New online banking security flaw found
By removing the encryption in internet connections, it seems to become possible to see and manipulate bank transactions at all big Dutch banks, according to research from NU.nl and security company SecureLabs. Measures have now been taken to minimize the chance of this abuse of the system, and the make it easier to catch the criminals behind it. During the research, SecureLabs and NU.nl used a Wifi hotspot, and installed a program on it. Stealing money is then demonstrated in three steps. First, the hotspot removes the secure connection to the user, while the connection to the bank is encrypted. If the internet banking site is accessed via a browser, then the hotspot replaces the bank's icon through a lock, which makes it hardly possible to realize that there is no secured connection. The last step is that the software automatically amends the IBAN- bank account number of the beneficiary after a transaction. The user then gets to see the intended account number. Various banks were tested, and the method seems to be universal. Experts from SecureLabs have also tested a similar attack with booking sites and web shops. The attack demonstrated depends specifically on wireless networks. "This attack is simple in form. You could also execute this on a hacked router on the internet, and then all clients from, for example, a provide could be affected", says Ronald Kingma of SecureLabs. After the research was conducted, contact was made with the National Cyber Security Center (NCSC) of the National Counter-Terrorism and Security Coordinator to help solve the problem. Most banks already support HSTS with internet banking, and the intention is that all banks will do this. Not every web browser supports HSTS yet. Microsoft will only start supporting it in the next version of Internet Explorer, though it is unclear when this will be available. Google Chrome, Apple Safari and Mozilla Firefox do, however, support the protocol. NU.nl tested the method on a busy hotspot internet connection to see how many sessions could be performed. In one test, more than 100 sessions for internet banking were started in one afternoon. Although it seems like a simple attack, there have been no reports of money being stolen through this technique. Banks have become more alert to the leak, however. The banks are all saying that they will insure eventual damages, if conditions are met. The Payment Association Netherlands is warning people to stop using Internet Explorer for online banking. There have also been wider warnings about the problem, which only applies to web browsers. Apps for internet banking were also tested, and did not seem to be affected by the same problem. SecureLabs is developing a program that will be able to detect fake hotspots, to help counter the problem.