Turn Left - A weblog by InetSolution

Good Security on Banking Site No Match for Poor Security Elsewhere

By Jason Sherrill
Posted on Mar 9, 2010

Marc Rapport's advice in his article at CUTimes.com is a good reminder that even high-caliber security like MemberProtect provides cannot protect bank and credit union users who don't exercise good judgment when managing their online identities.

As web developers who use MemberProtect know, our flagship security product goes to extremes to safeguard member data, especially sensitive information like passwords and challenge question answers. But one security problem that it cannot overcome is users who use the same username and password combination for all of their online activities.

As programmers and security consultants, we can tell you far too many stories about sites that were supposedly secure but actually stored data like usernames and passwords with weak, reversible encryption, or in far too many cases with no protection at all. (A password should never be stored in a form the site itself can recover; a salted, deliberately slow hash is the accepted practice.) While those sites may not contain any sensitive financial or personal information, the usernames and passwords they hold can give an attacker access to other websites that do, such as online banking sites. Let's look at an example that illustrates the point (I've changed the names to protect the websites and people involved).

Mary has an account at her favorite photo sharing site, www.mydoggyphotos.com. She created her username there as marydoe with a password of mydogbingo*1. Mary also has an online banking account with her credit union (let's say it is www.myfavoritecu.com) where her username is also marydoe and her password is also mydogbingo*1. My Favorite Credit Union has decent security on its website: it uses challenge questions during login, it encrypts all of Mary's data inside its database, and it uses SSL to encrypt data in transit. DoggyPhotos.com is a different story. It has none of the security features that My Favorite CU does.

One day a hacker gets lucky: a SQL injection bot he is running finds a hole in DoggyPhotos.com. The hacker exploits that hole and successfully extracts the entire contents of the user database. Since security wasn't a big concern when the site was developed, DoggyPhotos.com's developers wrote their own authentication code and stored all user information, passwords included, in plain text. The hacker, being a clever guy, then begins data mining social sites such as Twitter, Facebook and MySpace. One nugget of information he finds about Mary Doe is a tweet thanking My Favorite Credit Union for its terrific service. So now the hacker knows that Mary Doe has an account at My Favorite Credit Union.

Armed with this information, the hacker browses to My Favorite Credit Union's website and attempts to log on using the username and password that Mary also used on DoggyPhotos.com. Not surprisingly to the hacker, the username is the same and the password works! But then he is prompted to answer a risk-based authentication (RBA) challenge question asking for Mary Doe's mother's maiden name. Drat! This means that he now needs to go over to Geni.com and see if he can find Mary Doe's family tree.
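To make concrete why the DoggyPhotos.com dump handed Hacker Joe a working bank password, here is an added Python example (written for this page; it is not InetSolution's or MemberProtect's code). It models the photo site's user table two ways, in plain text as the story describes and with salted PBKDF2 hashes, then replays the dumped password column against a constructed stand-in for the credit union's login, which stores its own copy of Mary's credentials properly. The usernames, password and maiden name come from the scenario above; the iteration count and the stand-in bank are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is kept modest so the
# example runs quickly; a production deployment should use a far higher
# count, or a memory-hard KDF such as scrypt or Argon2.
PBKDF2_ITERATIONS = 50_000
SALT_BYTES = 16


def hash_secret(secret: str, salt: Optional[bytes] = None) -> dict:
    """Store a salted, iterated digest of a secret instead of the secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_secret(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def normalise_answer(answer: str) -> str:
    """Case- and whitespace-normalise a challenge answer before hashing,
    so 'Brown' and ' brown ' both verify against the same stored digest."""
    return " ".join(answer.lower().split())


def plaintext_user_row(username: str, password: str, challenge_answer: Optional[str] = None) -> dict:
    """DoggyPhotos.com style: home-grown auth, everything in clear text."""
    row = {"username": username, "password": password}
    if challenge_answer is not None:
        row["mother_maiden_name"] = challenge_answer
    return row


def hashed_user_row(username: str, password: str, challenge_answer: Optional[str] = None) -> dict:
    """Sound storage: password and challenge answer hashed under separate salts."""
    row = {"username": username, "password": hash_secret(password)}
    if challenge_answer is not None:
        row["mother_maiden_name"] = hash_secret(normalise_answer(challenge_answer))
    return row


# --- Constructed stand-in for My Favorite Credit Union -------------------
# The credit union stores its copy of Mary's credentials properly. The weak
# link is that Mary chose the same password she uses at the photo site.
MARY_PASSWORD = "mydogbingo*1"  # from the article's scenario
BANK_USERS = {"marydoe": hashed_user_row("marydoe", MARY_PASSWORD, "Brown")}


def bank_login(username: str, password: str) -> bool:
    row = BANK_USERS.get(username)
    return row is not None and verify_secret(row["password"], password)


def bank_challenge(username: str, answer: str) -> bool:
    row = BANK_USERS.get(username)
    return row is not None and verify_secret(row["mother_maiden_name"], normalise_answer(answer))


# --- The attacker ---------------------------------------------------------
def replay_dumped_row(dumped_row: dict, login: Callable[[str, str], bool]) -> bool:
    """Credential replay: take whatever sits in the dumped password column and
    try it as-is at the other site. Returns True if that login succeeds."""
    leaked = dumped_row["password"]
    if not isinstance(leaked, str):
        # A salted digest is not a password. The attacker would have to crack
        # it offline first, and a slow KDF makes every guess expensive.
        return False
    return login(dumped_row["username"], leaked)


def run_scenario() -> dict:
    """Dump the photo site's row under both storage schemes and replay each."""
    plaintext_dump = plaintext_user_row("marydoe", MARY_PASSWORD)
    hashed_dump = hashed_user_row("marydoe", MARY_PASSWORD)
    return {
        "plaintext_storage_replay_succeeds": replay_dumped_row(plaintext_dump, bank_login),
        "hashed_storage_replay_succeeds": replay_dumped_row(hashed_dump, bank_login),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two things are worth noticing. First, only the photo site's storage changes between the two runs; the credit union is identical in both, which is exactly why the article assigns it virtually no blame. Second, hashing at the photo site stops the direct replay but does not remove the risk Mary created: a reused password protected by a weak hash is still crackable offline, so the per-site password is the control that actually closes the hole.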

Much to Hacker Joe's delight, Mary Doe does indeed have a Geni.com account and Mary used the same username and password over there. So Hacker Joe logs in, learns that Mary Doe's mother's maiden name is Brown and then proceeds back to My Favorite Credit Union's website to answer the question. Success!

How much of this hacking success story was My Favorite Credit Union's fault? Virtually none. What about Geni.com's? Again, not much. The problem here was a combination of the weak security employed at DoggyPhotos.com and Mary's failure to use a different set of credentials for her online banking service than she uses for her less important sites. That simple step could have prevented Mary's online banking account from being hacked so easily.

Notice that I said the credit union and Geni.com were virtually faultless. That doesn't mean that they couldn't have done more. MemberProtect offers unique security features that would've completely prevented Hacker Joe from accessing Mary's credit union account.
