Watch your Wachovia Bank Account

[SC68Cal]

MR members, this was posted to the Full Disclosure mailing list. I'd be careful about signing into your Wachovia online banking portal. Very careful. BTW MITM stands for "Man In The Middle"

------------------------------

Message: 8
Date: Tue, 10 Jul 2007 20:20:14 -0400
From: Bob Toxen <bob@verysecurelinux.com>
Subject: [Full-disclosure] Wachovia Bank website sends confidential
information
To: full-disclosure@lists.grok.org.uk
Message-ID: <20070711002014.GQ4885@verysecurelinux.com>
Content-Type: text/plain; charset=iso-8859-1

Wachovia Bank website sends confidential information
(social security numbers, phone number, address, etc.)
over the Internet without encryption.

Horizon Network Security Security Advisory 07/10/2007
http://VerySecureLinux.com/
Jul 10, 2007

I. BACKGROUND

Wachovia Bank's official web site offers the following URL to allow
its customers to change their privacy preferences:

http://www.wachovia.com/privacy

Wachovia also notified its customers by U.S. Mail that they can use that
same URL besides.

That URL has a link to the following to actually change one's
preferences:

http://www.wachovia.com/personal/forms/privacy_optout

Unfortunately, that page appears to be an ordinary HTML form whose
"filled out data" then is transmitted via the "post" method to an http
(not https) URL.

III. ANALYSIS

We inspected the page's source via our Opera browser. (We did not
sniff the web traffic so we are not absolutely sure that there is not
some hidden encryption method, though there appears to be none.)

IV. DETECTION

It is trivial to inspect the page source or sniff the data to
demonstrate the problem. The problem has not been corrected.

V. WORKAROUND

Use a method other than their web site to exercise one's preferences.

VI. VENDOR RESPONSE

The vendor (Wachovia Bank) was notified via their customer service
phone number on June 25. We were transferred to "web support". The
person answering asked us to FAX the details to her and we did so,
also on June 25. We explained that we were reporting a severe
security problem on their web site.

We stated that that if we did not hear back from them within 7 days and
the problem was not fixed by then that we would post the problem on the
Full Disclosure list, following accepted industry practice.

To date we have received no response and the problem remains unfixed.

VII. CVE INFORMATION

There is no CVE number.

VIII. DISCLOSURE TIMELINE

06/25/2007 Initial vendor notification
06/25/2007 Vendor requested FAXed details
06/25/2007 Details FAXed to vendor

07/20/2007 No vendor response
07/20/2007 Public disclosure on this Full Disclosure list

IX. CREDIT

This problem was discovered by Bob Toxen, one of our engineers.

X. LEGAL NOTICES

Copyright ? 2007 Horizon Network Security. All rights reserved.

Permission is granted for the redistribution of this alert electronically.
It may not be edited without the express written consent of Horizon
Network Security. If you wish to reprint the whole or any part of this
alert in any other medium other than electronically, please e-mail
btoxen@VerySecureLinux.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing, based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition and
waiving of the right to any action against Horizon Network Security or
its employees or contractors.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

We believe Wachovia Bank is obligated by California's security breach
disclosure laws to notify its California customers who may have used
this form and the State of California. Other jurisdictions also may
have notification requirements.

Bob Toxen,
Horizon Network Security
http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [Our 5* book: "Real World Linux Security"]

 

[janey]

stuff like this gets posted to full-disclosure all the time, and it also happens all the time. also if you read some of the replies so far, there are worse holes and other ways to get the same info. sooo...

edit: personally i wouldnt worry about the possibility of a MITM attack not addressed by Wachovia as much as I would about the PEBKAC on the user's end.

 

[SC68Cal]

Jim Popovich's worries about it being

too much info to leak, I'd
hardly say it's severe. That same info can be easily found in people's
mailboxes weekdays between noon and 4pm.

Doesn't count.

I only get the digests so maybe your ahead of the game.

 

[janey]

Jim Popovich's worries about it being Doesn't count.

Agreed, but more trivial sources for that kind of information exist. It's unacceptable, but it's not like problems don't exist on the user end despite what banks try to do to maintain some semblance of security.

You know, like those huge numbers of people who ignore SiteKeys and write passwords down on postit notes...

 

[SC68Cal]

Yeah. There's a problem with it though. I'm on the fence about the 90 day password change policy.

If you make it too strict your users are going to forget it, write it down, or basically do anything they can to circumvent the policy.

At the same time, if you don't have any password policy you're asking for lots of trouble.

I guess you get paid the big bucks to find a happy medium between the two. I mean we were discussing this very same issue yesterday. I can't sit in front of 24 people and help them figure out Office 2007 then expect them to understand and function under a very strict 90 day password policy

 

[Fairly]

Not that banks haven't let people down and screwed them in the past but today they're very tight with money. It's just that they don't understand the Internet. Like everyone they rush into things because everyone else is doing it. And no, I wouldn't trust them either if they're transmitting without encryption. It's really no big thing until it happens to you and then it's a very big thing. Doing banking online is crazy. Many of these banks run Microsoft servers and how much crazier can you get anyway.