Do not login to A&L this morning - HACKED

12467

Comments

  • poppie123
    poppie123 Posts: 957 Forumite
    First Anniversary Combo Breaker
    mattcodes wrote: »
    Here's what I've just been told.

    Even if advanced-web-analytics is legit. I can't see the how polycache is legit. On some of the nodes it presents a cert for gate-logic.com, is hosted in a Linode VPS, is registered anonymously etc.. Ive saved copies of code to see what changes when they fix it.




    So are they saying there isn't a problem with their site being compromised as such more that they made an error which they intend to fix?? have i read that right? and more to the point do you believe them?
  • mr_fishbulb
    mr_fishbulb Posts: 5,224 Forumite
    First Anniversary Combo Breaker
    ashleypride wrote: »
    That is the question, from what I can tell A&L do usally have the https://www.advanced-web-analytics.com/18557/splash.js code. So if anything has been comprised it is this server.
    Yes, it's the splash screen that tells people to install Trusteer
  • mattcodes
    mattcodes Posts: 19 Forumite
    So are they saying there isn't a problem with their site being compromised as such more that they made an error which they intend to fix?? have i read that right? and more to the point do you believe them?
    Something is not right, but if advanced-web-analytics is legit then at least santander servers havent been 'write' compromised. BUT what remains is polycache has gote suspicion written all over it. Between the invalid SSL cert warning yesterday, gate-logic/polycache cert mismatch, domain registered a few weeks ago via godaddy, anonymous domain whois, linode servers. I'd be very surprised that Santander is willing endorsing such companies with what Id call a shady setup (similar to what a bulk spammer would use) considering the point is to create trust not destroy it. Ive got a meeting shortly so I cant verify what changed in depth but seems it same it was yesterday. Will update more when back..
  • 6am
    6am Posts: 178 Forumite
    First Anniversary Combo Breaker First Post
    Why the hell they allow third party scripts to run on online banking pages?? Even if advanced-web-analytics . com is a legitimate site it is outside of bank infrastructure and can be compromised. I checked my Natwest login page and it also loads some scripts from advanced-web-analytics. As far as I can see this script does nothing harmful at the moment, but the point is it might in the future.
  • Former_MSE_Guy
    Former_MSE_Guy Posts: 1,650 Forumite
    I've been Money Tipped! Newshound! Chutzpah Haggler
    This is the discussion thread for the following MSE News Story:
    "The banks says no customer data is at risk after the failure of one of its online systems ..."

    Read the full story:
    Santander calms online banking hack fears

    OfficialStamp.gif
  • cbrpaul
    cbrpaul Posts: 756 Forumite
    First Post First Anniversary Combo Breaker
    holy hacked accounts batman !!!!

    :eek::eek::eek:
  • mattcodes
    mattcodes Posts: 19 Forumite
    edited 19 April 2011 at 2:02PM
    This raises serious concerns for me. Lets take the hypothesis that everything Santander says is accurate.

    Polycache is an anonymous domain, i.e. its protected by a domain by proxy service. As is gate-logic etc.. I thought we'd have visibility to increase trust? Does your bank hides its address? Should they allow 3rd parties to act invisibly?

    Polycache is hosted by a VPS provider, this javascript served from there, start from $19.99 per month whilst in theory this provides insulation from other customers, if an attack can exploit the hypervisor (expolits existed before) then one can change the JS. Invest millions in security and throw it out referenced JS on a commodity VPS along with other customers. Basically they are increasing potential attack vector.

    The polycache domain resolves to different geographical data center depending on where you visit from, there could be privacy problem here, will need to check their privacy policy to confirm. Does the privacy policy grant them permission to export your session details to a 3rd party and to a server in different country (dns resolution location dependent)?

    Their DNS is provided by a free DNS provider, albeit they use the premium service, but why increase the risk. Again increase the attack vector.

    (btw, I think linode and dydns are good companies, but yikes not for my bank)

    And most serious Polycache on certain nodes is/was presenting a cert for different another anonymous domain. gate-logic.com. Again anonymous and a cheap cert (validated by email, a bank and its 3rd party that are embedded should never be using a validated by email cert). The cert mismatch was what triggered this and everything after indicated a hack (although after a cert mismatch - holy f - I made of been psychologically biased), but this a bank! a bank! yikes! The certificate again remains practically anonymous - please inspect to see, a cheap $20 certificate. This is what I believe they refer to by "failure" but I'd like to know how that happened, was the server at 3rd party compromised? Who knows..

    They use advanced-web-analytic to provide an async js loader onto polycache, this is unnecessary and smells, tastes and looks like a hack. Actually thinking about it, because they inject the awa JS the latter async benefit are nulled at this stage (waiting confirmation from celebrity JS people), an async loader on the main page is fine. This sort of thing makes me question the competence of their developers.

    The script loaded makes references to several other banks, this to me seems strange, I caught up today but will need to investigate if there is any leakage here.

    I actually think there is something deeper here and will continue to explore. If there story checks out then they are using a pretty !!!!!! 3rd party. Compromise polycache etc.. (via any of the several angles) and this will be pretty damn serious next time round.
  • Degenerate
    Degenerate Posts: 2,166 Forumite
    Anonymous domain regs, VPS hosted accounts - all this adds up to the fact that even if Santander have not been compromised, they're so incompetent with their web security that no-one should trust them.
  • [Deleted User]
    [Deleted User] Posts: 0 Forumite
    called them up and Santander are confused as they have not heard of this
  • ellejay6
    ellejay6 Posts: 1 Newbie
    I didn't read any of this information until this morning ( 20th ) so knew nothing about it until I tried to log on to Alliance & Leicester today. I went thru. the usual log on rquirements and then was told my account was blocked.On phoning A & L I was told that someone had tried to access my accounts on 10th and 12th April ( one attempt at 5 a.m.! ) but as they did not recognise the computer they blocked the account. Whether this has anything to do with this security breach or not,I don't know, but it certainly is making me have second thoughts about internet banking.
This discussion has been closed.
Meet your Ambassadors

Categories

  • All Categories
  • 343K Banking & Borrowing
  • 250K Reduce Debt & Boost Income
  • 449.6K Spending & Discounts
  • 235.1K Work, Benefits & Business
  • 607.7K Mortgages, Homes & Bills
  • 173K Life & Family
  • 247.7K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 15.9K Discuss & Feedback
  • 15.1K Coronavirus Support Boards