Goldleaf Technologies, a unit of Goldleaf Financial Solutions, Inc. which provides homepage services for financial institutions and banks had one of its servers hacked last Thursday on May 25th. I was initially alerted to this by a concerned customer who received an email notice from his bank that ALL customer passwords had been reset to their default password. Several news outlets covered the story by merely posting the Goldleaf official press release verbatim which characterized the breach as a "phishing incident" so the details were initially murky.
The AP Wire was one of the few that characterized the incident as a security breach and were quoted by a Goldleaf spokesperson that 150 to 175 sites were affected. When I asked Goldleaf's spokesperson, he characterized the AP information as wrong and told me that a little more than half of the 600 hosted bank sites were modified to redirect traffic which puts the total number of Banks affected at over 300. The homepages of those banks were modified so that they would direct all online banking traffic to a malicious site in Madrid Spain to collect login credentials from unsuspecting customers.
While this is technically similar to phishing, it isn't the same thing because phishing normally involves spoofed email that purport to be from the bank when they're really from criminals that send emails with legitimate looking URLs that instead send you to a malicious webpage. In this case, the actual bank homepage is what's redirecting you to the malicious site which could only happen if the bank's homepage was compromised. This tends to be a bit more dangerous since customers usually expect some safety when they're surfing the real banking site.
Goldleaf representatives were extremely careful not to use the word hack and instead focused on the word "redirect". This isn't surprising since a company handling most of the world's Visa credit card transactions literally went out of business in the course of weeks after a hacking incident. In Goldleaf's defense, their security administrators noticed and stopped the malicious activity within 90 minutes of the initial compromise and they immediately notified the authorities and all of the banks that they were hosting. The problem is that Goldleaf's servers were hacked in the first place, but at least they were quick to respond.
The truth of the matter is that this type of exploit isn't a whole lot different than banks not using SSL for their online banking user login which I have been hammering lately. Goldleaf has at least fixed their issue in a matter of hours when I still can't get banks to implement SSL after weeks. Even when I followed up on the subject and called the major credit card companies like Chase and American Express, I was given the run-around by public relations that someone will get back to me but I haven't heard a thing in weeks. When banks are so lackadaisical to begin with about E-Commerce security and customer data, it doesn't help the security situation and all of us as consumers end up absorbing the losses in higher costs in goods.
The banks complain about email phishing scams, but they won't even do something as simple and inexpensive as implementing S/MIME digital signatures for official email notifications to their own customers. S/MIME is a ubiquitous standard that allows nearly every email client in the world to do strong authentication and encryption. It seems like until there is more pressure on the banking institutions to do the right thing, they're going continue being sloppy as usual. As a customer of one of the guilty non-SSL banks, I'm considering changing to a bank that cares a little more about security if they aren't willing to change.