<?xml version="1.0" encoding="UTF-8" ?>
    <rss version="2.0">
        <channel>
            <title>The Blog of Kolchy</title>
            <description>The Blog of Kolchy</description>
            <copyright>Kolchy</copyright>
            
            <link>www.karlkopp.com/</link>
            <lastBuildDate>Thu, 11 Aug 2011 09:22:00</lastBuildDate>
            <pubDate>Thu, 11 Aug 2011 09:22:00</pubDate>


                    <item>
                            <title>ANZ = Security #FAIL!!</title>
                            <author></author>
                            <comments>/blog/2011/august/anz-=-security-fail!!/</comments>
                            <description>In this time of large-scale security hacks, you would think that banks should be taking the lead on security. They do protect our most valuable assets. They do have teams of people whose job is to continually assess the security of their systems, recommend enhancements, and test those systems. I thought that was the case too, until today...

My sister is overseas, and as part of her trip I recommended she doesn&#39;t log on to any banking sites from overseas (keyboard loggers, malware-infested cafe computers etc). So she gave me the details for her ANZ Travel Card so I could top it up as she needed. Last week I decided to log on to make sure all the details were correct. I still haven&#39;t had the confidence to log on!

My first step was to go to the website printed on the details page (www.anzfx.com), and that&#39;s where my security senses started tingling. It redirects you to https://www.anztravelcard.com/ and has a padlock (such a security blanket, that padlock, hey ;) but the URL didn&#39;t look like a legitimate ANZ domain. I would have thought a sub-domain of their corporate domain (anz.com) would be a better choice and show more legitimacy. So I clicked to see the details of the SSL certificate:

Riiiiggghhhhttt! Not even issued to a legal entity. OK, confidence dropping. So I decided to check some more details, and under the Subject metadata for the certificate, here is who it is registered to:

CN = www.anztravelcard.com
OU = FIS - Prepaid
O = Fidelity National Information Services
L = Jacksonville
S = Florida
C = US

Doesn&#39;t even mention ANZ?!?

To compare, here are the details of the certificate I use for my online banking (Westpac):

CN = online.westpac.com.au
OU = Internet Online Banking
O = Westpac Banking Corporation
STREET = L 20 275 KENT ST
L = SYDNEY
S = New South Wales
PostalCode = 2000
C = AU

It&#39;s immediately obvious who the certificate is issued to, and I trust them. I also compared the certificate to the one used on the main ANZ site, which does have the organisation details, and they are issued by different vendors. Even stranger?

So, doubts already cast, I looked at the logon form:

Now, normally to log on I need an identifier (an ID, email address etc) and a secret security token of some sort (password, biometric fingerprint etc). Here, I need 3 things. OK. Why? Looking more closely, I need to provide my card number (the identifier in the credit card world) AND my CVV2 (a quasi-secret, given it is never printed on receipts or by the old-school card impression printers). WTF? A simple man-in-the-middle attack, and I can get the 2 pieces of information I need to use this card online! NO THANKS!!

It looks to me like ANZ has outsourced this service, but it is their name on the product, and as such it is their responsibility to ensure customer data is not compromised. This whole platform scares me from the 20 minutes I spent looking at it, so I question how secure the platform as a whole is...</description>
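The subject comparison made by hand above can be scripted. What follows is an added example, not code from the original post: it works on the dictionary that Python's ssl.SSLSocket.getpeercert() returns, and the two subjects it checks are constructed from the field values quoted in the post rather than fetched from the sites. The expected organisation and country are inputs you supply; fetch_peer_cert is included for running the same check against a live host.

```python
"""Check who a TLS certificate is issued to, as the post does by hand.

Added example, not code from the original post. It works on the dict that
ssl.SSLSocket.getpeercert() returns; the two subjects below are constructed
from the field values quoted in the post rather than fetched from the sites.
"""
import re
import socket
import ssl


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Connect to hostname over TLS and return its leaf certificate as a dict.

    The default context verifies the chain and the hostname first, so a
    certificate that fails either check raises before we look at the subject.
    Not called by the offline part of this example.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten the nested subject tuples from getpeercert() into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def identity_findings(cert, expected_org, expected_country):
    """Return reasons the certificate does not identify the expected operator.

    An empty list means the subject names the organisation and country we
    expect. This is the check a padlock icon does not make: the padlock only
    says the connection is encrypted to whoever holds the key for that name.
    """
    subject = subject_fields(cert)
    findings = []
    org = subject.get("organizationName")
    if org is None:
        findings.append("no organisation in subject (domain-validated only)")
    elif re.search(r"\b" + re.escape(expected_org) + r"\b", org, re.IGNORECASE) is None:
        findings.append("issued to '%s', not '%s'" % (org, expected_org))
    country = subject.get("countryName")
    if country != expected_country:
        findings.append("country is %s, expected %s" % (country, expected_country))
    return findings


# Constructed from the subject lines quoted in the post. Real certificates
# carry more than this (issuer, validity period, subjectAltName).
ANZ_TRAVEL_CARD = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Florida"),),
        (("localityName", "Jacksonville"),),
        (("organizationName", "Fidelity National Information Services"),),
        (("organizationalUnitName", "FIS - Prepaid"),),
        (("commonName", "www.anztravelcard.com"),),
    ),
}
WESTPAC = {
    "subject": (
        (("countryName", "AU"),),
        (("postalCode", "2000"),),
        (("stateOrProvinceName", "New South Wales"),),
        (("localityName", "SYDNEY"),),
        (("streetAddress", "L 20 275 KENT ST"),),
        (("organizationName", "Westpac Banking Corporation"),),
        (("organizationalUnitName", "Internet Online Banking"),),
        (("commonName", "online.westpac.com.au"),),
    ),
}


if __name__ == "__main__":
    for name, cert, org in (("anztravelcard", ANZ_TRAVEL_CARD, "ANZ"),
                            ("westpac", WESTPAC, "Westpac")):
        print(name, identity_findings(cert, org, "AU") or "identity as expected")
```

Two caveats when using this for real: the subject is only worth reading once chain and hostname validation have passed (fetch_peer_cert relies on the default context for that), and an organisation name in the subject tells you which legal entity the CA verified, not whether that entity is the one whose brand is on the card. The outsourcing arrangement the post describes is exactly the case where those two differ.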
                            <link>/blog/2011/august/anz-=-security-fail!!/</link>
                            <guid>/blog/2011/august/anz-=-security-fail!!/</guid>
                            <pubDate>Thu, 11 Aug 2011 09:22:00</pubDate>
                    </item>
                    <item>
                            <title>Blog now uBlogsy Powered!</title>
                            <author>Kolchy</author>
                            <comments>/blog/2011/july/blog-now-ublogsy-powered!/</comments>
                            <description>Just ditched the tired, old XSLT-based blog platform for the shiny new Razor Empire certified uBlogsy platform! Let&#39;s see how this goes :)</description>
                            <link>/blog/2011/july/blog-now-ublogsy-powered!/</link>
                            <guid>/blog/2011/july/blog-now-ublogsy-powered!/</guid>
                            <pubDate>Thu, 07 Jul 2011 09:48:00</pubDate>
                    </item>
                    <item>
                            <title>Critical Security flaw: AFL Dreamteam</title>
                            <author></author>
                            <comments>/blog/2010/february/critical-security-flaw-afl-dreamteam/</comments>
                            <description>Was logging on to my AFL Dreamteam site last night (http://afl.virtualsports.com.au), and noticed that the username and password are passed as clear text in the query string! Easily picked up in any proxies / reverse proxies as well as browser histories! Given the competition has prizes, I&#39;m sure there is a duty of care that the AFL or Telstra (their online service provider) have to protect this information. The technology to do so has existed since Feb 1995!! I&#39;m also sure that the body responsible for giving out permits needs a confirmation of data security and integrity completed as well. The AFL surely fail in this regard!

PS - the links to Dreamteam don&#39;t even work on the front page of the AFL.com.au web site.</description>
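The defect described above leaves a trail in every proxy and web server log between the browser and the site. The following is an added example, not code from the original post or from the AFL site: it scans access log lines for credentials carried in the query string and shows what a redacted log entry should look like. The log lines are constructed here in Apache combined format, and the login path and parameter names are assumptions, since the post does not quote the real request.

```python
"""Find credentials sent in a URL query string, the defect the post describes.

Added example, not code from the original post or the AFL site. The log
lines are constructed here in Apache combined format; the login path and
parameter names are assumptions, since the post does not quote the request.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never travel in a query string. The list is an
# assumption covering common login form fields; extend it for your own apps.
SENSITIVE_KEYS = re.compile(
    r"^(user(name)?|login|email|pass(word|wd)?|pwd|pin|secret|token|cvv2?)$",
    re.IGNORECASE,
)

# Request line inside an Apache/nginx combined log entry: method, target, version.
REQUEST_LINE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')


def sensitive_params(target):
    """Return the sensitive (key, value) pairs found in a request target."""
    parts = urlsplit(target)
    return [(k, v) for k, v in parse_qsl(parts.query) if SENSITIVE_KEYS.match(k)]


def redact_target(target):
    """Rebuild the request target with sensitive values replaced."""
    parts = urlsplit(target)
    cleaned = [
        (k, "REDACTED" if SENSITIVE_KEYS.match(k) else v)
        for k, v in parse_qsl(parts.query)
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(lines):
    """Yield (method, redacted_target, leaked_keys) for each offending line.

    A GET with credentials in the query string is the case from the post; a
    POST whose target carries them is flagged too, because the query string
    is logged and kept in browser history regardless of method. Credentials
    in a POST body over HTTPS do not appear in the request line at all.
    """
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        method, target = match.groups()
        leaked = sensitive_params(target)
        if leaked:
            yield method, redact_target(target), [k for k, _ in leaked]


# Constructed sample traffic, not real AFL logs. urlencode builds the query
# string the same way a GET login form would send it.
LOGIN_QUERY = urlencode({"username": "kolchy", "password": "hunter2"})
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Feb/2010:21:15:02 +1100] '
    '"GET /login.aspx?' + LOGIN_QUERY + ' HTTP/1.1" 302 0',
    '203.0.113.7 - - [04/Feb/2010:21:15:03 +1100] '
    '"GET /team/view?round=1 HTTP/1.1" 200 8192',
    '203.0.113.9 - - [04/Feb/2010:21:16:11 +1100] '
    '"POST /login.aspx HTTP/1.1" 302 0',
]


def findings():
    """Run the scan over the constructed sample and return the results."""
    return list(scan_log(SAMPLE_LOG))


if __name__ == "__main__":
    for method, target, keys in findings():
        print(method, target, "leaks", ", ".join(keys))
```

Only the first sample line is reported: the username and password are in the request line, which is what every intermediary logs and what the browser stores in history. The third line is the shape of the fix, a POST whose credentials live in the body and, over HTTPS, are never written to a log by anything in between.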
                            <link>/blog/2010/february/critical-security-flaw-afl-dreamteam/</link>
                            <guid>/blog/2010/february/critical-security-flaw-afl-dreamteam/</guid>
                            <pubDate>Thu, 04 Feb 2010 09:40:00</pubDate>
                    </item>
        </channel>
    </rss>