Forgotten your responsibilities? How password recovery threatens banking security

Ben Smyth (2010) Forgotten your responsibilities? How password recovery threatens banking security. School of Computer Science Technical Report CSR-10-13, University of Birmingham.



The online banking systems offered by the Lloyds Banking Group (including Bank of Scotland and Halifax) and the Royal Bank of Scotland Group (including NatWest, Royal Bank of Scotland and Ulster Bank) are vulnerable to a remote attack which allows an adversary to commit financial fraud. The vulnerability arose from poor software engineering practice which neglected security in favour of usability. More precisely, the authentication systems are coupled with credential recovery mechanisms that permit the authentication of customers who have forgotten their credentials; these secondary authentication mechanisms are insecure because they rely on publicly available information. In addition, the attack allows the financial privacy of customers to be compromised. These failures are particularly relevant to the design of online banking systems and to legal cases in which customers are found liable for fraud: in such cases banks may refuse refunds and assert negligence, or blame the customer for the fraud. The attacks presented in this paper may help explain false accusations of liability and may help introduce public policy changes which force banks to be held accountable for the systems they have designed.

Media coverage

This article has been discussed by The Daily Mail.

Bibtex Entry

	author = "Ben Smyth",
	title = "{Forgotten your responsibilities? How password recovery threatens banking security}",
	year = "2010",
	number = "CSR-10-13",
	institution = "School of Computer Science",
	address = "University of Birmingham",