Wednesday, June 6, 2012

Osuuspankki hack

Last night I tried accessing the website of my bank in order to check my balance. I was in for a surprise. The front page was redirected by javascript to and then back again in an endless loop. As I have some experience in these matters, it seemed to me like a prank some malicious hacker might have done, on their way out of the system. I was starting to seriously suspect my bank's online systems had been compromised.

I started searching for any news regarding this in the morning with no success. I was amazed by the lack of any news or people complaining online. Only after I saw this article, I thought I might have possibly found the reason for last night's suspicious script-behaviour:

OP-verkkopalvelun käyttöä tuetaan tietyillä selainohjelmilla ja niiden versioilla. Tuettuihin selaimiin tulee muutoksia 6.6.2012.
6.6. 2012 alkaen OP-verkkopalveluiden käyttöä tuetaan seuraavilla selaimilla:
Internet Explorer 7, 8 ja 9
Firefox 11 ja 12
Opera 11
Safari 5
Google Chrome
Suosittelemme tietoturvan ja sivujen yleisen toimivuuden vuoksi uusimpien selainversioiden käyttöä. Selainohjelmiston päivittäminen on tärkeää OP-verkkopalveluiden turvallisen käytön kannalta.
  • OP-verkkopalvelun käytön tekniset edellytykset (PDF 28 kB) (PDF 13 kB)
  • Lue lisää selaimista ja niiden päivittämisestä
Basically what they are saying is that from this date froward the bank's online service will be supported by these browsers. Even here was no mention of the blunder and/or compromised system that took place last night.

What to learn: Land users on a page that informs what's happening. Don't leave your system in a state that screams blackhats are doing pranks here. It's even more embarrassing if the very people who are responsible for the system leave it in a state that an attacker would. At least some hacks happened last night and I'm sure it's not good even if in this case hack meant an untalented professional.

What to learn, for the users: Expect that your bank has hired your neighbour's son to do your banking systems.

No comments:

Tip me if you like what you're reading