Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

Halifax Bank scans the machines of surfers that land on its login page whether or not they are customers, it has emerged. Security researcher Paul Moore has made his objection to this practice – in which the British bank is not alone – clear, even though it is done for good reasons. The researcher claimed that performing port …

  1. Anonymous Coward

    What happens when they scan an IP address whose ports are shared dynamically by many of the ISP's customers? That is then not just their customer they are scanning - even though I suspect such an ISP NAT will only have outgoing connections?

    1. Tsurotu

      it's scanning 127.0.0.x, I just had a look. It all pops up on the browser debug console.

      1. Dazed and Confused Silver badge

        it's scanning 127.0.0.x

        Well there's a big difference between opening port 59xx to listen on 127.x.y.z and listening to VNC connections more generally. This also means they are failing to test whether you're protected by a firewall. On Linux boxes I'd often have VNC ports open, but that's got nothing to do with malware.

    2. Parax

      It's a local scan (in web page code) not a remote port scan.

      That's a big CMA difference if you ask me. (local versus remote).

      1. sabroni Silver badge

        If I run a port scan of your machine from my machine it's bad, but if I upload a port scanner to your machine that's ok?

        I would argue the former is less invasive.

      2. Aitor 1 Silver badge

        Code

        They are running code in my machine without my explicit consent for their own benefit...

        1. elDog Silver badge

          Re: Code

          Agree. And I have so few computer resources (only 2^16 ports, etc.) that I don't want to waste precious CPU cycles looking for local ports that are open.

          Actually, another problem is the incredible hits these scans make in my logs and debuggers.

        2. aks

          Re: Code

          It's certainly only for their benefit. If it was for your benefit, they'd inform you that you were at risk.

        3. Donn Bly

          Re: Code

          They are running code in my machine without my explicit consent for their own benefit..

          That statement is correct for just about any website that you visit, including this one. If that alone were the problem then every website that uses any kind of browser scripting would run afoul.

          You didn't explicitly give the site permission to validate that you entered a valid date before submitting the form? Then that would be a violation in your eyes.

          I don't use the bank, but I can definitely see the utility of doing a mini-scan warning you of potential RAT or remote access software being active before you are given the chance to enter your userid or password. However, it should probably be put on the page as a first step, i.e., a message displayed that says "click continue to run a prerequisite security check before entering your userid".

        4. John Smith 19 Gold badge
          Unhappy

          They are running code in my machine without my explicit consent for their own benefit...

          Exactly.

          It's the lack of consent he's arguing makes this illegal.

          OTOH if it's after you logged in to their site (as a customer) then it's "It's in our T&C's you agree to have your ports scanned," which is entirely different.

          I think he has a case and it does look like a case of "one law for us, another for them."

          1. Kabukiwookie Bronze badge

            Re: They are running code in my machine without my explicit consent for their own benefit...

            Law supersedes any wording in private contracts if the private contract breaks the law.

            1. John Brown (no body) Silver badge

              Re: They are running code in my machine without my explicit consent for their own benefit...

              "Law supersedes any wording in private contracts if the private contract breaks the law."

              Except where the law has a loophole for consent and the T&Cs require you give that consent for security purpose.

          2. Dr. Mouse Silver badge

            Re: They are running code in my machine without my explicit consent for their own benefit...

            I agree that this is a simple matter of consent.

            Most pages now have JS running, but this is mostly in order to do what the visitor is there to do (view/interact with the page). There is implicit consent, as vague as that might be.

            In this, they are performing a scan of your private resources without consent. It would be easy enough for them to add a "we must scan your computer for security reasons" page before doing so, get consent, and even allow storage of that answer to avoid it in future.

            If it's fine for the banks to do this without consent, it should be fine for security researchers (which, IMHO, it should). If it's not allowed for security researchers to do so without consent, the banks should need consent too.

            1. tiggity Silver badge

              Re: They are running code in my machine without my explicit consent for their own benefit...

              There's no implicit JS consent with me

              Scripts blocked by default for any new site I visit

        5. David Nash Silver badge

          Re: Code

          "They are running code in my machine without my explicit consent for their own benefit..."

          I'm not defending the port scanning but every web page that has Javascript is running code in your machine without your explicit consent.

          1. Dr. Mouse Silver badge

            Re: Code

            I'm not defending the port scanning but every web page that has Javascript is running code in your machine without your explicit consent.

            Most of that is to operate the site itself: To handle interactions, make things pretty, create a better user experience. Some is about adverts, but we have to accept that as part of the site, too. The parts which are part of the site have implicit consent in that you are wanting to view the page, and I think that's good enough for that. Some is about tracking etc., but that's more controlled than it once was and requires a greater level of consent.

            This is a scan of private resources without consent. I think that's a very different thing.

      3. Jeff 11

        "It's a local scan (in web page code) not a remote port scan.

        That's a big CMA difference if you ask me. (local versus remote)."

        I don't know why this comment is getting downvoted. No individual or remote system is connecting to your machine, and this (invasive, I agree) action is triggered by your browser downloading some asset on a system you are using voluntarily.

        I agree there are ethical ramifications as this information is reported back and used 'somewhere'. But legally, I can't see how this could be any more a violation of the CMA than almost every media website the world over checking to see if you're running an adblocker in your browser, or downloading and running a script that performs port checks on your machine using netstat.

        1. Eddy Ito Silver badge
          WTF?

          I don't see the point of running the scan really. So you've got some open ports, what of it? Are they going to kick you out if you've dedicated a port for something if it also happens to be commonly used by a RAT? It's none of their concern what ports I choose to have open even if it's a dumb idea. Have they put up a policy that says you must have ports x, y, & z closed in order to connect?

          1. Anonymous Coward

            it's to shift blame

            @ Eddy Ito

            "I don't see the point of running the scan really."

            As they are sending the data back to be stored, it's to shift the blame for any dodgy stuff happening to your account.

            Once they have recorded you had open ports, any misuse of your account is going to get blamed on you.

            It shifts any blame for intrusion afterwards to you for having an open port.

          2. John Brown (no body) Silver badge

            "Have they put up a policy that says you must have ports x, y, & z closed in order to connect?"

            Maybe they are just collecting information to be used against you if any money goes missing from your account? "Well sir, on at least 4 previous occasions you have logged into our online banking service and we have proof you had open ports used by RATs, therefore we deny any responsibility for losing your money. You were hacked and we can 'prove' it"

        2. Alan Brown Silver badge

          " this (invasive, I agree) action is triggered by your browser downloading some asset on a system you are using voluntarily."

          Um no. It's no different to surreptitiously kicking off a coinminer in the background when I visit your website.

          _Other_ sites such as IRC networks and suchlike are looking at what ports you have open from the outside (mainly to ensure you're not an open proxy) they're not stealing cycles to run a scanner on the victim box and then using that victim box to report details of the internal network which would be shielded from the attacker even on a well-firewalled installation.

          Shit like this is why I use scriptblockers.

          1. JohnFen Silver badge

            "Shit like this is why I use scriptblockers."

            Precisely. And I don't turn them off just because I'm at a bank's website.

        3. JohnFen Silver badge

          "No individual or remote system is connecting to your machine"

          I disagree. The Banks' website (a remote system) is performing the scan. That it does so by downloading code to your machine and running it from there doesn't seem relevant to this point.

    3. Adam 1 Silver badge

      what's the point anyway

      It is executing JavaScript code. That is logically equivalent to asking the browser whether the password was right. Anything done on the client side is by definition untrustworthy. 10 seconds for low lifes to install some Chrome plug-in to block that js file.

  2. Tsurotu

    Foaming at the mouth, but the foam kind of makes sense

    I mean, he seems to have made it a crusade, but he does have a point. Hitting a login page doesn't necessarily mean you're a customer...

    1. Aitor 1 Silver badge

      Re: Foaming at the mouth, but the foam kind of makes sense

      The law is ridiculous and makes no sense.

      Either they change the law or it is applied to everyone, not just the poor as it seems to be the case.

      So, to be clear: banks should be allowed to scan before you login, for security, they should disclose it too, and researchers should disclose who they are scanning.

      1. JohnFen Silver badge

        Re: Foaming at the mouth, but the foam kind of makes sense

        I am of the opinion that port scanning should not be prohibited at all. However, if we're going to count it as a prohibited activity, then this:

        "banks should be allowed to scan before you login, for security"

        makes no sense and should be as illegal as it is for everybody else. Scanning after you log in would be OK, as long as you gave consent. But prior to login, there's no way for the bank to know if they have consent or not.

        From a security point of view, it doesn't matter if the scan happens before or after login.

        1. Prst. V.Jeltz Silver badge

          Re: Foaming at the mouth, but the foam kind of makes sense

          "But prior to login, there's no way for the bank to know if they have consent or not."

          sure there is - put a little button on the login page that says "I consent" which un-grays the name & pwd box.

    2. rmason Silver badge

      Re: Foaming at the mouth, but the foam kind of makes sense

      I sort of agree with him.

      I think.

      All the same, bloody odd hill he's picked to die on, given the general abuses of privacy etc that happen on the internet.

  3. Gideon 1

    Scanning after login is too late; the malware could have got some login details

    Though their website should get your agreement before scanning.

    1. JohnFen Silver badge

      Re: Scanning after login is too late; the malware could have got some login details

      Any malware will get the login details either way. The sorts of scanning the site is doing won't stop that. If the scan shows something suspicious, it's not going to stop you from logging in. It can't, because a port scan of this sort can't possibly be able to determine if you've been compromised with any useful degree of accuracy. If they prevented you from logging in as a result of the scan, they'd be spending a ton of money constantly dealing with customers who have been mistakenly locked out.

      All this sort of scan can do is indicate whether or not further investigation is a good idea.

    2. earl grey Silver badge
      Flame

      Re: Scanning after login is too late; the malware could have got some login details

      They already want your kidney, testicle, and access to your arse.

  4. m0rt Silver badge

    Actually, I am up for everyone being able to scan whoever they like. I, personally, think that will result in a percentage point increase in secure online destinations.

    The law is an ass when it comes to security in the online world. Basically going after low hanging fruit because 'We are doing something' and all that bollockerdash.

    NMAP ftw.

    1. Camilla Smythe Silver badge
      Terminator

      I'm not.

      If I want my ports scanned I can ask, give permission, for someone with an appropriate and legitimate service to do so.

      I do not need some dweeb dropping in on my open ports saying they are or appearing in my logs as being some sort of security scanning service.

      I've never had one of the twats e-mail me to warn me that I might have a security problem. I can only conclude that the service is for themselves or the data is sold on to third parties for profit.

      That's wear and tear on my equipment and uses up my bandwidth along with adding to my electricity bill so they can fuck off into IPTables.

      1. Velv Silver badge
        Gimp

        Re: I'm not.

        Fnarr. Being port probed is “wear and tear on my equipment”

        1. This post has been deleted by its author

          1. m0rt Silver badge

            Re: Fnarr

            Life's hard. :)

      2. Anonymous Coward

        Re: I'm not.

        re: Camilla

        Then you've never had your infected machine send me a phishing email from your machine. If you had, you'd have received an email from me telling you you'd been hacked.

      3. Camilla Smythe Silver badge

        Re: I'm not... However

        If I thought about it and wanted to play nice then if my Bank wanted to scan my ports when I landed on their Login page then they can pop up a message saying something like.

        For added security if you are a customer about to log in to your account we would like to perform an external port scan in order to check that your computer has not been compromised. If we find anything suspicious then we might not allow you to Log In and ask you to contact us.

        Once you have Logged In we will perform an internal port scan to once again verify that your computer has not been compromised. If we find anything suspicious we may lock your account and ask you to contact us.

        If you agree to this then please click Accept to log in. If you do not then please click Reject. You will be redirected to your Home Page.

        Of course the above is not going to happen because if they get it wrong they have to accept liability for it.

        1. m0rt Silver badge

          @camilla Re: I'm not... However

          "If I want my ports scanned I can ask, give permission, for someone with an appropriate and legitimate service to do so.

          I do not need some dweeb dropping in on my open ports saying they are or appearing in my logs as being some sort of security scanning service."

          And that is exactly the mindset that the policy and lawmakers are coming from.

          If malicious hackers were nice people then they wouldn't be malicious hackers. So it is, quite literally, an anarchist state out there in Intercyberweb Land. Those that know this will have a better chance than those that don't. And now with added GDPR you better hope that your house is in order because hacked/leaked data along with insufficient GDPR consideration will result in bankruptcy.

          So as far as I am concerned, if I put anything online I fully *expect* it to be scanned, probed, prodded and slapped for good measure. I don't say 'How dare you!'

          But hey. That is just me.

          1. Alan Brown Silver badge

            Re: @camilla I'm not... However

            "So as far as I am concerned, if I put anything online I fully *expect* it to be scanned, probed, prodded and slapped for good measure. "

            127.0.0.1 is explicitly NOT online and I don't expect something outside my network to work out a way of bypassing my firewalls, scan it (and possibly the rest of my internal network) then report back to the attacker's mothership.

            Halifax really haven't thought this one through and their actions go well beyond the bounds of what's reasonable behaviour. CMA most definitely applies - not for the scanning, but for the way they're explicitly bypassing security and attacking the target network, plus running unauthorised attack code on 3rd party computers.

            1. m0rt Silver badge

              Re: @camilla I'm not... However

              "Halifax really haven't thought this one through and their actions go well beyond the bounds of what's reasonable behaviour. CMA most definietly applies - not for the scanning, but for *the way they're explicitly bypassing security* and attacking the target network"

              Then it isn't much in the way of security it is bypassing, then.

              I am not defending Halifax. There is a breach of etiquette here. But at the same time it should be water off a duck's back, not a 'How dare you!' reaction.

              The internet is an unforgiving place to be.

      4. Alan Brown Silver badge

        Re: I'm not.

        "I've never had one of the twats e-mail me to to warn me that I might have a security problem."

        If they did you'd probably scream your head off about spam. That was the experience of various voluntary efforts that tried this approach in the 1990s. Shooting the messenger is still a popular pastime.

  5. Herring`

    It is sort of a fair point. If a web server is going to scan my ports to make sure I'm all safe, then I should be able to do the same before I connect. What's the point in having nmap if I can't use it whenever I please?

    1. disgustedoftunbridgewells Silver badge

      I wonder if you could get around this by making a GET / request to Halifax with the header:

      X-Info: If you respond to this request then you agree to be port scanned.

      That's more than Halifax are doing if you have to be port scanned to read about the fact you're agreeing to be port scanned.

    2. Captain Scarlet Silver badge
      Trollface

      I thought the scan was done in the browser on the loopback address (someone stated in the comments above), in that case I think you should be able to scan yourself :P

  6. Crisp Silver badge

    Where does it end?

    If it's ok to scan for security purposes, that sounds pretty benign doesn't it?

    Oh look! Port 23 is open. Surely there's no harm in looking at the banner? Just to make sure that particular implementation of FTP hasn't got any known security vulnerabilities.

    Those login attempts? We were just scanning for common known passwords, just to check that your machine is really secure.

    Those downloads? We're just collecting document meta data. No human has actually read your invoices, statements and holiday photos. Though we strongly discourage using $RIVALBANK$'s services. They aren't nearly as secure as we are.

    1. FuzzyWuzzys Silver badge
      Happy

      Re: Where does it end?

      If the IT dept of my bank started scanning the telnet port (23) looking for an FTP service, I think I'd move my account pronto to be honest! Ha ha!

      1. Crisp Silver badge

        Re: Where does it end?

        Oh I knew it was somewhere in the 20's!

        1. Charles 9 Silver badge

          Re: Where does it end?

          Cleartext FTP is port 21. Secure Shell (encrypted Telnet) is port 22. Cleartext Telnet is port 23.

          1. Crisp Silver badge
            Coat

            Re: Where does it end?

            So who's on port 7?

            1. Adam 1 Silver badge

              Re: Where does it end?

              No no no. Who's on first!

  7. Anonymous South African Coward Silver badge
    Trollface

    Set up a PC with tarpitted ports

    I'm sure the bank's IT department will be delighted in having their server's responsiveness messed with.

    1. Herring`

      Except that the scanning is done with Javascript running locally. If they did it from the server, then they'd hit your router and the whacky port forwarding rules that you've got set up there (it isn't just me, is it?)

      1. Pascal Monett Silver badge

        Re: "the scanning is done with Javascript running locally"

        And NoScript to the rescue, again. Ain't nobody port-scanning my computer without my consent !

        1. T. F. M. Reader Silver badge

          Re: "the scanning is done with Javascript running locally"

          NoScript to the rescue

          Take it half a step further: the login page may not work without JS, but it is probably irrelevant for non-customers.

          1. Ian Emery Silver badge

            Re: "the scanning is done with Javascript running locally"

            "Take it half a step further: the login page may not work without JS, but it is probably irrelevant for non-customers."

            But that is the point with NS, you run what scripts YOU want. My bank allows various tracker scripts to run on the log in page - very bad practice, but since I auto block those trackers, Google* knows very little about me.

            The single active script needed to log in is still allowed, so log in works.

            I get VERY grumpy at etailers that try to introduce 3rd party scripts at the final stage of a payment process; the result is nearly always the payment failing, and my order being screwed up for hours (or days), before they clear the issue.

            Sometimes it is for something eminently STUPID, like using a special font from an external source; bugger off, do it in Times or Arial, I'm not letting some unknown 3rd party into my secure session just to make the page look pretty!!!

            *(Ooops)

            1. Charles 9 Silver badge

              Re: "the scanning is done with Javascript running locally"

              But what if the port scan script IS the login script: part and parcel?

            2. Nick Kew Silver badge

              @Ian Emery

              I get VERY grumpy at etailers that try to introduce 3rd party scripts at the final stage of a payment process

              If that's the abomination called "verified by visa" you have in mind, these days my transaction seems to go through just fine if I just back out of it. I presume that's Just One More inexplicable aspect of its brokenness.

              1. Ian Emery Silver badge

                Re: @Ian Emery

                VbV was an early example; and to this day doesn't add any security to your purchase - despite what they say.

                No, as I said, I have encountered a number of scripts, some for 3rd party payment systems, some for cosmetic effects, and more than one script that doesn't appear until the transaction has supposedly finished and you are supposed to be sent to the order summary page with an order reference number.

                The VERY worst was encountered in the payment system for "The Book People"; it has since been fixed, but was so bad I wouldn't use them for a whole year until it was fixed - and I highlighted the issue on several consumer forums after they failed to reply to my complaints about how insecure it was.

            3. Alan Brown Silver badge

              Re: "the scanning is done with Javascript running locally"

              "I get VERY grumpy at etailers that try to introduce 3rd party scripts at the final stage of a payment process;"

              I get very grumpy at contract suppliers who do it at any point along the way. GDPR and personal data harvesting tends to figure in such complaints.

          2. JohnFen Silver badge

            Re: "the scanning is done with Javascript running locally"

            Using NoScript isn't an all or nothing thing. You can allow some scripts to run and not others. That said, if a site doesn't work properly when I have NoScript going, I tend to just not use that website. Even if it belongs to my bank.

  8. Anonymous Coward

    iptables -j TARPIT

    If everybody did that, it would disable the machine doing the port scanning pretty quickly.

    1. Symon Silver badge
      Pint

      Re: iptables -j TARPIT

      ^^ There's the reason I come to this website. Every day's a school day.

      https://www.aaflalo.me/2015/07/fail2ban-tarpit/

      https://sysadminblog.net/2013/08/debian-iptables-tarpit/

      I had no fucking idea that iptables had an addon tarpit function. Thank you very much! Cheers --->

      1. Alan Brown Silver badge

        Re: iptables -j TARPIT

        "I had no fucking idea that iptables had an addon tarpit function."

        Yeah, but in this case you're tarpitting yourself.

    2. T. F. M. Reader Silver badge

      Re: iptables -j TARPIT

      it would disable the machine doing the port scanning...

      ...which is your machine, and behind iptables, innit?

  9. Mycho Silver badge

    CMA is overzealous

    Like most government responses to the existence of these newfangled light boxes with their strange buttons, the CMA could really do with some good faith exemptions. Which I'd say is the most likely result of this lawsuit and the most likely reason for it.

    1. Mike Richards Silver badge

      Re: CMA is overzealous

      The CPS has guidance for prosecutions under Section 3A of the CMA which covers the likelihood that software was being used to break the CMA. Amongst other things, prosecutors should consider:

      • Was the software developed to obtain unauthorised access to a computer?

      • Does the software have legitimate purposes, such as testing a device's security?

      • What was the context in which the software was used to commit the offence compared with its original intended purpose?

      I can't see how he has a case here. The CPS will point to their guidance.

      https://www.cps.gov.uk/legal-guidance/computer-misuse-act-1990

      1. Mycho Silver badge

        Re: CMA is overzealous

        He's not prosecuting them under 3A. The advice for the sections his crowdfunder says he wants to prosecute them under read a lot more like it was dashed out on a Friday at twenty to pub.

      2. aks

        Re: CMA is overzealous

        The CPS should not add new rules to the law but suggest that the law be revised to include more sensible rules.

      3. Anonymous Coward

        Re: CMA is overzealous

        • Was the software developed to obtain unauthorised access to a computer?

        Clearly yes: it was designed to be surreptitiously downloaded from the website to a machine, it then runs on said machine and exfiltrates the results to a remote server in a manner hidden from the user of said website

        • Does the software have legitimate purposes, such as testing a device's security?

        First problem there, is this 'legitimate' legally?

        As the users of the website have not explicitly authorised this scan of their machine, in fact, as it appears to have been hidden from them in the mire of javascript that loads when you visit the login page and then runs automatically in a surreptitious manner, I think not..

        Second problem there is, does this code really test a device's security in a 'legitimate' way?

        If they get the browser to scan the loopback interface on a machine and find anything listening on the port numbers they instruct it to check, what exactly does that prove? Only that there is something listening on localhost and responding. As no check is done from an external host to see if they can connect to the same port numbers on the machine's network interface, then it's a bit of a meaningless check as far as security is concerned. This then brings into question the legitimacy of the code, whatever the original intention was.

        • What was the context in which the software was used to commit the offence compared with its original intended purpose?

        You could argue that the intent of the software was to try and bypass the CMA by design, by getting the code to run on a browser on the target machine they obviously hoped to try and bypass Section 1.1.b of the act,

        from the guidance URL you pointed to

        'Section 17 gives the interpretation of "unauthorised access" for the purpose of section 1. Access is unauthorised where an individual is not entitled to or has not been given consent for the type of access in question.

        The offence of unauthorised access requires proof of two mens rea elements section 1(1) :

        there must be knowledge that the intended access was unauthorised;

        there must have been an intention to secure access to any program or data held in a computer.

        There has to be knowledge on the part of the offender that the access is unauthorised; mere recklessness is not sufficient. This covers not only hackers but also employees who deliberately exceed their authority and access parts of a system officially denied to them.'

        By any definition, this code provides them with "unauthorised access" as at no point has anyone mentioned that consent has been given, informed or otherwise; the fact that the code runs in a 'hidden' manner without any sort of user interaction points to the fact that it was written with 'knowledge on the part of the offender that the access is unauthorised'.

        The mere act of visiting a web page does not equal consent to have your machine scanned by code downloaded from said page and the results of said scan then exfiltrated to third parties. In fact, it could be argued that if there is any sort of dedicated firewall device between the machine running this code and the internet, blocking access to the port numbers they instruct the browser to scan, and by choosing to scan only the loopback interface for listening processes, then this is clearly a deliberate attempt to 'access parts of a system officially denied to them'.

  10. Magani
    Windows

    An open invitation to more unwanted scam phone calls

    Good Morning. I am calling you from Halifax Technical Department. We have noticed a problem with your internet connection. Please download the following software so we can help you.

  11. macjules Silver badge

    Heard that one before

    "Halifax/Lloyds Banking Group are not trying to gain remote access to your device; they are merely testing to see if such a connection is possible and if the port responds. There is no immediate threat to your security or money,"

    1) What if you are online with another (rival) bank at the same time?

    2) I have a Sophos SG UTM software firewall - is that a problem for Halifax? If so, then good.

    3) After the TSB debacle I know that when they say "There is no immediate threat to your security or money" they actually mean, "Oops it's all gone, sorry bout that"

    1. Anonymous Coward
      Anonymous Coward

      Re: Heard that one before

      1) Nothing. The logs show they are just socket checks.

      It is literally, "Are you there? No? Ok."

      2) If you're dropping or otherwise blocking the checks, neato. Nobody cares.

      If your device is a hardware device, in this case no, it wouldn't help you.

      The fact of the matter is that Halifax isn't technically scanning you.

      Halifax is providing you with a piece of Javascript code and having you scan yourself. This is indicated by all of the '127.0.0.1' addresses in Moore's screenshots.

      There are numerous programs to prevent this, if you so desired.

      3) What.

      1. Alan Brown Silver badge

        Re: Heard that one before

        "The fact of the matter is that Halifax isn't technically scanning you."

        No, Halifax is exploiting a security vulnerability of web browsers to induce your computer to run network scanning code - ie, without bothering to get explicit permission first.

        The fact that it's scanning 127.0.0.1 instead of 192.168.0.1-255 or 195.130.217.2[014]1 and 91.220.42.2[014]1(*) isn't relevant. The factor of permission and unauthorised operation _IS_. It would take a couple of tiny tweaks to move this from something apparently benign to something extremely nasty and the fact that its existence has been disclosed means the webserver holding that javascript is now a target for every script kiddie on the planet looking for a DDoS attack engine. As we all know, banking webservers are some of the most secure on the planet.....

        (*) Extra points if anyone recognises those IPs and what the likely reaction would be if they were prodded.

      2. eldakka Silver badge

        Re: Heard that one before

        The fact of the matter is that Halifax isn't technically scanning you.

        Halifax is providing you with a piece of Javascript code and having you scan yourself. This is indicated by all of the '127.0.0.1' addresses in Moore's screenshots.

        Can I claim that defense in court if I grab somebody's arm and smack them in their face with their own fist while saying "Stop punching yourself in the face"?

      3. trydk
        Paris Hilton

        Re: Heard that one before

        @Anonymous Coward, Tuesday 7th August 2018 13:15 GMT

        So, by physical world analogy, it is OK for Halifax to send you a packet containing a robot that surreptitiously scans your home to check that all windows and doors are properly closed, and sends the result off to themselves, neither informing you that they've done it nor of the result? The big difference here is that the robot probably would not go unnoticed, right?

        You cannot in earnest argue that it is OK as you "scan yourself"? If that is a valid argument, it means that anyone making you download a piece of malware goes scot-free as "you did the malicious part yourself". No ma'am/sir, it ain't working that way!

  12. Captain Badmouth
    FAIL

    Security?

    Well I've just scanned their site on the sophos security header website, and they get a "C" grade, failing 4 out of 7 tests. The result is not hidden on the sophos site for all those interested.

  13. This post has been deleted by its author

    1. Pascal Monett Silver badge

      Re: Who is scanning?

      From what I see, most malware is drive-by download these days, and not at all the same as a hacker connecting to your PC directly.

      So I guess you have no problem with the legality of that either ?

  14. RobinCM

    1. Just because something is listening on localhost doesn't also mean it's listening on the machine's network IP address.

    2. Most ISPs supply routers that have NAT firewalls enabled by default, so a machine listening on a private address behind one of those is unlikely to be accessible from the public IP address of the router.

    3. If you're not banner grabbing how do you know what's actually listening?

    4. I'm pretty sure ISPs do or used to do port scans of customer's public IP addresses, Virgin/Telewest definitely used to do that to me years ago. Does that still happen?

    5. I'm slightly concerned that client side JavaScript could be scanning any local IP addresses on my internal network, and wonder what's the legitimate use for this functionality in a web browser? Seems like a drive by IoT disaster waiting to happen.

    1. Adrian 4 Silver badge

      If the client side javascript can scan localhost, I guess that NAT firewall isn't too much use against browser-based attacks.

      1. TRT Silver badge

        Must take an age... scanning all 65,535 of them. Or do they restrict themselves to a handful of well-known ports? And what DO they do if I happen to have a service running on one of them?

        1. Alan Brown Silver badge

          "Must take an age... scanning all 65,535 of them"

          About 1 second, give or take.

      2. Nick Kew Silver badge

        If the client side javascript can scan localhost, I guess that NAT firewall isn't too much use against browser-based attacks.

        Verily, it has come to pass. The world has routed around misguided security.

      3. Androgynous Cupboard Silver badge

        Bypassing the firewall.

        For me that's the interesting point. Not only are they scanning the local machine without consent, but they're doing so after getting past my firewall. Someone mentioned "drive by downloads" above, if you view the portscan itself as illegal then this situation isn't that different.

        I agree on the grand scheme of things it's not a big deal, but the law is the law, and taking this one to court would be useful to clarify the position of anyone who is charged over a portscan in the future. Lord knows I've run a few over the years.

        For that reason alone I've thrown in £50.

  15. Teiwaz Silver badge

    I am actually kind of impressed.

    Too many companies don't think enough about security.

    But I do agree, it should be legal or not, not legal for some corp, and not for everyone else (unless connected to some DOS shenanigans).

    Without permission, and all site visitors - got a point about not being particularly effective after login though. I suppose notification could be in T&Cs, but who reads those, considering they are usually couched in legalese and either incomprehensible or make you want to reach for the bottle or cause your eyes to glaze over.

  16. Anonymous Coward
    Anonymous Coward

    What happens if they find something?

    ring-ring ring-ring

    Hello?

    Good day sir, I am calling from your bank

    ....

    1. Woza
      Joke

      Re: What happens if they find something?

      They wouldn't phone you, that would be absurd!

      They'll probably just send you an email, with a helpful link to click on for more information.

      (Password may be required)

  17. Anonymous Coward
    Anonymous Coward

    GDPR

    They store your IP address presumably and info about your computer. Does this not contravene the GDPR?

    1. activereachmax

      Re: GDPR

      Not necessarily. Network security is usually considered a Legitimate Interest and so capturing IP addresses for security purposes is lawful - as long as the business could show an auditor a Legitimate Interest Assessment and is transparent with the data subject about the collection, who's collecting it, and how to exercise your rights as a data subject with them, as a data controller.

      It's a bit like operating a CCTV camera in that information about you is captured by the system for a legitimate security purpose, but that does not require your consent to be legal.

      1. Anonymous Coward
        Anonymous Coward

        Re: GDPR

        And here is the problem: they are not transparent about their actions, nor would they be able to prove that the port scan had any security benefit. They have no idea what is listening, so it could be anything that just happens to be using the same port. Car analogy time. A white van was used in a bank robbery. We therefore assume all white vans are full of bank robbers and will flag them up as such.

  18. disgustedoftunbridgewells Silver badge

    So if I have a service listening that Halifax doesn't like, then what? They refuse my online banking because some software happens to be listening on a non-privileged port?

    Or do they only scan <=1024? In which case, it's my business if I'm running 'finger' or something equally odd.

    1. TRT Silver badge

      They can go finger themselves.

    2. Craigie Bronze badge

      I just loaded their login page and these are the ports that were scanned:

      3389

      5900

      5901

      63333

      5903

      5950

      5902

      5939

      5931

      5279

      1. Jeffrey Nonken Silver badge

        Those are nowhere near my VNC ports.

        1. Anonymous Coward
          Anonymous Coward

          I know :) Btw, why are you running VNC on port 80? :)

          1. Jeffrey Nonken Silver badge

            "why are you running VNC on port 80?"

            Bwah hah hah hah! Go ahead, try to connect to that. I double-dare you.

    3. John Brown (no body) Silver badge

      "Or do they only scan <=1024? In which case, it's my business if I'm running 'finger' or something equally odd."

      Not to mention the obvious thing. Lots of software uses networking and the loop-back address to communicate internally without ever going onto the wider outside network. *nix users in particular will be aware of this, but Windows is more *nix like these days in that respect too. And then there's the various devices inside the home LAN which are running servers and other services or which need you to be running apps/servers on your desktop PC, the one being scanned by Halifax.

  19. Alan J. Wylie Silver badge

    One law for them, another for us

    Do not forget the case of poor Daniel James Cuthbert, found guilty of an offence under the Computer Misuse Act back in 2005 for adding ../.. to the URL of a charity's web site.

    El Reg article

    There is a very thin line between "intending to secure access" and checking to see if insecurities may be present.

  20. Outer mongolian custard monster from outer space (honest)

    it really scans just the local loopback address?

    Chocolate fireguard level then, cue malware authors just moving their tools to binding only to active ethernet addresses instead of everything in a really short timeframe.

    1. Charles 9 Silver badge

      That can easily backfire. The key about loopback is that it's always there. No other interface is guaranteed, especially if it's transitory like a WiFi connection.

      1. disgustedoftunbridgewells Silver badge

        Alternatively, adding 127.0.0.2 to the lo device and listening only on that.
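Two points raised above are easy to check on your own box rather than argue about: RobinCM's observation that a service listening on localhost is not necessarily listening on the machine's network address, and the suggestion of binding to 127.0.0.2 so that a probe aimed at 127.0.0.1 finds nothing. The script below is an added example, not code from this thread, from Halifax or from Paul Moore. It parses the layout of Linux `ss -ltn` output (the sample capture is constructed), classifies each listening socket by its bind address, and reports which sockets an in-browser request to 127.0.0.1 could see versus which are reachable from the LAN at all, firewall aside. The port list is the one Craigie posted above; the dual-stack assumption for `[::]` is noted in the code.

```python
"""Classify listening sockets by bind address: which ones a browser probe
of 127.0.0.1 could see, and which ones are reachable from the LAN at all.

Added example, not code from the thread or from Halifax. It parses the
output format of Linux `ss -ltn`; the sample output below is constructed.
"""
from __future__ import annotations

import ipaddress
import subprocess
from dataclasses import dataclass

# Ports a commenter above reports the login page probing.
PROBED_PORTS = {3389, 5900, 5901, 5902, 5903, 5931, 5939, 5950, 5279, 63333}

# Constructed sample in the layout of `ss -ltn` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       5            127.0.0.1:631         0.0.0.0:*
LISTEN  0       128          127.0.0.1:5900        0.0.0.0:*
LISTEN  0       128          127.0.0.2:5901        0.0.0.0:*
LISTEN  0       128               [::]:3389           [::]:*
LISTEN  0       128       192.168.1.20:8080        0.0.0.0:*
"""


@dataclass
class Listener:
    addr: str   # local bind address as printed by ss
    port: int
    scope: str  # "loopback", "all-interfaces" or "specific"


def classify_bind(addr: str) -> str:
    """Map a bind address to its exposure scope."""
    if addr in ("*", "0.0.0.0", "::", "[::]"):
        return "all-interfaces"
    bare = addr.strip("[]").split("%")[0]   # drop IPv6 brackets / zone id
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:
        return "specific"                    # hostname or other oddity
    return "loopback" if ip.is_loopback else "specific"


def parse_ss_listen(output: str) -> list[Listener]:
    """Parse `ss -ltn` style text into Listener records."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                          # header or unrelated line
        addr, port = parts[3].rsplit(":", 1)
        listeners.append(Listener(addr, int(port), classify_bind(addr)))
    return listeners


def seen_by_loopback_probe(l: Listener, probe_addr: str = "127.0.0.1") -> bool:
    """Would an in-browser request to probe_addr:port find this socket?
    Assumption: dual-stack host, so a socket on [::] also answers on 127.0.0.1."""
    if l.scope == "all-interfaces":
        return True
    return l.addr.strip("[]").split("%")[0] == probe_addr


def exposure_report(listeners: list[Listener]) -> dict[str, dict]:
    """One row per socket: visible to a 127.0.0.1 probe? reachable off-host
    (firewall aside)? on the probed-port list?"""
    report = {}
    for l in listeners:
        report[f"{l.addr}:{l.port}"] = {
            "scope": l.scope,
            "seen_by_loopback_probe": seen_by_loopback_probe(l),
            "lan_reachable": l.scope != "loopback",
            "in_probed_list": l.port in PROBED_PORTS,
        }
    return report


def live_report() -> dict[str, dict]:
    """Run the real `ss -ltn` on this Linux host (assumes ss is installed)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True,
                         check=True).stdout
    return exposure_report(parse_ss_listen(out))


if __name__ == "__main__":
    for key, row in exposure_report(parse_ss_listen(SAMPLE_SS_OUTPUT)).items():
        print(f"{key:22} {row}")
```

In the constructed sample, VNC on 127.0.0.1:5900 is visible to the loopback probe but not from the LAN, the same service moved to 127.0.0.2:5901 is visible to neither, and RDP on [::]:3389 is visible to both. Run `live_report()` to get the same table for the host you are sitting at.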

  21. VRocker

    I actually noticed this back in 2016 and it put me off banking with them back then. I did find it a bit strange that they were trying all sorts of port scans, including RDP and VNC.

    They say it's for 'scanning for malware' but they never actually alert the users that they found open ports (or didn't last time I checked). I have RDP enabled on this machine but not to the internet obviously. The port is checked from your machine (Websocket from the check.js) so even if it's not open to the internet the scanner should find it 'open' and report back. Nothing flags up in pfsense about any outside scans so they're not checking if it is open to the internet, but yet I get no 'alert' to say they found something suspicious on my machine, so what is it actually used for?

    I imagine the way they'll get around this thing is that the scan is done by your own browser rather than their servers so they're not technically scanning you...

  22. Potemkine! Silver badge

    "One rule for banks, another for us"

    What's new, pussycat?

  23. Christoph Silver badge

    So will they have no objection if I run a full penetration test suite on their site to make sure they are secure enough for me to consider becoming a customer?

    Oh, and I'd like to check that they can cope with a DDOS attack so I don't lose access if someone attacks them.

    For Security, you know.

  24. Giovani Tapini
    Flame

    I tend to agree this is less than a good idea

    If it is reasonable to do a portscan at all it should be part of the login process. The Halifax comment saying that they want to protect customers is fine, except you are not just protecting customers.

    I am not a fan of this even as an idea though, financial services companies should not perform actions they would otherwise be defending against. That's just wrong.

    Scanning non-customers is not against the CMA as far as I understand it. Vulnerability scanning does not require full consent in the UK (albeit that's advice, I don't believe it has been tested in court).

    Are they going to tell people they are vulnerable? What if they are not a customer and identify vulnerabilities? It opens an unnecessary can of worms without any apparent benefits.

    I should imagine most people scanned would not provide a sensible result anyway if they are behind any kind of commercial firewall or NAT based router at the end of their broadband.

    1. Charles 9 Silver badge

      Re: I tend to agree this is less than a good idea

      "If it is reasonable to do a portscan at all it should be part of the login process. The Halifax comment saying that they want to protect customers is fine, except you are not just protecting customers."

      The scan MUST be done BEFORE the login. Any point after is Too Damn Late; the malware can already read your credentials.

  25. Uberior

    Well, he's not going to get far with legal action against "Halifax Bank" is he?

    "Halifax" is just a brand name. The banking licence is held by Bank of Scotland, which is owned by Lloyds Banking Group.

  26. Flocke Kroes Silver badge

    Another reason to disable javascript

    I do not usually put much thought into javascript because I have kept it disabled since it was first dumped on the internet. Now that I know javascript can connect to arbitrary ports on localhost I spent a few seconds thinking of a way to abuse the capability. The glaringly obvious attack is to connect to the X server because there will be a valid authentication record in ~/.Xauthority

    [Frothing at the mouth snarling rant aimed at programmers who created this advertisers' wet dream without spending even a few seconds considering the collateral damage any time they add a "cool new feature".]

    X protocol is a pain to implement. So awful that the server and client code is mechanically generated from the definition. A reasonably clever programmer could use the same technique to create a javascript X client for malware. Too late, already happened.

    1. stephanh Silver badge

      Re: Another reason to disable javascript

      Fortunately in-browser JavaScript does not allow arbitrary TCP connections. The "port scan" is done by making HTTP requests and timing how long it takes to error.

      So this cannot be used to connect to an unsecured X server running locally, although it may be able to *detect* such a server.

      (Note that the link was to a Node module, which *can* create arbitrary TCP connections.)

      1. Alan Brown Silver badge

        Re: Another reason to disable javascript

        > The "port scan" is done by making HTTP requests and timing how long it takes to error.

        Your 'port scan' can trivially be someone else's DDoS if this kind of shit is embedded in a popular website.
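stephanh's distinction above is the one that matters for anyone running a service on localhost: page JavaScript cannot open a raw TCP connection, so it can only *detect* that a port answers, but a service that speaks HTTP will happily act on a browser-made request unless it checks where that request came from. The following is an added example, not code from the thread, from Halifax or from Paul Moore: a minimal loopback HTTP service that refuses to serve requests a third-party page makes on the visitor's behalf, using the Host header (against DNS rebinding), the Sec-Fetch-Site header that current browsers attach, and the Origin header. The port number and allow-lists are assumptions for the demo. Note the caveat this reinforces: a timing probe of the kind described above still learns that the port is open, because the TCP connection succeeds before the 403 is sent; what this check prevents is the service being driven cross-site.

```python
"""Origin / Fetch-Metadata check for a service bound to 127.0.0.1.

Added example, not from the thread or any bank. A browser-initiated
cross-site request can still *reach* the port (so a timing probe can
detect it), but the service refuses to act on it. Port 8765 and the
allow-lists are assumptions for the demo.
"""
from __future__ import annotations

from http.server import BaseHTTPRequestHandler, HTTPServer

SERVICE_PORT = 8765  # assumption for the demo
ALLOWED_HOSTS = {f"127.0.0.1:{SERVICE_PORT}", f"localhost:{SERVICE_PORT}"}
ALLOWED_ORIGINS = {f"http://{h}" for h in ALLOWED_HOSTS}


def request_allowed(headers) -> tuple[bool, str]:
    """Decide from request headers whether a browser-originated request may
    be served. `headers` is any mapping with .items() (a dict or the
    email.message.Message that http.server hands to a handler)."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Host must be one we expect; anything else points at DNS rebinding.
    if h.get("host", "") not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # 2. Fetch Metadata (sent by current browsers) names the requesting site;
    #    a page on some other site must not drive this service.
    if h.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"
    # 3. Origin is sent on CORS fetch/XHR and on non-GET requests; when it is
    #    present it must be our own origin.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"
    return True, "ok"


class LoopbackOnlyHandler(BaseHTTPRequestHandler):
    """Serves only requests that pass request_allowed(); everything else
    gets a 403 and a log line, which is where detection of drive-by
    probing of this service would hook in."""

    def do_GET(self):
        ok, reason = request_allowed(self.headers)
        if not ok:
            self.log_message("rejected: %s", reason)
            self.send_error(403, "Forbidden", reason)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from a loopback service\n")


def serve(port: int = SERVICE_PORT) -> None:
    """Bind to loopback only (the RobinCM point above) and serve forever."""
    HTTPServer(("127.0.0.1", port), LoopbackOnlyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Start it, open http://127.0.0.1:8765/ directly and it answers; have any other page fetch the same URL and the handler logs the rejection and returns 403. The same three checks apply, in whatever language, to any local agent or dev server that listens on a loopback port.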

  27. Anonymous Coward
    Anonymous Coward

    Lloyds and recent JavaScript changes

    Within the past two weeks, Lloyds has changed their site so that JavaScript seems now to be necessary in order to use their online banking. When it's allowed, it makes typing in the user ID / password very sluggish and unresponsive though (as in can type 7-8 characters before they appear). I don't know what's going on, but I don't like it.

    Needless to say there's no chance of getting through to anyone technical to complain, or explain.

  28. Flakk Silver badge

    Nice Idea, Wrong Target?

    Considering that the majority of network infiltrations are initiated by compromised internal machines, wouldn't it make better sense for Halifax to direct their resources to scan their own systems? Of course, a skilled hacker could punch through the perimeter defenses, but isn't that the outlier risk?

    If Halifax is putting so much effort into detecting lower risk external threats, can we then surmise that their internal and business-critical systems are all locked up tight with a superior set of mature controls?

    From Captain Badmouth above:

    Well I've just scanned their site on the sophos security header website, and they get a "C" grade, failing 4 out of 7 tests.

    Oh...

  29. 0laf Silver badge
    Facepalm

    They can do this but won't sort out multifactor authentication

  30. Paul 164

    Whose benefit?

    So if these banks detect certain open ports, do they display a notice on the website that the computer may be compromised, and that the customer should investigate further?

    I bet they don't.

  31. sitta_europea

    "Bootnote

    Action Fraud is the UK's cyber security reporting centre. ..."

    And in my experience a bunch of complete wasters.

    1. Alan Brown Silver badge

      "And in my experience a bunch of complete wasters."

      That's an unfair comparison to complete wasters.

  32. Anonymous Coward
    Anonymous Coward

    intent to cause harm or recklessness

    a Big Bank would not do that! Because? Because they're a Big Bank. QED.

    1. Ian Emery Silver badge

      Re: intent to cause harm or recklessness

      What? You mean like a bank with a horse setting businesses up to fail, then profiting from the seizure and selling of its assets??

      Hasn't that just been through the courts??

  33. Anonymous Coward
    Anonymous Coward

    Halifax Bank has been in touch to say

    nothing relevant.

    1. Dan 55 Silver badge

      Re: Halifax Bank has been in touch to say

      ... canned PR bollocks.

      And El Reg should have said that they did not address the question instead of quoting them.

  34. Dwarf Silver badge

    and when they do detect RDP or VNC.. what then ?

    There are a bunch of reasons that people may legitimately be running these services. Would they then be refused Internet banking because of that ?

  35. DougS Silver badge

    So put up a warning

    WARNING: Connecting to this page will result in a network scan of your computer/phone, clicking Accept indicates consent to this.

    Then set a cookie after you've consented, begin the scan, and do it silently on future visits thanks to that cookie (or every time if you have your browser set to not remember cookies)

  36. Anonymous Coward
    Anonymous Coward

    Scanning for free?

    Doesn't some AV websites charge you to get your pc scanned? And this bank is doing it for free?

    1. Captain Badmouth
      Terminator

      Re: Scanning for free?

      Money for nothing and your scans for free...

      Nah, that can't be right.

      RBS bank manager ---->>>

    2. Martin an gof Silver badge

      Re: Scanning for free?

      Doesn't some AV websites charge you to get your pc scanned?

      Follow the link to Shields Up!

      M.

  37. Anonymous Coward
    Anonymous Coward

    Ummm. A Web page that does a portscan...

    ...isn't that exactly what someone would do to find / take over your IOT devices?

  38. Anonymous Coward
    Anonymous Coward

    Poor misguided sod

    I think it's adorable that this guy actually thinks that bankers are held to the same rules as the rest of us.

    1. Paul Moore

      Re: Poor misguided sod

      Thanks :)

      That's actually the point of the campaign. It's precisely because banks and other financial institutions are not held to the same rules as we are... so either the law needs to be revised or Halifax be held to account.

  39. mwnci

    It's a Risk equation for the banks, and the legal defence against them doing this is a terribly dated piece of legislation... the 1990 Computer Misuse Act. Context is everything: the 1990 Computer Misuse Act is massively out of date and irrelevant. So 28 years ago, let's just see what the cutting edge computer systems of 1990 were.

    March 1990 - Macintosh IIfx

    June 1990 - Commodore releases the Amiga 3000,

    Nov 1990 - 1st ever Microsoft Office release

    The internet was Embryonic - with the Archie FTP search engine.

    The WORLD WIDE WEB - Didn't appear until 1991!!!!

    1. John Brown (no body) Silver badge

      "Context is everything the 1990 Computer Misuse Act - It's massively out of date and irrelevant."

      There have been amendments since then, just as with most Acts of Parliament. It's quite rare for a law to be thrown out and replaced.

  40. Timmy B Silver badge

    If I withdrew permission...

    I wonder what would happen then? If I sent a letter to Halifax asking them not to do this, and then monitored that they still were, would I have any legal standing? Just thinking...

  41. Craigie Bronze badge

    While I sympathise with the feeling of disparity, the bank is forcing you to port scan yourself. If you want to set up the same scripts and then send them a link to let you port scan their PCs then go ahead.

  42. defiler Silver badge

    So who can I portscan?

    I mean, I scanned our public subnet at one of our sites and found that our comms provider has left BGP open to the world. Am I in trouble now?

    /me hides from Interpol since it's a DC abroad...

  43. tallenglish

    If Its JavaScript Block it

    Not sure of the point of this; miscreants will just block the javascript and fake any expected results, so malware will just be able to bypass it, as they usually act as man in the middle for HTTPS, especially if they are some bad Firefox/Chrome plugin as we have seen previously with the theme tools.

    Hackers normally just go for a fake site to steal details anyway.

    So I don't even see the point of Halifax bothering with it?

  44. Anonymous Coward
    Anonymous Coward

    These aren't the droids you're looking for....

    CMA isn't the only show in town, and tbh, the way the internet works, I doubt that you'd be able to prove criminal intent in the way that the ports are being scanned.

    The bigger fish here is the GDPR and the use of javascript under the PECR regs. I've just checked the Halifax website and a cookie consent banner pops up on landing. PECR covers the use of cookies, beacons and javascript, so mandates consent requirements in the use of cookies etc ("placement and retrieval on a terminal device"). The only exception here is where placement is "necessary" and whether the use of javascript as part of port scanning on a landing page is "necessary". If you're only browsing, with no intention to log in and access services, this security feature is arguably unnecessary, and in that case consent is required.

    The Halifax cookie banner doesn't list port scanning for vulnerabilities etc, so I think that this is an issue. And any data placed or collected is being processed, and processing is covered by the GDPR......fair and lawful? Transparent? I don't think so....

  45. Paul Moore
    Thumb Up

    Amazed by the response!

    Just to say a huge thank you to everyone that's commented so far. I appreciate your feedback and hope you'll consider backing this action.

    If you're discussing this on Twitter, please use #halifaxPortScanning.

    Thanks!
