The Incompetence of Major Corporations in Australia

Discussion in 'Business & Enterprise Computing' started by SiliconAngel, Feb 7, 2014.

  1. SiliconAngel

    SiliconAngel Member

    Joined:
    Jun 27, 2001
    Messages:
    615
    Location:
    Perth, Western Australia
    Consider the following statement: "I'm a web developer and I'm building a portal for a new financial services industry startup with major backing that bridges the gap between key banking products from all the major vendors and financial product resellers. Customers can plug right into those banks, getting financial data on a range of areas that only certified and authorised brokers can access. Obviously we need to consider security, so I'm going to publish my own SSL certificate and then we'll get clients to change the security settings in Java to allow both the SSL and plain HTTP parts of the site to be trusted explicitly, so they can access everything without it breaking. Oh and we'll make sure they know to click through the 'untrusted certificate' warnings so their experience isn't tarnished by their unsophisticated understanding of the tech."

    If you think that's a serious statement, alarm bells should be ringing and you should be about ready to hand me my own backside.

    The good news is, I'm not a web developer and I'm not creating any such portal. The bad news is, this sort of thing is pretty common practice in Australia, and I think it's about time it stopped - in fact, pretty much this exact scenario is playing out right now, but not from a startup.

    Today I was thrust into the middle of yet another failure on the part of two large corporations that has gone unnoticed with zero ramifications for the organisations in question, despite them being in breach of Best Practices and numerous security agreements and exposing their customers to security vulnerabilities.

    Yes, I'm going to name them, because if these banks were operating like this in the USA or Europe there would already be risk advisories from all the major security groups. Before any moderators have an apoplectic fit, please check with Agg before locking down this thread.

    The banks in question are BankWest and Commonwealth Bank. The security certificate on BankWest's Lendnet site hasn't been published by a trusted source (apparently it has been published by an untrusted certificate authority originating at Commonwealth Bank), but instead of dealing with this by working with CBA to acquire a valid certificate ASAP their official response is to advise customers to add security exceptions for both their HTTPS and non-secure HTTP sites, including ignoring security warnings about allowing non-secure http exceptions. They go on to advise clients to ignore warnings about untrusted certificates.

    Personally, I'm extremely concerned about this - these are two large banks which are thumbing their noses at the security of their customers; not just the security of their transactions with the banks, but by requiring they add exceptions for nonsecure domains (both the unsecure http site and the not-actually-secure https site with the untrusted certificate) they are also exposing their clients to security risks indefinitely for anyone choosing to attack them by making use of those unsecured security exceptions - it is pretty easy to impersonate a domain name with a directed attack (we know this happens on a pretty regular basis in Australia already) and training people to ignore and mindlessly click through security warnings is the very opposite of responsible security practice. No bank in the US would get away with such behaviour without a strong reprimand from the security and finance industries.

    IMO the IT community of Australia needs to send a very strong message to BankWest and any corporation that runs their operations like this - such practices are unacceptable, they risk the security of thousands (maybe tens of thousands) of individuals and businesses, and they are a breach of numerous security Best Practices and security agreements. DO NOT force customers to reduce the security of their systems; fix your problems, even if that means taking your website offline until you sort out your own mess.

    I don't know about the rest of you, but in my experience it actually isn't that uncommon to see even large businesses with untrusted or expired certificates in Australia, nor to see them come up with workarounds that force customers to make changes at their end to fix an issue the vendor has created. Do you think we have a culture of acceptance here? Is there not a big enough stick with which to discipline organisations like this? Is there simply not enough media coverage? Do we lack sufficient regulatory legislation? Or do the larger markets with greater competition in the US and Europe discourage such poor practices because customers can more easily leave for more secure, trustworthy and professional competitors, leading to greater self-regulation?

    Or maybe you think I've got this wrong? Maybe you think this sort of thing is perfectly innocuous and poses no risks whatsoever? Clearly the banks think so. If so, please enlighten me!

    Your considered opinions are very much encouraged :)
     
  2. the[K]id

    the[K]id Member

    Joined:
    Jun 18, 2002
    Messages:
    598
    Location:
    Perth, 6023
    As a bankwest customer my opinion is I will be asking them wtf they are doing and how they expect me to trust them with my money when this is the level of quality they are working at.

    Why can't things like this go viral on social media for once, instead of the usual whining about Coles checkout queues or the like.
     
  3. Sphinx2000

    Sphinx2000 Member

    Joined:
    Sep 16, 2001
    Messages:
    6,814
    Location:
    Brisbane
    Lol, too poor to organise a proper security certificate? Telling customers to add exceptions?:lol:
    Hope this isn't for stuff like... erm.. online banking.. :thumbdn:
     
  4. ECHO

    ECHO Member

    Joined:
    Jun 17, 2002
    Messages:
    636
    Location:
    Canberra
  5. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    57,172
    Location:
    brisbane
    you aren't just posting the body text of a scam email here are you?

    This is from Bankwest's Internet Banking login??? Lendnet whatever that is, is that even internet banking?

    another edit, the process you are going to isn't much different to the BS that payroll people are going through with the ATO right now, each state is different and they have all sorts of things they need to update or you backdate - total pita. but I don't really think the sky is falling.... yet.
     
    Last edited: Feb 8, 2014
  6. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Not surprised, I left ANZ due to its netbank not allowing passwords outside 5-8 characters long and no special characters.

    Mega derp
     
  7. SiliconAngel (OP)

    SiliconAngel Member

    Joined:
    Jun 27, 2001
    Messages:
    615
    Location:
    Perth, Western Australia
    They do have a certificate, but it is not published by an internationally trusted authority and it is inherently poor (your own link advises that the certificate version is so old it is graded 'F'). Old certificates like this are worthless - there are numerous ways to spoof certificates like this easily in active use today. A certificate that can be easily impersonated isn't even worthy of the classification.

    And to be honest, even if they got a valid certificate today that wouldn't be good enough - they've still required all Lendnet customers to reduce their security settings - are they going to contact every one of those at some point in the future and give them free support time to assist them to re-secure Java and their browser? What happens if one of their customers is successfully targeted by a man-in-the-middle attack that compromises their network and possibly steals their data as a direct result of these enforced security vulnerabilities? Is the bank culpable? I'd say it's pretty clear cut, but good luck to any SMB taking a large bank to court for damages.

    LOL no - those are screenshots of the advisory from BankWest on how to fix problems with Lendnet. I had to assist a client (finance advisers) to implement this yesterday, and raised my concerns with them at the time. The reality is they rely on Lendnet for their business though, so not much they can do about it - Bankwest have them (and every other customer who requires access to the portal for the operation of their business) over a barrel.

    Not in the sense that you mean, no. It is a business portal, for finance advisers and brokers. If it affected their retail Internet banking portals I would have said it affected hundreds of thousands of people ;)

    No, the sky's not falling. It's just bad practice, it is irresponsible, it is unprofessional and the risks it poses are actually quite severe - if you've ever had to clean up a corporate domain that's been compromised by an insidious virus/malware attack or (much worse) that's been hacked, you will understand that it is imperative that all security best practices and standards be adhered to, that the network is secured, that patches are run on all systems as soon as they are released and that everything is monitored continually. This sort of thing blows a great gaping hole in your security and if the organisation demands that they need access to such a service there isn't a great deal you can do about it.

    One possibility is to only make the changes on a firewalled and virtualised terminal server that you get all staff to use for access to vulnerable portals like this - you can easily take it offline and scrub it back to a known good state with almost zero down-time that way, without exposing tens to hundreds of client workstations (and their environment) to the risks (there are other risks, of course, but you're at least minimising the probability of a successful attack).

    Unfortunately not everyone can afford to go to such lengths to protect themselves from vulnerabilities being forced upon them by industry partners who are either grossly incompetent or knowingly cutting corners.

    Which is the point of me raising the point in the first place - this sort of thing should have been relegated to the early days of the Internet back in the 90's (at the latest) when you could understand things being missed by organisations desperate to jump into their new online presence. That this is still happening in 2014 is utterly inexcusable.
    Yea, even Microsoft won't let you have passwords more than 16 characters long for outlook.com/liveID which many people are now using to authenticate their Windows accounts...
     
  8. AthlonMan

    AthlonMan (Banned or Deleted)

    Joined:
    Oct 8, 2002
    Messages:
    11,416
    Location:
    QLD.
    Wtf :lol: Really?
     
  9. shredder

    shredder Member

    Joined:
    Dec 26, 2001
    Messages:
    10,937
    Location:
    Dec 27, 1991
    IT is the wild west of professions. There's no unified professional body or authority to take argument on their behalf, or to set standards. Can't see it happening in a hurry either, because the industry grows too fast to keep up with let alone oversee.

    You look at other professions and they have a history and professional organisations, they stand and speak as one together, and have authority over their profession. For IT, that isn't even visible in the distance.

    I trust there's some sort of natural selection process in IT that will cause shonky operators and processes to simply fail over time, and allow best practice to slowly infiltrate via sheer necessity. What else would do it?
     
    Last edited: Feb 8, 2014
  10. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,411
    Location:
    Narrabri NSW
    You think that's bad:
    CBA: Case Insensitive. Here was me entering my password with correct case for years, until one day I noticed it let me in with Caps Lock on.
    Westpac: 6 char exactly. No more. No less. Must have 1 number and 1 letter.
     
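    A way to quantify what FiShy (post 6) and tin (post 10) describe, added here as an example and not code from any poster or bank: it computes the keyspace each reported rule set leaves a guesser, and the bits thrown away when a verifier folds case the way tin reports CBA does. The policy names, and ANZ's alphabet being case-sensitive letters and digits, are assumptions constructed from the posts.

```python
import math
from dataclasses import dataclass, replace
# Only letters and digits: none of the policies reported here allow specials.
LOWER, UPPER, DIGIT = 26, 26, 10

@dataclass(frozen=True)
class PasswordPolicy:
    """A rule set as reported in the thread (constructed, not bank documentation)."""
    name: str
    min_len: int
    max_len: int
    case_sensitive: bool = True   # False models a verifier that folds case
    require_letter: bool = False
    require_digit: bool = False

def keyspace(policy: PasswordPolicy) -> int:
    """Passwords the verifier can actually tell apart, by inclusion-exclusion:
    all strings of length n, minus digit-only ones if a letter is required,
    minus letter-only ones if a digit is required (nothing lacks both)."""
    letters = LOWER + (UPPER if policy.case_sensitive else 0)
    total = 0
    for n in range(policy.min_len, policy.max_len + 1):
        count = (letters + DIGIT) ** n
        if policy.require_letter:
            count -= DIGIT ** n
        if policy.require_digit:
            count -= letters ** n
        total += count
    return total

def entropy_bits(policy: PasswordPolicy) -> float:
    """log2 of the keyspace: the work factor of an exhaustive guess."""
    return math.log2(keyspace(policy))

def case_fold_penalty_bits(policy: PasswordPolicy) -> float:
    """Bits lost when the verifier compares case-insensitively (the CBA
    behaviour tin and blankpaper describe): mixed case buys the user nothing."""
    return entropy_bits(policy) - entropy_bits(replace(policy, case_sensitive=False))

# Policies as reported in posts 6 and 10. ANZ's alphabet and case handling are
# not stated there; case-sensitive alphanumerics is an assumption.
ANZ_AS_REPORTED = PasswordPolicy("ANZ (per FiShy)", 5, 8)
WESTPAC_AS_REPORTED = PasswordPolicy("Westpac (per tin)", 6, 6,
                                     require_letter=True, require_digit=True)

if __name__ == "__main__":
    for p in (ANZ_AS_REPORTED, WESTPAC_AS_REPORTED):
        print(f"{p.name}: {entropy_bits(p):.1f} bits; case folding would "
              f"cost {case_fold_penalty_bits(p):.1f} of them")
```

    Westpac's fixed six alphanumerics come out to roughly 35 bits, and folding case on that policy would cost a further four or so; both are within reach of an online guessing campaign that the SMS step maddhatter mentions later is meant to stop.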
  11. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,411
    and if you type an incorrect password when you log in to online banking in it actually tells you how many characters the password must be.
     
  12. AthlonMan

    AthlonMan (Banned or Deleted)

    Joined:
    Oct 8, 2002
    Messages:
    11,416
    Location:
    QLD.
    Shit, if you guess it wrong three times does it give you a hint too? :lol:
     
  13. ikonz0r

    ikonz0r Member

    Joined:
    Dec 23, 2001
    Messages:
    2,543
    Location:
    Brisvegas
    I think you need to breathe a little. I understand prevention is better than a cure but i'm sure with the profits they make they have a team of people ready to tackle any vulnerabilities. If not - why not prove them wrong? You would probably make the 6 o'clock news.

    Being a web developer myself, I often have this argument with people who get fucked over by dodgy web developers. Yeah there are some organisations you can be a part of but overall the industry is completely unregulated for exactly that reason - it evolves far too quickly. It's not like building where a new type of material may come out every 15 years which needs to be used to a particular standard.

    I just can't see it happening anytime soon.

    Either way - until it's broken why fix it :Pirate:
     
  14. blankpaper

    blankpaper Member

    Joined:
    Feb 1, 2013
    Messages:
    941
    Holy shit you're dead right, just tried it then with mine.
     
  15. maddhatter

    maddhatter Member

    Joined:
    Jun 27, 2001
    Messages:
    4,798
    Location:
    Mackay, QLD.
    yer, but CBA has two part auth, you still need to authorize transactions via SMS...
     
  16. Toliandar

    Toliandar Member

    Joined:
    Aug 8, 2010
    Messages:
    216
    It sounds like Bendigo Bank's online banking is a step up from the major banks judging by the experiences here.
     
  17. blankpaper

    blankpaper Member

    Joined:
    Feb 1, 2013
    Messages:
    941
    and if someone steals your phone with kaching on it? chances of losing your money increase quite a bit
     
  18. maddhatter

    maddhatter Member

    Joined:
    Jun 27, 2001
    Messages:
    4,798
    Location:
    Mackay, QLD.
    I would think kaching and the netbank app do not store your password / maintain a logon session / timeout fairly rapidly.

    So you'd need to steal the phone, know the phone's PIN code and the netbank PIN code / password.

    I'd say you're pretty safe...
     
  19. blankpaper

    blankpaper Member

    Joined:
    Feb 1, 2013
    Messages:
    941
    I think I'll pass thanks :)
     
  20. colmaz

    colmaz Member

    Joined:
    Jan 8, 2007
    Messages:
    411
    Location:
    Perth, WA
    Yeah, just confirmed with mine. It isn't a condition for a new password either.
    I only get that for new accounts/BPay that I transfer. That might be enough to prevent someone from getting my money though, unless they stole my phone as well
    Um, with the old Netbank app which you needed to type in both your ID and password, it didn't save sessions. If the app lost focus, it would log out (from memory). With Kaching however, there have been a few times I've been able to get back in after switching away from the app a few minutes later. Long enough for someone who saw me in the app to steal my phone and then transfer money.

    Excuse me whilst I uninstall Kaching from my phone
     