Re: Customer Awareness: 6 Tips for Perfecting Your Program
Forwarded from: security curmudgeon
Cc: Editor (at) BankInfoSecurity.com, reportfraud (at) mibank.com
bankinfosecurity.com: Too bad Linda blindly accepted everything she read
on the Interwebz.
mibank.com: "reportfraud", I am reporting fraud to you as requested.
Specifically, the 'fraud' that your bank is trying to commit against
customers.
: http://www.bankinfosecurity.com/articles.php?art_id=1164
:
: By Linda McGlasson
: Managing Editor
: Bank Info Security
: January 19, 2009
:
: Phishing, malware and the Nigerian 404 scam. These are among the top
: 2009 agenda items for the M&I Corporation in Wisconsin - not just to
: fight the threats, but to make customers more aware of them.
:
: Customer awareness is a huge priority for Wisconsin's largest bank,
: says Scott Coghill, CISM, Vice President, Information Security
: Department at the Milwaukee-based financial services corporation,
: which has $63.5 billion in assets and operates in seven states.
:
: M&I has a dedicated web page for its customers with an outline of the
It does? McGlasson/BankInfoSecurity don't link to it off their page. If
I hit https://www.mibank.com/ and search for 'security', I get a generic
FAQ-style page. If I click on the "M&I Online Guarantee" I get worse.
FAQ:
Is Online Banking secure?
Yes, M&I is committed to providing you with peace of mind when using
Online Banking and Bill Payment.
Guarantee:
The M&I Online Guarantee offers consumers some of the strongest
protection available.
[..]
Security Commitment: We use data encryption to protect you when applying
for accounts, conducting transactions or paying bills online.
Ok, I'll take your word for it and only use a web browser (and freely
available, easy to use browser plugins) to trust you.
- This web server allows EXP-* (exportable) ciphersuites. (What were you
saying about data encryption?)
- Web server reveals version (Apache/1.3.9) and module (Ben-SSL/1.37
(Unix))
- Javascript information disclosure (Michael T Venturella Jr (MTV)
created mibankJsLib.js on 05-Oct-05
- Use code from Websidestory, Inc. (websidestory.com)
- Initial cookies are not set 'secure'
- Initial cookies are not set 'httponly'
- One server in their cluster is Hitbox Gateway 9.3.6-rc1
- One server in their cluster is Apache-Coyote/1.1 and likely runs
ColdFusion
- Directory indexing is off, but error message reveals web server
vendor/version
- Customer user enumeration via error messages (valid name, invalid
state), server that handles this is IBM_HTTP_Server .. assuming that
connections to "ibanking-services.com" are legitimate, as they are
registered to "Metavante Corporation" not "M&I Online Banking"
- Copyright out of date
- Cross-Site Scripting (XSS) on the search page. Entering
"> will result in a popup if entered
through www.mibank.com/mibanknew/subsections.cfm?pagename=search
: most important security messages and updates. It also offers key tips
: in ID theft fraud protection, a section describing how M&I is
: protecting its customers,
Now I'm really curious, is this page only available to customers? If
they paid high dollar to a security company that performed web
application testing, I think they would be in for a rude shock since I
just hit 12 findings (one high risk!) in fifteen minutes. Care to pay me
10k for the elite audit I performed above before you spend more on a
company that will give you worse news?
Are they *really* dedicated, or are they just regurgitating the same
PR-friendly crap every e-commerce site does in a desperate attempt to
cover their ass while they provide insecure banking to the masses?
: "We periodically send out flyers in their monthly statements, and we
: provide the same information to our call center, branch personnel,
: community bankers and other areas of customer contact whenever we post
: an alert regarding a new phishing or malware scam that could be of
: interest to people," Coghill says.
Great, shift all the blame on everyone else, but not the folks running
the IT / Security department. The above findings mean M&I is not PCI
compliant for sure (sorry, XSS finding fails you). Did your PCI ASV find
this? If not, why not? If so, why are you still vulnerable? Oh wait, PCI
is a scam, never mind.
$63.5 billion in assets? I look forward to seeing you on
http://datalossdb.org/ =)
: "With the way the economy is today, the bad guys will try to look for
: opportunities to take unfair advantage of situations," Coghill says,
: requiring strong awareness programs for employees and customers alike.
: The awareness program in place is strong, he adds. "Our goal is to
: keep that information current and relevant."
All the while, ignoring Security 101 about web application security?
: [...]
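Three of the findings in the list above (cookies without 'secure' and 'httponly', a Server header that leaks product versions, and EXP-* ciphersuites being offered) are things a site owner can catch with a passive check of their own responses. The script below is an added example, not part of the original post and not anything M&I or the poster ran; the response headers and cipher list it audits are constructed samples, not captured from any real server.

```python
import re

# Constructed sample HTTP response (not captured from mibank.com or any real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/1.3.9 Ben-SSL/1.37 (Unix)
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: prefs=en; Path=/; Secure; HttpOnly
Content-Type: text/html
"""

# Constructed list of ciphersuite names a server might advertise.
SAMPLE_CIPHERS = ["EXP-RC4-MD5", "EXP-DES-CBC-SHA", "AES256-SHA", "DHE-RSA-AES128-SHA"]


def parse_headers(raw):
    """Return (name, value) pairs from a raw response, skipping the status line."""
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_cookies(headers):
    """Flag every Set-Cookie header missing the Secure or HttpOnly attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} not set 'secure'")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} not set 'httponly'")
    return findings


# Matches tokens such as "Apache/1.3.9" or "Ben-SSL/1.37" inside a Server header.
VERSION_RE = re.compile(r"\b[\w-]+/\d+(\.\d+)*")


def audit_server_header(headers):
    """Flag a Server header that reveals product versions."""
    return [
        f"server header reveals version: {value}"
        for name, value in headers
        if name == "server" and VERSION_RE.search(value)
    ]


def audit_ciphers(ciphers):
    """Flag exportable (EXP-*) ciphersuites, which use deliberately weakened keys."""
    return [f"exportable ciphersuite offered: {c}" for c in ciphers if c.upper().startswith("EXP-")]


def audit(raw_response, ciphers):
    """Run all three checks and return the combined list of findings."""
    headers = parse_headers(raw_response)
    return audit_cookies(headers) + audit_server_header(headers) + audit_ciphers(ciphers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, SAMPLE_CIPHERS):
        print("-", finding)
```

On the constructed sample this reports five findings: two for the SESSIONID cookie, one for the Server header, and two for the EXP- ciphersuites; the prefs cookie, which carries both attributes, is not flagged.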