'Poodle' Hack Poses Threat to Banks

Several financial industry websites, including those run by JPMorgan Chase and Bank of America, are susceptible to a relatively new type of cyber attack that could be used to steal data from online banking users.

The attack goes by the non-threatening name Poodle, an acronym for Padding Oracle On Downgraded Legacy Encryption, but it could have serious repercussions. Those who use the hack can potentially intercept communications between a web server and website visitors — robbing any sensitive data shared in those sessions, such as a customer's name and password.

Although there is a relatively easy fix available, many banks are only just becoming aware of the threat from Poodle.

"The banks I talk to are concerned about this," said Avivah Litan, vice president at Gartner. "They are making the necessary changes so they avoid the vulnerability. It's just another big thing bank security departments have to worry about."

As of Monday morning, many prominent sites remain vulnerable, including bankofamerica.com, chase.com and even federalreserve.gov, according to a scanning tool offered by Qualys, a provider of cloud security and compliance software. (Full disclosure: the scanning tool also says www.americanbanker.com is vulnerable to the Poodle attack.)

Bank of America and JPMorgan Chase did not immediately respond to a request for comment, but a spokesman for the Fed emphasized that its website is not subject to a Poodle attack because it doesn't collect sensitive information.

"The Federal Reserve Board's public website is used to disseminate public information only," a Fed spokesperson said. "Because private or sensitive PII data are not exchanged, web sessions are not encrypted. As a result, the Board's website is SSL3 disabled and therefore not subject to Poodle vulnerability."

To be sure, no cases of Poodle-enabled crime have been reported yet. But hackers are likely to try to take advantage.

"Statistics say 25% of all flaws that are discovered are getting used by attackers," said Wolfgang Kandek, the chief technology officer of Qualys. "We just don't know which 25% — it's difficult to predict."

The attack exploits a security hole in an aging encryption protocol called Secure Sockets Layer (SSL) as well as older versions of SSL's more modern replacement, Transport Security Layer (TLS). Google researchers discovered the issue in SSL in October and in TLS in mid-December.

But it comes at a time in which banks and other companies are already facing a staggering series of security vulnerabilities and data breaches. Heartbleed, another vulnerability in website encryption technology (albeit with a catchy name and cool logo) came out in April. The Bash bug, a critical security vulnerability affecting many Linux, Unix and Mac computers, came to light in September. Meanwhile JPMorgan confirmed earlier this year a massive data breach, in which card records for 76 million households and seven million small businesses were compromised.

Poodle Is High Maintenance

Unlike Heartbleed — for which readily accessible malware toolkits cropped up within a week of its discovery — Poodle is harder to execute. It's not going to be the first thing cybercriminals reach for when they want to attack a bank.

To exploit Poodle, hackers "have to do an attack from scratch and write all their routines and they're kind of lazy," Litan said. "If you're a clever programmer, you can do it and maybe someone's trying."

But she said that hackers have many other options, such as malicious code that's already been written to do things like eavesdrop on users' keystrokes, take over browser sessions, and escalate privileges.

Still, Poodle poses a threat, observers agreed.

"The broken encryption that Poodle attacks leaks data, but it leaks so little of it that a lot of work has to be done to get a bit of data," said Don Jackson, who is director of threat intelligence at PhishLabs, a provider of cybercrime protection and intelligence services. "If you do it enough and for long enough, you could capture a cookie and use it to connect to a service like online banking, authenticating suddenly as a user, and have access to the bank account."

Blocking Poodle

The good news for banks is that Poodle attacks are fairly easy to block.

The first step for a company is to check its websites to see if they're vulnerable. There are a several free scanners that check for the presence of flawed encryption that allows it, such as https://www.ssllabs.com/ssltest/.

Where a vulnerability exists, a company needs to apply patches to its website software so that it supports only recent versions of the newer TLS encryption protocol.

The tricky part is timing.

"The problems arise around testing and availability — when do you do this?" Kandek said. "You have to take the system offline for a while and update it, so you have to negotiate that with other areas, as most companies would like to have 24/7 availability. That's why people are sometimes reluctant to perform these patches."

On the other hand, most companies have redundancy and failover on critical servers, so IT can test and run the new software on a backup machine before taking it live.

Bank customers also need to defend themselves from Poodle attacks.

To do so, they should use the latest versions of browsers, which are rapidly turning off any remaining SSL and only allowing only TLS. Microsoft, Google and Firefox have all committed to removing support for old encryption protocols.

HEARTBLEED, Poodle SIGNAL DEATH OF SSL

The death of SSL has been coming since April, when Heartbleed was discovered. Heartbleed, a vulnerability in some versions of OpenSSL (free code that many web servers use to secure interactions with other computers), is a coding mistake that cybercriminals could use to steal small amounts of data from a web session. 

In August, Heartbleed was used to steal data at Community Health Systems, where 4.5 million records were compromised. A Canadian teenager later used the Heartbleed bug to hack into the country's tax agency.

Further Heartbleed attacks are still possible. "Researchers have found evidence that hackers are trolling for old and unamended versions of OpenSSL," said Kandek.

While most banks have made sure their websites and any high-profile computers no longer use the flawed version of OpenSSL, there are many devices such as storage units that are susceptible to Heartbleed, that some companies don't even think of as computers. Sometimes the device is on the network and nobody from IT is responsible for it, Kandek said.

SSL is at the end of its useful life, Kandek said.

"We're discovering more and more problems with it, and it's time to move on to the next encryption standard, TLS."

The problem with Poodle is that it has also been discovered in TLS.

"Some implementations of TLS have a bug in them and those are susceptible to Poodle," Kandek acknowledged.

The main thing banks need to do, Kandek suggests, is be prepared for more security threats like this one.

"There will be more alerts of this type," he said. "You need to be able to fix this quickly in a way that doesn't impact the business."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER