Security of Web Connections used for Banking

2FA is a false sense of security, to be honest. In effect we are losing more privacy for a false sense of security, as they can be hacked when large sums of money are at stake. The key in this equation is ‘the large sum’ of money, and to check your bank statements at a minimum.

Banning VPNs is again a false sense of security here; often people use one to protect themselves and not provide their precise location data.

What really adds insult to injury in this regard is that I’m pretty sure all our independent banks (that are not the “big three”) are all being reverse-proxied through either Cloudflare, Amazon Cloudfront, or Akamai.

If someone can find an independent (i.e. non-big-three) bank that isn’t being Man-in-the-Middle’d by a tech feudalist in some way, please do sing out.

This also relates to the OP’s password security, in that Cloudflare and other reverse-proxy services are designed to decrypt the HTTP request, so they can do things like replace an email on a website with “[email-protected]” etc.

PS. Medibank was MitM’d by Amazon CloudFront, but <INSERT_TWO_MINUTE_HATE_RECIPIENT_HERE>

I’m not sure I should be as paranoid as the previous post and user. Last time I checked, Australia had 4 big banks, not 3 as per the post. Cause to ignore the rest, which seems incomprehensible.

Suggests my aversion to using the local hotel’s free internet when travelling, even in Australia, is a little excessive.

2 Likes

It does depend on how the 2FA is implemented.

I use an RSA token with a bank for 2FA. I don’t see any privacy issue with that (one of the reasons I opted for the token over using the bank’s app).

While it would be bold to say that an RSA token can’t be hacked, it offers up a much smaller attack surface as compared with a smartphone (again, one of the reasons I opted for the token).

The only real downside is that the RSA token is a black box. I have no proof of what it actually does. There is no way to audit it. So the statements in the two previous paragraphs are made on trust. However, this is certainly not worse than using a black-box smartphone, which has the same problem.

That would be somewhat amusing if true. However I guess the onus is on you to demonstrate that it is true (for any bank).

Certainly

  • some companies do do TLS like that (for performance reasons)
  • in that scenario what I said above about TLS only extends as far as the TLS endpoint, which will be in the Content Distribution Network (CDN) / frontend / reverse proxy, not necessarily inside the “bank” itself

Seeing as this topic is still going, I would like to elaborate on one comment I made above.

your exposure is limited to revealing the fact that you connected to a certain hostname

That’s not quite the whole story. You will leak other metadata, e.g. how long you were connected to the web site and approximately how much data you uploaded / downloaded. While that is unlikely to be an issue at all for internet banking, in a more general scenario (e.g. a dissident living under a government even more dodgy than ours) this could be a serious problem and a VPN (or any equivalent technology) would be 100% needed.

2 Likes

So you are saying the security of some Oz banks has been compromised by some large tech company (e.g. Meta, Apple etc.).

This is a rather alarming statement. Rather than me try to show it doesn’t happen how about you show us the evidence that it has happened. Where has it been done? How? By whom? What are the consequential risks to the ordinary user?

3 Likes

You probably need to read my post to understand what is actually being claimed and how it works.

I wouldn’t specifically use the word “compromised”. Let’s just say … security has become dependent on the security and trustworthiness of the CDN etc. provider. However in broader terms that is true of a great many companies as they engage in outsourcing (and “supply chain attacks” are very much in vogue).

3 Likes

You didn’t make the claim, so how do you know what is in mind?

Enough words were written in that post such that one can join the dots to make a picture. It’s just that the picture you came up with is different from the picture I came up with. :wink:

SPLIT POST DUE TO NEW USER BEING UNABLE TO TAG MORE THAN TWO USERS AT A TIME.

@mark_m I occasionally treat Westpac as not-as-big-a-bank and this can throw people off occasionally. In fairness to you, I probably should just go with the common consensus on that one.

@syncretic is right in asking that I support my claim with some evidence.

Last I checked, Westpac was using a digital feudalist… Amazon, if my memory serves. Thankfully, checking whether a domain is being reverse-proxied through a CDN (Content Delivery Network) is quite easy. Unfortunately the problem gets a bit more difficult to check for when a site is just using a server owned by Amazon, Google, Microsoft etc., and in those cases one must look at the IP addresses they use, and often you need to run a ‘whois’ request on them, which is not made easy in browsers.

To check a site for evidence of the most concerning issue, the MitM attack, one can simply:

  1. Bring up the Developer Tools > Network Tab in your web browser (in a Firefox-based browser like Tor Browser or LibreWolf simply hit Ctrl+Shift+E. Alternatively right-click on a page and select ‘Inspect’, then tap the Network Tab)
  2. Visit the site. You’ll see a bunch of resources appear in the Network tab list,
  3. Find a resource that has finished downloading and check the HTTP Response that was sent back to the browser. If it says:
  • server: cloudflare or cf-ray: <HEXADECIMAL_NUMBERS>, or
  • server: AmazonS3 or via: <HEXADECIMAL_NUMBERS>.cloudfront.net (CloudFront), or
  • server: AkamaiGhost or something to that effect,

Then that site is being reverse proxied by Cloudflare, Amazon or Akamai. It’s man-in-the-middled by what I call a techno-feudalist. This doesn’t mean the site is bad, or the developers are bad. But treat it with great caution. I personally minimise my access to those sites, opting for archived copies of the page, if at all. Many website developers are ignorant of the internet takeover, or they believe that CAPTCHAs are bad and people will leave their site if it has a bot CAPTCHA. Or they think load-balancing is too expensive or difficult etc.

Anyway I challenge anyone to find an independent bank that is not being MitM’d. (HINT: There is one I know of, out of approximately forty. Some I was unable to check because of the types of road-blocks some sites put up so I would love to be proven wrong here)

It bears repeating that Medibank (specifically members.medibank.com.au) was and is reverse proxied by Amazon Cloudfront. MitM’d from a server in the US if it makes any real difference… it doesn’t. Namely the server is server-13-225-34-42.cdg3.r.cloudfront.net

This is not “paranoia”; this is what Europe have invested a lot of time and energy to stop, and here in Australia we roll over and consign ourselves to being taken over. As an example, Google Analytics was made illegal in Europe, moving data offshore is illegal, and a gentleman in Europe won a court case to be able to buy a computer without Microsoft Windows. The latter might be a good thread of discussion in itself at Choice, in fact.

So to bring this back to the topic at hand, what good is a password at all if everything on the pages you access and in your communications is being man-in-the-middled and could possibly be spied on and collected by servers in the location of the hegemon? Or maybe that is why the humble password is not so important; maybe mass surveillance, combined with assessing your mouse movements or button taps, or your biometrics like your fingerprint (someone mentioned above, which is creepy as all hell) as you browse, is how they ensure you are you. Microsoft have a patent on using brainwaves, so maybe they plan to use that too, if they are not using it already.

This is not to discourage; I’m just laying out some of the challenges I think we must face moving forward. I agree that passwords should be solid; if they get hacked then they should probably bear some responsibility, but we cannot really talk about password security before addressing the elephant in the room, which to my understanding is the MitM attack happening in silence.

The 2FA RSA token is good against fraudulent transfers, but in terms of privacy we have close to none, with the exception of one bank. Again, prove me wrong, please. Show me that another bank is not MitM’d - I would love to have a ‘CHOICE’. :slight_smile:

This is of no value to me as I am not a network expert and I don’t know what you are recommending or what it shows.

If a substantial part of our banking system is insecure I would expect the technical journals to be awash with it and that the major media would pick it up.

If you think small banks’ online presence is not secure, how about something from a reliable source that illustrates how it is insecure, what could go wrong and, most importantly, what the practical implications are for the user. It is one thing to say there is a possible threat in principle, another to show that it actually happens and that it causes real harm.

1 Like


Syncretic has a valid point, but if we are always to wait for the fourth estate to generate action from an issue, it has to be raised first. What they have highlighted is personal responsibility for online security, and these posts flow from that. I don’t think I’m “Chicken Licken”.

According to KPMG, Westpac is Australia’s third largest bank ahead of ANZ and not that far behind NAB. Always subject to change, but not by any amount to change who they are. They are too much alike.

I had to look up how Man in the Middle is defined by those wiser. How can an agreement between a bank and a reverse proxy server provider be called secret? It’s purposeful and not hidden any more than any other aspect of what happens between a user’s device and the bank’s secured system.

I’ll leave it to others to explain how or why consumers and businesses are typically caught out by MitM attacks. Most typically by users clicking on links or responding to web pages without checking the address path. Or using insecure and public networks.

Where is the role of MitM in the cause of well-known data breaches?

3 Likes

I am not saying we must wait for the media before doing or saying anything, but that there is a technical media that publishes details of security risks, and they pick up on rumours, claims etc. about such problems. So if this is a serious and widespread problem I would expect it to be mentioned.

I don’t see where that fits in. If it is a consequence of the way that some banks (but not all) operate their web sites and user access applications how can you or I take personal responsibility for it?

Can you see why that response could be a little concerning? When I read that, I thought of climate change. “I’m not a climate scientist but … I know better than all the climate scientists …” Yeah, I know that’s a little harsh but I’m just mentioning how it came across.

I accept though that you won’t take @shauno’s word for it or my word for it.

It isn’t just banks that use this architecture.

I’ll be honest with you … of all the security problems in the world that keep me awake at night, TLS front-ending is not one of them.

Yes, I accept that it is a conscious choice by the company (in this case, a bank) and it has negative security implications.

For the record, those headers don’t have any authenticity. You could access any web server that I operate, and it could send a header claiming that the server is any one of those companies, and vice versa, i.e. if consumer concern about reverse-proxying became widespread, they could just suppress or falsify the Via: header.

The Server: header is supposed to be the software version (of the origin server). The Via: header is supposed to tell you about reverse-proxying (or forward-proxying).

However let’s assume that neither the CDN-operator nor the bank is lying. Then you can use those headers.

1 Like
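The header check described step by step in the earlier post (Developer Tools > Network, then look at server:, cf-ray: and via:) and the caveat in the post above that those headers carry no authenticity are both illustrated by the following script. It is an added example, not code from any poster in this thread and not part of the BCMA add-on; it assumes you paste in the header block printed by `curl -sI <url>` (or copied from the Network tab), and the sample responses embedded in it are constructed, not captured from any real bank. Beyond the three markers quoted in the thread it also checks x-amz-cf-id, which CloudFront adds to responses it serves.

```python
"""Classify an HTTP response header block for CDN / reverse-proxy markers.

Added example for the thread above (not the posters' code and not BCMA).
The markers are the ones quoted in the posts: server: cloudflare / cf-ray
(Cloudflare), server: AmazonS3 / via: ...cloudfront.net (Amazon), and
server: AkamaiGhost (Akamai), plus x-amz-cf-id which CloudFront sets.

These headers are unauthenticated: an origin can add, remove or forge
them, so a hit is evidence of a proxy, not proof, and a miss does not
prove there is no proxy (the thread mentions Cloudflare configurations
that omit cf-ray and server: cloudflare entirely).
"""
from typing import Optional


def parse_raw_headers(raw: str) -> dict:
    """Parse a `curl -sI` style header block into a dict of lower-cased names.

    The status line (HTTP/...) is skipped. Header names are lower-cased
    because HTTP header names are case-insensitive; repeated headers are
    joined with ", " as RFC 9110 permits.
    """
    headers: dict = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def detect_cdn(headers: dict) -> Optional[dict]:
    """Return {"cdn": name, "evidence": [header names]} or None if no marker."""
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "").lower()
    via = h.get("via", "").lower()

    evidence = []
    if "cf-ray" in h:
        evidence.append("cf-ray")
    if server == "cloudflare":
        evidence.append("server")
    if evidence:
        return {"cdn": "Cloudflare", "evidence": evidence}

    if ".cloudfront.net" in via:
        evidence.append("via")
    if server == "amazons3":
        evidence.append("server")
    if "x-amz-cf-id" in h:  # set by CloudFront on responses it serves
        evidence.append("x-amz-cf-id")
    if evidence:
        return {"cdn": "Amazon CloudFront", "evidence": evidence}

    if server.startswith("akamaighost"):
        return {"cdn": "Akamai", "evidence": ["server"]}
    return None


def classify_raw(raw: str) -> Optional[str]:
    """Convenience wrapper: raw header block in, CDN name (or None) out."""
    hit = detect_cdn(parse_raw_headers(raw))
    return hit["cdn"] if hit else None


# Constructed sample responses for the demonstration; not captured from any site.
SAMPLE_CLOUDFLARE = (
    "HTTP/2 200\r\n"
    "date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "content-type: text/html\r\n"
    "cf-ray: 0000000000000000-SYD\r\n"
    "server: cloudflare\r\n"
)
SAMPLE_CLOUDFRONT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: AmazonS3\r\n"
    "Via: 1.1 0000000000000000.cloudfront.net (CloudFront)\r\n"
    "X-Cache: Hit from cloudfront\r\n"
)
SAMPLE_AKAMAI = "HTTP/1.1 200 OK\r\nServer: AkamaiGhost\r\n"
SAMPLE_DIRECT = "HTTP/1.1 200 OK\r\nServer: nginx\r\nVia: 1.1 internal-lb\r\n"

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():  # e.g. curl -sI https://example.com | python3 cdn_check.py
        print(detect_cdn(parse_raw_headers(sys.stdin.read())))
    else:
        for label, raw in [("cloudflare", SAMPLE_CLOUDFLARE), ("cloudfront", SAMPLE_CLOUDFRONT),
                           ("akamai", SAMPLE_AKAMAI), ("direct", SAMPLE_DIRECT)]:
            print(f"{label:10s} -> {detect_cdn(parse_raw_headers(raw))}")
```

The evidence list is returned alongside the name so you can see which header produced the verdict; a result that rests on Server: alone is weaker than one backed by cf-ray or Via:, since Server: is just the origin's self-description.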

What a strange problem this is.

The Internet is the wild west. Unregulated. Designed for free and open access.

Banking systems are so security controlled and monitored that nothing gets through the layers of hardware and software unless through controlled interfaces.

Man in the middle attack? LMAO.

No, because I am not putting up my non-existent expertise, nor saying that because I don’t know the answer the question is unfathomable.

I am asking what the practical consequences are for loss of security which has not yet been mentioned. What are the chances that your funds or privacy are going to be stolen? This is what the average punter wants to hear.

1 Like

I thank you @mark_m for clarifying the state of Westpac as a big bank. Interestingly, my source was an NAB software developer who also thought that mass surveillance is fine because “money laundering”. I have no qualms with considering that person an unreliable source. Thank you.

Over the years from 2013 to today, many commentators and those in the privacy movement have called out the menace of the reverse proxy, and developers who fail to include Cloudflare and other reverse proxy “services” as man-in-the-middle attacks. One such commentator is Jeff Cliff BSc, and you can find one of his well-researched and documented writings here.

That upguard.com link above is by a company that seems to profit from the use of third-party software and services. Their first two headlines are, “Continuously Monitor, Assess, and Reduce Your Vendor Risk” and “All-in-one third-party risk and attack surface management software”. They are hosted on AWS (Amazon Web Services) at aacb0a264e514dd48.awsglobalaccelerator.com in the US. It is also very, very difficult, and many say impossible, to know the true causes of data breaches. In many cases the attacker can leave fingerprints to suggest it was something unrelated, and this is common practice. Also, vested interests simply lie to further their agenda, which we all saw quite famously when the Hillary campaign in 2016 decided to simply make up a story about the leaking of her emails being from “the Russians”, stoking xenophobia that has polluted our discourse for almost a decade now (feeling old).

The fact is we can only go by what we can see with our own eyes. Medibank was reverse-proxied (MITM’d) by Amazon prior to the hack as far as I know, so I (we) cannot rule out malfeasance at some level there.

It shows that the endpoint is a reverse proxy service, which many shrewd commentators describe as a MitM attack. If the website doesn’t tell you that your data is moving into the custody of a foreign country or corporation, then they are essentially extorting your data to the third party in exchange for protection. This can therefore be likened to a protection racket such as those exercised by mafias.

BCMA

There is an add-on called BCMA (Block Cloudflare MITM Attack) that uses such HTTP response headers as I described in my last post. Unfortunately it is only focused on Cloudflare and doesn’t cover Amazon CloudFront or Akamai, so you would need to check those yourself. The code is open-source and free-licensed, so anyone can adapt it and call it something different. It seems that late last year Mozilla delisted it; only the older, cruder Russian-language version is available now :frowning:

Early last year, a bug fix was added (version 1.0.2) that made the add-on slightly better looking, and it made it near impossible for a server to detect that you were using it (the old version used an alert border on MitM’d pages, but this made elements on the page smaller by a few pixels, and so your browser might fetch a smaller version of an image if you used the add-on and the site was on Cloudflare. This was deemed a fingerprinting/anonymity issue and it was upgraded).

It’s interesting that Firefox removed the add-on, but it should be known that Mozilla, who make Firefox, were labelled “Internet Villain of the Year” in 2019 for sending all users’ DNS requests direct to Cloudflare, using DNS-over-HTTPS, a new protocol for DNS. It is therefore obvious that Mozilla have a conflict of interest here.

I can only vouch for BCMA Version 1.0.2, available at multiple good repositories, which, if you check its SHA-512 hash for integrity should conform to:
9bbd384b1f388f59f2367aeefa65a190a0775286141fe571727c30d9f9bb21bfadcdb533792ddb09fb28dda1f65bda33d458996cffa5a3bfa698eda7cfd3b01f

If you have a Mac or Linux you can check the SHA-512 at the command line with shasum -a 512 <FILEPATH_NAME>

If anyone here has the time and inclination to audit the latest release of BCMA, please do. Just rename the file from ‘xpi’ to ‘zip’ and decompress it so you can read the code. If you trust a previous release you can simply compare the folders of the releases using the ‘diff’ command in linux. I’ve never seen bad code from deCloudFlare but do think it should include Amazon and Akamai, and so I find it very interesting indeed that Mozilla delisted it.

Yes, someone can conceivably lie in those headers, but why? To fool a person who wants to actively avoid the MitM’d sites? Those HTTP headers are apparently commonly used in debugging so it becomes difficult for operators of the MitM to simply remove them.

In any case, the custody chain of the data is broken. Data is moved offshore or to foreign-owned corporations; this is much more difficult to hide.

I was going to say that last I checked, Visa has a special relationship with Cloudflare that involves not using a cf-ray nor server: cloudflare in the header. So yes, to my knowledge they are also capable of hiding what they are doing and this doesn’t make the situation any better, obviously. :frowning:
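The integrity and audit steps in the post above (check the SHA-512 with shasum, treat the .xpi as a zip and unpack it, then diff two releases) can be scripted so they are repeatable. The following is an added example written for this thread; it is not the poster's code and not part of BCMA. Rather than unpacking to folders and running diff, it hashes every member of each archive and reports what was added, removed or changed, which is the summary you would otherwise read off `diff -r`. The two .xpi files it builds are constructed for the demonstration, and the published digest you would actually paste into verify_sha512() must come from the download page or repository you trust, not from this script (the demo derives one from its own constructed file only to show the comparison working).

```python
"""Verify an add-on file's SHA-512 and compare two .xpi releases member by member.

Added example (not the poster's code and not BCMA's). Assumptions: the .xpi
is a plain zip archive, as the post states, and the expected digest comes
from a source you trust. The releases built by build_demo_releases() are
constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile
import zipfile


def sha512_of_file(path: str) -> str:
    """Stream the file through SHA-512 (same value `shasum -a 512` prints)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha512(path: str, expected_hex: str) -> bool:
    """Compare the file's digest with the published one.

    The published hex is normalised (whitespace, case) and compared with
    hmac.compare_digest so the check does not depend on string short-circuiting.
    """
    return hmac.compare_digest(sha512_of_file(path), expected_hex.strip().lower())


def xpi_member_digests(path: str) -> dict:
    """Map every file inside the .xpi (a zip archive) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(path) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    return digests


def diff_releases(old_xpi: str, new_xpi: str) -> dict:
    """Report which members were added, removed, changed or left alone."""
    old, new = xpi_member_digests(old_xpi), xpi_member_digests(new_xpi)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in common if old[n] != new[n]),
        "unchanged": sorted(n for n in common if old[n] == new[n]),
    }


def build_demo_releases(directory: str) -> tuple:
    """Write two constructed .xpi files standing in for consecutive releases."""
    v1 = os.path.join(directory, "demo-1.0.1.xpi")
    v2 = os.path.join(directory, "demo-1.0.2.xpi")
    with zipfile.ZipFile(v1, "w") as z:  # constructed contents, not BCMA's
        z.writestr("manifest.json", '{"version": "1.0.1"}')
        z.writestr("background.js", "// checks response headers\n")
        z.writestr("border.css", "body { border: 4px solid red; }\n")
    with zipfile.ZipFile(v2, "w") as z:
        z.writestr("manifest.json", '{"version": "1.0.2"}')
        z.writestr("background.js", "// checks response headers\n")
        z.writestr("icon.svg", "<svg/>")
    return v1, v2


def run_demo() -> dict:
    """Build the constructed releases in a temp dir and exercise both checks."""
    with tempfile.TemporaryDirectory() as d:
        v1, v2 = build_demo_releases(d)
        published = sha512_of_file(v2)  # stand-in for the digest on the download page
        return {
            "integrity_ok": verify_sha512(v2, published.upper()),  # case-insensitive
            "wrong_file_rejected": not verify_sha512(v1, published),  # other build fails
            "diff": diff_releases(v1, v2),
        }


if __name__ == "__main__":
    result = run_demo()
    print("integrity ok:", result["integrity_ok"])
    print("different build rejected:", result["wrong_file_rejected"])
    for kind, names in result["diff"].items():
        print(f"{kind:9s}: {', '.join(names) or '-'}")
```

For a real review, call verify_sha512() on the downloaded .xpi with the digest from the trusted source first, and only then run diff_releases() against the release you already audited; the "changed" and "added" lists tell you which files actually need reading.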

What is the risk to funds or privacy if you use a bank that has this problem? You and Person have both gone on about the technicalities but said nothing about whether this is actually a danger if you use those banks. Other than if one is a technophile why should we care?

1 Like

That’s reassuring, as it says I’m as safe as I can be if I take care with connecting to my bank, and checking for the https and lock symbol. That’s before using my long number sequence user ID, memorised 16 random character password and RSA device to log in.

The final assumption is I’ve a quality device, software updated and suitable AV+internet security tools in place.

If all this is not adequate, I’m reassured there are approx. 20 million other Aussies and umpteen business account holders all in the same boat. Many possibly less careful than I am. :wink:

3 Likes