Online banking encryption broken

Security researchers havedevelopeda potential cyber attack that coulddecrypt secure communications used by online banking and payment sites.

"The attack breaks the confidentiality model of the protocol potentially affecting the security of transactions on millions of sites," wrote Dennis Fisher on ThreatPost, an internet security news blog run by the antivirus maker Kaspersky Lab.

The attack targets TLS (transport layer security) 1.0, the encryption mechanism used by websites accessed using https (secure hypertext transfer protocol).

Juliano Rizzo of Buenos Aires is set to demonstrate a browser-based version of the attack, called BEAST (Browser Exploit Against SSL/TLS) Friday at the Ekoparty security conference in his hometown.

The attack, developed by Rizzo and his Vietnamese colleague, Thai Duong, is the first to exploit a flaw in the security protocol known as TLS 1.0 that has been known for a long time, but was previously thought to be unexploitable.

The researchers have already provided details of their attack to browser makers.

According to ThreatPost, the Opera browser has already implemented a fix to thwart the attack.

The researchers told ThreatPost that similar attacks could be used not just against web browsers, but services such as instant messaging or virtual private network (VPN) clients that use SSL, the predecessor to TLS.

In some cases, known fixes to the vulnerability are not compatible with the applications, suggesting that the only solution is to switch to a new encryption protocol.

Newer versions of TLS without the vulnerability have been available since 2006, but most existing connections rely on the vulnerable version 1.0 because only that version is supported by the tools used by most websites to deploy TLS.

Recommendations for consumers

In the meantime, "don't panic," suggested Chester Wisniewski, a senior security adviser at the internet security firm Sophos Canada. "We will not know all the details until they are presented on Friday, but preliminary information ... suggests this will be a difficult attack."

He noted that according to ThreatPost, the attacker must be able to intercept the user's communications.

"For most users this is only possible on an open WiFi connection like you get at the caf or airport," he told CBC News in anemail. "You should never use open WiFi to conduct secure transactions like banking, whether there are known weaknesses in TLS or not."

The attackermust also be able to load code into the user's browser something that anti-virus software should protect against, Wisniewski added.

Adam Wosotowsky, principal engineer for internet security firm McAfee, said he believes that for the average consumer, the risk of online banking or e-commerce "is still only as high as the risk really was before."

That's because other, less sophisticated attacksalready existto get people's banking information, he said. If someone is capable of infecting your computer with malicious code,it would be far easier for them to simply log everything you type into your keyboardto get your username and password, than to decrypt your bank sessions,he suggested.

Wosotowsky recommended that peopleconcerned about the security of online banking should buy a cheap laptop to use only for that purposethat minimizes the chance of getting the comptuer infected with any kind of malware.

On the other hand, he said the new attack is "definitely something that is worrying" and may be used in other kinds of attacks, such as to helpto getinto a secure network.

"Hopefully this pushes people to using the higher versions of TLS and higher versions of SSL," he said.