I was linked into an online bank account!
I don't see this as a major security flaw by the bank.
The only reason that the OP could access the link was because some computer illiterate individual managed to copy and paste a live link from her account page, and send it to him. If she had not done that, there would be no problem.
It is a security flaw.
The live link should never have allowed the page to be displayed without checking that the correct session cookies/IP address (or whatever they use for security) was in place. The only person able to view that page should have been the customer - anyone else should have been shown a log in page (or similar)
Perhaps a warning should go out to people not to copy and paste their online bank details?
I've emailed the link of this topic to the lady concerned and asked if she would like to comment.
I’ve just spoken with the IT internet security helpdesk at Nationwide online banking and they said that they think the only way it could be possible to link and gain access to another person's online bank details from another PC in another location is when their session is still open.
However, when I spoke to the lady last night she had ended her session, and whilst I was speaking to her I emailed back the link I clicked on and accessed her account with, and she could not access her own details, yet I still could.
It’s staggering to think that all anyone would have to do is randomly check the link at times when it is most likely that a person may be logged into a session of their online bank account.
Surely this can’t be right?
I’ve just spoken with the IT internet security helpdesk at Nationwide online banking and they said that they think the only way it could be possible to link and gain access to another person's online bank details from another PC in another location is when their session is still open.
Even in this case it should not be possible. As I said before, their system should be creating session cookies on her machine, so even if she was logged on it wouldn't let you access it - as you wouldn't have the cookie.
If what the Nationwide helpdesk say is true then it looks like another hefty fine might be coming Nationwide's way.
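The check the replies above describe (session cookie required, anyone else sent to the login page, nothing usable once the session has ended), sketched as an added example that is not part of any post and is not the bank's code. The function names, the `sid` cookie name, the `/accounts/<customer>` path and the `bank.example` host are all assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSIONS = {}  # server-side store (hypothetical): session id -> customer id

def login(customer_id):
    """Create a server-side session and return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = customer_id
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True      # only ever sent over HTTPS
    cookie["sid"]["httponly"] = True    # not readable from page scripts
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

def _sid_from(cookie_header):
    """Extract the session id from a Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["sid"].value if "sid" in jar else None

def logout(cookie_header):
    """End the session on the server, so the old cookie stops working too."""
    SESSIONS.pop(_sid_from(cookie_header), None)

def handle(url, cookie_header=None):
    """Return (status, headers, body) for a request to an account page."""
    # Only the path is read: anything in the query string of a copied
    # link is ignored and can never authenticate the request.
    owner = urlsplit(url).path.rsplit("/", 1)[-1]
    customer = SESSIONS.get(_sid_from(cookie_header))
    if customer is None:                # no cookie, or session has ended
        return 302, {"Location": "/login"}, ""
    if customer != owner:               # logged in, but as someone else
        return 403, {}, ""
    # no-store keeps the page out of browser and intermediate caches
    return 200, {"Cache-Control": "no-store"}, f"statement for {owner}"
```

With this shape, a link pasted into an email is only an address: opened anywhere without the customer's live cookie it leads to the login page.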
I don't know much about how it should be or how it shouldn’t be, all I know is that it is possible as I managed to gain access to this online account without any difficulties... in fact you could say I was directed to it!
And if there are fines involved then so they should be for allowing this to happen.
Perhaps some of the more techy people can comment: In the past one reason for such a security hole is that data is cached in intermediate computers and the accidental view is via that cache. Such holes are supposed to be well known and plugged by now. But the real mystery on this one is the fact that https appears to be in use.
Surely with https, unique keys have to be exchanged in order for the page to be decrypted. How can a different PC have got access to the correct key?
It was probably not wise to publish that link as it offers hackers around the world a profile of the link structure for a security hole that is as yet not plugged.
It was probably not wise to publish that link as it offers hackers around the world a profile of the link structure for a security hole that is as yet not plugged.
Agreed, getoblast it might be an idea to edit your earlier post that had the link in it so that the link is removed.
I have now edited the link, but cledor may need to do the same as this member has quoted the details in their post.
Looks like it's checking sessions fine to me, if I try to access it even in a different browser window on the same machine it throws it out, back to the login screen.