INTERHACK  


Answers to Common Questions about our Bank One Online Report

Updated: October 26, roughly 1 pm EDT
Because this affects consumers and the vulnerability that we're reporting is not merely theoretical, we expect that our report is going to get some attention. So for folks in the media and other curious types, we've compiled this list.

What exactly is the problem?
Bank One Online uses bank card numbers as the "Access ID" needed to gain access to the system. That number is stored insecurely in a cookie that is at risk of being read. Because the value of that cookie is the bank card number, not only is access to the account through the Bank One Online system at risk, but so is the user's card itself.
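To make the design flaw concrete, here is an added example (not code from Interhack or from Bank One) of the check a site operator or auditor would run: scan a browser's on-disk cookie store for persistent cookies whose value is itself a payment card number, and contrast that with the sound design, an opaque session token that maps to the account only on the server side. The cookie store is constructed in Netscape cookies.txt format; the domain, cookie names and expiry values are hypothetical, and the card number is the standard test value 4111111111111111, not a real account.

```python
"""Audit a cookie store for card numbers used as identifiers, and show the
opaque-token alternative.

Added example, not part of the Interhack report or the Bank One system.
All domains, names and values below are constructed for illustration.
"""
import re
import secrets

# Constructed cookie store in Netscape cookies.txt layout:
# domain, include_subdomains, path, secure, expiry (0 = session cookie), name, value.
# "AccessID" mirrors the weak pattern described in the report (card number as
# identifier, written to disk because it is persistent). The card number is the
# well-known test value, not a real card.
SAMPLE_COOKIE_STORE = "\n".join([
    "\t".join([".bank.example", "TRUE", "/", "FALSE", "1009843200", "AccessID", "4111111111111111"]),
    "\t".join([".bank.example", "TRUE", "/", "TRUE", "0", "SessionID", "3f9c1e7a8b2d4c6e"]),
    "\t".join([".other.example", "TRUE", "/", "FALSE", "1009843200", "lang", "en"]),
])

# A card-number-shaped value: 13 to 19 digits and nothing else.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_cookie_store(text: str) -> list:
    """Parse cookies.txt lines into dicts; malformed or comment lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain,
            "path": path,
            "secure": secure == "TRUE",
            "persistent": int(expiry) > 0,   # expiry > 0 means it is written to disk
            "name": name,
            "value": value,
        })
    return cookies


def find_card_number_cookies(cookies: list) -> list:
    """Flag cookies whose value is a Luhn-valid card number: the identifier
    itself is the secret, so anyone who can read the cookie file has the card."""
    return [c for c in cookies if PAN_RE.match(c["value"]) and luhn_valid(c["value"])]


class SessionStore:
    """Sound alternative: the cookie carries a random opaque token and the
    account mapping lives only on the server. Reading the cookie yields nothing
    reusable outside this session, and the token can be revoked at will."""

    def __init__(self):
        self._sessions = {}

    def issue(self, account_ref: str) -> str:
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[token] = account_ref
        return token

    def lookup(self, token: str):
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def masked(value: str) -> str:
    """Show only the last four digits when reporting a finding."""
    return "*" * (len(value) - 4) + value[-4:]


if __name__ == "__main__":
    for c in find_card_number_cookies(parse_cookie_store(SAMPLE_COOKIE_STORE)):
        where = "on disk" if c["persistent"] else "in memory only"
        print(f"{c['domain']} cookie {c['name']} holds a card number ({masked(c['value'])}), {where}")
    store = SessionStore()
    tok = store.issue("account-ref-0001")     # hypothetical account reference
    print("opaque token maps back to", store.lookup(tok))
```

Run stand-alone, the audit flags only the persistent AccessID cookie; the SessionID cookie and the opaque token are not card-number-shaped and carry nothing useful on their own.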
What can be done once the number has been obtained?
In order to use the number, an attacker will need to guess your PIN to use your bankoneonline.com account or your expiration date to use the credit card. That means an attacker has roughly a three-in-10,000 chance of guessing the PIN and roughly a three-in-36 chance of getting the expiration date. So, an attacker needs to do extra work, and there is a limit to how much work the attacker can do on any given account before an alarm is triggered and the system shuts the account down.
I'm a customer! Am I vulnerable?
The best way not to be vulnerable to any of these problems is not to save your Access ID to disk when logging in. If the box is selected when you log in, be sure to deselect it before proceeding. If it is not selected, do not select it. Also, different regions use different identifiers, so not all regions have this weakness.
How did you discover this problem?
Because of our security and privacy work in the past, we receive a lot of mail from folks who ask us questions and tip us off to potential problems. We'll take a look at those reports that seem important enough to warrant investigation.
Did you tell Bank One about the problem?
Yes. We reported the problem to Bank One on September 12, 2000. We reported the problem to a Bank One executive on October 19 and reported our intention to release to the public on October 26.
Did Bank One respond? What did they say?
After our initial contact, we received no further response, which is why we decided to contact an executive. We received no response after our initial conversation in that case, either. We did receive a telephone call midway through October 26, and we're trying to make sure that everyone understands the risk properly at this point. There's no need to panic, but there is a weakness in the system that needs to be addressed, and that weakness is being addressed.
Why do you report these problems?
We document the problem because it's important that we have a record in the literature of what has and hasn't been done so that when people are looking for case studies that involve design and implementation of Internet systems, they'll have not only examples of what to do but also of what not to do. This isn't to embarrass Bank One or to portray it as incompetent. People make mistakes. We must allow for that, and we advocate building systems that will allow for mistakes to be made without resulting in a disaster.
Who is Interhack? Are you bad guys?
Interhack Corporation is a Columbus, Ohio-based company that helps people to build Internet systems that are reliable. That means they need to be designed well, implemented correctly, and able to resist attacks. Perhaps our best known work is from our Internet Privacy Project.
Where is the full report?
The report can be found online at http://www.interhack.net/pubs/bankone-online/.


C Matthew Curtin
Last modified: Thu Oct 26 13:13:06 EDT 2000