Some points of detail on Bank One Online cookies
daemon@ATHENA.MIT.EDU (C Matthew Curtin)
Thu Oct 26 21:27:07 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <86y9zbkydj.fsf@animal.interhack.net>
Date: Thu, 26 Oct 2000 18:53:44 -0400
Reply-To: cmcurtin@INTERHACK.NET
From: C Matthew Curtin <cmcurtin@INTERHACK.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: C Matthew Curtin's message of "Wed, 25 Oct 2000 21:36:43 -0400"
>>>>> "Matt" == C Matthew Curtin <cmcurtin@interhack.net> writes:
Matt> Bank One Online (www.bankoneonline.com) stores customer
Matt> account information -- specifically, credit and/or debit card
Matt> numbers -- in insecure cookies.
We've been getting a lot of questions about this, so I want to make a
few points clear. Unfortunately, it wasn't until after the release of
our initial report that we were able to get some answers that we
needed to get the complete picture.
o The bank card numbers are used as the "Access ID" only in certain
markets. We tested in Columbus, which is vulnerable. Bank One is
in the midst of a rollout to a new system that does not use bank
card numbers as Access IDs, so some markets (such as Chicago) are
not vulnerable to this problem. (I'm taking this on the word of
some folks I spoke to there -- we can't readily test the Chicago
customers' accounts.)
o Users who want to avoid the weakness can ensure that the "Save
Access ID to disk" box is not checked when logging in. This will
prevent the cookie from ever being written to disk.
I'm not sure if someone who visits a site that exploits the IE
"open cookie jar" (MS00-0033) in the same session will have an
active cookie that can be read. My guess is that it will.
o Once a bank card number has been obtained, there is additional work
to be done before it's directly exploitable. That is, to use the
card as a credit or debit card, the attacker has to guess the
expiration date correctly. The odds of doing this before the
account is locked are roughly one-in-13 (three tries before lockout,
generally 36 months for the lifetime of a credit card). Trying to
access the account directly will require guessing a PIN. Chances
of guessing the PIN before the account is frozen are roughly one in
3333 (three chances before lockdown, roughly 10000 possible PINs).
I believe that now we have correctly identified all of the relevant
parts of this problem and the solutions.
--
Matt Curtin, Founder Interhack Corporation http://www.interhack.net/
"Building the Internet, Securely." research | development | consulting
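The two cookie points above (a card number used as the persistent "Access ID", and the distinction between a cookie written to disk and one that only lives for the session) can be checked mechanically on a site's own responses. The following is an added defensive example, not code from the original post or from Bank One: a small auditor that parses Set-Cookie headers, flags cookies that will be persisted (Expires or Max-Age present) and flags values that look like a bank card number (13-19 digits passing the Luhn check). The sample headers are constructed for the example; the Luhn-based heuristic is an assumption about what a "card-number-like" value means and will not catch numbers that are encoded or encrypted before being stored.

```python
import re

# Constructed sample Set-Cookie headers for the example; not captured from any real site.
SAMPLE_HEADERS = [
    "AccessID=4111111111111111; Expires=Fri, 26-Oct-2001 00:00:00 GMT; Path=/",
    "AccessID=4111111111111111; Path=/",
    "session=7f3a9c; Path=/; Secure",
    "pref=4111111111111112; Max-Age=31536000; Path=/",
]

PAN_RE = re.compile(r"\d{13,19}")  # typical bank card number lengths


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Heuristic: any 13-19 digit run (spaces/dashes stripped) that passes Luhn."""
    compact = re.sub(r"[ -]", "", value)
    return any(luhn_valid(run) for run in PAN_RE.findall(compact))


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> dict:
    """Classify one cookie: persistent (written to disk) and/or card-number-like."""
    cookie = parse_set_cookie(header)
    persistent = "expires" in cookie["attrs"] or "max-age" in cookie["attrs"]
    pan_like = looks_like_pan(cookie["value"])
    if pan_like and persistent:
        risk = "high"      # card number will be stored on disk across sessions
    elif pan_like:
        risk = "medium"    # session-only, but still readable while the session is active
    else:
        risk = "ok"
    return {"name": cookie["name"], "persistent": persistent,
            "pan_like": pan_like, "risk": risk}


def audit_all(headers=SAMPLE_HEADERS) -> list:
    """Audit a list of Set-Cookie headers and return one finding per cookie."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Run against a site's own responses (for example by collecting Set-Cookie headers from a browser's network log), a "high" finding is exactly the situation the post describes: a card number persisted to disk; a "medium" finding corresponds to the "Save Access ID to disk" box being unchecked, where the value is still present for the life of the session.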