SA’s Internet Banking “Full of Holes”

[Johannesburg, SOUTH AFRICA] At least three of South Africa’s financial institutions have gaping holes in their “secure” Internet security systems, exposing valuable information to hackers who could infiltrate and corrupt these systems.

Reacting to a tip-off from an industry source,
sa.internet.com researched the claim and found that the source codes from three apparently
secure servers could be accessed and administrator ID’s and passwords obtained.

According to an expert in Internet security, at least one of these source codes allows
“significant” access to customer details.
This expert informed
sa.internet.com on Thursday that the code provides administrator access through to the customer
database on the Web site of one of South Africa’s financial institutions.
This would potentially allow a hacker to change seemingly-secure customer details.

One of South Africa’s four major banks also appears to be at risk, according to the
source, although in this case, the expert was only able to verify that read-access to the
database could be obtained.
“Should the server be compromised,” he commented, “this window will allow a hacker
to view the customer database, obtaining PIN numbers and account details.”

In the third instance, while the source code was obtained, a number of firewalls
prevented access to the database of customer information but still provided insight
into the site architecture.
“In all three cases the extent of the information obtained varied,” the security expert
explained, “ranging from providing information on how the site works to exposing
customer information that clients expect to be securely guarded on the server.”

When sa.internet.com spoke to First National Bank, a spokesman suggested that this
kind of security risk would not apply to their operation.
According to this spokesman, customers who access the online banking option are
immediately rerouted to a secure server on another site, the main FNB site being merely
a brochure-type information resource.
What the spokesman did confirm, however, is that should the FNB brochure Web site
be susceptible to this intrusion, this opens the way for a hacker to change information
and deface the site.
While this is not crippling in itself, he commented, a bank will face adverse publicity
and could incur significant downtime costs.

When
sa.internet.com alerted NBS to the problem, NBS Internet and e-commerce Manager
Lambert van Heerden consulted with the Internet services team before concluding that
there is no risk to the bank’s clients of their information being compromised.
The UserID and password which can be obtained through the source code, he assured
us, only allows general access to a table within the SQL database.

According to van Heerden, to obtain access to the SQL server itself and get further
source codes or information would necessitate a hacker bypassing two additional
firewalls and having the relevant passwords.
NBS Media Liason Kim Baas did, however, confirm that the bank would be
implementing the security patch that is available from Microsoft, but are currently
testing the system to ensure that the patch is compatible.

The patch to which Baas refers aims to eliminate two security vulnerabilities
on Microsoft’s Internet Information Server, a technology employed by most
South African financial institutions.
Microsoft say that these vulnerabilities could allow a malicious user to st

op
the Web site from providing useful service and also allow access to certain
types of apparently secure information.

At the very least, these security vulnerabilities are testament to the fact that
affected institutions need to radically revise their stance on the importance
of information security.
This is especially so in light of the availability of this patch and the fact that
a malicious user can obtain limited access to information that should be,
and can be, secured.

South Africa’s financial institutions have the most to gain from assuring
customers of the sanctity of their security systems – access to any
protected information should be a matter of utmost priority, no matter how
seemingly trivial this information might appear.
As e-commerce vendors look to financial institutions for guidance in
implementing their own security measures, these security systems should
present the image of unassailable fortress-like architecture.
In South Africa this does not appear to be the case.

News Around the Web