Answers to Common Questions about our Bank One Online Report
Updated: October 26, roughly 1 pm EDT
Because this affects consumers and the vulnerability that we're
reporting is not merely theoretical, we expect that our report
is going to get some attention. So for folks in the media and
other curious, types, we've compiled this list.
- What exactly is the problem?
- Bank One Online uses bank card numbers as the "Access ID"
needed to gain access to the system. That number is stored in
insecurely in a cookie that is at risk of being read. Because
the value of that cookie is the bank card number, not only is
access to the account through the Bank One Online system at
risk, but so is the user's card itself.
- What can be done once the number has been
- In order to use the number, an attacker will need to guess
your PIN to use your bankoneonline.com account or your
expiration date to use the credit card. That means an
attacker has roughly a three-in-10,000 chance of guessing the
PIN and roughly a three-in-36 chance of getting the expiration
date. So, an attacker needs to do extra work, and there is a
limit to how much work the attacker can do on any given
account before an alarm is triggered and the system shuts down
the account down.
- I'm a customer! Am I vulnerable?
- The best way not to be vulnerable to any of these problems
is not to save your Access ID to disk when logging in. If the
box is selected when you login, be sure to deselect it before
proceeding. If it is not selected, do not select it. Also,
different regions use different identifiers, so not all
regions have this weakness.
- How did you discover this problem?
- Because of our security and privacy work in the past, we
receive a lot of mail from folks who ask us questions and tip
us off to potential problems. We'll take a look at those
reports that seem important enough to warrant
- Did you tell Bank One about the problem?
- Yes. We reported the problem to Bank One on September 12,
2000. We reported the problem to a Bank One executive on
October 19 and reported our intention to release to the public
on October 26.
- Did Bank One respond? What did they say?
- After our initial contact, we received no further response,
which is why we decided to contact an executive. We received
no response after our initial conversation in that case,
either. We did receive a telephone call midway through
October 26, and we're trying to make sure that everyone
understands the risk properly at this point. There's no need
to panic, but there is a weakness in the system that needs to
be addressed, and that weakness is being
- Why do you report these problems?
- We document the problem because it's important that we have
a record in the literature of what has and hasn't been done so
that when people are looking for case studies that involve
design and implementation of Internet systems, they'll have
not only examples of what to do but also of what not to do.
This isn't to embarrass Bank One or to portray it as
incompetent. People make mistakes. We must allow for that,
and we advocate building systems that will allow for mistakes
to be made without resulting in a disaster.
- Who is Interhack? Are you bad guys?
- Interhack Corporation is a Columbus, Ohio-based company that
helps people to build Internet systems that are reliable.
That means they need to be designed well, implemented
correctly, and able to resist attacks. Perhaps our best known
work is from our Internet Privacy
- Where is the full report?
- The report can be found online at http://www.interhack.net/pubs/bankone-online/.
C Matthew Curtin
Last modified: Thu Oct 26 13:13:06 EDT 2000