Santander downplays risk of 'personal data-stuffed' cookies

The Spanish banking giant Santander has downplayed growing concerns over its alleged inclusion of "sensitive data" in its cookies. The bank did not deny including personal data in cookies. In a post on widely read security mailing list Full Disclosure, an anonymous contributor details a number of alleged problems on Santander …

COMMENTS

This topic is closed for new posts.
  1. Ben Tasker

    The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data.

    No, but with credit card number, sort code and account number, who'd need it? It would certainly be a good step forward in trying to reset a 'forgotten' userid/passcode if you get a particularly sympathetic customer service advisor.

    1. Anonymous Coward

      And password and user name, from which the userid is derived. The only thing missing is the pass number, but that was a recent change to their banking, and many people will have used well-known numbers. Prior to that change and the one-time-pin change, the cookie info would have been enough to login and pay money to yourself.

      So that's alright then.

  2. Anonymous Coward

    Wow.

    Any reputable pen testing consultancy or auditor would red flag this and it would stay that way as a high-priority risk till fixed. The continued existence of these vulnerabilities indicates a very lax approach to risk.

    I'm closing my accounts ASAP.

    1. Anonymous Coward

      I'm glad I'm already leaving...

      They have decided this year to increase the charges for using my overdraft from the £5 I agreed with Alliance+Leicester to £10 and now £20 per month, without any form of communication. It's extortionate, and now this... Suffice to say I'll be closing my accounts as soon as I can.

  3. Anonymous Coward

    One of my banks states you should close the browser once you've finished your session. To me this is saying 'we're a bit shit and couldn't be bothered securing our stuff properly, so could you tidy up after us please'. Why do I stay with them? Well I have multiple banks - they are all shit in some unique way, but it's good to have a diversified portfolio.

    1. Chris 3

      It could mean that...

      ... or it could just mean that they've had twerps use online banking in cyber cafes and then walk away leaving their bank account details visible.

  4. Anonymous Coward

    Disgruntled Alliance & Leicester customer

    I was with A&L and since the Santander takeover, everything has gone downhill - customer service, the website, even the small things like the 'friendliness' of its statement layouts. The only things that have increased are the charges and the security theatre.

    Oh, and the probability of Santander going tits-up if the Spanish economy gets any worse. [And before someone says it: yes, there is deposit protection insurance so you'll get your money back -- but your salary might not be accessible, your mortgage might not be paid etc. for weeks until something is sorted out.]

    1. Anonymous Coward

      Re: Disgruntled Alliance & Leicester customer

      I also am an old A+L customer.

      They have gotten shambolic since the takeover. Even small admin items, like changing address, they manage to balls up spectacularly.

      The only way to get anything done is to try once through the normal channels, then go via complaints when they inevitably balls it up.

      Severely tempted to change banks after the xmas silly consumerism spending season.

      In terms of it being Spanish owned, it was explained to me that the UK wing is ringfenced and is effectively a UK bank owned by a Spanish corporation. Besides, the Germans would rather buy Europe out than see their currency project sink...

      1. Anonymous Coward

        Re: Disgruntled Alliance & Leicester customer

        I changed banks a while back and found it an unbelievably easy process; it's now like switching mobile providers. I asked Lloyds for an account, they did all the work and transferred all my DDs and SOs over in the space of 14 days. All I had to do was hand in my old cards to my old bank.

        1. Anonymous Coward

          Re: Disgruntled Alliance & Leicester customer

          Re: Lloyds

          Lloyds are just as bad. I closed my account with them and shall NEVER use their services again.

          They are on my banking blacklist along with Barclays and RBS/Ulster/Natwest.

          The most useful thing about Santander is that, having bought all round them, they have branches all over the shop and not just some awkward city centre branch. However, when I tried to get my savings out to pay cash for a car they nearly had a hernia.

      2. Marcelo Rodrigues

        Re: Disgruntled Alliance & Leicester customer

        This bank is a steaming pile of turd. I was with Banco Real, and all was OK. Santander bought it - and my woes began.

        Not once have I walked into an agency and found all the ATMs working. There is always - ALWAYS - at least one broken. I mean, things do break. But one should not find one broken EVERY time he enters the bank.

        And don't get me started on the rest. Everything is useless, unfriendly and inefficient.

        1. zaax

          Re: Disgruntled Alliance & Leicester customer

          Just leave. It’s amazing how much rubbish people will put up with.

  5. Victor Ludorum

    Yikes

    I've just looked at Firefox cookies on my main PC, and Santander has two cookies on my machine with the sort code and account number in plaintext... Not impressed.

    1. Anonymous Coward

      Re: Yikes

      "sort code and account number in plaintext"

      Just like a cheque really then (and that'll have a signature too).

    2. Andy Jones

      Re: Yikes

      Three cookies on my machine and not one contains account details.
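As an added, defender-side example that is not from the comments above or from Santander, here is a Python audit of an exported cookie jar: it parses Netscape cookies.txt lines (an assumed format, the tab-separated layout Firefox cookie-export add-ons write) and flags values that contain a UK sort code together with an eight-digit account number, or a Luhn-valid card number. The sample cookie file, its domains and its values are constructed.

```python
import re

# Constructed cookie jar in Netscape cookies.txt format (domain, include
# subdomains, path, secure, expiry, name, value). Every value below is made up.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".example-bank.test\tTRUE\t/\tTRUE\t2000000000\tsession\tA1B2C3D4E5F6\n"
    ".example-bank.test\tTRUE\t/\tTRUE\t2000000000\tcust\tsortcode=12-34-56&acct=12345678\n"
    ".example-bank.test\tTRUE\t/\tFALSE\t2000000000\tcard\t4111111111111111\n"
    ".tracker.test\tTRUE\t/\tFALSE\t2000000000\tuid\t98765\n"
)

SORT_CODE = re.compile(r"\b\d{2}-?\d{2}-?\d{2}\b")   # UK sort code, 12-34-56 or 123456
ACCOUNT_NO = re.compile(r"\b\d{8}\b")                # UK account number, 8 digits
CARD_NO = re.compile(r"\b\d{13,19}\b")               # candidate PAN, confirmed by Luhn

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_cookies_txt(text: str) -> list:
    """Return one dict per cookie line; comment and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        cookies.append({"domain": fields[0], "name": fields[5], "value": fields[6]})
    return cookies

def audit_cookies(text: str) -> list:
    """Flag cookie values that carry bank identifiers in the clear."""
    findings = []
    for c in parse_cookies_txt(text):
        where = f"{c['domain']} cookie '{c['name']}'"
        if SORT_CODE.search(c["value"]) and ACCOUNT_NO.search(c["value"]):
            findings.append(f"{where}: sort code and account number in plaintext")
        for m in CARD_NO.finditer(c["value"]):
            if luhn_ok(m.group()):
                findings.append(f"{where}: Luhn-valid card number in plaintext")
    return findings
```

Running `audit_cookies` over a real export reports two findings for the constructed jar (the `cust` and `card` cookies) and nothing for the opaque session id, which is what a bank's cookies should look like.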

  6. Ian McNee

    Cookies with user account passwords in plaintext confirmed...

    ...the H-Online have tested this: http://www.h-online.com/security/news/item/Santander-s-online-banking-keeps-passwords-in-cookies-1730364.html

    And these are the people who, if money is fraudulently removed from our accounts, instinctively insist that we must have divulged a card PIN or similar.

    Yes, the banks are an easy target - mainly because they are an arrogant money-grabbing bunch of bastards.

    1. Anonymous Coward

      Re: Cookies with user account passwords in plaintext confirmed...

      Amen to that

  7. Stratman

    Another security flaw with Santander...

    ...is when you press the Log Out button, it doesn't log you out.

    Instead, you're taken to a page emblazoned with loads of picture 'offers', hidden in which is a small 'are you sure?' There is a real possibility that unobservant folks may well leave their banking session open, with the attendant whole world of shit © Private Pyle.

    If I press Log Out on any site, let alone a banking one, I expect to be logged out, not second-guessed by some website designer.

  8. The Boojum

    Even a cursory reading of the financial problem pages of the national press would show that Santander's systems, processes and customer service are abysmal, but to be slightly fair to them, they only carried on with the grand tradition started by Abbey National. This just makes the barge pole with which I wouldn't touch them that bit longer.

    No number of best-buy leading products can make up for a total inability to execute competently.

  9. nuked

    The really sad thing...

    ...is that I'm not even remotely surprised by this.

  10. Will Godfrey

    On the other hand...

    ... if they go tits up does that mean I don't have to pay off the rest of my mortgage?

    1. Peter Johnstone

      Re: On the other hand...

      Sadly, yes. The debt will just be sold on to another bank.

  11. JeffV

    Well, I guess you storing the password in the cookie technically "...would not allow access to our online services on their own..." (That's what the Alias is - your passphrase.)

    Nope, to log on you would also need the UserId. Oh, wait! Santander user IDs follow the SurnameInitials pattern. Or SurnameInitials1 or SurnameInitials2 if you have more than one account. And I guess you could get that from the full name which is also stored in the cookie.

    But on the face of it, reassuringly, the pass number is not stored in the cookie. Of course having remembered your UserID and your passphrase, a substantial number of people will have used 12345 or something similar as their number. And at first glance it does not look like Santander locks you out of your account after multiple login attempts. So I guess you could brute-force that number.

    Well at least they require a one time pin/password before setting up a new payee. Sent via a phone. But that's quite a recent development.

    In my opinion, if there is _anyone_ who has lost money from their online account prior to the one-time-pin number, then Santander cannot claim that the user is at fault and Santander should reimburse them; provably Santander stored their login details insecurely - that passnumber only happened about the same time as the change to OTP.

    I'd call this a pretty big deal, despite Santander's attempt to downplay it. It should be at the top of the BBC business and technical news, and the FSA should be all over them.

    And I'd also like to see the Santander UK managers personally fined for this appalling lapse. Bankers get paid huge salaries and this sort of amateur-hour stuff should never ever have happened. They should also donate a seven figure sum to the security researcher who published this stupendous fail and write a public letter of thanks.

  12. JeffV

    Also, Verified

    "The Full Disclosure posting was brought to our attention by three Reg readers who described it as unverified but potentially noteworthy."

    I verified that the details of the advisory are correct. Checked this afternoon. In my opinion at least as bad as the security advisory details.

  13. Anonymous Coward

    Stupid decisions...

    Wow - can imagine they've got some shitty PCI advisor who has told them "fuck it - the PAN is on the customer's system - not in scope for us".

    Muppets, muppets, muppets. Bet their customers are getting pwned left, right and centre by any fool who knows how to use the beef project.

    1. Anonymous Coward

      Re: Stupid decisions...

      I'm too lazy to look, but who did their PCI equivalency (or whatever the EU/UK have for financial service regs) and why are they still certified auditors?

  14. David Gosnell

    Third-party analytics

    They also certainly used to use third-party analytics, and claimed there was no issue with doing so. No idea if they still do since I blocked THAT little feature, obviously.

  15. Great Bu

    Universal standards

    I have been with Barclays, NatWest and Santander and I am happy to report that all of them are universally shit.

    I'm considering switching to the bank of underthemattress but for the fact that that institution appears to be over-committed in the old shoes and mysterious fluff market.......

    1. Anonymous Coward

      Re: Universal standards

      Unfortunately underthemattress cannot be used to get wages paid into.

      Also, there is no debit facility for when you have no cash. The direct debit facility utilises bailiffs.

      Security is a concern, as if someone hacks your windows, they can easily access your account and withdraw all of your funds. Your deposits are usually not insured, any house insurance company will firstly query why you are using the services of underthemattress, and secondly claim that the direct debit facility was broken and you aren't covered anyway.

  16. Miami Mike

    Santander not well regarded here either

    Santander is aggressively expanding their operations in the US by purchasing large portfolios of auto loans and other consumer debt, including some home mortgages.

    Unfortunately, their customer service here has been abysmal - even for a bank - which is saying something - and their collections tactics on overdue accounts are abusive, egregious, and illegal to the point where they have gotten the attention of the Federal Trade Commission here, which is actively moving forward on enforcement action against them.

    In the old days, the FTC wasn't much to worry about; offending entities might get a slap on the wrist and only have to say they will play nice in the future. Nowadays, the FTC's enforcement division is a vast fleet of nuclear-powered, turbocharged fifty-foot-tall Terminators - and that's just the welcoming committee. They just got done fining one bank $368,000,000 (not exactly chump change) for deliberately concealing the destination of overseas wire transfers - it was pay up now or top management was looking at ten years in federal prison and THEN deportation... amazing how quickly their check writing and proofreading skills improved.

    Santander may be used to the less stringent regulatory environment in Spain, and think they can pull this crap on everyone else. Guess what? That doesn't work here, especially in an election year when the politicos are trying to remind the voters what they do FOR us (instead of TO us), and Santander is about to suffer the consequences of pissing off King Kong's BIG brother.

  17. Anonymous Coward

    I was seriously considering moving from another bank (where I had banked for 30 years but they pissed me off with changes to their service which have made it unusable for me) to Santander. But thanks to this timely security warning I will certainly not be doing that.

    Probably going to go to First Direct instead, now.
