Do not login to A&L this morning - HACKED
Comments
-
On phoning A&L I was told that someone had tried to access my accounts on 10th and 12th April (one attempt at 5 a.m.!) but as they did not recognise the computer they blocked the account. Whether this has anything to do with this security breach or not, I don't know.
-
There hasn't been any security breach.
So Santander says. People with an understanding of web technology who have analysed the code on their website and where it led to do not regard their explanation as credible. The best case is that they are guilty of heinously stupid security practices; more likely they have been compromised.
-
A&L/Santander claim that there was no hack but a 'failure'. This remains a point of contention, but if they say it is a trusted 3rd party I have little room to dispute that at this stage.
Initially there was a cert mismatch, which was rectified on Monday. This has not been explained, only suggesting there was a "failure"; more insight into this would be appreciated. Again, an anonymous domain gate-logic with an email-validated cert (you can have one for 15 pounds)! Seeing the lax practices at the 3rd party, it wouldn't surprise me that any of their devs could modify the JS at any time. These guys simply aren't taking security and (if legit) certainly not 'trust' seriously. Even now, when the SSL cert mismatch is cleared up, if you follow the URLs called you'll see "You are connected to polycache which is run by (unknown)" etc.
After that point, I called it a hack because all along it smelt/tasted/looked like a hack. This is the same view a number of people (smarter than I) shared, including a major tech news site (it's red) investigating even after Santander's denial late yesterday; their security expert shared my serious concerns. [My security expert] reckons it's potentially one more script away from doing something bad. I'm gonna call A&L.
Example path to an attack: Linode only have a certain number of physical nodes at each POP; sign up a certain number of VPSs (each is distributed to a different physical node according to their FAQ), wait for a Xen hypervisor vulnerability (sign up to daily security bulletins), and bingo, modify the JS and steal what you want. It's only $20-$60 per VPS to get onto the same server as the 3rd party. I host with Linode and don't expect such to happen, but it is well within the realms of risk-planning (hypervisors have been exploited before). It's an unnecessary widening of the attack vector by a very significant scale.
The email-validated certs make it impossible to verify any trust; the certs are practically anonymous. There exist other potential attack vectors which are weaker than what you would expect for a serious bank.
I'm writing an article now about how A&L/Santander are setting themselves up for a major security failure with this setup. It's a disgrace that Santander invest millions in IT development and security (400-600+ euros a day for consultants) and endorse such a flimsy 3rd-party setup as legitimate.
At this stage, even if I accept Santander's response, I've lost all faith in them as a secure setup. It's like having a bulletproof car fit for a prince, with triple-reinforced windows and run-flat tyres, but the left-side passenger window is a single pane from the local glass/picture-framing merchant that cost 18 pounds per sqm. Beggars belief!
In Thailand they have a saying when one sees silly business practices or stuff that makes the head explode: TIT - This Is Thailand. I think we need one for Santander: TIS - "That Is Santander".
-
I suggest you write a serious, to-the-point letter concisely and clearly detailing your specific concerns to the Bank of England, requesting that they open an investigation into whether Santander is currently a "fit and proper" organisation to carry out financial business in the UK.
Such a letter should also clearly identify your own bona fides/experience in the field of security/software so as not to be dismissed as a 'moaner'.
-
-
Santander has relinquished control of parts of its "secure" site voluntarily to some shady looking characters. Regardless of whether or not there was a breach, it is not safe to do business with a company set up like this.
-
And of course, we know everything about the business partners of all the other banks we deal with.........
-
And of course, we know everything about the business partners of all the other banks we deal with.........
You miss the point completely. Santander are sharing their security boundary with operations that register anonymous domains. There can be no legitimate reason for this. We may not know everything about other banks' online business partners, but at least we can be assured that they are legitimate companies with traceable addresses. Anyone could create an identity like these Polycache folks with nothing more than a payment card and a few spare minutes. It's inexcusable.
-
Out of interest, I took a cursory look at the source of the secure login pages of a couple of other banks and they don't seem to pull any page assets from third party domains. That's how it should be. It makes no sense to have a login page that is strewn across various servers (of questionable reputation) on the wider internet, like the wreckage of a plane crash. It makes the job of properly securing everything impossibly hard, and if there is a weak link somewhere, as there appears to be here, then it will just be a matter of time before it gets exploited.
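The "cursory look at the source" described in the post above can be made systematic. The following Python script is an added example, not part of the original thread and not from any bank or from Polycache: it parses a saved copy of a login page's HTML and lists every resource the browser would fetch from, or post to, a host outside the bank's own domain, ranking script, iframe, object, embed and form targets as high risk (they can execute code on the page or receive the submitted credentials) and images and stylesheets as low risk. The sample HTML and all host names in it are constructed for the example; the bank's registrable domain is passed in as a parameter because deciding what counts as "the same organisation" properly needs the Public Suffix List, which the example does not ship.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a remote resource or send
# form data somewhere. Inline scripts are not listed: they are part of the
# page itself and do not widen the set of hosts being trusted.
ASSET_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}

# Tags that can run code in the page or receive what the user types.
HIGH_RISK_TAGS = {"script", "iframe", "object", "embed", "form"}


class AssetCollector(HTMLParser):
    """Collects (tag, url) for every external reference in the markup."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ASSET_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                self.refs.append((tag, value.strip()))


def is_first_party(host, first_party_domain):
    """True if host is the first-party domain or a subdomain of it."""
    host = host.lower()
    first_party_domain = first_party_domain.lower()
    return host == first_party_domain or host.endswith("." + first_party_domain)


def third_party_assets(html, page_url, first_party_domain):
    """Return a list of findings for every reference to a non-first-party host.

    page_url is the URL the page was fetched from; relative and
    protocol-relative references are resolved against it.
    """
    parser = AssetCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for tag, ref in parser.refs:
        parts = urlsplit(urljoin(page_url, ref))
        if parts.scheme in ("data", "javascript", "about"):
            continue  # inline content, no network request
        host = parts.hostname or page_host
        if is_first_party(host, first_party_domain):
            continue
        findings.append({
            "tag": tag,
            "host": host,
            "url": parts.geturl(),
            "risk": "high" if tag in HIGH_RISK_TAGS else "low",
        })
    return findings


# Constructed sample: a login page that mixes first-party assets with a
# script from an unrelated host and a tracking pixel. All names are made up.
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/login.css">
<script src="/static/login.js"></script>
<script src="//gate.third-party.invalid/gate.js"></script>
<script src="https://static.bank.example/lib.js"></script>
</head><body>
<form action="https://login.bank.example/submit"><input name="pin"></form>
<img src="https://tracker.example.net/pixel.gif">
<img src="data:image/gif;base64,R0lGOD">
<script>var inline = 1;</script>
</body></html>
"""


def demo():
    """Run the check over the constructed sample and print the findings."""
    findings = third_party_assets(
        SAMPLE_LOGIN_PAGE, "https://login.bank.example/login", "bank.example")
    for f in findings:
        print(f"[{f['risk']:4}] <{f['tag']}> loads from {f['host']}: {f['url']}")
    return findings


if __name__ == "__main__":
    demo()
```

On a real page the script is run against the saved HTML of the login page; anything it reports under "high" is a host whose operator, or anyone who can alter files on that host, can change what happens to the credentials typed into the form, which is exactly the concern raised about the anonymous third party in this thread. A page that is "strewn across" several hosts shows up as several distinct entries, each of which has to be vetted separately.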
-
And of course, we know everything about the business partners of all the other banks we deal with.........
What we don't know is irrelevant. What we do know is that Santander are happy to involve an unknown 3rd party and use obfuscation. Nobody in the security community would argue this is anything but a good thing.