Security Quote of the Day

Se ei ole aukko, kunnes me pystymme itse varmistamaan että se on aukko.” (“It is not a hole until we are able to verify ourselves that it is a hole.”) — Hannu Vuola, head of communications at Sampo Pankki in a later revised news item in Helsingin Sanomat on the topic of a gaping XSS hole in Sampo’s net bank

The story so far:

  1. Danske Bank acquires Sampo Pankki (site not responding at the time of linking)

  2. Sampo Pankki announces it will replace its net bank with Danske’s “more secure software”

  3. It’s announced that the “more secure” net bank requires Java applets

  4. It is reported that people with Windows 2000 won’t be able to access the new netbank. 64-bit Ubuntu users are out of luck as well.

  5. It is observed that Sampo’s out-of-date Web server software has multiple CVEs on it.

  6. A computer retailer and Sampo offer €100 discount for users who buy a new computer in order to use the crazy Java thing—ecological footprint be damned.

  7. Sampo’s netbank goes offline for the system change over Easter.

  8. A customer is able to log in during the outage and sees someone else’s account data.

  9. It is reported that some customers have stock missing. The news item is later edited with Sampo’s denial.

  10. Sampo Pankki displays a Sharepoint error page to the public.

  11. It is reported that not only does the new netbank require Java, it requires that the user allows JNI!

  12. The Java applet is decompiled and the actions of the JNI libs analyzed. The JNI stuff is there to profile the user’s hardware.

  13. Sampo’s public-facing Web page has an elementary XSS vulnerability that allows the replacement of the bank’s page with any phishing page.

  14. The state consumer agency tells people to file for damages from Sampo.

MULTIFAIL!

The craziest part is that a bank is teaching people to install random software and click Yes to running privileged JNI code in order to connect to a bank.

With cluelessness and incompetence of epic proportions what more do people need in order to switch banks? If I were Sampo’s customer, I would have started shopping for banking services from elsewhere when the Java requirement was announced.

Fortunately, I’m with a bank whose services I can use with any self-contained browser (man-in-the-middle Opera Mini blocked). If you are a customer of Danske Bank or a subsidiary in any country (they run the same code in Denmark) I suggest getting yourself a more clueful banking provider—for security reasons if not for the open Web platform.