This story was printed from ZDNet Australia.
St.George rushes to close Net security breach


February 15, 2002
URL: http://www.zdnet.com.au/news/security/soa/St-George-rushes-to-close-Net-security-breach/0,130061744,120263491,00.htm


St.George has moved quickly to close a potential security hole discovered by one of its customers early this week.

The customer contacted ZDNet Australia after discovering that a BPay confirmation receipt e-mailed to him from the bank contained financially compromising details.

"What St.George hasn't thought through is that the BPay reference number used when paying off a credit card is in fact the [customer's] full credit card number," he said.

St.George's Web-based online banking transactions are secured by encryption technology; however, knowledge that the bank is transmitting sensitive information across insecure segments of the Internet has outraged the customer.

"Any server that was used to forward this e-mail on to me now has my credit card number unencrypted for anyone to see," he said.

According to Adam Cook, corporate affairs manager at St.George, the security weakness affects only a small number of customers who request to be notified about regular payments.

"He has the choice of not getting a receipt and had he chosen not to this issue wouldn't have appeared," Cook said.

However, after ZDNet Australia contacted St.George bank to discuss particulars of the security issue, it immediately chose to alter its receipt generation policy.

The bank says that it will now hash the first twelve digits of credit card numbers included in future customer receipts.
