October 06, 2015

Researcher warns about Security Loopholes in Denmark's Largest Bank



Monday, October 05, 2015 Khyati Jain 

While accessing your Bank account online, Have you ever thought…

...there could be a Hacker, somewhere in the World, who is after your Money?

Maybe NO. Because, you believe that your bank offers Secure banking solution, Right?

At The Hacker News, we have reported many incidents of cyber attacks, which proves that Banks are more often being targeted by Hackers, despite robust Banking Security mechanisms.

Today we are going to talk about security of one of the Denmark's Largest Bank, reviewed by Sijmen Ruwhof, an Ethical Hacker, and IT Security Consultant.

Ruwhof recently published a blog post, “How I could Hack Internet Bank accounts of Danish Largest Bank in a few minutes”.

His In-depth technical post explains the extent to which Danske Bank, one of the largest Danish Bank, is vulnerable to hacking.

In August, Ruwhof got intrigued with the idea of testing Bank’s security while interacting with a group of Danish hackers at the Chaos Communication Camp (CCC), near Berlin.

According to Ruwhof, Security experts and Whitehat hackers were disappointed with the terrible security implementations adopted by many Danish Banks.

Ruwhof decided to see more of it… and Danske Bank did not disappoint him.

Summary: Danske Bank Security Loopholes


He visited the website and viewed the HTML code of the customer login screen, and while browsing through the code, he had not imagined the kind of shock he got.

A summary of what Ruwhof encountered, goes like this (Its a tale and not a LIST):
  1. JavaScript comments contained internal server information (in a URL encoded format); Confidential Data to be precise.
  2. On decoding, keywords like: HTTP_CONNECTION and HTTP_ACCEPT were mentioned; Not meant for the guests, these keywords are supposed to be present at the server end.
  3. Ruwhof could see IP address of a probable customer (through variable HTTP_CLIENTIP) visiting Danske Bank’s website.
  4. Variable HTTP_USER_AGENT contains an operating system and web browser details; not used by Ruwhof.
  5. Variable HTTP_COOKIE was visible and full of information; credentials of a customer could be hijacked in real time (Ruwhof resisted on breaking the law).
  6. HTTP Basic authentication was not present as variables AUTH_USER and AUTH_PASSWORD were not carrying any data.
  7. Danske Bank doesn’t use a secure HTTPS connection to transport customer banking traffic; as variable HTTPS was OFF and SERVER_PORT carried value 80.
  8. They’re still using COBOL code on their backend; for (Customer Information Control System) CICS and Database handling.

After exploring all this loopholes and being in a state of shock…

....Ruwhof wanted to report about the security vulnerabilities to Danske Bank, in an effort to aware them about the risks associated with their Online Banking service.

What He got in return was Nothing!


Firstly, the Bank didn’t has any contact that supports and responds to such disclosures.

Secondly, after managing to get a customer care number, the executive at the other end said: “Our technical guy will look at your finding.

Then finally, Ruwhof took the Social Network’s route to reach an employee of Danske Bank, where he got success, and reportedly the vulnerabilities were got patched within 24 hours.

Wait, the Story doesn't Ends Here:


After 12 days Danske Bank acknowledged Rowhof and reading that he almost went into the coma, as the Bank thanked him for reporting about a potential vulnerability!
bank-security
On a serious note, Ruwhof said that with his 17 years of experience, he can differentiate between the good and the bad.
Someone at Danske Bank has messed up pretty hard, and they’re now covering the situation. That’s not honest and certainly not transparent.
For at least two weeks, but probably a lot longer, very confidential customer data in the form of session cookies were leaking on Danske Bank’s web site. With these cookies, it should have been possible to hijack internet banking accounts of their customers. They closed the security hole quickly but are now in denial of it.

 

Hacker Attack! Could they Steal from you?


We would suggest the Danske Bank and our readers to have a Good Read of the following links to know the extremities at both the ends.

Therefore, you CAN be the victim bank of cyber attack too!

About the author

 
Researcher and Technical Writer at The Hacker News. An Information Security Consultant and System Auditor, a keen Security Evangelist for all forms of Cyber Security and Denotational Counter Hack Requirements of the Industry, Academia and Society.