Daily News

Serious Online Banking Breach

By Kevin Featherly, Newsbytes.
January 31, 2000
A security flaw at an online bank conceivably could have affected anyone with a U.S. bank account, even if they did not do their banking online. And the breach was apparently exploited by at least one thief.
The Palo Alto, Calif.-based online bank X.com (http://www.x.com) has acknowledged the security breach, according to a report published Friday in the New York Times. The company is a division of La Jara, Colo.-based First Western National Bank.
An official with X.com could not be reached by Newsbytes for comment. However, the company acknowledged to the New York Times that someone armed with another person's account had diverted money from that other person's bank account into the thief's online bank account.
The problem involved a loophole in the bank's online account set-up system that could have allowed anyone to open an account on X.com and use it to transfer money from other accounts, without the legitimate account holder's written authorization. All a thief would need to exploit the loophole was the routing number and account number of the raided bank account, a security expert said.

Both those pieces of information can be obtained off any discarded check.
Elias Levy, chief technology officer at SecurityFocus.com, a San Francisco computer-systems security company, is one of the people who discovered and notified X.com of the breach. He said that unauthorized transfers of up to $15,000 were possible, and that the bank told him at least one attempt by a thief was made to move $10,000 into an X.com account. The bank did not say if the attempt was successful, Levy said.
Levy said SecurityFocus.com was alerted to the problem by an X.com customer's e-mail. "We decided to verify it," he said, "because we felt that if it was true, it was a fairly high level security breach."
The company did confirm the problem by setting up an account with X.com and attempting to perform a transfer from one staff member's bank account into an X.com account created in another SecurityFocus employee's name, Levy said. The operation was done with the employees' permission, he said.
Within a couple of days, the money transfer went through, Levy said. SecurityFocus.com then alerted X.com to the problem. But they had already changed their system.
"At that time, we became aware that X.com had changed procedures so that now before you're allowed to perform a transfer, you have to fax them copies of a voided check and a driver's license," Levy said. "And you can only transfer money out of an account that shares the same name as the account that you create with X.com, so this basically acts as an authorization procedure."
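The two authorization models the article contrasts can be written down as code. The following is an added illustration, not X.com's or SecurityFocus's code, and every account, name and number in it is constructed for the example. The weak path does what the story says the set-up system did: it accepts any syntactically valid routing number and account number as proof of authorization. The hardened path models the procedure Levy describes after the fix: a documentary identity check on file, and a name match between the funding bank account and the online account. The routing-number check-digit test is the standard ABA weighting (3, 7, 1 repeating, sum modulo 10) and is included to make one point concrete: a number that passes it is well formed, which says nothing about who owns the account.

```python
"""Weak versus hardened authorization for an online-bank funding transfer.
Added example modelled on the article's description; all data is constructed."""
from dataclasses import dataclass, field

TRANSFER_LIMIT = 15_000  # per-transfer ceiling mentioned in the article


def routing_number_is_well_formed(routing: str) -> bool:
    """ABA routing-number check digit: weighted digit sum (3,7,1 repeating) mod 10 == 0.
    A passing number is syntactically valid; it is NOT evidence of ownership."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, routing)) % 10 == 0


@dataclass
class ExternalAccount:
    """The account being debited at another bank (what a discarded check reveals)."""
    routing: str
    number: str
    holder_name: str  # name printed on the voided check


@dataclass
class OnlineAccount:
    """The newly created online account that receives the funds."""
    holder_name: str
    identity_verified: bool = False  # voided check + driver's license on file
    linked: list = field(default_factory=list)


def _normalize(name: str) -> str:
    # Collapse whitespace and case so "Alice  Example" matches "alice example".
    return " ".join(name.split()).casefold()


def weak_authorize_transfer(src: ExternalAccount, dst: OnlineAccount, amount: int) -> str:
    """The loophole as described: a well-formed routing/account pair under the
    limit is treated as authorization. Returns "ok" or a denial reason."""
    if not routing_number_is_well_formed(src.routing):
        return "bad routing number"
    if amount <= 0 or amount > TRANSFER_LIMIT:
        return "amount exceeds limit"
    return "ok"  # no check that dst's owner actually owns src


def hardened_authorize_transfer(src: ExternalAccount, dst: OnlineAccount, amount: int) -> str:
    """The post-fix procedure: same format and limit checks, then require
    verified identity documents and a name match between the two accounts."""
    if not routing_number_is_well_formed(src.routing):
        return "bad routing number"
    if amount <= 0 or amount > TRANSFER_LIMIT:
        return "amount exceeds limit"
    if not dst.identity_verified:
        return "identity not verified"
    if _normalize(src.holder_name) != _normalize(dst.holder_name):
        return "name mismatch"
    dst.linked.append((src.routing, src.number))
    return "ok"


if __name__ == "__main__":
    # Constructed data: a victim's check details and an unrelated online account.
    victim = ExternalAccount("123456780", "9988776655", "Alice Example")
    stranger = OnlineAccount("Mallory Example")
    print("weak:", weak_authorize_transfer(victim, stranger, 10_000))          # ok
    print("hardened:", hardened_authorize_transfer(victim, stranger, 10_000))  # identity not verified
    owner = OnlineAccount("alice example", identity_verified=True)
    print("hardened, owner:", hardened_authorize_transfer(victim, owner, 10_000))  # ok
```

The name match is deliberately a normalized string comparison rather than an exact one; the control the article describes is that the funding account and the online account belong to the same person, and rejecting a legitimate owner over letter case would push the bank back toward the convenience-over-verification trade-off Levy criticizes.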
But Levy said he was appalled to learn that the change in procedure was not prompted by an alert from the concerned customer, who had also contacted X.com. "The reason they had fixed it was because they had been getting too many complaints from the fraud departments from other banks," Levy said.
The problem is an egregious lapse, said David Kennedy, a computer security expert at ICSA.net, a Carlisle, Penn., firm that provides security for Internet-connected companies. It's so egregious, he suggested, that X.com ought to take Draconian steps to make sure it never happens again.

"They ought to go out of business," Kennedy said. "Frankly, I don't know how long they'll be able to survive as a business anyway."
Levy said that X.com opened for business sometime around December, so the window at the site was open to bandits for about a month.

If bank customers notice that unauthorized fund transfers were made, they can report it to their bank and get most of their money back.
"Thankfully," Levy said, "it's kind of like credit card transfers. As a consumer, you're only liable for $50 in unauthorized transfers. But still, if someone takes $15,000 out of your account, you're probably not going to find out until you get your checking account balance. And then, who knows how many checks were bounced?"
Levy doesn't go so far as Kennedy's call for the company to close down, but he does suggest that X.com should have known better.

"In this case, X.com did not do their job of making sure that the person making the (money transfer) request was authorized," he said. "You would think they would have known better."
Levy said that what he found most disturbing was what the bank's staff told him: that there was no breach in the system, that it was functioning as intended. He said X.com officials indicated they thought requiring faxed authorization would turn off potential customers.
"They wanted everything to be done online, over the Web," he said. "They didn't want you to bother to have to write in or fax or anything. And that's where things started to break down. They decided it was a convenience feature."
Levy said that similar problems with some online bankers could be more widespread, and that similar scenarios are likely to repeat.

"I think we're going to see more and more of this as people rush to the Internet and try to hitch the e-commerce bandwagon," he said. "A lot of people are trying to reach their goals as fast as they can and I think security is being left behind."
However, he stopped short of cautioning people away from online banking completely. "I would tell consumers to be cautious, by all means," Levy said.
The bank is online at http://www.x.com .

SecurityFocus.com can be found at http://www.securityfocus.com/ .

ICSA.net is on the Web at http://www.icsa.net/ .
Reported by Newsbytes.com