"The Office of the Comptroller of the Currency (OCC) charters, regulates, and supervises national banks to ensure a safe, sound and competitive banking system that supports the citizens, communities and economy of the United States."
Now this is all very comforting, and makes perfect sense. So, why are there so many concerns about online banking? Where is the breakdown in security? Even brick and mortar banks have internal networks that must be secured. It's my understanding that these are very well secured indeed. What happens when these security-conscious organizations move their presence to the Internet?
I recently participated in an assessment for an online bank. We were tasked to assess the security of their online banking application, check out the supporting infrastructure, and perform some data analysis of their internal traffic. What we found was quite disturbing, and has strengthened my resolve to limit my online transactions.
This was not the only problem we identified, nor was it my biggest concern. The real concerns were with the supporting systems. After evaluating the web-based application we started checking their network for potential vulnerabilities. I was amazed at the state of their systems. First of all, their firewalls were configured improperly. I was able to readily identify their firewalls, down to the version of the OS and the type/version of the firewall. This was readily visible by SNMP! The level of detail available via SNMP is astounding. Windows NT machines running SNMP will display full system information including such details as available services, account names, file shares, and IP routing tables.
Just through this feature I quickly identified critical systems, vulnerable services running on various systems, and I had a full set of account names for use in a brute-force attack. Further scans revealed a full array of standard vulnerabilities across multiple systems. I had full access to some of their systems in approximately 5 minutes.