
Online Bank Security - BROKEN !?!?!

Comments

  • 6_6_6
    6_6_6 Posts: 65 Forumite
    edited 29 June 2015 at 1:20AM
    Collect your reward :j
    V0xOT09PV1RFR0FFTUNFQkUyRURFVU5VQU9JQUNSTU9JMFIxTE9ZUllSWUJOSEtQRURTWCU=
  • colsten
    colsten Posts: 17,597 Forumite
    10,000 Posts Seventh Anniversary Photogenic Name Dropper
    6 6 6 has been given internet access again. Can't last very long until they get banned again.
  • masonic
    masonic Posts: 27,301 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    If Mr Cameron gets his way there will soon be a mandatory backdoor into all of these protocols anyway, so the existence of other backdoors and vulnerabilities will be somewhat academic.
  • anoncol
    anoncol Posts: 982 Forumite
    masonic wrote: »
    If Mr Cameron gets his way there will soon be a mandatory backdoor into all of these protocols anyway, so the existence of other backdoors and vulnerabilities will be somewhat academic.

    If that happens then say goodbye to legit private encryption. Secure backdoors are impossible! But the stupid politicians don't understand tech security so the only real security will be pushed under ground.
  • Graham1
    Graham1 Posts: 445 Forumite
    Banks know that the weakest link is the users (falling for phishing or malware) rather than the technology. Quite a few return RC4 ciphers as item 1 in their priority list during the https negotiation even though they also support stronger ciphers. I don't think users need to worry too much about this as the resources needed to get the encrypted data stream and decrypt it are beyond the scammer's capabilities at the moment.
    I expect the banks will act quickly to fix their poorer technology if there is ever a major hack attributed to a weaker cipher.
  • masonic
    masonic Posts: 27,301 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Graham1 wrote: »
    Banks know that the weakest link is the users (falling for phishing or malware) rather than the technology. Quite a few return RC4 ciphers as item 1 in their priority list during the https negotiation even though they also support stronger ciphers.
    You will no doubt be aware that the handshake involves the user first sending the set of all of the cipher suites it is able to use and the server then selecting from that list the highest priority option it also supports. So, there is no concept of prioritisation from the user perspective. However, the user (or more practically the browser vendor) is able to remove support for those weaker options at the risk of not being able to connect to certain sites.

    The problems really arise, particularly with the new Logjam threat, where a man in the middle meddles with the cipher suite list offered by the user, so that only weak options are sent, forcing the server to choose one of these if it happens to support it. Some of these certainly are within the means of an attacker to break.

    I think the lack of support for the more modern protocols and ciphers is indicative of a lack of diligence on the part of the banks. Nobody can use these secure protocols if the banks don't support them. However, it is the responsibility of banks to refund customers in cases of fraud where the customer has not been negligent, so it is up to them how much they want to do to stem those costs. I certainly agree there is much lower hanging fruit.
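    The negotiation described in the two posts above (the server picking from the client's offered list, a bank listing RC4 first, and a man in the middle trimming the offer so that only a weak suite survives) can be walked through in a small model. The following is an added example written for this page, not code from the thread or from any bank or browser. It is a toy: the cipher-suite names follow the IANA/OpenSSL style, but the strength ranking, the set of suites the attacker is assumed able to break quickly enough to forge the Finished message (the Logjam situation with export-grade parameters), the session key and the transcript MAC are all simplifications chosen for illustration. It also models the case where the server honours the client's order instead of its own, since that is a server-side configuration choice.

```python
"""Toy model of TLS cipher-suite negotiation and a ClientHello downgrade.

Added example for this page, not code from the thread. The handshake is
simplified: real TLS hashes the whole transcript into each side's Finished
message; here that is an HMAC over the offer each side saw plus the chosen
suite, under a fixed toy session key.
"""
import hashlib
import hmac

# Assumed strength ranking for the example (higher = stronger); not a standard.
STRENGTH = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 5,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 4,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 3,
    "TLS_RSA_WITH_RC4_128_SHA": 2,
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA": 1,
}
# Assumption: suites the toy attacker can break fast enough to recover the
# session key mid-handshake and forge the Finished message (Logjam/FREAK style).
ATTACKER_CAN_BREAK = {"TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}


def server_select(client_offer, server_prefs, honour_server_order=True):
    """The server, not the client, chooses: its own top preference that the
    client offered, or (if configured to honour client order) the client's
    first suite that the server supports."""
    if honour_server_order:
        return next((s for s in server_prefs if s in client_offer), None)
    return next((s for s in client_offer if s in server_prefs), None)


def transcript(offer, chosen):
    return ("|".join(offer) + "->" + chosen).encode()


def handshake(client_offer, server_prefs, mitm=None, honour_server_order=True):
    """Run the toy handshake. `mitm` optionally rewrites the ClientHello in
    flight. Each side MACs its own view of the transcript; a mismatch aborts
    unless the attacker recovered the session key and re-MACs the Finished."""
    sent = list(client_offer)                 # what the client actually offered
    seen = mitm(sent) if mitm else sent       # what the server received
    suite = server_select(seen, server_prefs, honour_server_order)
    if suite is None:
        return {"ok": False, "suite": None, "reason": "no common suite"}
    key = b"toy-session-key"                  # real TLS derives this from the key exchange
    client_fin = hmac.new(key, transcript(sent, suite), hashlib.sha256).digest()
    server_fin = hmac.new(key, transcript(seen, suite), hashlib.sha256).digest()
    if mitm and suite in ATTACKER_CAN_BREAK:
        # Attacker broke the weak key exchange, knows `key`, and replaces the
        # server's Finished with one matching the client's untampered view.
        server_fin = client_fin
    if not hmac.compare_digest(client_fin, server_fin):
        return {"ok": False, "suite": suite, "reason": "Finished mismatch: tampering detected"}
    return {"ok": True, "suite": suite, "reason": ""}


def strip_to_weakest(offer):
    """Man in the middle: forward only the weakest suite the client offered."""
    return [min(offer, key=STRENGTH.get)]


# Constructed offers and preference lists (not real browser or bank configurations).
CLIENT_DEFAULT = [  # a 2015-era client still offering RC4 and an export suite
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
CLIENT_NO_EXPORT = CLIENT_DEFAULT[:4]         # vendor removed export suites
CLIENT_NO_WEAK = CLIENT_DEFAULT[:3]           # vendor removed RC4 and export suites
BANK_RC4_FIRST = [                            # server that lists RC4 first
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
BANK_HARDENED = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for label, args in [
        ("bank prefers RC4, honest network", (CLIENT_DEFAULT, BANK_RC4_FIRST)),
        ("bank honours client order", (CLIENT_DEFAULT, BANK_RC4_FIRST, None, False)),
        ("client dropped weak suites", (CLIENT_NO_WEAK, BANK_RC4_FIRST)),
        ("MITM strips offer, export still supported", (CLIENT_DEFAULT, BANK_RC4_FIRST, strip_to_weakest)),
        ("MITM strips offer, no export suite", (CLIENT_NO_EXPORT, BANK_RC4_FIRST, strip_to_weakest)),
        ("MITM strips offer, hardened bank", (CLIENT_DEFAULT, BANK_HARDENED, strip_to_weakest)),
    ]:
        print(f"{label}: {handshake(*args)}")
```

Two things the model makes visible: with server ordering in force, a client can list AES first and still be given RC4 (the first scenario), and trimming the client's offer only pays off for the attacker when the server still supports a suite weak enough to break during the handshake, since otherwise the mismatched transcripts show up in the Finished exchange. Removing the weak suites on either side closes the downgrade, at the cost masonic notes of failing to connect to sites that offer nothing else.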
  • 6_6_6
    6_6_6 Posts: 65 Forumite
    https://drownattack.com

    TL;DR

    http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
    Collect your reward :j
    V0xOT09PV1RFR0FFTUNFQkUyRURFVU5VQU9JQUNSTU9JMFIxTE9ZUllSWUJOSEtQRURTWCU=
  • badger09
    badger09 Posts: 11,596 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Please don't shout:(
  • mgdavid
    mgdavid Posts: 6,710 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    coming to this thread a little late - another one for the Ignore List :j
    The questions that get the best answers are the questions that give most detail....
This discussion has been closed.