From: "BlueJAMC"
To:
Subject: Vulnerability in credit union's E-statement feature
Date: Saturday, 1 September 2001 18:16

I brought this to the attention of my individual credit union a number of months ago. They replied that they would bring it up with the maker of their E-statements software, but as yet no changes have been made.

Description:

Sioux Falls Federal Credit Union's e-mail alert program transmits account number in plaintext.

Detailed description:

Sioux Falls Federal Credit Union gives its clients the ability to be alerted via e-mail when their monthly statement is available. There is a rather severe flaw in this feature, however. Below is an example of the e-mail which a client using the online statement notification would receive:

---
Please click on the following Link to retrieve your Credit Union Statement:

https://www.siouxfallsfcu.org/servlet/com.sos.estatements.PreLogin?UName=12345-5&Month=8&Year=2001

This is the Statement for August

Have a Great Day!
---

In the link above, the 12345 is the account number of the person receiving the e-statement. The -5 is referencing the type of account which the statement is in regard to. In the example above, the 5 references that the account is savings.

Obviously, the problem here is clear; the account number is clear text. Of course, the link requires you to include a password. However, considering the fact that most users use the same password for everything--e-mail, e-statements, chatroom SNs, etc.--the requirement to use a password is little consolation. This, coupled with the fact that the individual branches for the credit union do not check for any type of identification other than a signature when making a withdrawal, makes this even more dangerous.

Vendor notification:

I initially notified Sioux Falls Federal Credit Union about this a number of months ago--either in the end of April, or beginning of May.
Their response is below:

---
Josh:

Thanks for your e-mail on Tuesday regarding the security of our e*statements. Since that time we have been discussing the issue with our vendor, and they have agreed to correct the problem by encrypting the link. Of course, we are at their mercy with regard to the timeline. They tell us that it will be done by mid-summer when they introduce the next version of the e*teller account access program.

I want you to feel comfortable that your account information is secure, and if you feel waiting until the fix is too long, I would suggest that you discontinue the e*statement until then. Let me know what you decide, and we will take care of it for you.

Sincerely,
Kevin Kavanaugh
Vice President
---

Well, at this point, I'm tired of waiting. I do realize that, as Mr. Kavanaugh described above, they are at the mercy of their vendor. However, at this point, I think it's time to apply a little pressure. The other problem I have is that SFFCU refers to their vendor, which leads me to believe that this isn't only specific to my credit union. I do not, however, have any evidence to back this up.

Resolution:

Obviously this depends on the vendor. However, the suggestion I gave initially was to use either a random number which would correspond to the bank account, or to use a one-time randomly generated number for the link which can only be used once. If there is an attempt to view the link again, the user will be notified that the link has already been viewed, and to contact the credit union.

DKG/CTC
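The following is an added example, not code from the original post, from Sioux Falls FCU or from its e-statements vendor. It shows the flaw the post describes (the account number and account type can be read straight out of the e-mailed link) next to an implementation of the resolution the post proposes: an opaque, randomly generated reference in the link instead of the account number, enforced as single-use, with a second attempt reported as "already viewed" so the user can be told to contact the credit union. The endpoint URL, the in-memory storage, the one-week lifetime and the sample account numbers are all constructed assumptions for the example.

```python
# Added example, not the original post's or the vendor's code.
# Demonstrates: (1) extracting the leaked account number from the legacy link
# format shown in the post, and (2) single-use opaque statement links.
# BASE_URL, LINK_TTL_SECONDS, the storage and the sample accounts are assumed.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed endpoint for the example; not the credit union's real URL.
BASE_URL = "https://statements.example.invalid/retrieve"
LINK_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime: links expire even if never opened


def account_from_legacy_link(url: str) -> Tuple[str, str, int, int]:
    """The flaw in the original format: account number, account type, month
    and year are recoverable from the URL alone, with no password needed."""
    query = parse_qs(urlsplit(url).query)
    account, account_type = query["UName"][0].split("-", 1)
    return account, account_type, int(query["Month"][0]), int(query["Year"][0])


@dataclass
class StatementRecord:
    account: str  # held server-side only; never placed in the e-mailed link
    month: int
    year: int
    issued_at: float
    used: bool = False


class StatementLinkService:
    """Issues one-time statement links and tracks whether each was viewed."""

    def __init__(self) -> None:
        # Keyed by the SHA-256 digest of the token, so a copy of this table
        # by itself does not let anyone open a statement.
        self._records: Dict[str, StatementRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue_link(self, account: str, month: int, year: int,
                   now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the account
        self._records[self._key(token)] = StatementRecord(account, month, year, now)
        return f"{BASE_URL}?t={token}"

    def redeem(self, url: str,
               now: Optional[float] = None) -> Tuple[str, Optional[StatementRecord]]:
        """Return (status, record). Status values:
        "ok"              first valid use; the caller may now ask for the
                          password and render the statement
        "already_viewed"  the link was opened before; tell the user to
                          contact the credit union
        "expired"         the link is past its lifetime
        "unknown"         no such token (guessed, mistyped or tampered link)"""
        now = time.time() if now is None else now
        token = parse_qs(urlsplit(url).query).get("t", [""])[0]
        record = self._records.get(self._key(token))
        if record is None:
            return "unknown", None
        if record.used:
            return "already_viewed", record
        if now - record.issued_at > LINK_TTL_SECONDS:
            return "expired", record
        record.used = True
        return "ok", record


def notification_text(link: str, month_name: str) -> str:
    """The e-mail body in the post's wording, with the opaque link substituted."""
    return (
        "Please click on the following Link to retrieve your Credit Union Statement:\n\n"
        f"{link}\n\nThis is the Statement for {month_name}\n\nHave a Great Day!\n"
    )


if __name__ == "__main__":
    legacy = ("https://www.siouxfallsfcu.org/servlet/com.sos.estatements.PreLogin"
              "?UName=12345-5&Month=8&Year=2001")
    print("leaked from legacy link:", account_from_legacy_link(legacy))

    svc = StatementLinkService()
    link = svc.issue_link("12345-5", 8, 2001)  # constructed sample account
    print(notification_text(link, "August"))
    print(svc.redeem(link)[0])  # first visit
    print(svc.redeem(link)[0])  # second visit is reported, not served
```

Two design points worth noting: the token is generated from `secrets`, not derived from the account number, so knowing one customer's link says nothing about another's; and the link is consumed before the statement is shown, so the "already viewed" message is the signal the post asks for, even though the real service would still prompt for the password after a valid first use.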