Over eight thousand customer logins compromised

Jan 16, 2010 10:05 GMT

Suffolk County National Bank, a subsidiary of Suffolk Bancorp, announced that back in December it learned of a security breach on one of its Online Banking servers. The organization discovered that 8,378 customer credentials were stolen, but is not aware of any of them being misused to date.

The intrusion occurred between November 18 and November 23, 2009, but the bank only discovered it during a December 24 security audit. 8,378 Online Banking customers were affected, amounting to less than ten percent of SCNB’s total customers. "Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server," the bank said in a press release (PDF) earlier this week.

But even though the financial organization understandably tries to make the best of the situation by using phrasing such as, "Suffolk Bankcorp thwarts data intrusion at banking subsidiary," or, "Our diligence in this regard allowed us to uncover this incident, and to take action rapidly to protect our customers," there are definitely some worrying aspects concerning this incident.

First of all, the bank makes no effort to explain how the hackers breached the server or why they were able to steal the login details. Since these credentials were worth something to the hackers, it is pretty safe to assume that they were usable. This means that the passwords were either stored in plain text, which is a big security oversight, or that they were hashed with a weak, easily crackable function such as unsalted MD5.

"What I find astonishing about this hack is that you would think that a banking application would undergo much more stress testing than most and, as a result, the storage of user credentials in plain text would have been spotted and remediated early on in the system development process," Amichai Shulman, CTO at security company Imperva, commented for The Tech Herald.

Mr. Shulman also suggested that the point of entry for the attack was most likely an SQL injection vulnerability. If true, it means the people who designed this Online Banking system are even more to blame, since this sort of flaw is the result of poor programming. More specifically, SQLi vulnerabilities allow attackers to execute unauthorized queries against a website's database simply by manipulating input, such as the parameters of the URL sent to the server.
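As an added illustration of the two concerns raised above (credentials kept in plain text or under a weak hash, and SQL injection through attacker-controlled input), not code from the article or from the bank: a login check written the unsafe way beside a hardened version. The table, user name and password are constructed for this example; the plaintext column exists only to model the weak design.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). The password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for an Online Banking database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password TEXT, salt BLOB, pw_hash BLOB)")
    salt, digest = hash_password("correct horse")
    # The 'password' column models the plaintext storage the article criticises.
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("alice", "correct horse", salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built by string concatenation and compared against plaintext:
    whatever the user types becomes part of the SQL statement."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup, then verification against the salted, iterated hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


# Textbook tautology input used only to show why the unsafe version must be rejected.
CRAFTED = "' OR '1'='1"
```

Run against the constructed store, the unsafe check accepts the crafted password for any existing account while the hardened check rejects it and still accepts the real password.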

Another questionable aspect is the time it took the company to announce this security breach. The bank justified the two-week delay by saying it needed time to make the necessary arrangements, such as offering the affected customers a two-year free subscription to a credit monitoring service. However, even had it made the announcement earlier, we suspect it would still have faced accusations of doing so during the holiday season, when people's attention is focused on other things.

"We understand that this kind of incident is a source of concern: both to our customers, even if their personal information is not misused; and to our shareholders for the expense incurred in response. We have responded to this incident as promptly, diligently and forthrightly as we know how, and will continue to do so until it is fully resolved. We apologize for the concern, and any inconvenience caused by this incident," J. Gordon Huszagh, president and CEO of SCNB, commented.