Banks and Netscape InSec

Anonymous nobody at REPLAY.COM
Wed Sep 20 07:25:24 PDT 1995



Financial Times, September 20, 1995, p. 12.


Banks' Security Chains Failed

The Citibank case has highlighted weaknesses in corporate
security measures.

By John Mason


Could it happen to us? Banks have been soul-searching about
their security systems in response to the alleged computer
hacking fraud on Citibank, in which $10m (6.49m pounds) is
said to have been removed from client accounts by a young
Russian based in St Petersburg.

In public, banks express confidence in their computer
security. "It's a shame what happened at Citibank, but it
couldn't happen here," is a typical response.

However, some industry insiders are concerned that many banks
and other commercial organisations are still leaving
themselves dangerously open to attack by hackers. Rumours of
some banks not admitting to similar breaches only increase
doubts.

The full technical picture of what allegedly happened at
Citibank is unclear. The largest US bank, unsurprisingly, is
reluctant to reveal precisely how Mr Vladimir Levin --
apparently without inside help -- allegedly breached its Wall
Street security system from his personal computer in St
Petersburg. A UK court will today decide whether to extradite
Mr Levin to the US to face trial.

It seems that Citibank was caught out by its technology, which
could not match recent developments available to hackers.

Citibank's main weakness is known to have been its use of
"fixed passwords" to guard its computerised cash management
system. This system, dubbed Citicorp Cash Manager, handles
transactions totalling $500bn every day.

Cash management systems, which give customers access to their
accounts so that they can make transfers, are inherently
exposed to hackers because by definition they allow
third-party access from outside the bank.

In the case of Citibank, access to the cash management system
could be made via telephone lines from anywhere in the world
using a computer. Until the incident, Citibank's system used
fixed or permanent passwords where the customer has only to
enter a name and regular password to gain entry to the system.

However, security experts now agree that this technology has
been rendered ineffective at guarding high-risk systems by the
proliferation of modem communications devices attached to
powerful PCs providing access to the Internet. Hackers now
have ready access to sophisticated software including
"sniffers" -- programs used by network managers which allow
them to look at and capture information passing over
networks. Where a fixed password travels unencrypted, a
sniffer captures it in the clear, giving hackers access to
huge quantities of information -- including lists of
passwords.

The hackers can then take their pick of which password to use.
With bank cash management systems, this virtually amounts to
giving a hacker the choice of which client account to loot.

There are a number of steps banks and other security-conscious
computer network operators can take to defend themselves
against unauthorised intruders. The main option -- and that
introduced by Citibank since the Levin incident -- involves
the use of one-time passwords: each password is valid for a
single login, so one captured by a sniffer is worthless.

A "smart card" issued to each customer generates a sequence of
passwords so that a different one is used each time. This
password is then encrypted or scrambled into a form that is,
its manufacturers claim, unreadable to anyone "surfing" the
Internet. The main computer deciphers the signal and, because
it can compute the same sequence of changing passwords, lets
the genuine user into the system while refusing any password
that has already been used.

The chances of someone guessing one of Citibank's passwords
are now one in 11m, says Mr Tom Brady of Enigma Logic of
Concord, California, which supplies this technology to
Citibank. The bank's previous fixed password technology, by
contrast, meant breaking the password system was relatively
straightforward, he says.
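The scheme the article describes, a token and a server that both walk the same password sequence and a server that refuses any password it has already accepted, is the pattern later standardised as counter-based HOTP (RFC 4226). The block below is an added illustration of that standard, not Enigma Logic's product and not Citibank's code; the shared secret, the look-ahead window of five and the demo names are assumptions chosen so it runs offline.

```python
import hmac
import hashlib

DIGITS = 6
LOOK_AHEAD = 5                             # assumed: how far the token may run ahead of the server
SHARED_SECRET = b"12345678901234567890"    # RFC 4226 test-vector secret, constructed for the demo


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The customer's card: emits the next password in the sequence and moves on."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_password(self) -> str:
        pw = hotp(self.secret, self.counter)
        self.counter += 1
        return pw


class TokenServer:
    """The bank's side: knows the secret, so it can compute the same sequence."""

    def __init__(self, secret: bytes, look_ahead: int = LOOK_AHEAD):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1        # highest counter value already accepted

    def verify(self, candidate: str) -> bool:
        # Only counters strictly beyond the last accepted one are tried, so a
        # password that was sniffed during a genuine login can never be replayed.
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.last_counter = c
                return True
        return False


def replay_demo(secret: bytes = SHARED_SECRET):
    """Genuine login, replay of the sniffed password, then the next genuine login."""
    token, server = Token(secret), TokenServer(secret)
    pw1 = token.next_password()
    first = server.verify(pw1)        # True: genuine login
    replay = server.verify(pw1)       # False: the captured password is worthless
    second = server.verify(token.next_password())   # True: the sequence moves on
    return first, replay, second


if __name__ == "__main__":
    print(replay_demo())
```

Two practical points follow from the code. The server accepts any of `look_ahead` upcoming values, so the chance of a blind guess succeeding is `look_ahead / 10**DIGITS` per attempt, not `1 / 10**DIGITS`; a lockout after a few failures is what keeps the odds quoted above meaningful. And the strength rests entirely on the secret never leaving the card and the server, which is why the journalist's "encrypted password" matters less than the fact that the password is never reused.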

Concern centres on how quickly banks and others have reacted
to technological change. Although encryption technology has
been available for more than 10 years, it is only now being
generally introduced, and usually only for systems with
external access.

Barclays Bank introduced encryption for computer systems with
external access before the Citibank incident occurred. Barclays
now feels "fairly comfortable" about the state of its
security, says Mr Philip Severs, deputy director of
operational risk.

However, it is clear that not every bank has closed the door
yet. Mr Severs says the business world is just "on the cusp"
of introducing encryption technology.

Another security adviser says the measures of one leading US
bank, based on both fixed and encrypted passwords, are still
considered weak by experts. Another security specialist
employed by a leading international bank says that senior
management throughout the industry has sometimes been slow to
react to change. "Sometimes people think that their security
is adequate simply because it has not been breached in the
past. At other times, head offices are warned of the dangers,
but fail to act because of cost factors."

Whatever the state of bank security, their experts agree that
their customers' awareness of the problem is lower. "Whenever
payments are made or orders placed electronically, then a
threat exists. The banks are leading on this. Companies are
some way behind," says Mr Severs.

But encryption remains only one way of improving security. The
alleged hacking incident at Citibank involved more than simply
breaching the bank's password system.

The US government claims Mr Levin was able to watch corporate
clients making numerous transactions before deciding which
account to take money from. He also allegedly spotted one
security precaution in place and limited each of his
withdrawals to under 200,000 pounds ($310,540).

Citibank will not comment on its security measures other than
to point to its "smart cards". However, the bank agrees that
there was only partial use of another well-established
security system -- "predefined" transfer routes. These allow
customers to make transfers only to specific bank accounts,
making it impossible for a hacker to remove funds for himself
even after obtaining a valid password.

Citibank offers such an option. However, it is only useful to
some customers. The average corporate customer might find it
suitable because the number of destination accounts they need
is limited. However, for financial institutions making
transfers to many accounts, such a system is too cumbersome.
Perhaps significantly, one of Mr Levin's alleged victims was an
investment company.

Citibank investigators say Mr Levin gave himself away by
making a number of "amateurish" mistakes, but admit he was a
very sophisticated computer operator, allegedly attempting a
particularly elegant fraud.

The bank concedes that it still does not fully understand all
the technical aspects of how Mr Levin allegedly managed to
break in. If and when he is extradited to the US and
introduced to that country's plea bargaining system, he will
be invited to explain further.

Banking security experts agree that the Citibank episode shows
that effective detection systems to track unusual transactions
remain essential. In the Citibank case these worked well,
enabling the attempted fraud to be nipped in the bud,
monitored and losses kept to $400,000.
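The two controls just described, predefined transfer routes and detection of unusual transactions, are combined in the added example below. It is illustrative code, not Citibank's or Barclays' system: the customers, accounts, per-transfer review threshold of 200,000 and 24-hour aggregation window are all constructed. It also goes one step past the article by summing sub-threshold transfers to a destination the customer has never paid before, since a fraudster who has "spotted" a per-transfer limit will keep each withdrawal under it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    customer: str
    dest: str
    amount: int      # whole currency units
    ts: int          # minutes since the start of the constructed sample


# Constructed "predefined routes": a customer listed here may pay only the
# listed accounts; a customer absent from it has not taken the option and
# may pay anyone (the article's financial-institution case).
PREDEFINED_ROUTES = {
    "corp-a": {"ACC-PAYROLL", "ACC-SUPPLIER-1"},
}

# Constructed history of destinations each customer has paid before.
KNOWN_DESTS = {
    "corp-a": {"ACC-PAYROLL", "ACC-SUPPLIER-1"},
    "fund-b": {"ACC-KNOWN"},
}

PER_TRANSFER_LIMIT = 200_000   # assumed review threshold per single transfer
AGG_WINDOW = 24 * 60           # assumed: minutes over which sub-limit transfers are summed


def route_allowed(t: Transfer, routes=PREDEFINED_ROUTES) -> bool:
    allowed = routes.get(t.customer)
    return allowed is None or t.dest in allowed


def screen(transfers, routes=PREDEFINED_ROUTES, known=KNOWN_DESTS):
    """Return (transfer, reason) pairs: hard blocks for bad routes, review flags otherwise."""
    alerts = []
    recent = defaultdict(list)                 # customer -> transfers inside the window
    for t in sorted(transfers, key=lambda x: x.ts):
        if not route_allowed(t, routes):
            alerts.append((t, "blocked: destination not on predefined routes"))
            continue                           # never executed, so not counted below
        window = [p for p in recent[t.customer] if t.ts - p.ts <= AGG_WINDOW]
        recent[t.customer] = window + [t]
        if t.amount >= PER_TRANSFER_LIMIT:
            alerts.append((t, "review: single transfer at or above limit"))
        elif t.dest not in known.get(t.customer, set()):
            # Structuring check: several sub-limit transfers to a brand-new
            # destination are judged by their total, not one at a time.
            total = t.amount + sum(p.amount for p in window if p.dest == t.dest)
            if total >= PER_TRANSFER_LIMIT:
                alerts.append((t, f"review: {total} to new destination {t.dest} within window"))
    return alerts


# Constructed sample: one routing violation and one structured withdrawal.
SAMPLE = [
    Transfer("corp-a", "ACC-PAYROLL", 50_000, 0),      # on its routes: clean
    Transfer("corp-a", "ACC-UNKNOWN", 30_000, 10),     # off its routes: blocked
    Transfer("fund-b", "ACC-KNOWN", 150_000, 20),      # known counterparty: clean
    Transfer("fund-b", "ACC-NEW", 190_000, 30),        # under limit, new dest: not yet
    Transfer("fund-b", "ACC-NEW", 190_000, 90),        # second slice: 380,000 flagged
]


def demo():
    return [reason for _, reason in screen(SAMPLE)]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The aggregation here is per destination; an attacker who spreads slices across several new accounts would slip under it, so a production rule would also sum everything a customer sends to destinations outside its history. The point the article makes still holds: the predefined-routes control stops the loss outright, while the detection rule only raises it for review.
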

But they agree that even if new technology is introduced,
keeping one step ahead of the hackers all the time is just not
possible. One with knowledge of the Citibank case comments:
"At the end of the day it cannot be done. Essentially,
security is about being reactive, not pro-active."

Meanwhile, the Citibank episode provides the most public
example yet of how hackers can threaten the integrity of the
international banking system. And just as the Barings collapse
prompted other banks to review their internal management
controls, so Mr Levin's case is having a similar effect on
computer security.

But as one bank security expert says: "It takes an incident
like this to prompt people to review their systems. Whether
they take action however is a different matter."

-----

Financial Times, September 20, 1995, p. 20.


Netscape flaw may deal blow to Internet security

By Louise Kehoe in San Francisco


A security flaw in Netscape Communications' popular Internet
software could deal a serious blow to companies planning to
transact business on the Internet, the global computer
network.

The flaw, discovered by two computer science students at the
University of California at Berkeley, means that financially
sensitive data, such as credit card numbers, sent over the
Internet using Netscape software could be vulnerable to
computer hackers.

"Security is the number one issue" that needs to be resolved
if the Internet is to become a medium for largescale
electronic commerce, according to Ms Cathy Medich, executive
director of CommerceNet, a consortium of companies that is
developing standards and protocols for conducting business on
the Internet with backing from the US government.

The security breach is a setback for Netscape, raising
concerns about the company's ability to produce reliable
secure software.

Netscape's so-called secure browsers are used by an estimated
66 per cent of people accessing the World Wide Web, the
segment of the Internet where thousands of companies have set
up electronic displays of their products.

The software had been seen as a breakthrough for electronic
commerce, enabling people to buy and sell goods online without
fear of their messages being intercepted.

Netscape confirmed that a security loophole has been
identified, but said it would offer a free security "patch" by
the end of this week on its World Wide Web page
(http://home.netscape.com).

No losses have been reported as a result of the security
breach, Netscape said.

This is the second time that Netscape's encryption has been
"cracked". Last month, a computer expert in France was able to
decode the weaker version of Netscape's cyphers, which the
company is allowed to export.

The security flaw found by the Berkeley students affects all
current versions of Netscape software, including its browsers
and server software, the company said.

However, next week the company will begin trials of a new
version of its browser, which will contain the security patch.

-----
