Saturday, 1 September 2012

BankID - the hacker's best friend



What is BankID?
BankID Norge has developed a Norwegian online identification service named BankID. On their home page they write: "BankID er en personlig og enkel elektronisk legitimasjon for sikker identifisering og signering på nett." Translated into English it reads: "BankID is a personal and simple electronic ID for secure authorisation and electronic signing online."

BankID is used by all (?) banks in Norway, as an authorisation / log-in tool for online banking. It's also used by several other sites for identifying / logging in customers. Because of this all (? - at least most) Norwegians using online banking are BankID customers. At the time of writing there are 403 sites using BankID and BankID has in total got 2 796 587 users.

Key numbers 1st of September 2012. (src: BankID)

BankID writes a lot about security on their own pages, like:
"Som tilbyder av sikker digital ID og signaturtjeneste på Internett har vi et ansvar for å ta vare på sikkerheten din og beskytte dine personlige data." and "Vår erfaring er at sikkerheten best ivaretas som en kollektiv oppgave som alle brukere deltar i: personene som bruker BankID, våre partnere som lager systemer som inkluderer BankID, og de eksterne sikkerhetsentusiastene som går oss etter i sømmene. Denne fellesinnsatsen betyr mye for å gjøre Internett og BankID tryggere og sikrere for alle."
Which translates to: "As a provider of secure digital ID and signature service online, we have a responsibility to take care of your safety and protect your personal data." and "Our experience is that security is best achieved as a collective task with all users involved: people who use BankID, our partners who create systems that include BankID and the external security enthusiasts who scrutinise us closely. This joint effort means a lot to make the Internet and BankID safer and more secure for everyone."

src : BankId

The Paradox
BankID states they are responsible for protecting their users' data and making the Internet a safer place for everyone. That is a huge responsibility. The paradox is the technology they are using. Their application, which has been implemented at 403 sites and is used by about 2.8 million people, is developed as a Java applet. On the Internet today there are not many reasons why you would need Java running in your browser, except for gaming (Minecraft, for example, is developed in Java). The use of Java applets is getting old-fashioned, just like the use of Flash. These technologies were invented to get more functionality in your browser than plain HTML and JavaScript could offer. However, thanks to HTML5 and CSS3, this gap is being closed. As a result the number of sites using Flash technology and Java applets is going down. This is good because running Flash and Java in your browser is not safe.

BankID is even using Flash on their own homepage.

Why Java is bad
Java is a very powerful programming language, which lets you do almost anything. And that is the very reason why you do not want Java running in your browser. In short it means that malicious sites can execute some Java code and get control over the visitor's computer.

Java has never been safe. Security bugs are found in most versions. (src: ars technica).

In theory Java applets are sandboxed, and should have no access to the filesystem or the OS they are running on (read about Java applet security). In real life, though, that is not the case. Hackers have so far several times used bugs in Java to bypass the sandbox and gain control of computer systems. Recently several stories about security flaws in Java have surfaced in the media. A major security flaw in Java was discovered about four months ago. A fix was released by Oracle this Thursday, with version 7 Update 7. However, it took no longer than two to three hours before a new, even more serious security bug was discovered. The new bug can give potential hackers full control over PCs.

History has shown that it is just not safe using Java in the browser. It has never been safe and I doubt that it will ever be safe. From a security point of view you do not want anything running in your browser that can get access to the OS.

Why BankID is bad
Since BankID are pushing their Java applets to all banks, and several other sites, every Norwegian who wants to use online banking in Norway needs to install and run Java in their browser. For most of these Norwegians I assume BankID is the only reason why they install Java at all. Most of these users are not aware of the security flaws in Java, and hence let Java plugins run all the time, which is the default option after having installed it in your browser. When these people accidentally visit a site running some malicious Java code, their computers are compromised. So because of BankID, their 2.8 million customers are actually a lot more likely to be hacked than people not having Java installed.

What BankID should do
The answer is simple. They should come up with an alternative to their Java solution ASAP. There is no valid argument why BankID still runs as a Java applet.

What you should do
If you do not need Java, uninstall it. If you need it, turn off Java by default in your browser. Only enable Java on sites you trust. Read how to disable Java in Chrome in this post. The same can be done in other browsers. Here is how to do it in Firefox, and here how to in Internet Explorer. You can also secure yourself using NotScript for Chrome and NoScript for Firefox. Read this post on how to secure yourself using Macintosh (and how to disable Java in Safari).

Customers of Landkreditt Bank can log in without using BankID, see bottom link.

Note that some banks give you the option to use BankID on your mobile (code sent as SMS), and that apps are also being developed (BankID on iOS exists, Android is under development). So if you can avoid the BankID Java applet, do uninstall Java from your computer (unless you need it for something else, that is). Some banks luckily also let customers log in without using BankID.
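
To confirm that disabling or uninstalling the plug-in actually took effect, here is an added example (not part of the original post) that inspects a browser's `navigator` object for enabled Java MIME-type handlers. The function name and the two sample objects are constructed for illustration; in a real browser, paste the function into the developer console and call `javaPluginExposure(navigator)`.

```javascript
// Added example: does this browser still expose the Java plug-in to web pages?
// MIME types registered by the Java browser plug-in (optionally followed by ";version=...").
const JAVA_MIME = /^application\/x-java-(applet|vm|bean)\b/i;

function javaPluginExposure(nav) {
  const handlers = [];
  // navigator.mimeTypes is array-like; enabledPlugin is null when no plug-in is active.
  for (const mt of Array.from(nav.mimeTypes || [])) {
    if (JAVA_MIME.test(mt.type) && mt.enabledPlugin) {
      handlers.push({ type: mt.type, plugin: mt.enabledPlugin.name });
    }
  }
  // navigator.javaEnabled() is the legacy flag; treat a missing or throwing API as "off".
  let flag = false;
  try {
    flag = typeof nav.javaEnabled === "function" && nav.javaEnabled() === true;
  } catch (e) {
    flag = false;
  }
  return { exposed: handlers.length > 0 || flag, javaEnabledFlag: flag, handlers };
}

// Constructed sample: a browser with the Java plug-in installed and always on.
const withJava = {
  javaEnabled: () => true,
  mimeTypes: [
    { type: "application/pdf", enabledPlugin: { name: "PDF Viewer" } },
    { type: "application/x-java-applet;version=1.7",
      enabledPlugin: { name: "Java Plug-in (constructed sample)" } },
    { type: "application/x-java-vm",
      enabledPlugin: { name: "Java Plug-in (constructed sample)" } },
  ],
};

// Constructed sample: Java still installed, but the plug-in is disabled in the browser.
const javaDisabled = {
  javaEnabled: () => false,
  mimeTypes: [
    { type: "application/pdf", enabledPlugin: { name: "PDF Viewer" } },
    { type: "application/x-java-applet", enabledPlugin: null },
  ],
};

console.log(javaPluginExposure(withJava));     // exposed: true, two handlers
console.log(javaPluginExposure(javaDisabled)); // exposed: false, no handlers
```

An `exposed: true` result means any site you visit can hand content to the Java plug-in, which is the situation the advice above is meant to remove.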


What is BankID saying?
I have contacted both DnB, being the biggest bank in Norway, and BankID, with questions on why they are using this technology (all emails in Norwegian).

DnB
My email to DnB:

DnB's answer:

My follow up:

Second follow up (regarding new security holes found in Java):

BankID
My email to BankID Norge:

BankID Norge's answer:

My follow up:


Final comment
BankID Norge says that the reason for BankID being developed in Java, as an applet, is that it was developed more than 10 years ago. At that time Java seemed like a good choice. OK, if we go back more than 10 years Java might have been a reasonable choice. However, if BankID truly are concerned about online security, as they state, they should start developing an alternative solution ASAP. There are no good arguments why BankID should be a Java app today. They should have avoided this technology years ago, because Java not being safe is nothing new. That there are alternatives (BankID on mobile, as apps) to the BankID app is good, but not sufficient, because as long as BankID's main solution is a Java app there will always be a fair amount of users using that.

10 comments:

  1. National safety authorities ask all to update their PCs : http://goo.gl/DjPv7 (Google Translate)

    Nasjonale sikkerhetsmyndigheter ber alle oppdatere PCen : http://goo.gl/2X5v0 (Original text)

  2. The Norwegian National Security Authority (NSM) on BankID:
    http://blogg.nsm.stat.no/archives/2397

  3. Java is secure enough : http://goo.gl/tbFe9 (Google Translate)

    Java er sikkert nok : http://www.digi.no/901593/java-er-sikkert-nok (Original text)

  4. Flash is not safe either: http://arstechnica.com/information-technology/2012/09/internet-explorer-10s-bundled-flash-leaves-users-exploitable/

  5. My tweet (https://twitter.com/klevstul/status/241815158958202881), with a link to this post, was mentioned by Steve Gibson at Security Now episode #368:

    Steve Gibson: "I did see some disturbing tweets from people in, I'm thinking Sweden, maybe Switzerland, somewhere like that, saying that the banks over there depend upon Java for all of the online banking."
    (src: http://www.grc.com/sn/sn-368.txt)

    SN #368: http://twit.tv/show/security-now/368
    all shows: http://www.grc.com/securitynow.htm



  6. Thieves can drain your account - even without password and PIN code
    The company that manages access to your online bank has been in a meeting with the Financial Supervisory Authority about a serious security hole.
    http://www.aftenposten.no/nyheter/iriks/Tyver-kan-tappe-kontoen-din---selv-uten-passord-og-pinkode--6989793.html

  7. Yet another Java flaw allows “complete” bypass of security sandbox
    Flaw in last three Java versions, 8 years worth, puts a billion users at risk.

    http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/

  8. Java Is No Longer Needed. Pull The Plug-In

    For nearly everyone, it’s time to dump Java. Once promising, it has outlived its usefulness in the browser, and has become a nightmare that delights cyber-criminals at the expense of computer users.

    So the verdict is clear. Disable Java plug-ins in all browsers, whether Firefox, Chrome or Internet Explorer. Java’s glory days are over and it’s time to pull the plug.


    http://www.readwriteweb.com/hack/2012/09/java-is-no-longer-needed-pull-the-plug-in.php

  9. More from security expert Steven Gibson on Java:

    if you know you don't need it, remove it, if you have it. If you're not sure if you need it, then you probably don't, so remove it.

    source:
    http://www.grc.com/sn/sn-374.txt
    http://twit.tv/sn374

  10. Let's use some logic. The people behind it obviously do have at least some programming skills, they are not complete idiots. They have after all written a fairly complex program. That much we know.

    When people like that refuse to have their code open for scrutiny, want you to install it with full system permissions (as root in Linux) and on top of that require that you run Java. Then you know for certain that it is malicious code.

    --steelneck

