Online banking: Web services may create vulnerabilities

06 May 2002 07:32


The increasing popularity of Web services is a potential security headache for users and banks alike, as software vulnerabilities may leave holes for hackers to enter through

Alec Wilder was livid when he realised that the only way to pay for Yahoo's email forwarding service was to sign up for the company's electronic payment system.

The technology consultant was concerned about the security of his personal information stored in Yahoo!'s so-called digital wallet, a product that keeps login names, credit card numbers and shipping addresses for automatic online transactions.

"No one can prevent break-ins, and eventually there will be a break-in," Wilder said. "I feel as though I have no security right now."

Wilder's sentiments epitomise the fears that many consumers harbour about keeping critical information in online wallets. Their concerns are well-founded: security experts say that such services may present some of the weakest links among the various technologies used to safeguard private information, including data used for online banking.

The issue is likely to escalate as industry powerhouses such as AOL Time Warner, Microsoft, IBM and Sun Microsystems rely on digital wallets as the keys to the kingdom of Web services, the next generation of highly personalised Internet commerce for individuals and companies. The thinking is that consumers and businesses will store vital information in so-called authentication technologies for everything from online payments to communication.

A grand plan, but one with a major Achilles' heel for online banking and other secure transactions. Even if financial institutions are as secure as Fort Knox, hackers might still be able to tunnel in through a Web services hole.

"Web services absolutely will create new security weaknesses. These services are not being designed by bankers," said James Molini, chief executive of security firm Brink's Internet Security and a former executive for data security at First USA Bank. "Many services we see, especially those built by smaller firms, are not actually built using real financial security people. As a result, they don't really know how to even comply with federal regulation sometimes regarding the security of their system."

Because the move to Web services technology is just beginning, security plans are far from complete. But the rush to join the hypercompetitive online services field could create ideal circumstances for hackers to exploit relatively untested products, especially those that rely on existing technologies that have already been proven weak in security.

Even those who have never used the Internet to bank, trade stocks or shop could be vulnerable because the type of information typically used to gain access to accounts can be stored in systems with various levels of security. For example, an employer may keep such records as Social Security numbers, birth dates, addresses and family members' names in human resource files managed by an outside company.

Therein lies the greatest threat: a hacker or rogue insider could mine this information from other databases and use it to break into a bank account without setting off any alarm bells at the financial institution beforehand. Data transmitted between two companies are usually encrypted, security experts say, but the databases on either end of the pipes are not.

Those concerns are part of the reason that Microsoft is rethinking its consumer Web services plan, called .Net My Services. The plan originally called for Microsoft to serve as the primary host for consumers' private information, but potential partners and privacy advocates criticised that idea because of Microsoft's frequent security problems with its products and Web sites.

"If banks expose their financial services as Web services, it means the entire chain has to be secure all the way from the client to the registry to the back end," said Ravi Balakrishnan, who represented a Fortune 100 technology company in several Web services standards organisations. "How can a bank trust a Web service is not creating a weak link into its systems at any point along the way?"

Financial institutions have long been reluctant to allow technology companies to become the security gateway and repository of their customers' assets and personal information. That is one reason the high-tech industry is redoubling efforts to create security standards.

In April, Sun named two of its pre-eminent researchers to new, high-ranking security posts. The responsibilities in those positions will include creating safeguards for the Liberty Alliance Project, the Web services standards group that the company formed along with AOL Time Warner and others as a counterweight to Microsoft. Around the same time, Microsoft, VeriSign and IBM said they were teaming to create encryption guidelines for Web services.

Microsoft, the most prominent proponent of Web services, has signed up some notable partners for its Passport technology -- the identification system needed to use many of its Web services. In March, Citigroup agreed to use the technology for password protection, online authentication and messaging services. Bank One also agreed to use the Microsoft product in December.

Although Citigroup and Bank One plan to use Passport authentication as only one phase of a multistep security process, critics warn that Microsoft does not have the best track record when it comes to security in general. In February, just one day after Microsoft released a software tool that could be used to create Web services, security specialists discovered a flaw that could have allowed developers to unknowingly write vulnerable programs.

"As every service offered by Microsoft becomes part of the .Net scheme, a single vulnerability in a user's accounts in one of these services gives skilled cybercriminals access to all of the other services," a security researcher known as Obscure said in an interview with CNET News.com.

In an article last year, Obscure described a way to breach Passport's authentication process by fooling the system into sending the hacker a "session cookie" -- a small piece of code sent by Web sites to a person's computer used to recognise and authenticate returning visitors. Obscure showed how to exploit "cross-site scripting," a common vulnerability that could allow a hacker access to all of a customer's account transactions. The victim could click a seemingly trusted link that the hacker has embedded with malicious code, thereby revealing his or her credentials to the hacker.

"The issues outlined in my Microsoft Passport paper are still a reality," Obscure said. "Although the specific examples I describe in my paper have been patched by the Microsoft security team, from time to time we see new reports on security lists such as Bugtraq and Vuln-Dev of similar examples making use of the same issues described in my paper."

Bugtraq listed several cross-site scripting and malicious JavaScript exploits in April.

"Many of these vulnerabilities allow for rogue Web sites to steal the cookies and modify the content in the victim's browser," said David Ahmad, the moderator of Bugtraq, one of the leading mailing lists dedicated to reports of software vulnerabilities. "This opens up a wide range of possible attacks against Passport, .Net and any other Web-based systems."
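The cookie-theft mechanism that Obscure and Ahmad describe above has a standard defensive counterpart: escape untrusted input before it is written into a page, and mark the session cookie HttpOnly so page script cannot read it. The following is an added example, not code from the article or from Microsoft's Passport; the function names, the cookie name and the sample input are constructed for illustration.

```javascript
// Added example (not from the article): defensive controls against the
// cross-site-scripting / session-cookie theft described in the text.
// Control 1: HTML-escape untrusted input before it reaches the page.
// Control 2: set the session cookie HttpOnly so script cannot read it.
// All names and inputs below are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable render: reflects a link parameter straight into the markup,
// so a tampered link can place script into the victim's page.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}</p>`;
}

// Hardened render: identical output for ordinary names, but any markup in
// the input is neutralised before it is emitted.
function renderGreetingSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}</p>`;
}

// Build a Set-Cookie header for the session token. HttpOnly keeps the value
// out of document.cookie, so even an injected script cannot read it;
// Secure keeps it off plain HTTP connections.
function sessionCookieHeader(token, { httpOnly = true, secure = true } = {}) {
  const attrs = ['Path=/', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  if (httpOnly) attrs.push('HttpOnly');
  return `session=${encodeURIComponent(token)}; ${attrs.join('; ')}`;
}

// Review check a defender can run over captured response headers:
// is the session cookie still readable by page script?
function cookieReadableByScript(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return !attrs.includes('httponly');
}

// Constructed input standing in for a tampered link parameter.
const tampered = '<script>/* injected */</script>';
console.log(renderGreetingUnsafe(tampered)); // script tag survives
console.log(renderGreetingSafe(tampered));   // script tag is escaped
console.log(sessionCookieHeader('abc123'));  // ...; Secure; HttpOnly
```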

Computer worms and viruses also present a major threat. Take the case of a set of worms now on the loose across the Web that allow an attacker to seize control of someone's MSN Messenger session by running malicious code. Microsoft has released patches for the "Js.CoolNow" and "JS_MENGER.GEN" worms, but they continue to infect systems that have not been repaired.

"As long as people are using Windows-based machines that are vulnerable to attack, doing authentication on a large scale is a bad idea," said Aviel Rubin, a security researcher at AT&T Labs.

Microsoft is by no means the only company creating technologies that may prove vulnerable to attack. In March, Bugtraq issued an advisory that Sun's Java Virtual Machine -- a component of Java that converts the programming language into something the computer can understand -- had a major vulnerability.

According to Bugtraq, it was possible for a certain type of Java code to perform an illegal function without detection and, in the process, allow a hacker to hijack a Java Virtual Machine used by someone else. Java is an integral part of Sun's Web services plans.

Cracks have been found in IBM's technologies as well -- two as recently as April. According to Bugtraq, flaws in a particular module in one of IBM's Informix databases could be exploited to weaken security and expose sensitive information.

Oracle's 9i application server, software that runs many e-commerce sites and online services, has also had its share of security problems. Bugtraq reported in February that two glitches in the software's programming could allow an attacker to gain access to some critical source code and content. In both cases, a hacker could find private information such as database IDs and passwords.

In addition, hackers could exploit some systems running Oracle's application server with a "buffer overflow" attack that unleashes malicious code. In this kind of attack, a hacker sends the system more input than it was written to hold, and some of that excess is arranged so that the machine runs it as code, allowing the attacker to hijack the system.

Although the flawed IBM and Oracle products are not unique to Web services, they can be used as building blocks for these technologies. More holes have been reported in Microsoft's products than in those of its competitors, but Ahmad said this does not necessarily mean that rival technologies are more secure, particularly for the young Web services business.

"The smaller number of vulnerabilities is not indicative of their security," he said. "Perhaps their software has not been scrutinised enough yet."

In the meantime, consumers may be signing up for authentication services that they don't even want. A new study by research firm Gartner showed that the majority of those who signed up for Passport did so as a requirement to use services like Hotmail and MSN Messenger, not to conduct financial transactions.

Many consumers were unaware that they had signed up for an authentication service at all. But that may change as they learn of the inherent security risks in such technologies.

Ari Schwartz, associate director at the Center for Democracy & Technology, a consumer advocacy group, said consumer awareness will rise as security invasions continue. "As you aggregate more information, it becomes a honey pot for hackers," he said.



Story URL: http://news.zdnet.co.uk/internet/0,1000000097,2109660,00.htm

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.