RealTime IT News

SA's Internet Banking "Full of Holes"

[Johannesburg, SOUTH AFRICA] At least three of South Africa's financial institutions have gaping holes in their "secure" Internet security systems, exposing valuable information to hackers who could infiltrate and corrupt these systems.

Reacting to a tip-off from an industry source, sa.internet.com researched the claim and found that the source codes from three apparently secure servers could be accessed and administrator ID's and passwords obtained.

According to an expert in Internet security, at least one of these source codes allows "significant" access to customer details. This expert informed sa.internet.com on Thursday that the code provides administrator access through to the customer database on the Web site of one of South Africa's financial institutions. This would potentially allow a hacker to change seemingly-secure customer details.

One of South Africa's four major banks also appears to be at risk, according to the source, although in this case, the expert was only able to verify that read-access to the database could be obtained. "Should the server be compromised," he commented, "this window will allow a hacker to view the customer database, obtaining PIN numbers and account details."

In the third instance, while the source code was obtained, a number of firewalls prevented access to the database of customer information but still provided insight into the site architecture. "In all three cases the extent of the information obtained varied," the security expert explained, "ranging from providing information on how the site works to exposing customer information that clients expect to be securely guarded on the server."

When sa.internet.com spoke to First National Bank, a spokesman suggested that this kind of security risk would not apply to their operation. According to this spokesman, customers who access the online banking option are immediately rerouted to a secure server on another site, the main FNB site being merely a brochure-type information resource. What the spokesman did confirm, however, is that should the FNB brochure Web site be susceptible to this intrusion, this opens the way for a hacker to change information and deface the site. While this is not crippling in itself, he commented, a bank will face adverse publicity and could incur significant downtime costs.

When sa.internet.com alerted NBS to the problem, NBS Internet and e-commerce Manager Lambert van Heerden consulted with the Internet services team before concluding that there is no risk to the bank's clients of their information being compromised. The UserID and password which can be obtained through the source code, he assured us, only allows general access to a table within the SQL database.

According to van Heerden, to obtain access to the SQL server itself and get further source codes or information would necessitate a hacker bypassing two additional firewalls and having the relevant passwords. NBS Media Liason Kim Baas did, however, confirm that the bank would be implementing the security patch that is available from Microsoft, but are currently testing the system to ensure that the patch is compatible.

The patch to which Baas refers aims to eliminate two security vulnerabilities on Microsoft's Internet Information Server, a technology employed by most South African financial institutions. Microsoft say that these vulnerabilities could allow a malicious user to st