Earlier this month, a Melbourne based computer programmer discovered that the 1.7m customers of Australia's largest online broker CommSec, have been using the site's services through outdated password best practices, providing them with the option to use a basic numeric password, which is logically increasing the potential effectiveness of brute forcing attacks.
CommSec introduced password best practices once Australia's Herald Sun approached the company, following two dismissed calls from the programmer:
"He said the online accounts used only a basic numeric password, rather than the secure and more common combination of alphabet and numeric characters. John said he was amazed the nation's biggest online trader was so vulnerable to cyber attacks and had called CommSec to notify them. After he made two attempts to explain the dire situation, the Sydney-based company dismissed his calls. John then contacted the Herald Sun in an attempt to have the issue addressed and online security upgraded."
The newly introduced password best practices come a month after another security design flaw was exposed at the online broker - CommSec’s use of non-SSL frames pages potentially resulting in successful man-in-the-middle attacks. Sadly, the company is also not alone. Last year's published paper "Analyzing Web sites for user-visible security design flaws" stated that 75% of online banking sites are vulnerable to trivial security design flaws similar to the ones exposed at CommSec.
And while the password best practices concern remain realistic even though brute forcing attempts would get easily detected, it's worth emphasizing on the fact that even a SSL enabled, strong passwords empowered Ebanking session can be hijacked, once a banker malware like for instance, Zeus, Limbo or Adrenalin infects the host.