Saturday, September 01, 2007

Bank of India, compromised!

The website of the Bank of India at www.bankofindia.com has been compromised. You can read about the attack on the Bank of India site at the SunBelt Blog. This is a fairly big issue, and if you have money at the Bank of India, I would seriously recommend you to withdraw it (in cash) and close your account immediately.

This is what happened. The website has a hidden page element that forces you to visit a malicious website. While you cannot see the page element (since it is hidden), you cannot notice it. But in the background, it downloads a long list of malicious programs. These programs are designed to take over your computer (rootkits) and allow the attacker to have complete control over it. Many of these rootkits allow the hacker more control over your computer than you do. The least destructive end goal is to use your computer as a spam host. Since this is linked from a bank's website, my guess is that the intended goal is to steal personal, financial information and use it to withdraw money or steal identities, or a variety of other creative pursuits.

If you still don't get it, it is the equivalent of having your house keys copied, and the thief has your check book and PAN number, and passwords to all the websites you visit. Not only is this a liability to your Bank of India account, but also to other accounts you have (financial and service websites), and legal documents on your computer.

If you have visited the Bank of India website in the past two or three months, I would highly recommend copying your sensitive documents, and formatting your hard-disk and re-installing your Operating System.

This is interesting for a variety of reasons
  1. The abysmal security of Indian financial websites is being noticed internationally. I wrote about this earlier, when I said that it was only a matter of time before this is noticed, and exploited. When a bank puts a website online, it should be prepared to match wits with some of the most devious minds. I am sure that in the months to come we will see a lot more of such attacks, directed primarily towards poorly designed Indian websites, of which there are plenty.
  2. The possibility of destruction that this attack aims at. While being a spam host is a bad thing, the worst possible outcome is having your bank account emptied. There are 22 pieces of malware that this attack installs, and there is bound to be many computers where a lot of them will stick.
  3. Shockingly sad security of Windows, affecting the customer directly. A fully patched system should be unaffected, but how many Windows systems in India are fully patched, especially if they are attached to a slow dial-up? The worse the connectivity, the lesser the likelihood of the system being up to date. Notice that the attack requires a Windows machine. On every other platform (including every possible Linux version), the attack will fail.
  4. Trust brokers are broken. Mc Afee site advisor did not report any problem with the website. Neither did Google's extension, or any other system that Sunnet Beskerming Pvt. Ltd. checked. So if you rely on a website to certify that your bank's website is hacker proof, you would be misled. Trust brokers are not trustworthy.
Clearly, Bank of India's website team is to be blamed here. They have failed terribly at their job of ensuring secure access to their customers. Bank of India customers should move to another bank for this reason alone. Money earns interest in nearly every bank. We choose banks either on convenience or on the perceived security of our money.

The larger blame is to be placed on all of us. We regard security concerns with ambivalence. When evaluating a financial service, we should expect them to provide a competent web interface. What good is an extra 2% rate of interest if the money is going to sit in some Russian's bank account?

I would highly recommend keeping your system up to date, and patched. While I realize that this is often difficult, it is critical if you are running Windows. As a larger argument, I would suggest not using Windows to access critical financial services. If Microsoft is not held accountable for its security flaws, then such attacks will continue. I would highly recommend using a Macintosh or a computer running Linux. For the attack to be successful, the Bank of India website has to be compromised, and your computer must be riddled with security holes. Once the website is compromised, you're on your own, and having Windows leaves you completely defenceless.

I visited the attacked website, and it is currently down right now. The malicious code has been removed, and there is no mention of it on the website. It says instead that "This site is under temporary maintenance till further notice. Kindly bear with us." If the maintenance is until further notice, how do we know it is temporary? Clearly they brought it down in response to the malicious code.