This story was updated to reflect that the vulnerability has yet to be fixed and that RBS responded to an amateur security researcher's email. A previous version erroneously reported the security hole had been closed and that the bank never sent a reply. After more than three weeks of notice, Royal Bank of Scotland has yet to …
"Och aye, leave it fair the noo. We'll save a few pence."
Where did he send the email to? If all it took to get it fixed was a call to RBS' PR dept, by The Reg, it suggests that he didn't send it to the right place. That's the trouble with email, you don't know who is at the other end, or if it actually arrives. I would have called them.
Oh heck no. I would *never* report a security issue to anybody, for fear they'd just accuse me of trying to hack the bank. On this side of the pond it's safest to assume the worst, and too often you're proved right.
I'd just close my account as quickly as possible and move to another bank.
Re: Och Aye
What he should have done
A full how-to should have been published about this exploit
They would have fixed it pretty quickly then.
Mad idiot to try this
So this guy actually tested the vulnerability, and you've published his name? What a crazy idiot! Has he not heard of Daniel Cuthbert?
Well, one arm of RBS has only recently got an online banking application working with Java 6, the previous version worked only with Java 1.4.2...
So in relative terms, this is instantaneous ;-)
A contemptible person an idiot.
RE: Knobber Comments
Still more polite than my Scottish father-in-law. 'Course he's dealing with the added irritation of having to look up to me whenever we talk... and to just about everyone else around here I guess as I'm 6 foot one which is only slightly over the average height here.
Hmmm, something is odd here
The worldpay server should be on another domain.
And the merchant website should not be on that domain.
So how is this working?
If the hacker has to be a merchant they are going to be found out pretty quick, and the merchant must be able to include code that runs on worldpay servers that worldpay does not bother to check. So, worldpay needs to stop taking code it does not check.
If Worldpay is running on someone's domain, via some plugin, then that domain already has access to everything, so that setup needs to change.
If it is something else, then it must be exploiting something more than XSS trust relationship. Sure, if you compromise a user's browser first you get everything, not much you can do about that.
I suspect this is something deeper, but it could just be a test where he can do it on his machine or with his relationship to worldpay, but not just any old random site could set up this vulnerability.
I think I may investigate further.
I wonder ....
It could be they were doing something stupid with the get request.
The query string could link to some resource address directly that could just be flipped to point to some code. Hmm, probably something like that.
That is more of a server side application problem, if it is that.
Really it is tantamount to blaming cars, because getaway cars are used in bank jobs, but of course motorbikes, buses, trams, helicopters or just plain walking could be used to get away, and the attention should be on the bank robbery itself, and ways to prevent that.
But, without details who can really tell.
RE: Hmmm, something is odd here
The answer is there already. It's using XSS. Look it up. The whole point of XSS is it is the trusted server that serves up the bad code.
...never heard of redirects
@anonymous coward 1...
have you never had a verified by visa payment on the tinterweb?
when you make a payment your p0rn provider redirects you to provider x's verified by visa / master card site and you ram your details in there.
they let you know ahead of time you're being bounced around.
there's no plugins or any other such ropey crap
for this exploit to work, all you'd have to do is modify someone's payment page that uses worldpay as their payments provider and insert the exploit
bingo farmed data and it all looks entirely proper from a user's point of view, the only way they would know any better would be to grok the code on the page, which may not even be there as it can be loaded from a separate file at runtime
it is fairly nasty
probably best to just report things like this to el reg immediately and let them beat the idiots round the head with a 10 pound kipper
Do a Ken Dodd
Stick your cash under the bed dear chaps, it never did Ken Dodd any harm and when Hector the inspector got wind of it and had him taken before m'lud, 'ole Doddy made him into a laughing stock and they lost the case and got stuffed with the expenses - someone should have warned him that Dodd is a comedian of note.
The power of comedy, albeit ridicule is usually the best way of effecting change.
Mine's the one with all us Dodds out here removing our hard earnt dosh to safety
I wonder if this is why their server was timing out last night when She Who Must Be Obeyed (yes, some Reg readers can manage relationships with the opposite sex) was trying to buy some fabric.
>>when She Who Must Be Obeyed (yes, some Reg readers can manage relationships with the opposite sex)
Not for much longer if you refer to her as 'She Who Must Be Obeyed'. The politically correct choice these days is 'Old Ball & Chain', isn't it?
Quickest route to fix the issue.
