Stealing My Own Banking Information
Had I decided to be my own worst enemy and become a black hat, I could easily have managed to steal my own banking information and commit fraud against myself in some way. In this article I will describe how a well meaning online feature could have led to an unintentional disclosure of my personal financial information.
I contacted a financial representative asking that person to help me with my retirement funds.
Me: "Hi, can you invest my funds into a retirement account."
Rep: "Of course. Just email me your banking information."
Me: "I would prefer to send it via a more secure manner."
Rep: "No problem. I'm going to email you a link to an online document for you to complete."
Me: "Much better."
Rep: "It's going to ask you for a password. The password is your last name, all in capital letters."
I wonder if this person uses a birthday or a pet's name for a password. I decide to play along.
Me: "Sounds good. I'll fill it out soon."
The Online Document Process
I received an email with a big button informing me to click it to get started. I hovered over the button and saw a legitimate the web address. I then check the SSL certificate by clicking the lock icon to the left of the web address in the browser's URL bar. So far so good.
The web page asked me for my password. I probably should have entered a bogus password to see if it would have logged me in. Next time I receive this type of online form I want to give it a try and find out. I entered my super secure password.
The form is straightforward enough. I completed it, hit submit, and called it day. To my surprise, I get an email right away. The email contains a confirmation and an unencrypted PDF with the form I just completed. My banking information is in there!
I decided I was going to experiment with the security of the online document web site. The email also had a button to view my document. When I clicked it, the web page no longer asked for my password, but displayed the completed form (with my banking information). I was surprised how easy it was to get into this secure document. I suspected it had a cached session.
I opened a private web browser window; it has no browser history or cached data. I copied the link from the email and pasted it into the URL bar. I was even more surprised when I saw the same results. I tried a different browser and got the same result.
I remembered I used this service earlier in the year. I opened up the completion confirmation email and clicked the link. I was happy to see the page list an error stating the link was expired. I must have not noticed the email the PDF attachment with this email, probably because it did not have any sensitive information.
After I was done experimenting, I deleted the email right away and "permanently" deleted the email from the trash folder. It's been a couple months now and I have not seen weird behavior in my bank account. I am hoping the cached data along the Internet routing equipment is probably gone and nobody found my banking information.
This online service did some good things and not-so-good things. The actors involved also did some good things and no-so-good things.
- The service provided an easy and convenient process for submitting information.
- The service effectively used email to invite the parties to submit their information, and to notify the parties the process was complete.
- The service had the ability to specify a password for the document.
- The service expired links after a set period of time.
- The service used HTTPS and had a valid certificate.
- The document originator specified an easy to guess password.
- The service failed to enforce good password requirements.
- The service sent a confirmation email containing the document information; if the document originator had the option disable sending the PDF, that person should have disabled it.
- The service used a unique link that was difficult to guess by using multiple Universally Unique Identifiers (UUIDs) in the link, e.g. onlinedocument.com/document?a=&b=.
Overall the service was well-designed, but could have accounted for user errors.
I wrote this case study to highlight that well-meaning convenience features might result in information security and cybersecurity risks to the parties involved. Sometimes it behooves us to step back from providing features and start assessing how we might negatively impact users and stakeholders from a security perspective.
Before You Go
Join my mailing list to receive updates about my writing.
About the Author
Miguel is a Principal Security Engineer and is the author of the " Serverless Security " book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.
Originally published on Secjuice.com