Friday, January 02, 2009

How to crack online banking

It's time to check your bank's certificate if you bank online. With a bit of bad luck, it isn't safe anymore. Last week I ran into an article in the Dutch tech magazine Emerce about a security breach in SSL.

SSL Certificate Security Breach

To most people, SSL sounds like a privacy guarantee on the web. Sites such as web shops and banks offer an encrypted connection and present an SSL certificate issued by a CA (Certification Authority) like Verisign or DigiNotar. However, a team of researchers from the Dutch University of Eindhoven, the CWI (Center of Mathematics and Computer Science), EPFL in Switzerland and independent researchers from California have discovered how to break that guarantee. They discovered

...that one of the standard cryptographic algorithms, which is used to check digital certificates, is subject to abuse. The algorithm in question is the MD5 algorithm. Malicious persons may create a file with a digital signature which is trusted by all major web browsers. The researchers did this using advanced mathematics and a cluster of more than two hundred game computers.

and

The researchers discovered the security breach which, in combination with the known KAMINSKY vulnerability in the Domain Name System (DNS), can make it difficult to detect phishing attacks.

Crunching Fortis all the way.

In short, if your bank's SSL certificate is signed using MD5, your privacy may be compromised. A quick survey of the certificates used by Dutch banks shows that most of them already use SHA-based signatures. One of the few exceptions is the troubled Fortis Bank. Fortis has been going through a lot of bad weather ever since it acquired (part of) the ABN Amro bank. They were the first Dutch bank to get into trouble due to the credit crunch, and the Dutch and Belgian parts have been separated, the Dutch part being taken over by the Dutch Government. They also had to settle for nearly a billion dollars in the Dutch mortgage scandal and also lost about a billion in the Madoff fraud.
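To do that survey yourself, here is an added example (not from the Emerce article or this post): a stdlib-only Python check that walks the outer DER structure of an X.509 certificate, reads the signatureAlgorithm OID and flags MD5-based signatures. The two DER blobs at the bottom are constructed stubs with an empty tbsCertificate and a dummy signature, not real certificates, and `host` in the docstring stands for whatever server you want to inspect.

```python
import ssl
# Signature-algorithm OIDs from RFC 3279/4055; the MD5 one is what the research attacked.
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.2": "md2WithRSAEncryption"}
KNOWN = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
         "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert, 0)                # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)           # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)            # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def assess(cert_der):
    """Return ('WEAK' or 'OK', algorithm name or raw OID)."""
    oid = signature_algorithm(cert_der)
    return ("WEAK", WEAK[oid]) if oid in WEAK else ("OK", KNOWN.get(oid, oid))

def assess_pem(pem):
    """Same check for a PEM string, e.g. from ssl.get_server_certificate((host, 443))."""
    return assess(ssl.PEM_cert_to_DER_cert(pem))

# Constructed stubs: only the outer framing (empty tbsCertificate, dummy signature).
MD5_STUB = bytes.fromhex("3015 3000 300d 0609 2a864886f70d010104 0500 0302 0000")
SHA256_STUB = bytes.fromhex("3015 3000 300d 0609 2a864886f70d01010b 0500 0302 0000")
```

Because only the outer three elements are walked, the same code handles a full certificate (whose lengths use the long form) exactly as it handles the stubs.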

MD5 and SHA algorithms

To most of the digitally educated it has been clear for some time that hashing passwords with MD5, for instance, is no longer best practice on the web, and they have moved over to the more secure SHA-2 and the upcoming SHA-3 hash algorithms.

  • Read the original Emerce article in Dutch here.
  • Read the Google translation here.