Send an email to RBS with CCs to The Sun, Globe and Mail, and a few other newspapers. Trust me the issue would be fixed in record time as the cost to fix will be a lot less than the cost to repair the image.
Re: Re: Worldplay?
How's she going to find out when there are no women on the internet?
At the risk of making a serious comment....
....I posted this to a friend who works as an accountant at RBS in Edinburgh. Not to belittle the security lapse he pointed out that any losses through fraud are covered by the bank, so no need to stuff your money in mattresses yet.
And remember, accountants control everything, the cost of fixing this quickly almost certainly exceeded the potential monetary risk faced by the bank between discovery and correction.
RE: At the risk of making a serious comment....
"And remember, accountants control everything, the cost of fixing this quickly almost certainly exceeded the potential monetary risk faced by the bank between discovery and correction."
Which is a nicer way of putting my initial comment ("Och aye, leave it fair the noo. We'll save a few pence.").
The problem with this approach is that it doesn't show any regard for the customer whose information ends up being bandied about by who knows for what future use... and once that information is 'out there' it is 'out there' forever. But hey, the bank saved 'a few pence' so why should they give a s**t - their only responsibility is to their stockholders who care only about ROI -and who will, it is to be hoped, be among those whose details are revealed.
Yes I know that last sentence is somewhat vindictive but I'm tired of the kind of thinking that says 'Our bottom line is all that matters so go f**k yourselves'.
Re: She Who Must Be Obeyed
The only 'politically correct' option in this context is making sure she doesn't have any evidence of you using the terminology. What 'She who must be obeyed' doesn't know won't hurt her :-)
Would be AC for obvious reasons, but the old ball and chain doesn't read this site.
"any losses through fraud are covered by the bank"
Perhaps that's the way to get their attention, then? Transfer someone else's money (preferably that belonging to the bank CEO, as he'll have plenty) to your own account, get a written statement, and then hack it out again (to a numbered account somewhere) and claim a refund...
So what would an acceptable time frame be?
To identify root cause, check for other potentially affected areas, provide a fix and integrate and test it properly?
Three weeks is a long time but I can well imagine it would take a week to get prioritised correctly, especially if the vulnerability was sent to the wrong people, and a week to implement the fix provided everything went well.
Sorry to dissapoint you regarding bank's only responsibility being to their customers, but RBS has one of the best corporate social responsibility policies in the FTSE 100.
Staff can take time off, fully paid, to help out the local communities
Staff in East London help local schools with reading clubs
RBS recently cleared up an old commercial forest in Berkshire and returned it to as it was.
RBS sponsor unfashionable sports (women's golf etc)
They never did subprime mortgages (although have been stung by the US ones)
...since the tossers STILL don't have an SPF record.
Yes but remember......
......dedicated software companies often take longer than three weeks to fix vulnerabilities. And who's to say anyone's account was accessed fraudulently through this? To get annoyed at this is probably just a symptom of the annoying facts you have to use a bank in modern society and they always manage to extract a few of your hard earned pounds.
Anyhow, are some of you guys living in an IT induced fug that makes you think we live in some sort of computing and financial utopia, where things get done in real time?
(Can't believe I'm defending a bank.....immoral trade in my opinion....)
RE: Sorry to dissapoint
Well golly I guess that lets them off the hook then re protecting their customers.
(not belittling their other efforts)
And that's 'disappoint' - yes, yes. I know - small-minded pedantry.
3 weeks is good for RBS
2 1/2 of those weeks was probably spent with a multitude of people from different sections of group technology discussing the issue on conference calls. I could give you more insight but they made me sign so much crap that I'm not allowed to even think bad things about them - I call it RBSology.
To the AC who wrote:
"Well, one arm of RBS has only recently got an online banking application working with Java 6, the previous version worked only with Java 1.4.2...
So in relative terms, this is instantaneous ;-)"
Em, Java 1.4.2 was fairly current on System i which is probably what RBS uses since it is leagues ahead in security and capability than an equivalent MS box. Different OS and platforms have different version numbering for software. Imagine the complaints and downtime if RBS ran windows boxes to run their core systems... You'd be standing at the Cashline machine for hours just waiting for your PIN to be verified!
On the timescale thing, Tom Peach is bang on. You wouldn't just fire in and write a bit of C# or Java to solve this one would you! Having been on an ISO27k course with a couple of blokes from RBS, 3 weeks sounds pretty damn quick! Security fixes need to be carefully implemented or you'd end up opening a whole load of other holes.
