
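To make points 2 and 4 concrete, here is a small model of the enrollment policy exactly as the credit union described it on Twitter (3 auto-enrolls, 5 clients maximum, device number minted by the server and stored in a cookie). This is added example code written for this post, not UTFCU's implementation; the account number and password are constructed sample values. It shows that any cookie-less client holding only the password is admitted until the cap is reached, and that the real owner who clears cookies is the one who gets locked out.

```python
import secrets
from dataclasses import dataclass, field

MAX_AUTO_ENROLL = 3   # "we allow 3 devices to auto-enroll"
MAX_CLIENTS = 5       # "a maximum of 5 total clients"


@dataclass
class Account:
    password: str
    devices: set = field(default_factory=set)  # server-issued device numbers
    auto_enrolls: int = 0


class MobileSite:
    """Model of the mobile login flow as described in the tweets (assumption)."""

    def __init__(self):
        self.accounts = {}

    def login(self, acct_no, password, cookie=None):
        """Return (admitted, cookie_to_store). The only secret checked is the password."""
        acct = self.accounts.get(acct_no)
        if acct is None or password != acct.password:
            return False, None
        if cookie in acct.devices:            # returning client: cookie recognised
            return True, cookie
        # No cookie: auto-enroll this client unless a cap is hit. Nothing here
        # distinguishes the account holder from anyone else who knows the password.
        # The 5-client cap also counts devices added by other routes (not modelled).
        if acct.auto_enrolls >= MAX_AUTO_ENROLL or len(acct.devices) >= MAX_CLIENTS:
            return False, None                # cap hit: even the real owner is refused
        device_number = secrets.token_hex(8)  # "created by the system and stored in a cookie"
        acct.devices.add(device_number)
        acct.auto_enrolls += 1
        return True, device_number


def fresh_clients_admitted(attempts):
    """Count how many distinct cookie-less clients with the password get in."""
    site = MobileSite()
    site.accounts["1234"] = Account(password="hunter2")  # constructed sample account
    return sum(site.login("1234", "hunter2")[0] for _ in range(attempts))


def owner_clearing_cookies(logins):
    """Outcome of each login for an owner who wipes browser data before every visit."""
    site = MobileSite()
    site.accounts["1234"] = Account(password="hunter2")  # constructed sample account
    return [site.login("1234", "hunter2")[0] for _ in range(logins)]
```

The cap limits how many strangers get in, not whether they do; a true second factor would have to check something the cookie-less client cannot supply.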
IN SUMMARY

To put this in context, if my workplace did this same stunt, we'd be looking at six figure fines from Visa. I suspect the same may be true for credit unions. However, I'd rather they fix it than get fined... remember that credit unions are member owned, and inevitably, a negative event for them is really a negative event for me as a member. I guess my only true recourse is publishing what I know, which is what you see here, and finding a new credit union, because, at least today, UTFCU ROCKS SUCKS.

1 comment:

Mike Templeton said...

Based on your experience in the industry, I'd suggest you get the number from the VP of IT and voice your concerns. From the looks of the Twitter transcripts, it looks like UTFCU was authentically trying to work with you to resolve the problem.

And, if there really is something wrong, I'm sure they would appreciate you bringing it to their attention so that they could get it fixed (just as you mentioned you would like to see happen). Remember, you are working with a credit union that is partially owned by yourself and has respect for its members.

I don't think it would be out of line for you to contact the VP, but I also think you ought to give UTFCU a bit more credit than you did. It seems they really are concerned with making things right, but that Twitter might not be the best channel for this discussion to continue. There is only so much that can be said in 140 characters.