Commonwealth Bank HACKED - don't sign in!
30-03-2017, 01:41 AM
Commonwealth Bank HACKED - don't sign in!
Yes the title's click-bait. But seriously, this is what's happened.

The Big Four in Firefox:

[Image: banks-ff.png]

Everything looks fine, yes? They all have a "green bar".

Now, here's Chrome:

[Image: banks-chrome.png]

Seriously, you cannot make this shit up. What's happened is that Google is punishing Symantec for wrongly issuing 30,000 SSL certificates, and that means that no Symantec EV cert is trusted as an EV cert by Google products. And won't be for at least a year.

CBA must be sleeping at the fucking wheel, because banks WANT their users to be highly suspicious when the Green bar is missing - it's one of the best defences they have against phishing websites. Always check the bar. So why haven't they been on top of this and got themselves an EV from a proper CA? Sorry CBA, but you deserve all the bad press this fuck-up brings you.

30-03-2017, 06:52 AM
RE: Commonwealth Bank HACKED - don't sign in!
(30-03-2017 01:41 AM)Aractus Wrote:  Yes the title's click-bait. But seriously, this is what's happened.
Now, here's Chrome:
[Image: banks-chrome.png]

Easy answer? Don't use Chrome for financial transactions. Thumbsup

I'm a creationist... I believe that man created God.
30-03-2017, 07:07 AM
RE: Commonwealth Bank HACKED - don't sign in!
Too lazy to google what all those abbreviations stand for.

Sleepy

30-03-2017, 09:23 AM
RE: Commonwealth Bank HACKED - don't sign in!
(30-03-2017 06:52 AM)SYZ Wrote:  Easy answer? Don't use Chrome for financial transactions. Thumbsup

It'll show up on Android devices by default too. But yeah, CBA have royally fucked up here by not being on top of this and getting themselves a new EV certificate! The whole point is that customers are supposed to instantly distrust banking websites (including PayPal) when the "green bar" disappears. That indicates that you might be on something like paypal.com.hackersparadise.net. I could get a certificate for one of my domains very easily, like paypal.com.aractus.com. But it'll just be a plain DV cert, no green bar.

As I mentioned on my blog by the way I did send an email to CBA informing them their website appears to be hacked. The operative word of course being "appears". Wink

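The two browser decisions the thread is arguing about, modelled as an added example (not the thread's or any browser's own code): the EV indicator is withheld when the chain ends in a root on an EV-distrust list even though the certificate still validates for the hostname, and a DV certificate for a name like paypal.com.aractus.com is perfectly valid while its registrable domain is not paypal.com. The `Cert` record, the `PUBLIC_SUFFIXES` set and the root organisation names are constructed and simplified; real browsers parse X.509 and use the full public suffix list.

```python
from dataclasses import dataclass

# CA/Browser Forum certificate policy OIDs (real values).
CABF_EV_OID = "2.23.140.1.1"
CABF_DV_OID = "2.23.140.1.2.1"
# Constructed, heavily simplified public-suffix list; browsers use the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "com.au"}

@dataclass
class Cert:
    """Only the fields the UI decision needs (constructed, not a parsed X.509 cert)."""
    san: list          # dNSName subjectAltName entries
    policy_oids: set   # certificatePolicies OIDs
    root_org: str      # organisation of the root the chain terminates in

def matches_name(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact labels, or a wildcard in the leftmost label only."""
    h, p = hostname.lower().split("."), pattern.lower().split(".")
    if len(h) != len(p):
        return False
    return h[1:] == p[1:] if p[0] == "*" else h == p

def registrable_domain(hostname: str) -> str:
    """Public suffix plus one label: the part of the name a user should actually judge."""
    labels = hostname.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return hostname.lower()

def ui_indicator(cert: Cert, hostname: str, ev_distrusted_roots: set) -> str:
    """'error' if the cert is not valid for the host; otherwise 'ev' or 'dv'.
    A root on the EV-distrust list still validates the chain, it just loses the green bar."""
    if not any(matches_name(hostname, n) for n in cert.san):
        return "error"
    if CABF_EV_OID in cert.policy_oids and cert.root_org not in ev_distrusted_roots:
        return "ev"
    return "dv"

if __name__ == "__main__":
    bank = Cert(["www.commbank.com.au"], {CABF_EV_OID}, "Symantec Corporation")
    print("Firefox-like:", ui_indicator(bank, "www.commbank.com.au", set()))        # ev
    print("Chrome-like: ", ui_indicator(bank, "www.commbank.com.au", {"Symantec Corporation"}))  # dv
    phish = Cert(["paypal.com.aractus.com"], {CABF_DV_OID}, "Some DV CA")
    print(ui_indicator(phish, "paypal.com.aractus.com", set()),
          registrable_domain("paypal.com.aractus.com"))                              # dv aractus.com
```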
30-03-2017, 09:28 AM
RE: Commonwealth Bank HACKED - don't sign in!
(30-03-2017 07:07 AM)DLJ Wrote:  Too lazy to google what all those abbreviations stand for.

Sleepy

SSL = Secure Sockets Layer
EV = Extended Validation
CBA = Commonwealth Bank of Australia
CA = ??? (Idk that one)

"If you keep trying to better yourself that's enough for me. We don't decide which hand we are dealt in life, but we make the decision to play it or fold it" - Nishi Karano Kaze
30-03-2017, 09:36 AM
RE: Commonwealth Bank HACKED - don't sign in!
(30-03-2017 09:28 AM)JDog554 Wrote:  
(30-03-2017 07:07 AM)DLJ Wrote:  Too lazy to google what all those abbreviations stand for.

Sleepy

SSL = Secure Sockets Layer
EV = Extended Validation
CBA = Commonwealth Bank of Australia
CA = ??? (Idk that one)

Certificate Authority

Atheism: it's not just for communists any more!
America July 4 1776 - November 8 2016 RIP
30-03-2017, 10:12 AM
RE: Commonwealth Bank HACKED - don't sign in!
(30-03-2017 09:36 AM)unfogged Wrote:  
(30-03-2017 09:28 AM)JDog554 Wrote:  SSL = Secure Sockets Layer
EV = Extended Validation
CBA = Commonwealth Bank of Australia
CA = ??? (Idk that one)

Certificate Authority

Makes sense. In fact that is so obvious I am mad at myself for not seeing it lol

"If you keep trying to better yourself that's enough for me. We don't decide which hand we are dealt in life, but we make the decision to play it or fold it" - Nishi Karano Kaze
30-03-2017, 10:16 AM
RE: Commonwealth Bank HACKED - don't sign in!
(30-03-2017 10:12 AM)JDog554 Wrote:  
(30-03-2017 09:36 AM)unfogged Wrote:  Certificate Authority

Makes sense. In fact that is so obvious I am mad at myself for not seeing it lol

Don't feel bad. A common technique for restricting access to clubs is the use of acronyms.

#sigh
30-03-2017, 12:44 PM
RE: Commonwealth Bank HACKED - don't sign in!
Google are being a bunch of dickheads about this IMO. They suddenly decided they're the internet cops. Fuck them.

We'll love you just the way you are
If you're perfect -- Alanis Morissette
(06-02-2014 03:47 PM)Momsurroundedbyboys Wrote:  And I'm giving myself a conclusion again from all the facepalming.
30-03-2017, 07:42 PM (This post was last modified: 30-03-2017 07:52 PM by Aractus.)
RE: Commonwealth Bank HACKED - don't sign in!
@dog - Google and Mozilla are the ones that police CAs. Apple and Microsoft just follow whatever they decide. I tend to agree that it's a huge conflict of interest for Google to wield that power - but it's not for Mozilla. I think they have been way too lenient with CAs for way too long. I don't trust Symantec, and I certainly don't trust WoSign. WoSign issued a certificate for github.com to this guy (you can view the cert itself here), and to make matters even worse they deliberately tried to cover up their fuck up. I don't trust either of these companies, and I don't think it's right that my browser tells me I should trust their worthless SSL certificates.

Symantec has wrongly issued 30,000 certificates. Not just one or two. And to make matters even worse, they were EV certificates! There is no coming back from that, boot their root certs and distrust them entirely - the game's up as far as I'm concerned. For comparison, DigiNotar only wrongly issued 500 certs and the company was swiftly seized by the Dutch government and dissolved.
