Do not login to A&L this morning - HACKED

edited 19 April 2011 at 8:01AM in Budgeting & Bank Accounts

Replies

  • Biggles Forumite
    ellejay6 wrote: »
    On phoning A & L I was told that someone had tried to access my accounts on 10th and 12th April (one attempt at 5 a.m.!) but as they did not recognise the computer they blocked the account.
    That sounds a little unlikely, as I have accessed all my accounts, at various banks, from sundry computers all over the world and not been blocked because they weren't recognised. It sounds more likely that someone accidentally keyed the wrong account ID and was blocked because it didn't match their password.
    Whether this has anything to do with this security breach or not, I don't know.
    There hasn't been any security breach.
  • Degenerate Forumite
    Biggles wrote: »
    There hasn't been any security breach.

    So Santander says. People with an understanding of web technology who have analyzed the code on their website and where it led to do not regard their explanation as credible. The best case is that they are guilty of heinously stupid security practices, more likely they have been compromised.
  • mattcodes Forumite
    edited 20 April 2011 at 4:05PM
    A&L/Santander claim that there was no hack but a 'failure'. This remains a point of contention, but if they say it is a trusted 3rd party I have little room to dispute that at this stage.

    Initially there was a cert mismatch, which was rectified on Monday. This has not been explained beyond suggesting there was a "failure"; more insight into this would be appreciated. Again, an anonymous domain (gate-logic) with an email-validated cert (you can have one for 15 pounds)! Seeing the lax practices at the 3rd party, it wouldn't surprise me if any of their devs could modify the JS at any time. These guys simply aren't taking security, and (if legit) certainly not 'trust', seriously. Even now, when the SSL cert mismatch is cleared up, if you follow the URLs called you'll see "You are connected to polycache which is run by (unknown)" etc.

    After that point, I called it a hack because all along it smelt/tasted/looked like a hack. This is the same view a number of people (smarter than I) shared, including a major tech news site (it's red) investigating even after Santander's denial late yesterday; their security expert shared my serious concerns.
    [My security expert] reckons it's potentially one more script away from doing something bad. I'm gonna call A&L
    I illustrated several issues before in a post that led me, and others, to believe this. It is more concerning that A&L/Santander are endorsing this 3rd party, and there are several alarming weaknesses that remain with this 3rd party setup.

    Example path to an attack: Linode only have a certain number of physical nodes at each POP. Sign up for a certain number of VPSs (each is distributed to a different physical node according to their FAQ), wait for a Xen hypervisor vulnerability (sign up to daily security bulletins), and bingo: modify the JS and steal what you want. It's only $20-$60 per VPS to get onto the same server as the 3rd party. I host with Linode and don't expect such to happen, but it is well within the realms of risk-planning (hypervisors have been exploited before). It's an unnecessary widening of the attack vector by a very significant scale.

    The email-validated certs make it impossible to verify any trust; the certs are practically anonymous. There exist other potential attack vectors which are weaker than what you would expect for a serious bank.

    I'm writing an article now about how A&L/Santander are setting themselves up for a major security failure with this setup. It's a disgrace that Santander invest millions in IT development and security (400-600+ euros a day for consultants) and endorse such a flimsy 3rd party setup as legitimate.

    At this stage, even if I accept Santander's response, I've lost all faith in them as a secure setup. It's like having a bullet-proof car fit for a prince with triple-reinforced windows and run-flat tyres, but the left side passenger window is a single pane from the local glass/picture-framing merchant that costs 18 pounds per sqm. Beggars belief!

    In Thailand they have a saying when one sees silly business practices or stuff that makes the head explode - TIT - This Is Thailand. I think we need one for Santander - TIS - "That Is Santander".
  • ChiefGrasscutter Forumite
    I suggest you write a serious, to-the-point letter, concisely and clearly detailing your specific concerns, to the Bank of England, requesting that they open an investigation into whether Santander is currently a "fit and proper" organisation to carry out financial business in the UK.
    Such a letter should also clearly identify your own bona fides/experience in the field of security/software so as not to be dismissed as a 'moaner'.
  • masonic Forumite
    Biggles wrote: »
    There hasn't been any security breach.
    Santander has relinquished control of parts of its "secure" site voluntarily to some shady looking characters. Regardless of whether or not there was a breach, it is not safe to do business with a company set up like this.
  • Biggles Forumite
    masonic wrote: »
    Santander has relinquished control of parts of its "secure" site voluntarily to some shady looking characters. Regardless of whether or not there was a breach, it is not safe to do business with a company set up like this.
    And of course, we know everything about the business partners of all the other banks we deal with.........
  • masonic Forumite
    Biggles wrote: »
    And of course, we know everything about the business partners of all the other banks we deal with.........
    If it comes down to a choice between a bank where something is dodgy or a bank where everything appears to be secure, I'd choose the latter. As soon as something this dodgy is known about another bank, I'll say it's unsafe to bank there too.
  • Degenerate Forumite
    Biggles wrote: »
    And of course, we know everything about the business partners of all the other banks we deal with.........

    You miss the point completely. Santander are sharing their security boundary with operations that register anonymous domains. There can be no legitimate reason for this. We may not know everything about other banks' online business partners, but at least we can be assured that they are legitimate companies with traceable addresses. Anyone could create an identity like these Polycache folks with nothing more than a payment card and a few spare minutes. It's inexcusable.
  • masonic Forumite
    Out of interest, I took a cursory look at the source of the secure login pages of a couple of other banks and they don't seem to pull any page assets from third party domains. That's how it should be. It makes no sense to have a login page that is strewn across various servers (of questionable reputation) on the wider internet, like the wreckage of a plane crash. It makes the job of properly securing everything impossibly hard, and if there is a weak link somewhere, as there appears to be here, then it will just be a matter of time before it gets exploited.
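The check masonic describes above (does a bank's login page pull assets from third-party domains?) as an added example; this is not code from the thread, from Santander/A&L or from any bank. It parses the HTML of a login page, resolves every script, frame, object, stylesheet and image URL, and splits the hosts into first-party and third-party by registrable domain, treating scripts and frames (which can run code in the page) separately from images and stylesheets (which only see the visit). It also flags assets fetched over plain HTTP, which the post does not mention. The page HTML and the host names (example-bank.co.uk, cdn.example.net, tracker.example.org, images.example.net) are constructed placeholders, and the small table of second-level suffixes is a stand-in for the Public Suffix List.

```python
"""Audit where a login page loads its assets from.

Added example, not code from the thread, from Santander/A&L or from any bank.
The HTML and the host names below (example-bank.co.uk, cdn.example.net,
tracker.example.org, images.example.net) are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch something when the page
# loads. "Active" sources can run code in (or framed inside) the login page;
# "passive" ones cannot, but still tell the remote host who is logging in.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("link", "href")}

# Simplified stand-in for the Public Suffix List: suffixes under which the
# registrable domain is three labels long rather than two. A real audit tool
# should use the full list (e.g. the publicsuffix2 package).
KNOWN_SECOND_LEVEL = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.nz", "co.jp"}


def registrable_domain(host):
    """Return the registered part of a host name, e.g.
    'online.example-bank.co.uk' -> 'example-bank.co.uk',
    'cdn.example.net' -> 'example.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _AssetCollector(HTMLParser):
    """Collect (tag, absolute URL, is_active) for every fetched resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.assets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # self-closing tags such as <img ...> also arrive here
        for t, a in ACTIVE | PASSIVE:
            if tag == t and attrs.get(a):
                self.assets.append((tag, urljoin(self.base_url, attrs[a]), (t, a) in ACTIVE))


def audit_login_page(html, page_url):
    """Classify every fetched resource as first- or third-party relative to
    the page's own registrable domain, and flag plain-HTTP fetches."""
    collector = _AssetCollector(page_url)
    collector.feed(html)
    first_party = registrable_domain(urlsplit(page_url).hostname)
    findings = []
    for tag, url, active in collector.assets:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data: and similar URLs do not contact another host
        host = parts.hostname or ""
        findings.append({
            "tag": tag,
            "url": url,
            "host": host,
            "active": active,
            "third_party": registrable_domain(host) != first_party,
            "plain_http": parts.scheme == "http",
        })
    return findings


def summarise(findings):
    """Reduce the findings to the three things worth acting on: third-party
    hosts that can run code in the page, third-party hosts that merely see
    the visit, and anything fetched over plain HTTP."""
    return {
        "active_third_party": sorted({f["host"] for f in findings if f["third_party"] and f["active"]}),
        "passive_third_party": sorted({f["host"] for f in findings if f["third_party"] and not f["active"]}),
        "insecure": sorted(f["url"] for f in findings if f["plain_http"]),
    }


# Constructed login page: a first-party stylesheet and script, a script on a
# sub-domain of the bank's own registrable domain, two third-party scripts
# (one over plain HTTP), a third-party image and an inline data: script.
PAGE_URL = "https://online.example-bank.co.uk/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/login.css">
<script src="/static/login.js"></script>
<script src="https://static.example-bank.co.uk/js/common.js"></script>
<script src="https://cdn.example.net/gate.js"></script>
<script src="http://tracker.example.org/t.js"></script>
<img src="https://images.example.net/logo.png">
<script src="data:text/javascript,void(0)"></script>
</head><body><form action="/login"></form></body></html>
"""

if __name__ == "__main__":
    for key, value in summarise(audit_login_page(SAMPLE_HTML, PAGE_URL)).items():
        print(f"{key}: {value}")
```

Run it against the saved HTML of the login page once it has fully loaded (scripts injected later by other scripts will not appear in the static source, so a browser's network panel is the complement to this check). Every host in active_third_party is one whose operators, or anyone who compromises them, can alter what the form does with the credentials typed into it; on a bank's login page that list should be empty.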
  • ashleypride Forumite
    Biggles wrote: »
    And of course, we know everything about the business partners of all the other banks we deal with.........

    What we don't know is irrelevant. What we do know is that Santander are happy to involve an unknown 3rd party and use obfuscation. Nobody in the security community would argue this is anything but a good thing.
This discussion has been closed.