Tuesday, October 18, 2011

Great Moments in Computer Security and Public Relations

First State Superannuation is a company in Australia that provides superannuation funds (the equivalent of America's 401K-type plans for retirement accounts).

First State Super, it seems, are complete imbeciles when it comes to their members' security. Let Techdirt tell the story:
[A] security professional found a big and ridiculously obvious bug in the website of an Australian investment fund, First State Superannuation. Apparently you could see other people's accounts by merely changing the account numbers in the URL. Increase the number by one, and see the next user in line. This is the kind of extraordinarily basic mistake that I thought had been eradicated a decade ago. Apparently not.
That's right, just change the account number in the URL and you get to see someone else's details. Okay, but presumably it's just some random person - who could be bothered?
Patrick Webster found he was able to access electronic superannuation notices of any customer by changing numerical values in URLs used to issue statements to clients.
Webster, a customer of First State Superannuation and consultant at OSI Security, increased the URL number value by one and was granted access to a former colleague's super statement.
Hmm, that's awkward. How much detail could he see?
He was shown information such as name, address, date of birth, next of kin and superannuation payments.
Oooh. That's worse.

Apparently their website was designed by someone drunk or still in high school. Or both.
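The bug Techdirt describes is what security people call an insecure direct object reference: the server authenticates you, then trusts whatever account number you put in the URL and never asks whether that record is yours. The following is an added example, not code from this post, from First State Super or from OSI Security. It models that vulnerable lookup in Python beside the ownership check that closes it, and adds a small log detector that flags the "increase the number by one" walk from the server side. All account numbers, user names and log lines are constructed for illustration.

```python
"""
Added illustration of an insecure direct object reference (IDOR) on a
statement lookup, the ownership check that fixes it, and a detector for
sequential account-number walks in access logs. Everything here
(accounts, names, log lines) is constructed; none of it is from the
site described in the post.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    account_id: int
    owner: str       # username that owns this statement
    balance: float


# Constructed data store. The integer account number is the only lookup
# key, which is exactly the property that makes "add one to the URL" work.
STATEMENTS = {
    1001: Statement(1001, "alice", 52000.00),
    1002: Statement(1002, "bob", 17500.50),
    1003: Statement(1003, "carol", 98000.25),
}


class AccessDenied(Exception):
    """Raised when the requested record is not available to the caller."""


def get_statement_vulnerable(session_user: str, account_id: int) -> Statement:
    """The pattern in the story: the session is authenticated, but the
    handler trusts the account number from the URL and never checks
    that it belongs to session_user."""
    return STATEMENTS[account_id]


def get_statement_hardened(session_user: str, account_id: int) -> Statement:
    """Fix: resolve the record, then verify the authenticated user owns it.
    'Not found' and 'not yours' get the same error so the response cannot
    be used to confirm which account numbers exist."""
    record = STATEMENTS.get(account_id)
    if record is None or record.owner != session_user:
        raise AccessDenied("statement not available")
    return record


def can_access(session_user: str, account_id: int) -> bool:
    """Convenience wrapper around the hardened handler for tests and demos."""
    try:
        get_statement_hardened(session_user, account_id)
        return True
    except AccessDenied:
        return False


# Constructed access-log format: "<timestamp> user=<u> path=<p> status=<s>"
LOG_RE = re.compile(r"user=(\w+) path=/statement\?account=(\d+) status=(\d+)")


def parse_access_log(lines):
    """Return (user, account_id, status) for each statement request."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return events


def flag_enumeration(events, min_run=3):
    """Map user -> longest run of consecutive account numbers requested.
    Only users whose run is at least min_run are returned. Status is
    ignored on purpose: with the vulnerable handler the run is a breach
    (all 200s); with the fix it is a blocked attempt (403s); both deserve
    an alert, since a real member only ever asks for one account number."""
    ids_by_user = defaultdict(set)
    for user, account_id, _status in events:
        ids_by_user[user].add(account_id)
    flagged = {}
    for user, ids in ids_by_user.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged


# Constructed sample log: alice walks three consecutive account numbers,
# bob only ever fetches his own statement.
SAMPLE_LOG = [
    "2011-10-17T09:00:01 user=alice path=/statement?account=1001 status=200",
    "2011-10-17T09:00:09 user=alice path=/statement?account=1002 status=200",
    "2011-10-17T09:00:15 user=alice path=/statement?account=1003 status=200",
    "2011-10-17T09:05:00 user=bob path=/statement?account=1002 status=200",
]


if __name__ == "__main__":
    print("vulnerable:", get_statement_vulnerable("alice", 1002))   # bob's record
    print("hardened  :", can_access("alice", 1002))                  # False
    print("flagged   :", flag_enumeration(parse_access_log(SAMPLE_LOG)))
```

The hardened handler makes the authorization decision on the record itself rather than on the URL, and returns one uniform error for both missing and foreign records. The detector is deliberately status-agnostic: a run of consecutive account numbers from one session is the server-side fingerprint of the exact behaviour the article describes, whether or not the requests succeeded.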

This is strike one.

So Patrick Webster, model citizen, reported this gaping flaw to First State Superannuation. How did they respond? I like to imagine the following conversation took place:
Underling: Some IT guy reported that it's simplicity itself to hack our website and our users' details are at risk. In fact, the method was so basic that it doesn't even really qualify as 'hacking' - he just typed in a different URL.
CEO: Holy Smoke! How do I choose between the following important priorities:
1. Fix the website to make sure this doesn't happen again
2. Work out how to explain this breach to our members and the press
3. Send a thank you card to the guy who reported the breach
4. Call the cops on the guy who reported the breach.
Ha ha! #4 is surely a joke, right?

No. No it isn't.

I would love to know how that phone call went.
CEO: Hello, is this the Police? I need to report a potential crime: our website is completely insecure, and I need the guy who told us this to be arrested immediately!
Operator: No really, who is this?
Kidding! The cops of course turned up at the guy's house.

That's strike two.

Okay, so maybe this was just a rush of blood to the head when they didn't know what was happening. Surely after a few days, they came to their senses?

Bwa ha ha! Of course not. They threatened to sue the guy.
Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.1 of the Criminal Code Act 1995 (Cth). You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police.
Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website. Your unauthorised access also constitutes a breach of those terms and has caused the Trustee to expend member funds in dealing with this matter. Please note the Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms.
This was their considered response. That's strike three.

Minter Ellison, the lawyers who wrote this embarrassing letter, have covered themselves in shame.

So here is my question:

Why on earth would any right-thinking person leave a red cent of their retirement savings with these ungrateful buffoons? Why would you leave your hard-earned cash in the hands of people that cannot design an even minimally secure website, and think that the appropriate response to people trying to help them fix this is to call the cops and threaten lawsuits?

Personally, I would sooner set my money on fire than give it to First State Superannuation.

I would, however, gladly hire OSI Security and Patrick Webster to help diagnose security flaws in my website.
