When it comes to security, Santander – one of the world’s largest banks – is a “joke.” At least that’s what a security researcher who has carefully analyzed the institution’s website claims.
“Fed up of two years of battling with them to fix issues any other bank would have fixed in seconds, things like XSS on login pages etc. Time to hit full disclosure with some of these issues in the hope they'll change their game and start to take their customers security seriously,” the expert explained
He reveals that Santander’s United Kingdom online banking website exposes sensitive information by storing it in cookies.
Depending on the section of the site customers are accessing while performing online banking operations, their full names, user IDs, credit card numbers (PAN), bank account numbers and sort codes, and their aliases are transmitted via cookies.
For instance, when a card is selected from the website’s Credit Card section, a cookie that contains the credit card number is set.
cookie is encoded in base64, but when it’s decoded, it reveals information such as name, alias and user ID.
In general, experts highly advise against storing sensitive information in cookies because attackers can easily get a hold of it. Furthermore, the Payment Card Industry (PCI) Data Security Standard clearly states
that credit card information should not be transmitted via cookies.
“It should be noted that the HTTPOnly flag is not used on any cookies exposing them to increased greater risk of exposure (for example through XSS) - such as the XSS which was present on the login page for ~1 year before being inadvertently fixed!!” the researcher said.
“Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout. This mean any user who does not close their browser, even if they log out correctly, will still have these cookies present until they close their browser. Thus increasing the window for exposure,” he added.
On the other hand, in its Security and Privacy
section, Santander claims that “site-tracking cookies don’t contain name or address information.” This basically means that they’re breaching their own policy.