Schneier on Security
A blog covering security and security technology.
February 7, 2005
Bank Mandates Insecure Browser
The Australian bank Suncorp has just updated its terms and conditions for Internet banking. They set a maximum withdrawal limit, hint at a physical access token, and require customers to use the most vulnerability-laden browser:
"suitable software" means Internet Explorer 5.5 Service Pack 2 or above or Netscape Navigator 6.1 or above running on Windows 98/ME/NT/2000/XP with anti-virus software or other software approved by us.
Posted on February 7, 2005 at 8:00 AM
• 33 Comments
Sounds familiar. For my bank at https://hg.sparikassin.fo/, I can add the following requirements:
1) Run Microsoft VM, not Sun's
2a) Trust an applet signed by a foreign development company that I have never heard of.
2b) Trust the above applet, even if the signature has expired.
If you trust the bank to not be malicious and also not make mistakes, IE is probably okay for just using the bank's site only.
I keep IE hanging around, but I have the proxy server set to 0.0.0.0 and I make exceptions in the no-proxy-for list.
I'd rather people sought out alternative web services from people who will take security seriously.
Indeed, when I choose a banking service, I check if it will run on Firefox without any user-agent spoofs. Any that don't, I email and tell them why they lost a new customer.
Citizens Bank does the same thing if you want to transfer money between accounts. It will only work with IE; it used to work with any browser, then they started using ASP.NET for some pieces.
It's a little inaccurate to say that they mandate the most insecure browser, as well, since the very section you quoted notes that they allow Netscape Navigator 6.1 "or above". Considering that Mozilla is basically Netscape, and Mozilla Firefox is the recent successor to Mozilla, one could even argue that Mozilla Firefox should be considered a Netscape version above 6.1.
Whether or not the bank sees it that way, I have absolutely no idea. Does anyone know if the bank is actually rejecting Firefox or Mozilla browsers?
[Dundee is threatened by a phisher with an IE-exploiting web page]
Sue Charlton: Mick, give him your Information.
Michael J. "Crocodile" Dundee: What for ?
Sue Charlton: He's got an IE-sploit.
Michael J. "Crocodile" Dundee: [chuckling] That's not a Mozilla-Sploit.
Michael J. "Crocodile" Dundee: [Dundee draws, opens up Mozilla Firefox]
Michael J. "Crocodile" Dundee: THAT'S a Browser.
[Dundee securely logs into the Australian bank. The IE-Sploit has no effect!]
Michael J. "Crocodile" Dundee: [chuckling to Sue] Just kids having fun. Are you all right ?
This is really not a big deal... They do support Netscape Navigator 6.1+. This means that the site is probably accessible using any recent version of any browser. They are just trying to be compatible with a large number of customers.
In fact, this requirement is good for the customer. If for some reason, while accessing the site using IE 5.5, his account/login information is leaked, the bank will not be able to say that it's because he used "insecure" software.
Note also that if the customer machine has been owned by some malicious person, the browser software the user will be using will no longer be relevant.
Also look at this link (http://www.shmoo.com/idn/). Using a browser considered safe (latest Firefox release) you are led to believe that you're on the PayPal site; they even have an example with a valid SSL certificate that looks to be coming from PayPal in the status bar. You really need to inspect the certificate closely (double-clicking on the lock icon, then you have to click the view button, as the first page after the double-click shows you www.paypal.com) to see that it's not registered by PayPal.
I'd be a lot more troubled if they only required IE. They are not.
I agree with other comments here. There does not appear to be a "mandate" to use an insecure browser, since you can use later versions.
Speaking of mandates, should a bank refuse to support insecure browsers? For example, they could detect the version and then push users to a redirect and say something like "to protect your personal/financial information, please upgrade your browser to..."
This topic sounds like a question of who should be allowed to advocate the use of an insecure browser. However, I think it might be more useful to think in terms of who is accountable for the risk and therefore needs to call for more secure browsers; the bank, the user, the industry, the government?
I don't know if it is the case with those in the article, but I have seen some sites refuse to load using FireFox or a modern Mozilla variant. The problem is that their browser-checking script doesn't know about current Mozilla signatures and thinks it's some old, no-name browser from 1995. Even though you are, indeed, running "Netscape 6 or better", it thinks it knows better than you and you get rejected.
I've noticed that the Australian Stock Exchange site http://www.asx.com.au/ will not work properly with Mozilla or Firefox, which for most people means being stuck with IE.
Given that many visitors have buying and selling of shares over the internet in mind, the ASX is being downright dangerous in forcing many users down the IE path.
Jan: Not many average users have the knowledge to tie down their proxy settings in this way, and internet banking is targeted at the masses (not just IT security bods).
While I may have missed the point, I believe one issue is that while this might be portrayed as a security response by the bank, they in fact allow the use of a configuration (IE 5.5 SP2 on Windows 98) whose "Service Pack Support Retired" date was 31-Dec-2003 (see http://support.microsoft.com/gp/lifesupsps), meaning it has been unsupported for over a year. Do you think there have been no security flaws found in the last 15 months that should be fixed? If they were truly concerned about security, they would not allow this software combination to be used by their customers.
Anyway, forget the browser, this site requires the use of the operating system from a convicted monopolist. This site requires the use of "anti-virus software...approved by us" without providing a list of approved anti-virus software and without detailing how this is enforced (I assume there is no enforcement other than denying claims for losses after the fact).
This is very unfortunate - almost all the other banks in Australia now support other browsers; I have no issues with Bendigo Bank (a medium-sized bank) or Commonwealth Bank (one of the four big banks in Australia) with Firefox, although the Commonwealth Bank have only just recently (6-12 months) had their Internet Banking services usable with a browser other than Internet Explorer.
I think part of it comes down to poor planning and developing, rather than short-sightedness (which is still a problem).
Watch as Firefox and Safari get more market share, and see some of these bigger financial institutions start to turn around their thinking.
Just to throw in on my bank: www.netbank.com (NetBank) works just dandy with Firefox, and has since forever. And their e-mail is even plain-text, no HTML!
I've been pretty unimpressed with internet banking facilities in Australia in general. My present bank (http://www.cua.com.au) has only recently allowed access via Firefox, so I am happier now. They also use a variety of interesting security 'techniques' on accessing their site (worth a look; I wonder how useful the 'mouse move' is) and will not allow transfers to external accounts unless you go into a branch to register them in advance, which I used to think was a pain, but I see the benefit now.
They perceive (probably correctly) that a user faced with a plain-HTML web page will think the bank is not technically literate enough to produce a 'good' web site.
The result? Flashy web-sites that support a limited number of browsers, full of potential security flaws.
The problem is more widespread than just banks:
Until users DEMAND security, even at the expense of functionality and eye-candy, companies will not supply it.
Getting users to demand security means educating them, which means un-doing the brainwashing of billions of dollars of advertising.
I'm optimistic: it eventually happened with seatbelts.
Staying anonymous for this one.
As an employee of another Australian bank, this policy astounds me. The 'Four Pillars' are losing millions of dollars every month; by *far* the largest problems that customers are having are:
1) Spyware/keyloggers stealing their usernames/passwords
2) Phishing attempts which exploit the 'url-spoofing-vulnerability-of-the-day'.
If Suncorp want to mandate IE, then I can only assume they'll be joining the rest of us in scrambling for stronger authentication.
This is a furphy - it allows IE 6.0 from XP SP2 just as much as it allows IE 5.5 SP2. From my reading, it should allow Firefox as it's a derivative of the Netscape 6.1 code base.
I know the guys who do the security at SCM. Bruce, you can call SCM and ask to speak to them (hint... first name is Murray) and get the internal view. I know this is a blog, and not a piece of journalism, but pure MS bashing for the sake of it is not helpful, particularly as SCM is not one of the banks that only supports IE.
SCM takes web application security very seriously, performs code reviews, pen tests, risk assessments, and actions mitigations as suggested from subject matter experts. They are actually very good at security, particularly concerning their size in the marketplace. They've done all of the above for some time, not just when it became popular to tackle these issues in the last year or so.
SCM are a case study of how to do it right (or as well as you can).
Oddly, when I try the site's browser test (https://internetbanking.suncorpmetway.com.au/sml/BrowserTest.asp) with Firefox 1.0, it reports "You are using a Netscape 5.0 browser capable of 128-bit SSL encryption". Ergo, you have the wrong browser. On the other hand, if I fool it by telling it that my Firefox 1.0 browser is actually Netscape 7.2 (via a proxy), then it seems happy.
Anyway, when you try and setup an Internet banking account (https://internetbanking.suncorpmetway.com.au/) the site says "For optimum performance we recommend the use of Microsoft Internet Explorer 6.0 Service Pack 1 and above, or Netscape Navigator 7.0 and above". The IE 5.5 SP2 and Navigator 6.1 browsers are listed as minimum versions.
I think this very clearly shows that the bank does NOT mandate an older less-secure browser, but that it also lacks clarity/support regarding the Mozilla codebase.
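The "Netscape 5.0" result above and the browser-checking script described earlier that mistakes a current Mozilla for a 1995 browser come from the same mistake: reading the version after the leading "Mozilla/" token instead of the product token. This added example (not the bank's code; the user-agent strings are constructed samples in the format those browsers sent) contrasts that naive check with one that reads product tokens, and applies the minimum versions quoted from the terms.

```javascript
// Added example, not code from the page or the bank. The user-agent strings are
// constructed samples in the format the named browsers sent in early 2005.
const SAMPLES = {
  firefox10: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0",
  netscape72: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2",
  ie60: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  opera754: "Opera/7.54 (Windows NT 5.1; U) [en]",
};

// The naive check: IE if "MSIE" appears, Netscape if a "Netscape/" token appears,
// otherwise "Netscape" with the number after the leading "Mozilla/" token. Every
// Gecko browser sends "Mozilla/5.0", so Firefox 1.0 comes out as "Netscape 5.0".
function naiveDetect(ua) {
  let m;
  if ((m = /MSIE (\d+\.\d+)/.exec(ua))) return { family: "Internet Explorer", version: parseFloat(m[1]) };
  if ((m = /Netscape\/(\d+\.\d+)/.exec(ua))) return { family: "Netscape", version: parseFloat(m[1]) };
  if ((m = /^Mozilla\/(\d+\.\d+)/.exec(ua))) return { family: "Netscape", version: parseFloat(m[1]) };
  return { family: "unknown", version: 0 };
}

// The corrected check reads product tokens (Firefox/, Netscape/, Opera/) and the
// Gecko "rv:" engine version before ever looking at the "Mozilla/" prefix.
function detect(ua) {
  let m;
  if ((m = /MSIE (\d+\.\d+)/.exec(ua))) return { family: "Internet Explorer", version: parseFloat(m[1]) };
  if ((m = /Firefox\/(\d+\.\d+)/.exec(ua))) return { family: "Firefox", version: parseFloat(m[1]) };
  if ((m = /Netscape\/(\d+\.\d+)/.exec(ua))) return { family: "Netscape", version: parseFloat(m[1]) };
  if ((m = /^Opera\/(\d+\.\d+)/.exec(ua))) return { family: "Opera", version: parseFloat(m[1]) };
  if (/Gecko\/\d+/.test(ua) && (m = /rv:(\d+\.\d+)/.exec(ua))) return { family: "Gecko", version: parseFloat(m[1]) };
  return { family: "unknown", version: 0 };
}

// The minimums quoted from the terms: IE 5.5 or Netscape 6.1 and above. Gecko
// browsers are accepted as Netscape 6.1 descendants, as the commenters argue.
function isSuitable(ua, check = detect) {
  const b = check(ua);
  if (b.family === "Internet Explorer") return b.version >= 5.5;
  if (b.family === "Netscape") return b.version >= 6.1;
  if (b.family === "Firefox" || b.family === "Gecko") return true;
  return false; // Opera and unknown browsers are not on the quoted list
}

// Firefox 1.0 fails the naive check and passes the corrected one; the same UA with
// a "Netscape/7.2" token appended (what the proxy trick above amounts to) passes
// both, because the User-Agent header is whatever the client chooses to send.
```

Whatever the parser, the User-Agent header is client-supplied, so a check like this is a compatibility hint for support staff, not a security control.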
Again, it seems the issue is really who should define the requirement for secure browsers, or "reasonable" security for financial data? Should we rely on the bank management, the bank infosec managers, the banking industry, one government, a group of governments, the users?
What if customers actually think their bank has "mandated" IE 5.5 SP2 for Internet banking and customers experience identity theft? Who should pay? Keep that in mind when you read section 23.12 of their Internet Banking user agreement regarding liability (https://internetbanking.suncorpmetway.com.au/sml/terms.asp):
"We are not responsible for the operation of any computer or electronic system (other than our systems) you use to transact using Internet Banking or the operation of any telephone system."
I thought finding vulnerabilities was supposed to make us *more* secure, not less secure. Shouldn't we be more worried about latent vulnerabilities in all the other browsers?
The major problem with the policies was not that the bank mandated the use of a particular browser, it was far more subtle.
The bank does not publish a full list of software which it considers "suitable", but makes it clear that if you use "unsuitable" software (by their own, not-published) definition, then they will take no responsibility for lost funds.
Meaning that if someone cleans out your account, the bank can say, "HAH! Linux user! Firefox user! No money for you!"
Some major banks in Indonesia also, e.g.: 1) Bank Central Asia -- "...At present BCA only provides internet banking facilities that are more suitable for access using Microsoft Internet Explorer version 5 or later." [http://www.klikbca.com/privacy.html], 2) Bank International Indonesia -- "...This site is designed for Microsoft Internet Explorer 4.01 and Netscape 4.72 or higher and 800x600 screen resolution."
I don't know if this is a backflip or a SNAFU, but I've just been told by Suncorp that the "or other software approved by us" clause in their terms includes MacOS, Linux, Firefox, and more, but that the full list cannot be made available as it "is quite long and changes often".
Since you are required to click-through the terms to use the banking site, you are essentially agreeing (with some undetermined level of enforceability) that you will only use software from a secret list that changes without notice.
Luckily my bank (Nordea in Finland) allows me to use any secure browser, they even recommend Opera for users with slow connection - and provide a download link for the latest release.
But they are among the pioneers of internet banking, so they know their business.
A couple of months ago Wells Fargo started warning me that after x days (it counted down) I wouldn't be able to use my non-supported browser (Opera) and would have to change to either IE or Netscape. The claim was that they required 128-bit encryption, and that there was no guarantee that other browsers would support it.
I don't know what's changed, but when I logged in just now w/ Opera, I got no "you're going to have to switch" message. When I clicked on their "check your browser" link, it told me I was using Mozilla 1.7.5 and that it was supported. (Interestingly, I have Opera set to identify as IE 6.0. Wells identifies IE 6 as IE 6, not Moz.)
The Wells Fargo official list of supported browsers is Netscape 7.x, IE 5.x-6.x, and Safari 1.0-1.2 (version 85.6 and higher, except for 100).
You know, if they would just admit that they're too lazy to QC against more than one or two browsers, I could accept that. I'd think they were idiots, but less so than I do for recommending I use IE for security reasons.
Aha, here's an interesting case highlighting the real issue:
"A Miami businessman is suing Bank of America over $90,000 he says was stolen from his online banking account in a case that highlights the thorny question of who is responsible when a customer's computer is hacked into."
"Banks technically aren't responsible for what happens on your PC. But banks can't reasonably expect consumers to protect themselves from cybercriminals."
Add www.bankofamerica.com to the list. IE and Mozilla family only. No Opera. Changing user agent doesn't work. I've complained a number of times, always pointing out a current un-fixed IE vulnerability, and they send back an automatic response about security being number one blah blah blah.
The thing about those lists of supported browsers is that it usually means: if you use any other browser or software, don't count on getting any useful answers from our customer support if it won't work.
That is at least what I've experienced from my Internet bank. But they have had their share of problems, especially early on (1997-1998), regarding client-side software for digital signatures and the browsers' "support" for reading from a smart card via PKCS#11.
My bank in Israel ( http://www.yashir1.co.il ) does not mandate anything. However, the account information is shown on an ActiveX control.
That means you must use Windows and you must use IE.
One branch of Citibank financial services (cards.citidrect.com) had the same problem; I couldn't use Firefox 1.0, despite the requirement being:
The browser you are currently using does not support the security standards used by CitiDirect. We recommend Microsoft® Internet Explorer 6.0 (or 5.01 and higher) to run this application. If you use another browser, it must be capable of 128-bit SSL encryption.
I was very annoyed. I was too busy to actually see if a user-agent changer would work.
Well, I'm developing an internet banking solution for one of the major banks here in Slovenia, and we're forced into a similar position, i.e. mandating IE, although I shudder at the thought. The story is simple: Bank of Slovenia is now mandating electronic signatures for all the transactions made by companies through internet banking (not for physical persons). None of the browsers support XML digital signatures natively; you have two options, ActiveX or a Java applet. With ActiveX you need to use IE, but you get support for all the smartcards that are supported on the OS (through CryptoAPI). With a Java applet you seem to have two options: use disk-based certificates (not strong enough as judged by the Bank of Slovenia), or try to tie into the Firefox/Mozilla crypto code, which needs an add-in as far as I know, and then also needs special smartcard support for them. The bank opted for the ActiveX solution at this point, so we're a bit stuck. Does anyone have any alternative ideas?
The terms and conditions go on to say:
"We are not liable for any loss, damage or consequential loss or damage if you use or attempt to access Internet banking without using suitable software"
It would be a very brave person who connected with a Linux or OSX system. Unless they provide *written* confirmation that the system is "suitable".
I've created a workaround Greasemonkey script for Firefox ( http://userscripts.org/scripts/show/12163 ), but I really resent having had to. And yes, changing financial institutions is the correct thing to do, but I haven't got around to it yet.