Saw a chilling presentation today from Fabrice A Marie of FMA-RMS at the Bellua Cyber Security Asia 2005 conference in Jakarta. Fabrice talked about Hacking Internet Banking Applications, something he does for a living on behalf of banks around the region. Bottom line: They’re easy to hack.
Of 15 banks’ application assessments he worked on in the past 18 months he found 258 vulnerabilities, 429 beta quality scripts, 339 unnecessary files, averaging 17 vulnerabilities per application.
He didn’t go into detail about what kind of vulnerabilities he found, but his presentation explored a dozen different ways of getting past banks’ security measures, including spying on competitors’ transaction histories, stealing money using fund transfer functionality, purchasing insurance for free and buying discounted shares. All you need is an account.
His parting words were: “Nobody will be using Internet banking anymore. If you do just make sure you don’t have much money online.” He told me later he was just joking, and that banks, particularly in Singapore, are safe. But nobody laughed.
He didn’t mention phishing, but a thought struck me: How many phishing attacks are not to clear out an account but to gain access to a bank as part of a broader, longer term attack?