
[RT] Weren't we all just talking about x.com?




Daily News
                      Serious Online Banking Breach
                      By Kevin Featherly, Newsbytes.
                      January 31, 2000

                      A security flaw at an online bank conceivably
                      could have affected anyone with a U.S. bank
                      account, even if they did not do their banking
                      online. And the breach was apparently exploited
                      by at least one thief.

                      The Palo Alto, Calif.-based online bank X.com
                      (http://www.x.com) has acknowledged the
                      security breach, according to a report published
                      Friday in the New York Times. The company is a
                      division of La Jara, Colo.-based First Western
                      National Bank.

                      An official with X.com could not be reached by
                      Newsbytes for comment. However, the company
                      acknowledged to the New York Times that
                      someone armed with another person's account
                      details had diverted money from that other
                      person's bank account into the thief's own
                      online bank account.

                      The problem involved a loophole in the bank's
                      online account set-up system that could have
                      allowed anyone to open an account on X.com,
                      and use it to transfer money from other accounts,
                      without the legitimate account holder's written
                      authorization. All a thief would need to exploit the
                      loophole was the routing number and account
                      number of the raided bank account, a security
                      expert said.

                      Both those pieces of information are printed on
                      every check, so they can be obtained from any
                      discarded one.

                      Elias Levy, chief technology officer at
                      SecurityFocus.com, a San Francisco
                      computer-systems security company, is one of
                      the people who discovered and notified X.com
                      of the breach. He said that unauthorized
                      transfers of up to $15,000 were possible, and
                      that the bank told him at least one attempt by a
                      thief was made to move $10,000 into an X.com
                      account. The bank did not say if the attempt was
                      successful, Levy said.

                      Levy said SecurityFocus.com was alerted to the
                      problem by an X.com customer's e-mail. "We
                      decided to verify it," he said, "because we felt
                      that if it was true, it was a fairly high level security
                      breach."

                      SecurityFocus.com confirmed the problem by setting
                      up an account with X.com and attempting to
                      perform a transfer from one staff member's bank
                      account into an X.com account created in
                      another SecurityFocus.com employee's name, Levy
                      said. The operation was done with both
                      employees' permission, he said.

                      Within a couple of days, the money transfer went
                      through, Levy said. SecurityFocus.com then
                      alerted X.com to the problem, but X.com had
                      already changed its system.

                      "At that time, we became aware that X.com had
                      changed procedures so that now, before you're
                      allowed to perform a transfer, you have to fax
                      them copies of a voided check and a driver's
                      license," Levy said. "And you can only transfer
                      money out of an account that shares the same
                      name as the account that you create with X.com,
                      so this basically acts as an authorization
                      procedure."

                      But Levy said he was appalled to learn that the
                      change in procedure was not prompted by the
                      alert from the concerned customer, who had also
                      contacted X.com. "The reason they had fixed it
                      was because they had been getting too many
                      complaints from the fraud departments of other
                      banks," Levy said.

                      The problem is an egregious lapse, said David
                      Kennedy, a computer security expert at
                      ICSA.net, a Carlisle, Pa., firm that provides
                      security for Internet-connected companies. It is
                      so egregious, he suggested, that X.com ought to
                      take draconian steps to make sure it never
                      happens again.

                      "They ought to go out of business," Kennedy
                      said. "Frankly, I don't know how long they'll be
                      able to survive as a business anyway."

                      Levy said that X.com opened for business
                      sometime around December, so the window at
                      the site was open to bandits for about a month.

                      If bank customers notice that unauthorized fund
                      transfers were made, they can report them to their
                      bank and get most of their money back.
                      "Thankfully," Levy said, "it's kind of like credit
                      card transfers. As a consumer, you're only liable
                      for $50 in unauthorized transfers. But still, if
                      someone takes $15,000 out of your account,
                      you're probably not going to find out until you get
                      your checking account balance. And then, who
                      knows how many checks were bounced?"

                      Levy doesn't go so far as Kennedy's call for the
                      company to close down, but he does suggest
                      that X.com should have known better.

                      "In this case, X.com did not do their job of
                      making sure that the person making the (money
                      transfer) request was authorized," he said. "You
                      would think they would have known better."

                      Levy said that what he found most disturbing
                      was being told by the bank's staff that there
                      was no breach in the system, and that it was
                      functioning as intended. He said X.com
                      officials indicated they thought requiring faxed
                      authorization would turn off potential customers.

                      "They wanted everything to be done online, over
                      the Web," he said. "They didn't want you to
                      bother to have to write in or fax or anything. And
                      that's where things started to break down. They
                      decided it was a convenience feature."

                      Levy said that similar problems at other online
                      banks could be more widespread, and that
                      similar scenarios are likely to repeat.

                      "I think we're going to see more and more of this
                      as people rush to the Internet and try to hitch the
                      e-commerce bandwagon," he said. "A lot of
                      people are trying to reach their goals as fast as
                      they can and I think security is being left behind."

                      However, he stopped short of cautioning people
                      away from online banking completely. "I would
                      tell consumers to be cautious, by all means,"
                      Levy said.

                      The bank is online at http://www.x.com .

                      SecurityFocus.com can be found at
                      http://www.securityfocus.com/ .

                      ICSA.net is on the Web at http://www.icsa.net/ .

                      Reported by Newsbytes.com
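The loophole and the fix described in the article above, modelled as an added example. This is not X.com's code and X.com's internal checks were never published; the functions, data types, sample routing and account numbers and the names in it are all assumptions constructed for illustration. What it shows is the point Levy makes: a routing number and account number are identification, not authorization, because they are printed on every check, so a policy that accepts any well-formed pair (here `authorize_original`) lets a stranger debit the account, while the later procedure (`authorize_fixed`: voided check and driver's license on file, and the debited account in the same name as the X.com account) rejects the same request.

```python
"""Authorization policy for debiting an outside bank account, modelled on
the X.com loophole and its fix as reported above. Added illustration only:
the internal checks, names and numbers below are assumptions, not X.com's.
"""
from dataclasses import dataclass
from typing import Optional

TRANSFER_LIMIT = 15_000  # the article: transfers of up to $15,000 were possible


@dataclass(frozen=True)
class ExternalAccount:
    routing_number: str  # 9-digit ABA routing number printed on every check
    account_number: str  # account number printed on the same check


@dataclass(frozen=True)
class Identity:
    """Faxed voided check and driver's license; the name as printed on each."""
    name_on_check: str
    name_on_license: str


@dataclass(frozen=True)
class TransferRequest:
    source: ExternalAccount       # account to be debited
    xcom_holder_name: str         # name the requester opened the X.com account under
    amount: float
    documents: Optional[Identity] = None  # None in the original, online-only flow


def routing_number_is_valid(routing: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeating, total must be 0 mod 10.
    This proves only that the number is well-formed, nothing about who owns it."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def authorize_original(req: TransferRequest) -> bool:
    """The loophole (assumed shape): anything that looks like a valid account can
    be debited. The account holder is never consulted, so possession of the
    numbers from a discarded check is enough."""
    return (routing_number_is_valid(req.source.routing_number)
            and req.source.account_number.isdigit()
            and 0 < req.amount <= TRANSFER_LIMIT)


def _normalize(name: str) -> str:
    return " ".join(name.split()).casefold()


def authorize_fixed(req: TransferRequest) -> bool:
    """The procedure Levy describes: a voided check and a driver's license must be
    on file, and the name on them must match the name on the X.com account.
    Everything the original policy checked still has to hold as well."""
    if not authorize_original(req):
        return False
    if req.documents is None:
        return False
    names = {_normalize(req.documents.name_on_check),
             _normalize(req.documents.name_on_license),
             _normalize(req.xcom_holder_name)}
    return len(names) == 1


# Constructed sample data. The routing number is invented; it passes the checksum
# but is not assigned to any real bank. The account number is likewise invented.
VICTIM_ACCOUNT = ExternalAccount(routing_number="123456780",
                                 account_number="000123456789")

# A thief who copied the numbers off a discarded check and opened an X.com
# account under a different name (the $10,000 attempt the article mentions).
THIEF_REQUEST = TransferRequest(source=VICTIM_ACCOUNT, xcom_holder_name="Thief",
                                amount=10_000)

# The legitimate holder, with a voided check and license faxed in.
LEGIT_REQUEST = TransferRequest(source=VICTIM_ACCOUNT,
                                xcom_holder_name="Alice Example", amount=10_000,
                                documents=Identity("Alice Example", "ALICE EXAMPLE"))

# Documents in the victim's name but an X.com account in the thief's name:
# still rejected, because the name-match rule ties the two together.
MISMATCH_REQUEST = TransferRequest(source=VICTIM_ACCOUNT, xcom_holder_name="Thief",
                                   amount=10_000,
                                   documents=Identity("Alice Example", "Alice Example"))

if __name__ == "__main__":
    for label, req in [("thief", THIEF_REQUEST), ("legitimate", LEGIT_REQUEST),
                       ("mismatched names", MISMATCH_REQUEST)]:
        print(f"{label:17} original={authorize_original(req)!s:5} "
              f"fixed={authorize_fixed(req)}")
```

The contrast to take from it is that every check in `authorize_original` is about the form of the request, not about the requester; only `authorize_fixed` ties the debited account to a verified identity, which is why Levy calls it an authorization procedure.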