[Full-disclosure] South African Bank "security"
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] South African Bank "security"
- From: Kerry Adams <kerryadams604@xxxxxxxxx>
- Date: Tue, 1 May 2012 08:08:24 -0700 (PDT)
Dear Full-Disclosure,
ABSA Bank South Africa, "a member of the Barclays Group", has a division named
"ABSA stock brokers". ABSA stock brokers sends out "secure email" for
statements, etc. This consists of an attached HTML form (plaintext) which
submits a user name and password by https to digibroker.co.za, which displays
the actual statement.
This, unfortunately, leaves ample room for rank outsiders to provide similar
mail and collect passwords, if they can just get past that fiendishly complex
base64 encryption. The following sample of only slightly doctored "secure
email" is provided for educational purposes only:
http://pastebin.com/1FjqMcCq
Timeline:
Last week: vendor notified
This week: publication
Vendor describes their security as follows at
https://www.absastockbrokers.co.za/ :
Absa Stockbrokers is committed to making sure that your online experience is
safe and secure. Absa Stockbrokers uses multiple levels of security, and
state-of-the-art Internet technology, beginning with your browser and ending
with our own security infrastructure to ensure that access to your accounts is
private and secure. Further information can be found under Security Centre on
the main Absa website.
Secure Email: All contract notes (broker notes) and monthly statements
delivered via email are encrypted for your protection. In order to decrypt the
secure emails, the nominated email recipient is required to register on the
Absa Stockbrokers website. See Secure Email under FAQs.
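The weakness described in the post is that a statement "secure email" is really a base64 transfer-encoded HTML attachment whose form posts a username and password to a web host, and nothing in the mail itself lets a recipient or gateway tell a genuine statement from a look-alike. The following is an added example, not code from the post or from the vendor: a small scanner, in the shape a mail gateway or mailbox filter would use, that walks a message, base64-decodes its HTML attachments, and reports any form that collects a password, together with the host it posts to, whether it uses HTTPS, and whether that host is on a site-specific allowlist. The sample message it builds is constructed for the demo; the domains `broker.example`, `statements.example` and `portal.broker.example` are placeholders, not hosts named anywhere in the post.

```python
"""Flag e-mail attachments that carry a credential-collecting HTML form.

Added example (not code from the original post or the vendor). A message
is parsed, every HTML attachment is decoded (undoing the base64 transfer
encoding), and each <form> containing a password field is reported with
the host it submits to. Assumptions: the message is available as RFC 822
text, and the allowlist of legitimate form targets is site-specific; all
domains used below are constructed placeholders.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormScanner(HTMLParser):
    """Collect the action URL and password-field presence of every <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def html_attachments(msg):
    """Yield (filename, decoded_html) for every HTML attachment of msg."""
    for part in msg.walk():
        fname = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or fname.lower().endswith((".htm", ".html")))
        if not is_html or part.get_content_disposition() != "attachment":
            continue
        # decode=True reverses the Content-Transfer-Encoding (base64 here)
        raw = part.get_payload(decode=True)
        yield fname, raw.decode(part.get_content_charset() or "utf-8", "replace")


def credential_forms(raw_message, allowed_hosts=()):
    """Return one finding per password form found in the message's attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for fname, html in html_attachments(msg):
        scanner = FormScanner()
        scanner.feed(html)
        for form in scanner.forms:
            if not form["password"]:
                continue
            target = urlsplit(form["action"])
            host = target.hostname or ""
            findings.append({
                "attachment": fname,
                "host": host,
                "https": target.scheme == "https",
                "allowlisted": host in allowed_hosts,
            })
    return findings


def build_sample_message(action_url):
    """Construct a 'secure statement' mail with an HTML form attachment (demo data)."""
    html = (
        "<html><body><form method='post' action='%s'>"
        "Username <input name='user'> Password <input type='password' name='pw'>"
        "<input type='submit' value='View statement'></form></body></html>" % action_url
    )
    m = EmailMessage()
    m["From"] = "statements@broker.example"      # constructed sender
    m["To"] = "client@example.net"
    m["Subject"] = "Your monthly statement"
    m.set_content("Please open the attached secure statement.")
    # bytes attachments are base64 transfer-encoded by default
    m.add_attachment(html.encode(), maintype="text", subtype="html",
                     filename="statement.html")
    return m.as_string()


if __name__ == "__main__":
    sample = build_sample_message("https://statements.example/login")
    for f in credential_forms(sample, allowed_hosts=("portal.broker.example",)):
        print(f)
```

The useful output is not the decoded HTML but the action host: a policy can then quarantine any password form whose host is off the allowlist, or label a message whose form posts over plain HTTP. Running the block as written reports one finding for `statements.example` with `allowlisted` false.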
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/