
Is any bank system affected by heartbleed?

  • 09-04-2014 8:52am
    #1
    Closed Accounts Posts: 265 ✭✭


    Yesterday we learned of a critical defect in an implementation of SSL. 
    SSL is essential in providing secure communication of data to websites and also to services like mobile banking.

    Has Bank of Ireland done any assessment of our vulnerability as customers to this flaw that may be on bank systems now?
    If the bank has any servers that use an affected version of OpenSSL then private keys could already be in the hands of attackers and these private keys could be used to read all traffic to and from the bank from now until the flaw is fixed and the bank changes the keys.


Comments

  • Registered Users, Registered Users 2 Posts: 9,226 ✭✭✭Tow


    What... They can't even fix a basic invalid certificate on their main IE site and you expect them to do something about an obscure vulnerability: https://www.boi.ie

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Closed Accounts Posts: 265 ✭✭Javan


    Certainly the response so far is underwhelming.

    At this point the prudent thing to do is assume that attackers (anyone from script kiddies to the mafia) already have private keys to any system that uses OpenSSL; that traffic to those systems is being decrypted in real time; and that anyone who has logged in to online or mobile banking (where OpenSSL was deployed) has already had their account details compromised.

    Start with those assumptions, then audit systems to disprove the assumptions.

    In the meantime inform customers of the risks.


  • Registered Users, Registered Users 2 Posts: 9,226 ✭✭✭Tow


    There is no such thing as a secure IT system, and that has been my starting point for many years.

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Closed Accounts Posts: 265 ✭✭Javan


    Fair enough.

    Unfortunately today we have a real and specific threat that is being actively exploited using code readily available to script kiddies.
    Banks are an obvious and easy target, and until the bank takes effective action to mitigate the risk, using online or mobile banking is an exceptionally high-risk activity.


  • Closed Accounts Posts: 1,066 ✭✭✭Bank of Ireland: Billy


    Hi Folks, 

    Thanks for your posts. 

    We're aware of the conversations about this matter. We're not technical experts here; however, we've passed your queries on to our technical departments and will let you know when we hear back.

    Thanks

    Billy


  • Closed Accounts Posts: 1,066 ✭✭✭Bank of Ireland: Billy


    Hi Folks,

    We've received the following update from our technical teams:

    We can confirm that this vulnerability does not exist on the Bank’s core systems and we will continue to be vigilant in this regard. The security of our systems is maintained to the highest standards.

    Thanks

    Billy


  • Closed Accounts Posts: 265 ✭✭Javan


    "Hi Folks,

    We've received the following update from our technical teams:

    We can confirm that this vulnerability does not exist on the Bank’s core systems and we will continue to be vigilant in this regard. The security of our systems is maintained to the highest standards.

    Thanks

    Billy"

    Thanks Billy.

    Hopefully 'core systems' here is some sort of marketechture phrase, since this problem exists specifically at the edge (the interface between bank systems and the customers) not at the core.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    You can test any server for this vulnerability by entering the https:// URL address in the box on this site:

    https://www.ssllabs.com/ssltest/

    It does not affect Microsoft servers.


  • Registered Users, Registered Users 2 Posts: 117 ✭✭SniperPaddy


    Highest standards? Experts?
    DON'T MAKE ME LAUGH !! :eek:



    "We can confirm that this vulnerability does not exist on the Bank’s core systems and we will continue to be vigilant in this regard. The security of our systems is maintained to the highest standards."


    • For a start, BOI don't implement the SSL extension "Forward Secrecy" in your 365 domain so that's your "highest standards" down the drain. :eek:
    • A direct statement that (1) you have no vulnerable systems anywhere OR (2) that you have patched all vulnerable systems, would be a "highest standards" response. :rolleyes:
    • The disingenuous answer about "core systems" doesn't exactly help your credibility since 365 is an "edge" interface and you avoided the question. :(
    • I'd like to deal directly with one of your "qualified experts" since most of those I dealt with are clock punching script kiddies. :D




    The least I should expect is transparency. If I do not hear a comprehensive and clear announcement by the end of the week, I am shutting our BOI accounts and would recommend anyone else to, at the very least, keep a close eye on their credit card statements.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Unfortunately Ireland has an incompetent banking system which is run and regulated by morons – viz the Irish banking crisis and bailout etc.


    The least one should expect is effective dual mode multi-factor authentication (i.e. a login factor that changes every time you log in), and once you have logged in, a digital signature on every payment – again which varies each time it is performed, linked perhaps to the last n digits of the IBAN receiving the money – making replay attacks from anyone able to crack the encryption or who has installed malware on the client PC impossible.


    And yes, perfect forward secrecy please, to prevent long term keys from being compromised into the future.
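
The per-payment code described in the post above, sketched as an added example (not part of the thread and not any bank's implementation). It swaps the post's "digital signature" for an HMAC over a one-time challenge, the last n digits of the payee IBAN and the amount; the shared key, n = 6, the 8-digit truncation and the sample IBANs are assumptions.

```python
import hashlib
import hmac
import secrets

N_TAIL = 6  # "last n digits" of the payee IBAN; n = 6 is an assumption


def payment_code(key: bytes, challenge: str, iban: str, cents: int) -> str:
    """8-digit code binding a one-time challenge to the payee and amount."""
    tail = "".join(c for c in iban if c.isdigit())[-N_TAIL:]
    msg = f"{challenge}|{tail}|{cents}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: issues single-use challenges and verifies codes."""
    def __init__(self, key: bytes):
        self.key = key
        self.open_challenges = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.open_challenges.add(challenge)
        return challenge

    def confirm(self, challenge: str, iban: str, cents: int, code: str) -> bool:
        if challenge not in self.open_challenges:
            return False  # unknown or already used: a replay
        self.open_challenges.discard(challenge)  # single use, pass or fail
        expected = payment_code(self.key, challenge, iban, cents)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = secrets.token_bytes(32)           # shared with the customer's token
    payee = "IE29 AIBK 9311 5212 3456 78"   # constructed sample IBANs
    other = "IE00 TEST 0000 0000 0000 99"
    bank = Bank(key)
    c1 = bank.new_challenge()
    code = payment_code(key, c1, payee, 25000)  # computed on the token
    results = {"genuine": bank.confirm(c1, payee, 25000, code)}
    results["replayed"] = bank.confirm(c1, payee, 25000, code)
    c2 = bank.new_challenge()
    results["old_code_new_challenge"] = bank.confirm(c2, payee, 25000, code)
    c3 = bank.new_challenge()
    code3 = payment_code(key, c3, payee, 25000)
    results["payee_swapped"] = bank.confirm(c3, other, 25000, code3)
    return results
```

Only the IBAN tail is bound, so two payees sharing the same last six digits produce the same code; a larger n or the full IBAN narrows that gap at the cost of more typing on the token.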


  • Registered Users, Registered Users 2 Posts: 348 ✭✭northwestramble


    Just did a quick check of how well BOI websites are rated from a security point of view. I understand that this is a very crude test, but it does show a few interesting things. All tests were done on this website. https://www.ssllabs.com/ssltest/

    356online.com gets a B rating
    bankofireland.com B rating
    bankofirelandlife.ie gets a B rating. 
    bankofireland.ie Certificate name mismatch
    365online.ie Assessment failed: No secure protocols supported 


    In fairness, the last two do a redirect to the .com addresses, but it still looks a little unprofessional not to have the Irish domains correctly set up.

    The comment that no core systems were affected by heartbleed would tend to suggest that some systems were affected (but that may not be the case).

    I think it would have been more reassuring if the statement had said something like
    "Having carried out an investigation into all of our online services we offer to our customers, we can report and reassure you our customers, that no online services provided by BOI, that you may be using, were affected in any way by heartbleed.
    We work hard to constantly protect and secure our online services and endeavor to provide the highest level of security for our customers"

    Am sure there is a way to make it sound even better and still contain the key points :). I am more a techie so market speak not the best :)  

    I think any good statement should answer and reassure especially when security is at risk, instead we are left to guess what might be a core system, is it core to me as a customer and my security, or core system to the bank, such as key servers that run all of the operations, or simply a spreadsheet that stores a lot of key information into how the bank runs :)


  • Closed Accounts Posts: 265 ✭✭Javan


    I've also run a very crude test of my own. From that it appears that the servers supporting 365 online and mobile banking are running IIS. IIS is not susceptible to this bug.
    This test was limited to a couple of minutes looking at the headers returned by the server, so it is not fully reliable. It is possible there is a transparent proxy inserted for load balancing purposes that runs a different server and is responsible for the SSL termination. It is also possible there are other systems that might be running affected server software. I made no attempt to look at BOI-BOL, or interfaces for credit card processing, direct debit processing, ATMs, SWIFT, other inter-bank interfaces, etc.

    It would be nice to get a stronger statement from the bank that they have audited all these systems to ensure there is no detail of the infrastructure running the affected software.

    There is now definitive evidence that it is possible to get the private keys for a site using this exploit. A challenge website was created and within a day three people had obtained the private key using only heartbleed.
    http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
    There is also some limited evidence that the bug was being exploited last November.
    https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

    Put those two facts together and you should consider that any system that was vulnerable at any time should be considered insecure until the software patch is applied AND all relevant certificates are revoked AND new certificates are issued from a NEW private key.

