Nov 08 2016
 

The news is full of the US elections today, but yesterday there was a different headline.

‘Thousands of Tesco Bank Customers lose money’

Or similar to that.

Immediately the security world started to look into the reports. Within minutes, links to previous issues were being pointed out; within hours, a big old game of ‘join the dots’ was mostly complete.

So, what happened?

Well, quite a few things, it would appear. Mostly from guesswork, and from taking the odd peek at the defences that Tesco put up, it looks like this.

  • The main web site – tescobank.com – still supports TLS v1.0 – this is utterly stupid. TLS 1.0 is long deprecated due to the ease with which a malicious actor can perform a ‘Man in the Middle’ attack.
  • There are literally hundreds of phishing sites that appear to be aimed at Tesco. A simple search using a database of domains logged 214 domains added within the last six months that contain ‘tesco’, of which 12 appear to refer to bank or other financial products. None of these are owned by Tesco.
  • The password requirements appear to be rather dumb – 6-10 characters, a mix of letters and numbers, no special characters, and upper/lower case treated the same.
  • Getting the password wrong many times does not appear to lock out the account.
  • There does not seem to be any place for multi-factor authentication (MFA).

Figuring out which of these vectors a malicious actor actually took is quite difficult.

Continue reading “The (Tesco) Bank Job” »

 Posted by at 2:45 pm
Aug 01 2016
 

Passwords are rubbish.

They are an inherently flawed method of securing your information.

Don’t believe me?

If your password is less than seven characters long, it can be cracked in minutes using cheap off-the-shelf computing hardware.

If it is longer than seven, but still a word that appears on a word list, even if you substitute e’s with 3’s and sprinkle capital letters in there, again it is rubbish.

There are wordlists out in the real world with 60 billion words on them. While that number might seem high, a dedicated password cracking machine that costs less than $5000 will check 6 billion combinations per second.

Continue reading “Even with a password manager….” »
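To put numbers on both posts above (the 6-10 character, case-insensitive, letters-and-digits policy described in the Tesco list, and the cracking rates quoted here), the following is an added worked example, not code from the original blog. It assumes only the figures the posts give: 6 billion guesses per second for a sub-$5000 rig and a 60 billion-entry wordlist; the alphabet sizes (36 symbols for case-insensitive letters plus digits, 95 for printable ASCII) are standard counts and the 12-character comparison policy is my own addition for contrast.

```python
"""Worst-case brute-force cost for the password policies discussed above.

Added example, not code from the original posts. The rate and wordlist
size are the figures the posts quote; policy lengths and alphabets are
assumptions stated in the comments below.
"""

GUESSES_PER_SECOND = 6_000_000_000   # rate the post attributes to a sub-$5000 cracking rig
WORDLIST_ENTRIES = 60_000_000_000    # size of the wordlist the post mentions


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords with lengths min_len..max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guessing rate."""
    return candidates / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Policies compared (assumed alphabets): 36 = a-z plus 0-9 with case ignored,
# as the Tesco policy is described; 95 = all printable ASCII characters.
POLICIES = {
    "under 7 chars, any printable": keyspace(95, 1, 6),
    "Tesco-style 6-10, case-insensitive alnum": keyspace(36, 6, 10),
    "12 chars, any printable (for contrast)": keyspace(95, 12, 12),
}


def cracking_report(rate: float = GUESSES_PER_SECOND) -> dict:
    """Map each policy, plus the plain wordlist attack, to worst-case seconds."""
    report = {name: seconds_to_exhaust(space, rate) for name, space in POLICIES.items()}
    report["60 billion-word list"] = seconds_to_exhaust(WORDLIST_ENTRIES, rate)
    return report


if __name__ == "__main__":
    for name, secs in cracking_report().items():
        print(f"{name:45s} {human(secs)}")
```

Run as-is it shows the under-7-character space falling in about two minutes, the whole Tesco-style policy (even at its maximum 10 characters) in roughly a week, the wordlist in ten seconds, and a 12-character printable-ASCII policy in millions of years. Two caveats for the reader: these rates describe offline cracking of a leaked password hash, so the real defence there is a slow hash such as bcrypt or Argon2 plus a longer policy; against a live login page the attacker is limited by the site's rate limiting and lockout, which is exactly why the missing lockout in the Tesco list matters.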