Do not login to A&L this morning - HACKED

edited 19 April 2011 at 8:01AM in Budgeting & Bank Accounts
61 replies 11.8K views

Replies

  • poppie123 Forumite
    954 Posts
    mattcodes wrote: »
    Here's what I've just been told.

    Even if advanced-web-analytics is legit, I can't see how polycache is legit. On some of the nodes it presents a cert for gate-logic.com, is hosted in a Linode VPS, is registered anonymously etc. I've saved copies of the code to see what changes when they fix it.

    So are they saying there isn't a problem with their site being compromised as such, more that they made an error which they intend to fix?? Have I read that right? And more to the point, do you believe them?
  • mr_fishbulb Forumite
    5.2K Posts
    Part of the Furniture Combo Breaker
    ✭✭✭✭
    That is the question. From what I can tell, A&L do usually have the https://www.advanced-web-analytics.com/18557/splash.js code. So if anything has been compromised it is this server.
    Yes, it's the splash screen that tells people to install Trusteer
  • poppie123 wrote: »
    So are they saying there isn't a problem with their site being compromised as such, more that they made an error which they intend to fix?? Have I read that right? And more to the point, do you believe them?

    Something is not right, but if advanced-web-analytics is legit then at least Santander's servers haven't been 'write' compromised. BUT what remains is that polycache has got suspicion written all over it. Between the invalid SSL cert warning yesterday, the gate-logic/polycache cert mismatch, a domain registered a few weeks ago via GoDaddy, an anonymous domain whois, and Linode servers, I'd be very surprised that Santander is willingly endorsing such companies with what I'd call a shady setup (similar to what a bulk spammer would use), considering the point is to create trust, not destroy it. I've got a meeting shortly so I can't verify what changed in depth, but it seems the same as it was yesterday. Will update more when back..
  • 6am Forumite
    168 Posts
    Part of the Furniture 100 Posts Combo Breaker
    Why the hell do they allow third-party scripts to run on online banking pages?? Even if advanced-web-analytics.com is a legitimate site, it is outside the bank's infrastructure and can be compromised. I checked my NatWest login page and it also loads some scripts from advanced-web-analytics. As far as I can see this script does nothing harmful at the moment, but the point is it might in the future.
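    The check the post above is doing by hand, as an added example (not code from the thread, from the bank or from any of the companies named): list every `<script src>` host a login page pulls in and flag those outside the bank's own domain. The HTML, the bank domain `bank.example` and the host `cdn.polycache.example` are constructed for illustration; `www.advanced-web-analytics.com/18557/splash.js` is the URL quoted in the thread.

```python
"""Enumerate third-party <script src> origins on a banking login page.

Added example, not code from the thread or from any bank: a stdlib-only
check that lists every script host a page pulls in and flags those outside
the bank's own registrable domain.  The HTML and the bank domain
(bank.example) are constructed for illustration; advanced-web-analytics.com
is the host named in the thread, cdn.polycache.example is a made-up stand-in
for the second host discussed there.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def same_site(host, site):
    """True when host equals site or is a subdomain of it."""
    host = host.lower().rstrip(".")
    site = site.lower().rstrip(".")
    return host == site or host.endswith("." + site)


def third_party_scripts(html, page_url, bank_site):
    """Return [(host, absolute_url, over_https)] for every script not served
    from bank_site.

    Relative and protocol-relative ("//host/x.js") references are resolved
    against page_url first, so a scheme-less third-party URL is not mistaken
    for a first-party file.  over_https is False for mixed-content loads,
    which an on-path attacker can rewrite without any certificate warning.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        absolute = urljoin(page_url, src)
        parts = urlsplit(absolute)
        host = parts.hostname or ""
        if not same_site(host, bank_site):
            findings.append((host, absolute, parts.scheme == "https"))
    return findings


# Constructed sample page: one absolute first-party script, one relative
# first-party script, the analytics loader named in the thread, a
# hypothetical protocol-relative CDN include, and an inline script.
SAMPLE_LOGIN_PAGE = """
<html><head>
<script src="https://www.bank.example/js/login.js"></script>
<script src="/js/session.js"></script>
<script type="text/javascript"
        src="https://www.advanced-web-analytics.com/18557/splash.js"></script>
<script src="//cdn.polycache.example/loader.js"></script>
<script>var inline = 1;</script>
</head><body><form id="login"></form></body></html>
"""


def audit_sample():
    """Run the check over the constructed page as if it were the bank's login."""
    return third_party_scripts(
        SAMPLE_LOGIN_PAGE, "https://www.bank.example/login", "bank.example"
    )


if __name__ == "__main__":
    for host, url, https in audit_sample():
        print(f"third-party script: {host:<40} https={https}  {url}")
```

    Anything this lists runs with the same DOM access as the bank's own code, including every field of the login form, so the list is the bank's real trust boundary regardless of who owns the hosts. Pages fetched live should be parsed from the exact bytes the browser received, since a loader script can add further `<script>` tags after load that a static parse will not see.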
  • MSE_Guy MSE Staff
    1.7K Posts
    I've been Money Tipped! Newshound! Chutzpah Haggler
    This is the discussion thread for the following MSE News Story:
    "The bank says no customer data is at risk after the failure of one of its online systems ..."

    Read the full story:
    Santander calms online banking hack fears

  • cbrpaul Forumite
    756 Posts
    Part of the Furniture 500 Posts Combo Breaker
    ✭✭✭
    holy hacked accounts batman !!!!

    :eek::eek::eek:
  • edited 19 April 2011 at 1:02PM
    mattcodes Forumite
    19 Posts
    This raises serious concerns for me. Let's take the hypothesis that everything Santander says is accurate.

    Polycache is an anonymous domain, i.e. it's protected by a domain-by-proxy service. As is gate-logic etc. I thought we'd have visibility to increase trust? Does your bank hide its address? Should they allow 3rd parties to act invisibly?

    Polycache is hosted by a VPS provider; this JavaScript is served from there, starting from $19.99 per month. Whilst in theory this provides insulation from other customers, if an attacker can exploit the hypervisor (exploits have existed before) then one can change the JS. Invest millions in security and throw it out by referencing JS on a commodity VPS along with other customers. Basically they are increasing the potential attack vector.

    The polycache domain resolves to a different geographical data centre depending on where you visit from; there could be a privacy problem here, I will need to check their privacy policy to confirm. Does the privacy policy grant them permission to export your session details to a 3rd party and to a server in a different country (DNS resolution location dependent)?

    Their DNS is provided by a free DNS provider, albeit they use the premium service, but why increase the risk? Again, increasing the attack vector.

    (btw, I think Linode and DynDNS are good companies, but yikes, not for my bank)

    And most seriously, Polycache on certain nodes is/was presenting a cert for a different, again anonymous, domain: gate-logic.com. Again anonymous, and a cheap cert (validated by email; a bank and the 3rd parties embedded in it should never be using an email-validated cert). The cert mismatch was what triggered this, and everything after indicated a hack (although after a cert mismatch - holy f - I may have been psychologically biased), but this is a bank! A bank! Yikes! The certificate again remains practically anonymous - please inspect it to see, a cheap $20 certificate. This is what I believe they refer to by "failure", but I'd like to know how that happened; was the server at the 3rd party compromised? Who knows..

    They use advanced-web-analytics to provide an async JS loader onto polycache; this is unnecessary and smells, tastes and looks like a hack. Actually, thinking about it, because they inject the AWA JS, the latter's async benefit is nulled at this stage (awaiting confirmation from celebrity JS people); an async loader on the main page is fine. This sort of thing makes me question the competence of their developers.

    The script loaded makes references to several other banks; this seems strange to me. I caught up today but will need to investigate whether there is any leakage here.

    I actually think there is something deeper here and will continue to explore. If their story checks out then they are using a pretty !!!!!! 3rd party. Compromise polycache etc. (via any of the several angles) and this will be pretty damn serious next time round.
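    The "cert mismatch" in the post above is a hostname check failing, and it is worth seeing exactly which rule fails. The following is an added example, not code from the thread or from any of the parties named: it applies the RFC 6125 name-matching rules (dNSName SAN entries first, subject CN only as a fallback, a single wildcard allowed only as the whole leftmost label) to certificates in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate dicts are constructed: `gate-logic.com` is the name quoted in the thread, while `cdn.polycache.example` and the wildcard cert are hypothetical stand-ins for the host that was observed serving it.

```python
"""Check a presented certificate against the hostname actually connected to.

Added example, not code from the thread: RFC 6125 name matching over
certificate dicts shaped like ssl.getpeercert() output.  All certificates
below are constructed; gate-logic.com is the name quoted in the thread,
cdn.polycache.example and the wildcard cert are hypothetical stand-ins.
"""


def dns_names(cert):
    """Names the certificate is valid for.

    dNSName SAN entries take precedence; the subject commonName is consulted
    only when the certificate carries no SAN at all (RFC 6125 section 6.4.4).
    """
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.

    Wildcard rules: '*' must be the entire leftmost label, the pattern must
    have at least two further labels (so '*.com' is rejected), and the
    wildcard covers exactly one label ('*.a.test' matches 'x.a.test' but not
    'a.test' or 'x.y.a.test').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('c*n.example'), bare '*.tld', and any '*'
    # outside the leftmost label.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when any name in the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def audit(cert, hostname):
    """Summarise a check the way a practitioner would report it."""
    return {
        "hostname": hostname,
        "cert_names": dns_names(cert),
        "match": hostname_matches(cert, hostname),
    }


# Constructed certificate dicts, shaped like ssl.getpeercert() output.
CERT_GATE_LOGIC = {
    "subject": ((("commonName", "gate-logic.com"),),),
    "subjectAltName": (("DNS", "gate-logic.com"), ("DNS", "www.gate-logic.com")),
}
CERT_POLYCACHE_WILDCARD = {
    "subject": ((("commonName", "*.polycache.example"),),),
    "subjectAltName": (("DNS", "*.polycache.example"),),
}
CERT_CN_ONLY = {  # legacy certificate with no SAN extension
    "subject": ((("countryName", "GB"),), (("commonName", "cdn.polycache.example"),)),
}


if __name__ == "__main__":
    # The situation described in the thread: a polycache node presenting a
    # certificate issued for gate-logic.com.
    print(audit(CERT_GATE_LOGIC, "cdn.polycache.example"))
    print(audit(CERT_POLYCACHE_WILDCARD, "cdn.polycache.example"))
```

    In practice `ssl.create_default_context()` performs this check for you and raises `ssl.SSLCertVerificationError` on a mismatch; the value of writing it out is seeing that a mismatch is a deterministic property of the name list, not a transient glitch. Note also that name matching says nothing about how the certificate was validated: the domain-validated versus extended-validation distinction the post raises lives in the issuer's certificate-policy OIDs, which this code does not inspect.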
  • Degenerate Forumite
    2.2K Posts
    Anonymous domain regs, VPS hosted accounts - all this adds up to the fact that even if Santander have not been compromised, they're so incompetent with their web security that no-one should trust them.
  • vinh1000 Forumite
    1K Posts
    Called them up and Santander are confused as they have not heard of this.
  • I didn't read any of this information until this morning (20th), so knew nothing about it until I tried to log on to Alliance & Leicester today. I went through the usual log-on requirements and then was told my account was blocked. On phoning A&L I was told that someone had tried to access my accounts on 10th and 12th April (one attempt at 5 a.m.!) but as they did not recognise the computer they blocked the account. Whether this has anything to do with this security breach or not, I don't know, but it certainly is making me have second thoughts about internet banking.
This discussion has been closed.