zlacker

1. marvin+(OP) 2018-09-29 09:38:36
I work for a major (by Norwegian standards) bank. This level of authentication integration trickery wouldn't be attempted by us. Mainly because we try hard to avoid serious technical debt (due to timeline/delivery pressure) in our security infrastructure. We occasionally take such shortcuts in places that are not mission-critical, but they are always considered carefully as the tradeoff that they are. I believe that we are considerably better at technology development than most of the banks in the US.

That said, I've heard stories of similar bugs in the industry. The difference was that they were more shallow in the effort to reproduce; deep enough to get through QA but discovered quickly in production.

But honestly, Facebook has more resources to spend on security than any online bank. Banking security should be defense-in-depth: Strong first layer security, serious monitoring of suspicious activity & openness for reports by users, a certain level of manual approval of irrevocable transfers, a certain revocability of transfers that are able to be automatically processed, transfer size limits to deny one breach to have huge consequences.

And finally, a credible economic and legal system that ensures only a tiny minority of people want to rob a bank because there are much better options for making money, and banking regulations that leave the responsibility for security vulnerabilities squarely with the bank's shareholders.

Anyone can be owned with enough effort, so it's not just about creating software that's as secure as you can make it. You need to have sound policies as well.

replies(1): >>cbzoia+M1
2. cbzoia+M1 2018-09-29 10:15:51
>>marvin+(OP)
Meanwhile I work for a major US IB. While I don't work on anything customer facing, our internal SSO infrastructure basically consists of a single cookie that gets access to almost everything. And it's really not difficult to sniff one from another user (like say getting them to visit a link like http://mydesktop.companyname.com/..).

It's so bad that for certain systems we check the origin of your connection and will only trust you if you've come from the DMZ rather than internal.

replies(1): >>ramchi+vc
3. ramchi+vc 2018-09-29 13:47:18
>>cbzoia+M1
Is the cookie not associated to a specific IP? SSO systems would normally flag the mismatch if you try to connect to a website and pass an SSO cookie issued for a different IP, so sniffing cookies wouldn’t help all that much.
replies(1): >>thefou+oy
4. thefou+oy 2018-09-29 17:34:32
>>ramchi+vc
In the mobile space the IP address changes all the time, doesn't it?
replies(1): >>ramchi+8c1
5. ramchi+8c1 2018-09-30 02:13:18
>>thefou+oy
It's unlikely to change between the SSO login page and the application's login page, and it doesn't matter if it changes later on since the app can issue its own session cookie which isn't tied to an IP.
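The handoff ramchi describes in the last two replies (an SSO ticket that is bound to the client IP only for the short hop to the application's login page, after which the application issues its own session cookie that is not IP-bound) can be sketched in a few functions. The following is an added illustration written for this thread, not code from any bank or SSO product mentioned in it; the ticket format, the in-memory session store and the 300-second lifetime are constructed for the example, and the signing key is generated per process. The `Set-Cookie` helper at the end shows the attributes that address the plain-HTTP link trick cbzoia mentions: `Secure` keeps the cookie off non-TLS requests and `HttpOnly` keeps it away from page scripts.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical identity-provider signing key, generated fresh for this demo process.
SSO_KEY = secrets.token_bytes(32)
SSO_TICKET_TTL = 300  # seconds an SSO ticket stays valid (constructed value)


def issue_sso_ticket(user: str, client_ip: str, now: Optional[float] = None) -> str:
    """Mint an SSO ticket bound to the client IP seen at the SSO login page.

    Constructed format: user|ip|expiry|hmac-sha256(user|ip|expiry).
    """
    now = time.time() if now is None else now
    payload = f"{user}|{client_ip}|{int(now) + SSO_TICKET_TTL}"
    mac = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_sso_ticket(ticket: str, client_ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Check signature, expiry and IP binding in that order.

    Returns (True, user) on success or (False, reason) on failure.
    """
    now = time.time() if now is None else now
    parts = ticket.split("|")
    if len(parts) != 4:
        return False, "malformed"
    user, bound_ip, expiry, mac = parts
    payload = f"{user}|{bound_ip}|{expiry}"
    expected = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Signature first: everything after this point is trusted to be what the IdP wrote.
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    if int(expiry) <= now:
        return False, "expired"
    if bound_ip != client_ip:
        # The mismatch the thread describes: a ticket issued for a different address.
        return False, "ip mismatch"
    return True, user


# Application-side session store; an in-memory stand-in for a real backing store.
_sessions: Dict[str, str] = {}


def app_login(ticket: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange a valid SSO ticket for an application session id.

    The application session is deliberately not bound to the IP: the IP check only has
    to hold across the short SSO handoff, as the last reply in the thread points out.
    """
    ok, result = verify_sso_ticket(ticket, client_ip, now)
    if not ok:
        return None
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = result  # result is the user name on success
    return session_id


def app_request(session_id: str, client_ip: str) -> Optional[str]:
    """Resolve an application session cookie to a user; client_ip is not checked here."""
    return _sessions.get(session_id)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the application session with defensive attributes set."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed walk-through: login from one address, later request from another.
    ticket = issue_sso_ticket("alice", "10.0.0.5", now=1000)
    print(verify_sso_ticket(ticket, "10.0.0.9", now=1100))  # IP mismatch is rejected
    sid = app_login(ticket, "10.0.0.5", now=1100)
    print(app_request(sid, "192.0.2.44"))  # app session still resolves from a new IP
    print(session_cookie_header(sid))
```

The order of checks in `verify_sso_ticket` matters: the signature is verified before the expiry or IP fields are interpreted, so a tampered ticket is rejected without any of its contents being trusted. The IP binding is the weak part of this scheme in practice (shared NAT, mobile address changes), which is why keeping the bound ticket short-lived and switching to an unbound application session right after the handoff is the usual compromise.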