Crypto weakness leaves online banking apps open to attack

Flaws in the way web applications handle encrypted session cookies might leave online banking accounts open to attack. The security risk stems from a cryptographic weakness in web applications developed using Microsoft's ASP.Net framework. ASP.Net uses the US government-approved AES encryption algorithm to secure the cookies …


This topic is closed for new posts.
  1. Anonymous Coward

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

    People need to give themselves a shake and stop using MS products!

    1. bolccg

      Yes, so they can all migrate en masse to some other product which will then become the main focus of attention for black and white hats alike, generating a bunch of articles on the topic and leading you, presumably, to suggest everyone ditches that, too?

      Good grief. Also, to be pedantic, the articles aren't "always" about MS anyway.

    2. Wize

      Just because you use a less mainstream OS

      doesn't make you bulletproof.

    3. No, I will not fix your computer

      More silver cars are stolen than any other car, however pink cars are rarely ever stolen.

      Does this mean:

      A. Silver is a very common colour for a car (and pink uncommon)

      B. Silver cars are more vulnerable

      Of course there is also option C which is the fact that twockers don't want to be seen in a pink car, but if you let that distract you from the point of the analogy then there's really no hope for you.

      Apache 2.0 has 29 open vulnerabilities, IIS 7 only has 3, what does this mean? Red-top readers that don't think for themselves need not apply.

      1. Anonymous Coward

        1 +1 = 5?

        Your argument would be OK if MS crap-ware made up a majority of internet-facing servers.

        But it doesn't. If you just take web servers for example, Apache is the most prevalent by far. And yet, exploits against MS's HTTP server FAR outstrip those of Apache and indeed all other web servers combined. There are more bugs found in MS HTTP and email servers every month than are found in all the rest in a year.

        Your maths just doesn't add up. So who's the numpty here?

        Face it - most MS software is the buggiest pile of steaming rubbish that has ever been made. And it seems to be getting worse by the day.

      2. KjetilS

        Re: Numpty

        "what does this mean? "?

        Absolutely nothing, as long as you don't take severity into account and just use pure numbers.

      3. CD001

        We're talking web servers here; Windows/IIS is NOT the dominant environment for web servers. The regular claims that everyone targets Windows because it has the majority install base do not apply when talking about the web. It even says in the article that it's a software setup used on 25% of web servers... though I suspect it's very slightly less than that.

        If the ubiquity argument were to hold water we'd hear endless reports of serious, exploitable vulnerabilities in Unix-alike systems running Apache - the LAMP stack in particular. They're not unheard of, true, especially when you factor in dependent libraries (like OpenSSL) or application vulnerabilities as well... but they're generally either less severe or very difficult to exploit.

        > Apache 2.0 has 29 open vulnerabilities, IIS 7 only has 3, what does this mean?

        It means you're good at pulling meaningless numbers out of thin air? Severity and ease of exploit on those vulns please.

        "A car has 29 vulnerabilities, all of them involve breaking into it using a large sledgehammer - while another car has only 3 vulnerabilities, one of which is that there's a 50% chance of the engine exploding in a massive fireball when the ignition is started" - which car would you rather have?

        I'm not saying that IS the case with Apache vs IIS - just that giving a count of vulnerabilities is meaningless sensationalism.

        1. Tigra 07

          Vulnerabilities in cars

          "'A car has 29 vulnerabilities, all of them involve breaking into it using a large sledgehammer - while another car has only 3 vulnerabilities, one of which is that there's a 50% chance of the engine exploding in a massive fireball when the ignition is started' - which car would you rather have?"

          The correct answer is the one that isn't a Toyota

      4. heyrick

        @ No, I will not fix your computer

        "Apache 2.0 has 29 open vulnerabilities, IIS 7 only has 3, what does this mean?"

        This could, validly, mean that Apache 2.0 has more disclosed vulnerabilities than IIS. We are, I should point out, up to Apache 2.2 now.

    4. Loyal Commenter

      You got the wrong icon

      <<You wanted this one.

    5. Anonymous Coward

      Not just Microsoft

      I didn't know that Java Server Faces was a Microsoft technology.

      Perhaps it might be that you just see what you want to see, and blissfully ignore everything else that doesn't fit your particular theory.

      No points for comprehensive reading.

    6. Loyal Commenter

      To shoot your argument down in flames, using the cunningly hidden search button up there in the top-right and entering the word 'exploit' gives me a whole bunch of articles, variously about Adobe, Apple, Facebook and Symantec, and about the same number as any of those about MS. Putting in the phrase 'Security Problems' returns, as far as I can see, a single result about MS in the first page of results, as does 'Security Issues'.

      Maybe, if you did a little fact-checking before spouting off, you'd see that the perennial problem of computer security actually affects pretty much all computer software, to some degree or another. This is due to the simple facts that the same basic design and coding principles are common to most, if not all, computer languages (albeit some are better than others at preventing silly mistakes), and that human programmers are fallible.

      It probably says more that although MS are a larger company (in terms of market share and in various other ways) than the likes of Apple and Adobe, there seem to actually be roughly the same number of articles discussing security holes for all three of these companies.

      Sorry to piss on your bonfire and all...

    7. Anonymous Coward

      RE: AC

      I can only assume that was an apple fanboi who was stupid enough to write that comment.

      Get back in your walled garden! You're not allowed to see the outside!

  2. JaitcH

    Naturally the customers will get to pay for the banks' weaknesses

    The banks continue, mistakenly, to think very highly of their on-line systems' security, but when it comes to undoing fraud they get offensive and accuse their clients of various misdeeds.

    My bank has part of the solution. I was able, using a branch terminal, to adjust my profile to the countries my Debit Card will work in, together with disabling the ability to transfer money other than to my other accounts.

    I always use portable versions of software so the risk of using public computers is minimised. I also only transfer cash from my main account to the ATM account minutes before I access the money. It is a pity that smart-phone Apps have not been developed by banks, as additional verification would be possible.

    The last technique I use to identify my withdrawals is to NOT use round numbers, such as GBP1000; instead I would withdraw GBP990, habitually, whereas fraud artists usually go for the highest amounts.

    Another weakness is the 'independent' ATMs - I always use a bank ATM after making sure it has no suspicious attachments to the card slot or the face of the machine.

    Until banks accept they are not infallible they remain part of the fraud equation.

    1. Anonymous Coward

      You could stop being so paranoid and actually get on with your life. Have a beer and relax.

  3. Jolyon Ralph

    Misleading headline

    "online banking apps" aren't directly at risk, as this new attack won't get around SSL encryption.

    Although, of course, if you can use this to access personal details for people on a non-SSL website, and they share these passwords with (for example) their PayPal account, then it could be a danger. But most banking sites now not only use SSL, but use card authentication devices and/or multiple passwords/pass keys to avoid just this very problem. PayPal is a bit behind the times with login security.

  4. Anonymous Coward

    Misleading content

    The "hack" requires the target system to be using AES128 in order to work effectively; I can't remember the last time I used less than 256.

    Also, switching the cryptographic provider to anything other than Rijndael (a number of others are supported out of the box and any cypher imaginable can be plugged in to the framework) would help: if they don't know the cypher they are attempting to grab the key for, then the attack will fail.

    1. Daniel B.

      Switching cyphers?

      That's "security by obscurity", and depending on that isn't secure at all.

      I know about the "encrypted tickets", though I only use them for session identification. No real loss if someone decrypts a cookie; the really sensitive stuff I send using an AES128-encrypted message, signed with an RSA-2048 key, and the secret AES key is also encrypted with RSA-2048. So the "secure transfer" stuff is actually secure, but that's because I take an extra security step instead of using MS' "secure tickets". Meh.
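
The two posts above disagree on whether a different cipher or a longer key helps. The added example below (editorial, not from the article or any commenter) shows why the argument is beside the point: a padding oracle comes from the decrypt-then-check-padding path reporting a distinguishable failure, whatever block cipher sits underneath, and it goes away when the cookie is authenticated (encrypt-then-MAC) and every rejection looks the same. The toy Feistel "block cipher", the keys and the cookie contents are constructed stand-ins; nothing here is ASP.NET's own code.

```python
import hmac, hashlib
BLOCK = 16  # same block size as AES
class InvalidToken(Exception): pass   # hardened path: the one error every failure maps to
class PaddingError(Exception): pass   # leaky path: a padding failure callers can tell apart

def _f(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk, rounds=range(4)):
    # Toy 4-round Feistel permutation standing in for AES (assumption: the leak is cipher-independent)
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, i)))
    return l + r

def block_decrypt(key, blk):
    out = block_encrypt(key, blk[8:] + blk[:8], range(3, -1, -1))  # Feistel inverse: swap, reverse rounds, swap
    return out[8:] + out[:8]

def cbc_encrypt(key, iv, msg):
    n = BLOCK - len(msg) % BLOCK    # PKCS#7 padding, as in an encrypted CBC cookie
    msg, out, prev = msg + bytes([n]) * n, b"", iv
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(msg[i:i + BLOCK], prev)))
        out += prev
    return iv + out

def leaky_open(key, token):
    # Unauthenticated CBC: decrypts whatever arrives, then reports padding validity as a distinct outcome
    pt, prev = b"", token[:BLOCK]
    for i in range(BLOCK, len(token), BLOCK):
        pt += bytes(a ^ b for a, b in zip(block_decrypt(key, token[i:i + BLOCK]), prev))
        prev = token[i:i + BLOCK]
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")   # observable difference = the padding oracle
    return pt[:-n]

def seal(enc_key, mac_key, iv, msg):
    token = cbc_encrypt(enc_key, iv, msg)
    return token + hmac.new(mac_key, token, hashlib.sha256).digest()

def hardened_open(enc_key, mac_key, sealed):
    # Encrypt-then-MAC: verify the tag in constant time before any decryption or padding check
    token, tag = sealed[:-32], sealed[-32:]
    good = hmac.compare_digest(tag, hmac.new(mac_key, token, hashlib.sha256).digest())
    if len(token) < 2 * BLOCK or len(token) % BLOCK or not good:
        raise InvalidToken("rejected")      # one error for every kind of tampering or key mismatch
    return leaky_open(enc_key, token)       # padding is guaranteed valid once the tag verified
```

With the unauthenticated path, a flipped IV bit silently changes the first plaintext byte and a corrupted ciphertext byte produces a padding error the caller can observe; the authenticated path rejects both identically, so there is nothing to measure.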

  5. Anonymous Coward

    name is a bit misleading

    as it seems to have bugger all to do with Oracle.

    1. K. Adams

      "Padding Oracle", not "Oracle"

      The word "Oracle" (or "oracle"), as used in the context of this article, relates to the cryptologic principle known as the "random oracle," which is an abstract/mathematical construct that responds in a truly random fashion to each possible input, with the constraint that if a given input is duplicated, the resulting output is also duplicated. More detailed information on cryptologic random oracles can be found on Wikipedia, here:


      More generally, an "oracle machine" is a mathematical "black box" which is used to study whether a given input to a construct will map to a given output, in an effort to learn the operational functions or behaviors contained within the construct. More detailed information on general oracle machines can also be read here:


      Both concepts are related to decision theory:


      1. Anonymous Coward

        thanks, but I'm well aware of the difference

        Next time, I'll add the joke alert icon for you.

      2. Big Al

        The Name Game

        "The word "Oracle" (or "oracle"), as used in the context of this article relates to the cryptologic principle known as the "random oracle,""

        The fact that it yields a nifty acronym (POET) is of course entirely coincidental....

  6. Anonymous Coward

    We told you that Rizzo would take over the world!!!!

  7. Gabor Laszlo

    Out of band

    My bank uses an SMS to send me the TANs (along with the transaction details); I've yet to see even a theoretical attack against this (short of rooting the bank server itself and/or the HLR). Why is this not SOP?

  8. Anonymous Coward

    Classic ASP

    My bank still uses Classic ASP, so I'm safe, rite?

  9. Anonymous Coward

    and another one..

  10. Anonymous Coward

    re Out of band

    Be careful out there: this guy had his phone number re-assigned to a new SIM. Result = -80,000 beer tokens.
