Online Bank Security - BROKEN !?!?!
Comments
-
Interesting. http://www.youtube.com/watch?v=0SgGMj3Mf88&t=3m14s
Collect your reward :j
V0xOT09PV1RFR0FFTUNFQkUyRURFVU5VQU9JQUNSTU9JMFIxTE9ZUllSWUJOSEtQRURTWCU=0 -
6 6 6 has been given internet access again. Can't last very long until they get banned again.0
-
If Mr Cameron gets his way there will soon be a mandatory backdoor into all of these protocols anyway, so the existence of other backdoors and vulnerabilities will be somewhat academic.0
-
If Mr Cameron gets his way there will soon be a mandatory backdoor into all of these protocols anyway, so the existence of other backdoors and vulnerabilities will be somewhat academic.
If that happens then say goodbye to legit private encryption. Secure backdoors are impossible! But the stupid politicians don't understand tech security so the only real security will be pushed underground.0 -
Banks know that the weakest link is the users (falling for phishing or malware) rather than the technology. Quite a few return RC4 ciphers as item 1 in their priority list during the https negotiation even though they also support stronger ciphers. I don't think users need to worry too much about this as the resources needed to get the encrypted data stream and decrypt it are beyond the scammer's capabilities at the moment.
I expect the banks will act quickly to fix their poorer technology if there is ever a major hack attributed to a weaker cipher.0 -
Banks know that the weakest link is the users (falling for phishing or malware) rather than the technology. Quite a few return RC4 ciphers as item 1 in their priority list during the https negotiation even though they also support stronger ciphers.
You will no doubt be aware that the handshake involves the user first sending the set of all of the cipher suites it is able to use and the server then selecting from that list the highest priority option it also supports. So, there is no concept of prioritisation from the user perspective. However, the user (or more practically the browser vendor) is able to remove support for those weaker options at the risk of not being able to connect to certain sites.
The problems really arise, particularly with the new logjam threat, where a man in the middle meddles with the cipher suite list offered by the user, so that only weak options are sent and forcing the server to choose one of these if it happens to support it. Some of these certainly are within the means of an attacker to break.
I think the lack of support for the more modern protocols and ciphers is indicative of a lack of diligence on the part of the banks. Nobody can use these secure protocols if the banks don't support them. However, it is the responsibility of banks to refund customers in cases of fraud where the customer has not been negligent, so it is up to them how much they want to do to stem those costs. I certainly agree there is much lower hanging fruit.0 -
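An added example, not part of the original posts: a simplified Python model of the suite-selection step the two posts above describe, showing that moving strong suites to the top of the server's list fixes the normal case while a weak-only offer still negotiates RC4 until the weak suites are removed. The suite lists are constructed for illustration and server-side ordering is assumed; it models selection only, not the rest of the handshake.

```python
# Added example: simplified model of the cipher-suite selection step only.
# All suite lists are constructed for illustration, not taken from any real site.
RC4 = "TLS_RSA_WITH_RC4_128_SHA"
EXPORT = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
ECDHE_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
DHE_GCM = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

WEAK_MARKERS = ("RC4", "EXPORT", "NULL")

def is_weak(suite):
    """Flag suites whose name contains a known-weak component."""
    return any(marker in suite for marker in WEAK_MARKERS)

def select_suite(client_offer, server_prefs):
    """Server-order selection (an assumption): first server suite the client offered."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None  # no overlap: the handshake fails instead of downgrading

def audit(server_prefs, client_offer):
    """Compare what a full offer and a weak-only offer would negotiate."""
    weak_only = [s for s in client_offer if is_weak(s)]
    return {
        "full_offer": select_suite(client_offer, server_prefs),
        "weak_only_offer": select_suite(weak_only, server_prefs),
        "weak_enabled": [s for s in server_prefs if is_weak(s)],
    }

# Constructed legacy client that still offers weak suites.
CLIENT = [ECDHE_GCM, DHE_GCM, RC4, EXPORT]
# Constructed server configurations.
SERVERS = {
    "rc4_first": [RC4, ECDHE_GCM, EXPORT],   # RC4 at the top of the priority list
    "reordered": [ECDHE_GCM, RC4, EXPORT],   # strong first, weak still enabled
    "hardened": [ECDHE_GCM, DHE_GCM],        # weak suites removed
}

if __name__ == "__main__":
    for name, prefs in SERVERS.items():
        print(name, audit(prefs, CLIENT))
```

Running `audit` against a server's real enabled-suite list, in its configured order, gives the same three-way view for a configuration review.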
https://drownattack.com
TL;DR
http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
Collect your reward :j
V0xOT09PV1RFR0FFTUNFQkUyRURFVU5VQU9JQUNSTU9JMFIxTE9ZUllSWUJOSEtQRURTWCU=0 -
Please don't shout:(0
-
coming to this thread a little late - another one for the Ignore List :j
The questions that get the best answers are the questions that give most detail....0
This discussion has been closed.