[HN Gopher] They Can Be You
___________________________________________________________________
They Can Be You
Author : markarichards
Score : 27 points
Date : 2024-04-22 08:55 UTC (14 hours ago)
(HTM) web link (theycanbeyou.com)
(TXT) w3m dump (theycanbeyou.com)
| markarichards wrote:
| The security breaches reported here have been detected by SRI
| checking bank websites using
| https://gitlab.com/markalanrichards/access-test/
|
| If anyone wishes to help improve this test suite or fork it for
| other purposes, please go for it.
|
| Some may trust Google, Microsoft and co, and I'm sure some used
| to trust Fujitsu. However, I encourage you to look at the
| companies in the list against the banks and see how broadly some
| banks give remote access to various types of third party
| companies.
|
| Barclays bank isn't on the list because the test suite didn't
| find anything. I might have to look into how to move my accounts
| there.
| mrbishalsaha wrote:
| What is the solution to these issues? Banking has always been
| on a very old tech stack.
| markarichards wrote:
| The technical fix to this exact issue is to remove, or SRI and
| review, third party code. None of these features is a must-have
| requirement for online banking.
|
| However, the breadth of this problem indicates the fix is
| bigger, or else this will just pop up again without being
| noticed, and it should be tackled from two directions.
|
| Technically: in the context of non-repudiation, web browsers
| are insecure for users. Significant user requests (make a
| payment, consent to terms, etc) are not stored client side,
| not signed and were a user to discover an audit log feature
| there is no distinction between what JS did and what a user
| did. This should and must change for the web to evolve to
| protect users.
|
| Business: the failure across most of the banking sector
| suggests that all who should be holding the banks to account
| (share holders, creditors, regulators, customers, etc) are
| failing to monitor the banks and, given there has been prior
| warning of this for some (regulators), failing to act. If a
| third party uses their remote access to hack customers, then
| I'm sure they will react but that may be too late. When we
| want security in our physical environment we have watchdogs
| whose responsibility is not just to react, but to proactively
| monitor the environment: spot the river has chemicals in it.
| Banking is significant enough that it probably needs a
| watchdog tasked with specific objectives regarding
| information security.
| HomeDeLaPot wrote:
| Good writeup! It certainly seems absurd for banks, investment
| firms, government services, etc. to just allow third-party
| analytics startups to inject whatever code they want in between
| the user and the product.
|
| It's like if the bank hired contractors from Google, LivePerson,
| Tealium, and Yext to listen in on every phone call I make to the
| bank, for "analytics purposes". Um, is it really necessary for
| them to hear my account number and everything? Oh, you say
| they're plugging their ears?
| kmlx wrote:
| I read it twice and I still don't understand the article.
|
| Is this site complaining about 3rd party analytics?
|
| There is also a table further down that shows various banks
| sharing data with... themselves? Citibank will share data with
| Citibank, and First Direct (aka HSBC) will obviously share data
| with HSBC.
|
| Can someone explain what this article is actually about?
| markarichards wrote:
| > I read it twice and I still don't understand the article.
|
| Any recommendations to improve are welcome
|
| > Is this site complaining about 3rd party analytics?
|
| If a bank page includes a script tag that loads third party
| JavaScript from a non-bank server, then what is to stop that
| script from capturing data, submitting forms, spoofing page
| content?
|
| The bank has effectively given these third parties unaudited
| remote access, via remote code execution, to consumers' bank
| accounts.
|
| A bank can safely use third party analytics if they adopt
| appropriate security measures; SRI is likely to be one, but
| alone might not be enough.
|
| In the cases found here, there is no SRI protection or
| similar to protect users from the third parties doing what
| they like on the page, acting as customers.
|
| > There is also a table further down that shows various banks
| > sharing data with... themselves?
|
| This is an oddity due to the test suite spotting JS from a
| separate domain for the same bank (
| https://gitlab.com/markalanrichards/access-test/-/blob/main/...
| ): thank you for highlighting this and when I get time I hope
| to filter it out.
___________________________________________________________________
(page generated 2024-04-22 23:01 UTC)