Online banking encryption broken
But attack is difficult, so don't panic, security expert says
Security researchers have developed a potential cyber attack that could decrypt secure communications used by online banking and payment sites.
"The attack breaks the confidentiality model of the protocol … potentially affecting the security of transactions on millions of sites," wrote Dennis Fisher on ThreatPost, an internet security news blog run by the antivirus maker Kaspersky Lab.
The attack targets TLS (transport layer security) 1.0, the encryption mechanism used by websites accessed using https (secure hypertext transfer protocol).
Juliano Rizzo of Buenos Aires is set to demonstrate a browser-based version of the attack, called BEAST (Browser Exploit Against SSL/TLS) Friday at the Ekoparty security conference in his hometown.
The attack, developed by Rizzo and his Vietnamese colleague, Thai Duong, is the first to exploit a flaw in the security protocol known as TLS 1.0 that has been known for a long time, but was previously thought to be unexploitable.
The researchers have already provided details of their attack to browser makers.
According to ThreatPost, the Opera browser has already implemented a fix to thwart the attack.
The researchers told ThreatPost that similar attacks could be used not just against web browsers, but services such as instant messaging or virtual private network (VPN) clients that use SSL, the predecessor to TLS.
P.O.V.
Do you feel your info is safe online? Take our survey.
In some cases, known fixes to the vulnerability are not compatible with the applications, suggesting that the only solution is to switch to a new encryption protocol.
Newer versions of TLS without the vulnerability have been available since 2006, but most existing connections rely on the vulnerable version 1.0 because only that version is supported by the tools used by most websites to deploy TLS.
Recommendations for consumers
In the meantime, "don't panic," suggested Chester Wisniewski, a senior security adviser at the internet security firm Sophos Canada. "We will not know all the details until they are presented on Friday, but preliminary information ... suggests this will be a difficult attack."
He noted that according to ThreatPost, the attacker must be able to intercept the user's communications.
"For most users this is only possible on an open WiFi connection like you get at the café or airport," he told CBC News in an email. "You should never use open WiFi to conduct secure transactions like banking, whether there are known weaknesses in TLS or not."
The attacker must also be able to load code into the user's browser — something that anti-virus software should protect against, Wisniewski added.
Adam Wosotowsky, principal engineer for internet security firm McAfee, said he believes that for the average consumer, the risk of online banking or e-commerce "is still only as high as the risk really was before."
That's because other, less sophisticated attacks already exist to get people's banking information, he said. If someone is capable of infecting your computer with malicious code, it would be far easier for them to simply log everything you type into your keyboard to get your username and password, than to decrypt your bank sessions, he suggested.
Wosotowsky recommended that people concerned about the security of online banking should buy a cheap laptop to use only for that purpose — that minimizes the chance of getting the comptuer infected with any kind of malware.
On the other hand, he said the new attack is "definitely something that is worrying" and may be used in other kinds of attacks, such as to help to get into a secure network.
"Hopefully this pushes people to using the higher versions of TLS and higher versions of SSL," he said.