Weaknesses Found in Online Banking, Facebook Security

Computer scientists at Royal Holloway, University of London, found what they call major weaknesses in the security protocol protecting online e-mail, Facebook, and financial transactions. The team, led by Royal Holloway information security professor Kenny Paterson, says it found the vulnerabilities in the transport layer security (TLS) protocol, which is designed to prevent eavesdropping, tampering, and message forgery.

The transport layer security protocol provides privacy and data integrity between two communicating applications and is widely used in online transactions, including banking and credit card purchases, and on large social media networks such as Facebook. The protection is provided by the record layer, which encrypts and integrity-protects everything sent over the connection. The record layer in turn carries the handshake protocol, which lets the server and client authenticate each other and then negotiate an encryption algorithm and cryptographic keys before the application transmits or receives its first message data.
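To make that layering concrete, the following is an added example (not code from the article or from the Royal Holloway team): a small parser for the TLS record layer that splits a byte stream into records, then decodes the handshake messages and alert messages they carry. The ClientHello and close_notify alert it parses are constructed inline for the example; the content-type, handshake-type, alert and cipher-suite code points are the values defined for TLS 1.2. The session-ending messages are relevant to the weakness described later on this page: a TLS session is normally closed with a close_notify alert, and a fatal alert ends it immediately.

```python
"""Minimal TLS 1.2 record-layer parser (added example, not from the article)."""
import struct

# Code points from the TLS 1.2 specification (RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
                      50: "decode_error", 51: "decrypt_error"}
CIPHER_SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
MAX_RECORD = 2 ** 14 + 2048  # largest ciphertext fragment a TLS 1.2 record may carry


def version_name(major, minor):
    return {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}.get(
        (major, minor), f"unknown({major}.{minor})")


def parse_records(stream):
    """Split raw bytes into record-layer records.

    Every higher-level message (handshake, alert, application data) travels
    inside one of these 5-byte-header records; the handshake does not sit
    above the record layer in the stack, it rides inside it."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_RECORD:
            raise ValueError(f"record length {length} exceeds limit")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append({"type": CONTENT_TYPES[ctype],
                        "version": version_name(major, minor), "body": body})
        off += 5 + length
    return records


def parse_client_hello(body):
    """Decode the ClientHello fields the server uses to pick a cipher suite."""
    major, minor = body[0], body[1]
    random = body[2:34]                       # 32-byte client random
    sid_len = body[34]
    p = 35 + sid_len                          # skip session_id
    suites_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", body[p + i:p + i + 2])[0] for i in range(0, suites_len, 2)]
    p += suites_len
    comp_len = body[p]
    compression = list(body[p + 1:p + 1 + comp_len])
    return {"version": version_name(major, minor), "random": random.hex(),
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
            "compression": compression}


def decode(records):
    """Turn parsed records into a list of readable protocol messages."""
    out = []
    for rec in records:
        body = rec["body"]
        if rec["type"] == "handshake":
            p = 0
            while p < len(body):             # a record may carry several handshake messages
                htype = body[p]
                hlen = int.from_bytes(body[p + 1:p + 4], "big")
                hbody = body[p + 4:p + 4 + hlen]
                if len(hbody) != hlen:
                    raise ValueError("handshake length mismatch")
                msg = {"record": "handshake", "message": HANDSHAKE_TYPES.get(htype, f"type_{htype}")}
                if htype == 1:
                    msg.update(parse_client_hello(hbody))
                out.append(msg)
                p += 4 + hlen
        elif rec["type"] == "alert":
            if len(body) != 2:
                raise ValueError("alert must be exactly two bytes")
            out.append({"record": "alert",
                        "level": ALERT_LEVELS.get(body[0], f"level_{body[0]}"),
                        "description": ALERT_DESCRIPTIONS.get(body[1], f"desc_{body[1]}")})
        else:
            out.append({"record": rec["type"], "length": len(body)})
    return out


def is_well_formed(stream):
    """True if the stream splits cleanly into complete records."""
    try:
        decode(parse_records(stream))
        return True
    except ValueError:
        return False


# Constructed sample stream: one ClientHello record followed by a close_notify alert.
_CLIENT_HELLO_BODY = (b"\x03\x03"                     # client_version: TLS 1.2
                      + bytes(range(32))              # "random" (fixed bytes for the example)
                      + b"\x00"                       # empty session_id
                      + b"\x00\x04\xc0\x2f\x00\x2f"   # two offered cipher suites
                      + b"\x01\x00")                  # one compression method: null
_CLIENT_HELLO_MSG = b"\x01" + len(_CLIENT_HELLO_BODY).to_bytes(3, "big") + _CLIENT_HELLO_BODY
SAMPLE_STREAM = (b"\x16\x03\x01" + len(_CLIENT_HELLO_MSG).to_bytes(2, "big") + _CLIENT_HELLO_MSG
                 + b"\x15\x03\x03\x00\x02\x01\x00")  # alert: warning, close_notify

if __name__ == "__main__":
    for m in decode(parse_records(SAMPLE_STREAM)):
        print(m)
```

Run it and the first message shows the negotiation inputs (version, random, offered suites) that the handshake carries inside a record; the second is the alert that closes a session. The length checks matter in practice: a parser that trusts the 16-bit length field without bounding it against the stream is how record-layer implementations end up reading past their buffers.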

Paterson and doctoral candidate Nadhem AlFardan found that a man-in-the-middle attack could recover personal data transmitted under the transport layer security protocol. In a man-in-the-middle attack, the attacker sits on the network path between client and server and observes or manipulates the HTTP traffic exchanged over the TLS connection. Paterson and AlFardan found the flaws in the way the protocol terminates TLS sessions: each termination can leak a small amount of information about the protected data, and an attacker who triggers enough of them can collect those fragments and assemble them.

The researchers note attacks can only be carried out by a determined perpetrator located close to the machine being attacked and who can generate sufficient sessions for the attacks. As a result, says Paterson, the vulnerabilities do not pose immediate threats to ordinary online systems users, but these “attacks only get better with time.” Paterson adds, “Given TLS’s extremely widespread use, it is crucial to tackle this issue now.”

The Royal Holloway team prepared several countermeasures and is working with companies such as Oracle and Google, and with organizations including the OpenSSL Project, which develops open-source security tools, to test systems for these attacks.

Photo: Bill McChesney/Flickr
