Tuesday, November 20, 2007

SL Mythbusters: The negative withdraw test. Sloppy coding at fault? White hat at work.

I heard that part of the reason some banks were hit was sloppy coding. I went around and began to test ATMs to see if they were vulnerable to negative withdrawals. This is just one of the rumors I've heard about how banks have been hacked, so I thought it'd be fun to test with 1 Linden amounts. Here are the results:

1. BCX openly mocks you for not being sane when you try to withdraw -1.
2. ACE does not allow it. Ignores you.
3. SLIB does not allow it. Ignores you.
4. ISE removes the negative and simply takes the absolute value of the amount from your account.
5. DSE states you are using the wrong amount.
6. VSTEX reports that you have insufficient funds.
7. JTF/CAPEX ignores your request.
8. BNTF ignores your request.
9. EDGE ignores your request.
10. Banca Di Italia: Secured as of 1:33 PM est.
11. SL Bank ignores negative withdrawal requests.
12. WSE/One Bank only allows the use of keypad entry for withdrawals and does not allow the use of negative integers.

I intend to continue my testing with other institutions; these are the results to date.
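The bug behind the "negative withdraw" test is plain input validation: an ATM script that subtracts whatever amount the user typed from the balance turns a withdrawal of -1 into a deposit of 1. The following is an added example (not code from the post or from any of the banks listed) with a toy `Account` and two handlers: the sloppy one, and one that rejects anything but a plain positive integer instead of coercing it the way the absolute-value approach does.

```python
# Added example (not from the original post): a toy ATM withdrawal handler
# showing why a negative amount is dangerous and how a script should treat it.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    balance: int                                   # whole Linden dollars
    log: List[Tuple[str, object]] = field(default_factory=list)


def withdraw_unchecked(acct: Account, amount: int) -> int:
    """The sloppy version: subtracting a negative amount credits the account."""
    acct.balance -= amount            # -1 here turns a withdrawal into a deposit
    acct.log.append(("withdraw", amount))
    return acct.balance


def parse_amount(text: str) -> Optional[int]:
    """Accept only a plain positive ASCII integer, as typed into the ATM."""
    text = text.strip()
    # A strict pattern rejects "-1", "+5", "1.0", "" and Unicode digits such as
    # superscripts, which str.isdigit() would accept but int() would choke on.
    if not re.fullmatch(r"[0-9]+", text):
        return None
    value = int(text)
    return value if value > 0 else None   # "0" and "000" are not withdrawals


def withdraw(acct: Account, text: str) -> str:
    """The hardened version: reject bad input instead of 'fixing' it with abs()."""
    amount = parse_amount(text)
    if amount is None:
        acct.log.append(("rejected", text))
        return "invalid amount"
    if amount > acct.balance:
        acct.log.append(("rejected", text))
        return "insufficient funds"
    acct.balance -= amount
    acct.log.append(("withdraw", amount))
    return f"dispensed {amount}"


if __name__ == "__main__":
    a = Account(balance=10)
    print(withdraw_unchecked(a, -1))       # 11: the bank just paid out L$1
    b = Account(balance=10)
    print(withdraw(b, "-1"), b.balance)    # invalid amount 10
    print(withdraw(b, "50"), b.balance)    # insufficient funds 10
    print(withdraw(b, "3"), b.balance)     # dispensed 3 7
```

The rejection log is what a bank operator would watch for: a run of "rejected" entries with a leading minus sign is exactly the probing described in the list above.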

A vulnerability has been confirmed; the name of the bank has not been released, to protect the bank as it works to repair its ATMs.

Currently sitting in Kremer waiting on the Governance team. Yay. Even after all these warnings the past few days, some banks still leave themselves exposed.

Update: 1:09 PM EST, 10:09 AM SLT: The vulnerable bank has been notified of its exposure. The representative told me they would work on a resolution immediately and that the transactions can be tracked and are reversible if any fraudulent ones have occurred.

Linden Lab just removed the exposed ATM, so I can release the name of the bank now. Banca D Italia's programming was exposed to this exploit. Theoretically, I just saved all of Freedom Italy.

When Banca D Italia loads their new ATM, I will retest it once again to ensure the loophole has been closed and update this blog.

The loophole has been repaired, and the bank is now added to the list of secured banks.

10 comments:

Anonymous said...

Maelstrom,

OT, but could you offer your opinions on the institution known as "SL Bank"? They claim to be SL's oldest financial institution. You don't include them in your list.

I'm pretty new on SL and I am trying to avoid the scams as well as the banks run by non-malicious incompetents. Based on my experience in the financial sector, this whittling process is not too hard to do. I've developed a very short list of worthy SL institutions. I'm trying to figure out whether SL Bank should be on this list.

Maelstrom said...

I'll give them a look over today. I've personally not done business with them, but I'd be glad to find out what I can for you.

Maelstrom said...

SL Bank does not come up in locations. Out of curiosity, could you post a SLURL, anonymous?

Lindsay Druart said...

This exploit was brought to my attention, but this was not how the ATM was compromised. The database was brute forced and cracked, but my service provider did not have my box running like it should have been, so I take full fault on this one as I chose the provider. I am not networking and software at all. I am a hardware girl, but to no avail; it will be fixed.

Anonymous said...

Mael,

this is the slurl I have:

http://slurl.com/secondlife/Dotoorak/23/238

Also, here is the website:

http://sl-bank.com/

There is RL information on the CEO on the website.

http://sl-bank.com/more_about_us.htm

Anonymous said...

Mael, did you try this one already?

/10/withdraw_all

Maelstrom said...

Not tried that last one; I don't know any institutions yet that support that format. I will be checking SL Bank soon now that I have its addresses. I was out a bit in the evening my time working for my church, setting up their LANs.

Maelstrom said...

SL Bank is not vulnerable.

Maelstrom said...

I am almost convinced anonymous was an SL Bank rep in disguise! lolz.

Edgeworth Clip said...

lol, no... Though I do have a little money there (<1000L$) to test responsiveness, service, etc.

There...signed on instead of using anonymous posting.