Paris because holes were mentioned... uhuh.
Lunch here and not much else to do so...
Exactly (assuming you mean NOT impressive). Just average these days (which was my point) except in many areas of Scotland. After a while politeness was all that kept me from kicking anybody who said "Ho Ho. If you were any longer you'd be late. Ho Ho."
A charming wee people (their lack of height more than compensated for by their opinion of themselves).
Except for a few who described themselves as highlanders. Not used to talking to somebody's chest. Yes, stereotypes sometimes hold true.
Of course it may have been pure chance that in all my time there the majority of the people I met I just happened to dwarves.
RBS, corporate responsibility?? These are one of the bankers that provided Tom Hicks and George Gillett with a leveraged loan to purchase Liverpool football club and have gone cap in hand to shareholders asking for £10/12bn, responsible, you're havin' a laugh...
Comment to Self
"Of course it may have been pure chance that in all my time there the majority of the people I met I just happened to dwarves."
Slip of the keyboard - should obviously have been "just happened to BE dwarves" but the other could of course make just as much sense if taken to explain their existence as the product of 'a union between dwarves', to put it delicately, and a consequent unwanted pregnancy.
OK so a few years have passed since I worked in the Scottish Banking sector... but in those days there were virtually no staff who understood IT.... it had all been designed and built by outsiders.
So contacting the bank wouldn't do much good...they probably didn't understand what you were saying. Even if the message was understood, the banks tended to have a complacent attitude to electronic security... the main risk being seen as reputational, and requiring an actual exploit to hit the headlines.... which given the banks' reticence to admit to anything is highly unlikely....particularly as the Scottish broadsheet press is pretty tame on this stuff.... (financial journalists have a VERY nice life here and don't rock boats)
Even if the message percolated through to someone who understood it....getting any change made would be a laborious process, involving many meetings with IT illiterate senior managers. In my experience three weeks to get anything IT related to happen would be warp speed and require evidence of large amounts of money flowing out of a PLC sized client's account.
The complacency and ineptitude in the Scottish financials I worked in had to be experienced to be believed.
Early on I had a manager saying that I would be the first person suspected if their (in)security was compromised after informing him of (another) whopping hole in the machines acting as gateways between the Internet and their mainframe (default install of NT4/IIS4, anyone)
There should be an icon of head being hit on desk.... but Paris will do since I'd invest in her before RBoS or HBoS.
Big faceless corporate
Banks attract and mould a certain type of "IT professional". Your be-suited, middle management wannabe who has little interest (or ability) in technical excellence, always going for the easy (read expensive and completely unsuitable) option, spouting excuses why things can't be done, outsourcing solutions (and, hence, blame and any responsibility) wherever possible.
RBS did have a lot of good techs, most of them contractors or staff assimilated into the organisation by the aggressive borg takeover policy. Most of them have now left - bullied out or disillusioned by the endless meetings and any form of even slightly leading edge technical challenges. You can have a job for life at RBS, if you're prepared to nod your head on cue (like the Churchill dog) and go with the flow (more like a trickle).
WorldPay is just a brand label of a failing, poorly managed banking organisation. I'd suggest customers take their business to somewhere which actually takes pride in implementing good technical solutions, providing decent service and whose prime interest isn't maximising the bottom line by eliminating (or buying up) the competition. RBS like their brands - WorldPay, RBS Streamline, BiBit, TrustMarque. Insurance? Churchill, Direct Line, Tesco, Privilege, etc. They like to give the impression there's choice in the marketplace, what they really want is a monopoly.
The internet is a fast moving, constantly evolving entity. Your bank is a big, slow, lumbering, gluttonous giant. They cannot hope to keep up with the technical pace that internet services demand.
Stating the obvious...
Er, if someone has set up a fake e-commerce site, why would they need to use worldpay to harvest a user's details? They would simply take them. Doh.
Lame, Lame, Lame...
I worked for RBS for 6 years until quite recently and I promise you, this is NOT unusual. Unless the news had hit the BBC's headlines, it's just seen as a bunch of geeks whinging about something that will probably never happen.
They're FAR too busy wondering which parts of the bank to sell to make up for their last few fuck-ups, to worry about something DIFFICULT.
No I loved working there, honest. *cough* tossers *cough*