Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

Halifax Bank scans the machines of surfers that land on its login page whether or not they are customers, it has emerged. Security researcher Paul Moore has made his objection to this practice – in which the British bank is not alone – clear, even though it is done for good reasons. The researcher claimed that performing port …


  1. Anonymous Coward

    What happens when they scan an IP address whose ports are shared dynamically by many of the ISP's customers? That is then not just their customer they are scanning - even though I suspect such an ISP NAT will only have outgoing connections?

    1. Tsurotu

      It's scanning 127.0.0.x, I just had a look. It all pops up on the browser debug console.

      1. Dazed and Confused Silver badge

        "It's scanning 127.0.0.x"

        Well there's a big difference between opening port 59xx to listen on 127.x.y.z and listening to VNC connections more generally. This also means they are failing to test whether you're protected by a firewall. On Linux boxes I'd often have VNC ports open, but that's got nothing to do with malware.

    2. Parax

      It's a local scan (in web page code) not a remote port scan.

      That's a big CMA difference if you ask me (local versus remote).

      1. sabroni Silver badge

        If I run a port scan of your machine from my machine it's bad, but if I upload a port scanner to your machine that's ok?

        I would argue the former is less invasive.

      2. Aitor 1 Silver badge

        Code

        They are running code in my machine without my explicit consent for their own benefit...

        1. elDog Silver badge

          Re: Code

          Agree. And I have so few computer resources (only 2^16 ports, etc.) that I don't want to waste precious CPU cycles looking for local ports that are open.

          Actually, another problem is the incredible hits these scans make in my logs and debuggers.

        2. aks Bronze badge

          Re: Code

          It's certainly only for their benefit. If it was for your benefit, they'd inform you that you were at risk.

        3. Donn Bly

          Re: Code

          They are running code in my machine without my explicit consent for their own benefit..

          That statement is correct for just about any website that you visit, including this one. If that alone were the problem then every website that uses any kind of browser scripting would run afoul.

          You didn't explicitly give the site permission to validate that you entered a valid date before submitting the form? Then that would be a violation in your eyes.

          I don't use the bank, but I can definitely see the utility of doing a mini-scan warning you of potential RAT or remote access software being active before you are given the chance to enter your userid or password. However, it should probably be put on the page as a first step, i.e., a message displayed that says "click continue to run a prerequisite security check before entering your userid".

        4. John Smith 19 Gold badge
          Unhappy

          They are running code in my machine without my explicit consent for their own benefit...

          Exactly.

          It's the lack of consent he's arguing makes this illegal.

          OTOH if it's after you logged in to their site (as a customer) then it's "It's in our T&Cs you agree to have your ports scanned," which is entirely different.

          I think he has a case and it does look like a case of "one law for us, another for them."

          1. Kabukiwookie

            Re: They are running code in my machine without my explicit consent for their own benefit...

            Law supersedes any wording in private contracts if the private contract breaks the law.

            1. John Brown (no body) Silver badge

              Re: They are running code in my machine without my explicit consent for their own benefit...

              "Law supersedes any wording in private contracts if the private contract breaks the law."

              Except where the law has a loophole for consent and the T&Cs require you give that consent for security purpose.

          2. Dr. Mouse Silver badge

            Re: They are running code in my machine without my explicit consent for their own benefit...

            I agree that this is a simple matter of consent.

            Most pages now have JS running, but this is mostly in order to do what the visitor is there to do (view/interact with the page). There is implicit consent, as vague as that might be.

            In this, they are performing a scan of your private resources without consent. It would be easy enough for them to add a "we must scan your computer for security reasons" page before doing so, get consent, and even allow storage of that answer to avoid it in future.

            If it's fine for the banks to do this without consent, it should be fine for security researchers (which, IMHO, it should). If it's not allowed for security researchers to do so without consent, the banks should need consent too.

            1. tiggity Silver badge

              Re: They are running code in my machine without my explicit consent for their own benefit...

              There's no implicit JS consent with me.

              Scripts are blocked by default for any new site I visit.

        5. David Nash Silver badge

          Re: Code

          "They are running code in my machine without my explicit consent for their own benefit..."

          I'm not defending the port scanning but every web page that has JavaScript is running code in your machine without your explicit consent.

          1. Dr. Mouse Silver badge

            Re: Code

            "I'm not defending the port scanning but every web page that has JavaScript is running code in your machine without your explicit consent."

            Most of that is to operate the site itself: To handle interactions, make things pretty, create a better user experience. Some is about adverts, but we have to accept that as part of the site, too. The parts which are part of the site have implicit consent in that you are wanting to view the page, and I think that's good enough for that. Some is about tracking etc., but that's more controlled than it once was and requires a greater level of consent.

            This is a scan of private resources without consent. I think that's a very different thing.

      3. Jeff 11

        "It's a local scan (in web page code) not a remote port scan.

        That's a big CMA difference if you ask me (local versus remote)."

        I don't know why this comment is getting downvoted. No individual or remote system is connecting to your machine, and this (invasive, I agree) action is triggered by your browser downloading some asset on a system you are using voluntarily.

        I agree there are ethical ramifications as this information is reported back and used 'somewhere'. But legally, I can't see how this could be any more a violation of the CMA than almost every media website the world over checking to see if you're running an adblocker in your browser, or downloading and running a script that performs port checks on your machine using netstat.

        1. Eddy Ito Silver badge
          WTF?

          I don't see the point of running the scan really. So you've got some open ports, what of it? Are they going to kick you out if you've dedicated a port for something if it also happens to be commonly used by a RAT? It's none of their concern what ports I choose to have open even if it's a dumb idea. Have they put up a policy that says you must have ports x, y, & z closed in order to connect?

          1. Anonymous Coward

            It's to shift blame

            @ Eddy Ito

            "I don't see the point of running the scan really."

            As they are sending the data back to be stored, it's to shift the blame for any dodgy stuff happening to your account.

            Once they have recorded you had open ports, any misuse of your account is going to get blamed on you.

            It shifts any blame for intrusion afterwards to you for having an open port.

          2. John Brown (no body) Silver badge

            "Have they put up a policy that says you must have ports x, y, & z closed in order to connect?"

            Maybe they are just collecting information to be used against you if any money goes missing from your account? "Well sir, on at least 4 previous occasions you have logged into our online banking service and we have proof you had open ports used by RATs, therefore we deny any responsibility for losing your money. You were hacked and we can 'prove' it"

        2. Alan Brown Silver badge

          " this (invasive, I agree) action is triggered by your browser downloading some asset on a system you are using voluntarily."

          Um no. It's no different to surreptitiously kicking off a coinminer in the background when I visit your website.

          _Other_ sites such as IRC networks and suchlike are looking at what ports you have open from the outside (mainly to ensure you're not an open proxy) they're not stealing cycles to run a scanner on the victim box and then using that victim box to report details of the internal network which would be shielded from the attacker even on a well-firewalled installation.

          Shit like this is why I use scriptblockers.

          1. JohnFen Silver badge

            "Shit like this is why I use scriptblockers."

            Precisely. And I don't turn them off just because I'm at a bank's website.

        3. JohnFen Silver badge

          "No individual or remote system is connecting to your machine"

          I disagree. The Banks' website (a remote system) is performing the scan. That it does so by downloading code to your machine and running it from there doesn't seem relevant to this point.

    3. Adam 1 Silver badge

      what's the point anyway

      It is executing JavaScript code. That is logically equivalent to asking the browser whether the password was right. Anything done on the client side is by definition untrustworthy. 10 seconds for lowlifes to install some Chrome plug-in to block that JS file.
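The thread above describes a login page whose JavaScript probes loopback addresses from inside the browser and reports back. As an added example (not from the article or any commenter), here is how a defender could spot that fan-out pattern in a HAR export from the devtools Network tab: requests to 127.x/localhost are grouped by the non-local page that issued them (taken from the Referer/Origin header), and any page touching at least `minPorts` distinct loopback targets is flagged. The `bank.example` and `shop.example` hosts and the entries are constructed sample data.

```javascript
// Added example: flag pages that fan out requests to many loopback ports,
// using the HAR 1.2 layout (log.entries[].request.url / .headers).
const LOOPBACK = /^(127(?:\.\d{1,3}){3}|localhost|\[::1\])$/i;

// Hostname of a URL, or null if it does not parse (e.g. "Origin: null").
function hostOf(u) {
  try { return new URL(u).hostname; } catch { return null; }
}

function findLoopbackScans(har, minPorts = 5) {
  const byOrigin = new Map(); // originating site -> Set of "host:port"
  for (const entry of har.log.entries) {
    let target;
    try { target = new URL(entry.request.url); } catch { continue; }
    if (!LOOPBACK.test(target.hostname)) continue;

    // Which document issued the request? Referer or Origin header.
    const hdr = entry.request.headers.find(h => /^(referer|origin)$/i.test(h.name));
    if (!hdr) continue;
    const srcHost = hostOf(hdr.value);
    if (!srcHost || LOOPBACK.test(srcHost)) continue; // local dev tooling talking to itself

    const origin = new URL(hdr.value).origin;
    const port = target.port || (target.protocol === "https:" ? "443" : "80");
    if (!byOrigin.has(origin)) byOrigin.set(origin, new Set());
    byOrigin.get(origin).add(`${target.hostname}:${port}`);
  }
  return [...byOrigin]
    .filter(([, targets]) => targets.size >= minPorts)
    .map(([origin, targets]) => ({ origin, targets: [...targets].sort() }));
}

// Constructed sample HAR: a remote login page probing five loopback targets,
// plus ordinary traffic that must not be flagged.
function entry(url, referer) {
  return { request: { url, headers: referer ? [{ name: "Referer", value: referer }] : [] } };
}
const sampleHar = { log: { entries: [
  entry("https://bank.example/login", null),
  entry("https://bank.example/static/app.js", "https://bank.example/login"),
  entry("http://127.0.0.1:5900/", "https://bank.example/login"),
  entry("http://127.0.0.1:5901/", "https://bank.example/login"),
  entry("http://127.0.0.2:3389/", "https://bank.example/login"),
  entry("http://localhost:22/", "https://bank.example/login"),
  entry("http://127.0.0.1:8080/", "https://bank.example/login"),
  entry("http://localhost:3000/api", "http://localhost:3000/"), // local dev server, ignored
  entry("http://127.0.0.1:5900/", "https://shop.example/"),     // single port, below threshold
] } };

for (const hit of findLoopbackScans(sampleHar)) {
  console.log(`${hit.origin} probed ${hit.targets.length} loopback targets: ${hit.targets.join(", ")}`);
}
```

Tune `minPorts` to your environment; a site that checks one well-known port (a websocket bridge for a hardware token, say) should not trip the same rule as one sweeping a range.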

  2. Tsurotu

    Foaming at the mouth, but the foam kind of makes sense

    I mean, he seems to have made it a crusade, but he does have a point. Hitting a login page doesn't necessarily mean you're a customer...

    1. Aitor 1 Silver badge

      Re: Foaming at the mouth, but the foam kind of makes sense

      The law is ridiculous and makes no sense.

      Either they change the law or it is applied to everyone, not just the poor as it seems to be the case.

      So, to be clear: banks should be allowed to scan before you login, for security, they should disclose it too, and researchers should disclose who they are scanning.

      1. JohnFen Silver badge

        Re: Foaming at the mouth, but the foam kind of makes sense

        I am of the opinion that port scanning should not be prohibited at all. However, if we're going to count it as a prohibited activity, then this:

        "banks should be allowed to scan before you login, for security"

        makes no sense and should be as illegal as it is for everybody else. Scanning after you log in would be OK, as long as you gave consent. But prior to login, there's no way for the bank to know if they have consent or not.

        From a security point of view, it doesn't matter if the scan happens before or after login.

        1. Prst. V.Jeltz Silver badge

          Re: Foaming at the mouth, but the foam kind of makes sense

          "But prior to login, there's no way for the bank to know if they have consent or not."

          Sure there is - put a little button on the login page that says "I consent" which un-greys the name & pwd box.

    2. rmason Silver badge

      Re: Foaming at the mouth, but the foam kind of makes sense

      I sort of agree with him.

      I think.

      All the same, bloody odd hill he's picked to die on, given the general abuses of privacy etc that happen on the internet.

  3. Gideon 1

    Scanning after login is too late; the malware could have got some login details

    Though their website should get your agreement before scanning.

    1. JohnFen Silver badge

      Re: Scanning after login is too late; the malware could have got some login details

      Any malware will get the login details either way. The sorts of scanning the site is doing won't stop that. If the scan shows something suspicious, it's not going to stop you from logging in. It can't, because a port scan of this sort can't possibly be able to determine if you've been compromised with any useful degree of accuracy. If they prevented you from logging in as a result of the scan, they'd be spending a ton of money constantly dealing with customers who have been mistakenly locked out.

      All this sort of scan can do is indicate whether or not further investigation is a good idea.

    2. earl grey Silver badge
      Flame

      Re: Scanning after login is too late; the malware could have got some login details

      They already want your kidney, testicle, and access to your arse.

  4. m0rt Silver badge

    Actually, I am up for everyone being able to scan whoever they like. I, personally, think that will result in a percentage point increase in secure online destinations.

    The law is an ass when it comes to security in the online world. Basically going after low hanging fruit because 'We are doing something' and all that bollockerdash.

    Nmap FTW.

    1. Camilla Smythe Silver badge
      Terminator

      I'm not.

      If I want my ports scanned I can ask, give permission, for someone with an appropriate and legitimate service to do so.

      I do not need some dweeb dropping in on my open ports saying they are or appearing in my logs as being some sort of security scanning service.

      I've never had one of the twats e-mail me to warn me that I might have a security problem. I can only conclude that the service is for themselves or the data is sold on to third parties for profit.

      That's wear and tear on my equipment and uses up my bandwidth along with adding to my electricity bill so they can fuck off into IPTables.

      1. Velv Silver badge
        Gimp

        Re: I'm not.

        Fnarr. Being port probed is “wear and tear on my equipment”

        1. This post has been deleted by its author

          1. m0rt Silver badge

            Re: Fnarr

            Life's hard. :)

      2. Anonymous Coward

        Re: I'm not.

        re: Camilla

        Then you've never had your infected machine send me a phishing email from your machine. If you had, you'd have received an email from me telling you you'd been hacked.

      3. Camilla Smythe Silver badge

        Re: I'm not... However

        If I thought about it and wanted to play nice then if my Bank wanted to scan my ports when I landed on their Login page then they can pop up a message saying something like:

        For added security if you are a customer about to log in to your account we would like to perform an external port scan in order to check that your computer has not been compromised. If we find anything suspicious then we might not allow you to Log In and ask you to contact us.

        Once you have Logged In we will perform an internal port scan to once again verify that your computer has not been compromised. If we find anything suspicious we may lock your account and ask you to contact us.

        If you agree to this then please click Accept to log in. If you do not then please click Reject. You will be redirected to your Home Page.

        Of course the above is not going to happen because if they get it wrong they have to accept liability for it.

        1. m0rt Silver badge

          @camilla Re: I'm not... However

          "If I want my ports scanned I can ask, give permission, for someone with an appropriate and legitimate service to do so.

          I do not need some dweeb dropping in on my open ports saying they are or appearing in my logs as being some sort of security scanning service."

          And that is exactly the mindset that the policy and lawmakers are coming from.

          If malicious hackers were nice people then they wouldn't be malicious hackers. So it is, quite literally, an anarchists state out there in Intercyberweb Land. Those that know this will have a better chance than those that don't. And now with added GDPR you better hope that your house is in order because hacked/leaked data along with insufficient GDPR consideration will result in bankruptcy.

          So as far as I am concerned, if I put anything online I fully *expect* it to be scanned, probed, prodded and slapped for good measure. I don't say 'How dare you!'

          But hey. That is just me.

          1. Alan Brown Silver badge

            Re: @camilla I'm not... However

            "So as far as I am concerned, if I put anything online I fully *expect* it to be scanned, probed, prodded and slapped for good measure."

            127.0.0.1 is explicitly NOT online and I don't expect something outside my network to work out a way of bypassing my firewalls, scan it (and possibly the rest of my internal network) then report back to the attacker's mothership.

            Halifax really haven't thought this one through and their actions go well beyond the bounds of what's reasonable behaviour. CMA most definitely applies - not for the scanning, but for the way they're explicitly bypassing security and attacking the target network, plus running unauthorised attack code on 3rd party computers.

            1. m0rt Silver badge

              Re: @camilla I'm not... However

              "Halifax really haven't thought this one through and their actions go well beyond the bounds of what's reasonable behaviour. CMA most definitely applies - not for the scanning, but for *the way they're explicitly bypassing security* and attacking the target network"

              Then it isn't much in the way of security it is bypassing, then.

              I am not defending Halifax. There is a breach of etiquette here. But at the same time it should be water off a duck's back, not a 'How dare you!' reaction.

              The internet is an unforgiving place to be.

      4. Alan Brown Silver badge

        Re: I'm not.

        "I've never had one of the twats e-mail me to warn me that I might have a security problem."

        If they did you'd probably scream your head off about spam. That was the experience of various voluntary efforts that tried this approach in the 1990s. Shooting the messenger is still a popular pastime.

  5. Herring`

    It is sort of a fair point. If a web server is going to scan my ports to make sure I'm all safe, then I should be able to do the same before I connect. What's the point in having nmap if I can't use it whenever I please?

    1. disgustedoftunbridgewells Silver badge

      I wonder if you could get around this by making a GET / request to Halifax with the header:

      X-Info: If you respond to this request then you agree to be port scanned.

      That's more than Halifax are doing if you have to be port scanned to read about the fact you're agreeing to be port scanned.

    2. Captain Scarlet Silver badge
      Trollface

      I thought the scan was done in the browser on the loopback address (someone stated in the comments above), in that case I think you should be able to scan yourself :P

  6. Crisp Silver badge

    Where does it end?

    If it's ok to scan for security purposes, that sounds pretty benign doesn't it?

    Oh look! Port 23 is open. Surely there's no harm in looking at the banner? Just to make sure that particular implementation of FTP hasn't got any known security vulnerabilities.

    Those login attempts? We were just scanning for common known passwords, just to check that your machine is really secure.

    Those downloads? We're just collecting document meta data. No human has actually read your invoices, statements and holiday photos. Though we strongly discourage using $RIVALBANK$'s services. They aren't nearly as secure as we are.

    1. FuzzyWuzzys Silver badge
      Happy

      Re: Where does it end?

      If the IT dept of my bank started scanning the telnet port (23) looking for an FTP service, I think I'd move my account pronto to be honest! Ha ha!

      1. Crisp Silver badge

        Re: Where does it end?

        Oh I knew it was somewhere in the 20s!

        1. Charles 9 Silver badge

          Re: Where does it end?

          Cleartext FTP is port 21. Secure Shell (encrypted Telnet) is port 22. Cleartext Telnet is port 23.


Biting the hand that feeds IT © 1998–2019