We'd like to remind Forumites to please avoid political debate on the Forum. This is to keep it a safe and useful space for MoneySaving discussions. Threads that are - or become - political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.

Do not login to A&L this morning - HACKED

12357

Comments

  • Biggles
    Biggles Posts: 8,209 Forumite
    1,000 Posts Combo Breaker
    ellejay6 wrote: »
    On phoning A & L I was told that someone had tried to access my accounts on 10th and 12th April ( one attempt at 5 a.m.! ) but as they did not recognise the computer they blocked the account.
    That sounds a little unlikely, as I have accessed all my accounts, at various banks, from sundry computers all over the world and not been blocked because they weren't recognised. It sounds more likely that someone accidentally keyed the wrong account ID and was blocked because it didn't match their password.
    Whether this has anything to do with this security breach or not, I don't know
    There hasn't been any security breach.
  • Degenerate
    Degenerate Posts: 2,166 Forumite
    Biggles wrote: »
    There hasn't been any security breach.

    So Santander says. People with an understanding of web technology who have analyzed the code on their website and where it led to do not regard their explanation as credible. The best case is that they are guilty of heinously stupid security practices, more likely they have been compromised.
  • mattcodes
    mattcodes Posts: 19 Forumite
    edited 20 April 2011 at 4:05PM
    A&L/Santander claim that there was no hack but a 'failure', this remains a point of contention but if they say it is a trusted 3rd party I have little room to dispute that at this stage.

    Initially there was a cert mismatch, which was rectified on Monday, this has not been explained only suggesting their was a "failure", more insight into this would be appreciated. Again an anonymous domain gate-logic with email validated cert (you can have one for 15 pound)! Seeing the lax practices at the 3rd party it wouldnt be surprise me that any of their dev could modify the JS at anytime. These guys simply aren't taking security and (if legit) certainly not 'trust' seriously. Even now when the SSL cert mismatch is cleared up if you follow URLs called you'll see "You are connected to polycache which is run by (unknown)" etc

    After that point, I called it hack because all along it smelt/tasted/looked like a hack, this is the same view a number of people (smarter than I) shared, including a major tech news site (its red) investigating even after Santander's denial late yesterday, their security expert shared my serious concerns.
    [My security expert] reckons it's potentially one more script away from doing something bad. Im gonna call A&L
    I illustrated several issues before in a post, that lead me to believe and others to believe this. It is more concerning that A&L/Santander are endorsing this 3rd party and there are several alarming weakness that remain with this 3rd party setup.

    Example path to an attack: Linode only have a certain number of physical nodes at each POP, signup a certain number of VPS (each is distributed to a different physical node according to their FAQ), wait for Xen hypervisor vulnerability (signup to daily security bulletins), and bingo modify the JS steal what you want, its only $20-$60 per VPS to get onto the same server as the 3rd party. I host with Linode and don't expect such to happen but it is well within the realms of risk-planning (hypervisors have been before exploited). Its an unnecessary widening of the attack vector by a very significant scale.

    The validated by email certs making it impossible to verify any trust, the certs are practically anonymous. There exist other potential attack vectors which are weaker than what you would expect for a serious bank.

    Im writing an article now about how A&L/Santander are setting themselves up for a major security failure with this setup. Its a disgrace that Santander invest millions in IT development and security (400-600 + euros a day consultants) and endorse such filmsy 3rd setup as legitmate.

    At this stage even if I accept Santander's response I've lost all faith in them as a secure setup. Its like having a bullet proof car fit for a prince with triple reinforced windows and run flat tyres, but the left side passenger window is a single pane from the local glass/picture-framing merchant that cost 18 pound per sqm. Beggars belief!

    In Thailand they have a saying when one see's silly business practices or stuff that makes the head explode - TIT - This Is Thailand. I think we need one for santander - TIS - "That Is Santander"
  • I suggest you write a serious to the point letter consisely and clearly detailing your specific concerns to the Bank of England requesting that they open an investigation into whether Santander is currently a "fit and proper" organisation to carry out financial business in the UK.
    Such a letter should also clearly identify your own bonefides/experience in the field of security/software so as not to be dismissed as a 'moaner'.
  • masonic
    masonic Posts: 25,476 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Biggles wrote: »
    There hasn't been any security breach.
    Santander has relinquished control of parts of its "secure" site voluntarily to some shady looking characters. Regardless of whether or not there was a breach, it is not safe to do business with a company set up like this.
  • Biggles
    Biggles Posts: 8,209 Forumite
    1,000 Posts Combo Breaker
    masonic wrote: »
    Santander has relinquished control of parts of its "secure" site voluntarily to some shady looking characters. Regardless of whether or not there was a breach, it is not safe to do business with a company set up like this.
    And of course, we know everything about the business partners of all the other banks we deal with.........
  • masonic
    masonic Posts: 25,476 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Biggles wrote: »
    And of course, we know everything about the business partners of all the other banks we deal with.........
    If it comes down to a choice between a bank where something is dodgy or a bank where everything appears to be secure, I'd choose the latter. As soon as something this dodgy is known about another bank, I'll say it's unsafe to bank there too.
  • Degenerate
    Degenerate Posts: 2,166 Forumite
    Biggles wrote: »
    And of course, we know everything about the business partners of all the other banks we deal with.........

    You miss the point completely. Santander are sharing their security boundary with operations that register anonymous domains. There can be no legitimate reason for this. We may not know everything about other bank's online business partners, but at least we can be assured that they are legitimate companies with traceable addresses. Anyone could create an identity like these Polycache folks with nothing more than a payment card and a few spare minutes. It's inexcusable.
  • masonic
    masonic Posts: 25,476 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Out of interest, I took a cursory look at the source of the secure login pages of a couple of other banks and they don't seem to pull any page assets from third party domains. That's how it should be. It makes no sense to have a login page that is strewn across various servers (of questionable reputation) on the wider internet, like the wreckage of a plane crash. It makes the job of properly securing everything impossibly hard, and if there is a weak link somewhere, as there appears to be here, then it will just be a matter of time before it gets exploited.
  • Biggles wrote: »
    And of course, we know everything about the business partners of all the other banks we deal with.........

    What we don't know is irrvelevant. What we do know Santander are happy to involve a unknown 3rd party and use obscurification. Nobody in the security community would argue this is anything but a good thing.
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 348.2K Banking & Borrowing
  • 252.1K Reduce Debt & Boost Income
  • 452.3K Spending & Discounts
  • 240.7K Work, Benefits & Business
  • 617K Mortgages, Homes & Bills
  • 175.6K Life & Family
  • 253.9K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16K Discuss & Feedback
  • 15.1K Coronavirus Support Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.