Hacker News new | ask | show | jobs
by jspthrowaway2 4900 days ago
You don't hear of any high-profile bank disclosures, which I imagine is probably because they have security teams that keep up with everything religiously. Most old brick banks have internal systems architected in ways that a younger intruder in the Anonymous mold wouldn't know anything about, as well; you're starting to get into big iron Cobol land.

That said, I don't think it's an impossible task (is anything?), and I'm sure some day there will be a large disclosure through some means, internally-assisted or otherwise.
2 comments
jballanc 4899 days ago
Nothing is impossible, but remotely hacking a bank is pretty damn close. A number of years ago, a friend worked for a large multi-national bank. He once described to me some of the key components of the security system. While the details are hazy (such as I understood them at the time), I do remember that one of the key points was that one of the "very important" servers that handled transactions between outside entities (i.e. other banks) and internal systems was double-firewalled. That is, you couldn't initiate connections from the internet or the intranet. The server would only make connections to hosts of its own choosing, on its own schedule.

Modifying or updating anything on the server required physical access.

That server was located in a secure vault.

link
makomk 4899 days ago
There was actually a high-profile incident not too long ago with one of the big banks' online banking system. Users could view other people's account information just by incrementing an integer in the URL as I recall. It's not necessarily so much that banks are secure, but hacking them is much riskier than hacking Bitcoin sites, especially for white-hats.
link
tedunangst 4899 days ago
Are you thinking of Heroku? Heroku isn't a bank.
link
lclarkmichalek 4899 days ago
It was probably Santander: http://www.h-online.com/security/news/item/Santander-s-onlin..., though there have been other instances of bad bank web practices.
link
tedunangst 4899 days ago
Putting plaintext passwords in a cookie doesn't sound anything like incrementing an integer in a URL.
link