CHAPIN, S.C. – Tucked away on the second floor of a brick building containing shops and offices in this small town in the South Carolina Midlands are sophisticated crackers who say they are able to easily make their way past the standard ID-and-password barrier that protects many, if not most, online banking accounts. These are ethical hackers, however, and they work for PM Systems Corp., a provider of Internet banking and security services to about 200 credit unions.

Through its CUDefense unit, PM Systems is now offering BankBuster, a script-based software program that has already been run against the two-way authentication systems at several credit unions, with perhaps all too much success. "We get in quickly," says Niels Taylor, director of CUDefense. "Intentionally couching this in very general terms, we're simply starting with member number 1 and a simple password and going from there, things a hacker using a script might well do himself."

Someone who successfully cracks a credit union's login mechanism could do one of two things: gain access to those accounts, presumably, or simply stage a massive lockout attack, forcing the credit union to manually unlock thousands of accounts one by one. And in fact, Taylor says, accounts can even be locked without actually being cracked.

How did those credit unions react to the BankBuster test? "They were shocked and surprised when they heard how well it worked and how fast we got in," Taylor says. "And they were surprised by the reaction of their Internet banking vendors, who knew the test was happening and should have anticipated the results."

Taylor says credit unions should not assume that assurances such as SAS70 or third-party security audits mean online banking systems are secure.
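As an added illustration from the defender's side (not from the article, and not PM Systems' BankBuster code), the following Python flags the two patterns the article describes in a constructed authentication log: one source walking member numbers in sequence from 1 upward, and one source driving many accounts to the lockout threshold. The log format, field names, IP addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article): one login attempt per line.
SAMPLE_LOG = """\
10:00:01 src=203.0.113.7 member=1 result=fail
10:00:01 src=203.0.113.7 member=1 result=fail
10:00:02 src=203.0.113.7 member=1 result=fail
10:00:03 src=203.0.113.7 member=2 result=fail
10:00:03 src=203.0.113.7 member=2 result=fail
10:00:04 src=203.0.113.7 member=2 result=fail
10:00:05 src=203.0.113.7 member=3 result=fail
10:00:05 src=203.0.113.7 member=3 result=fail
10:00:06 src=203.0.113.7 member=3 result=fail
10:00:07 src=203.0.113.7 member=4 result=fail
10:00:08 src=203.0.113.7 member=5 result=success
10:05:00 src=198.51.100.9 member=4417 result=fail
10:05:30 src=198.51.100.9 member=4417 result=success
"""

LINE_RE = re.compile(r"src=(\S+) member=(\d+) result=(\w+)")

def parse_log(text):
    """Yield (src, member_number, result) tuples, skipping lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)

def per_source_summary(text, lockout_threshold=3):
    """Per source IP: distinct member numbers tried, whether they form one consecutive run, and how many accounts it pushed to the lockout threshold."""
    ids = defaultdict(set)
    fails = defaultdict(lambda: defaultdict(int))
    for src, member, result in parse_log(text):
        ids[src].add(member)
        if result == "fail":
            fails[src][member] += 1
    out = {}
    for src, members in ids.items():
        ordered = sorted(members)
        sequential = len(ordered) > 1 and ordered[-1] - ordered[0] == len(ordered) - 1
        locked = sum(1 for n in fails[src].values() if n >= lockout_threshold)
        out[src] = {"distinct_ids": len(ordered), "sequential": sequential, "locked_accounts": locked}
    return out

def flag_sources(text, min_ids=5, lockout_threshold=3):
    """Return sources that look like member-number enumeration or a mass-lockout attempt."""
    return sorted(src for src, s in per_source_summary(text, lockout_threshold).items()
                  if (s["sequential"] and s["distinct_ids"] >= min_ids) or s["locked_accounts"] >= 2)
```

Either signal on its own (a consecutive run of member numbers from one address, or one address locking out several accounts) is enough to rate-limit that source before the lockout count reaches the thousands the article describes.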
"It's quite unlikely that either of these audits test your online authentication systems in a real-world hacking scenario," he maintains, and he contends that vendors of such services often lack the staff or expertise to run such tests. "Consequently, large numbers of online credit union members may be vulnerable to tools like BankBuster," Taylor says.

At PM Systems' offices, no signs announce the company's presence, and visitors have to be buzzed in through doors that are always locked. Inside there are cubicles and offices, and a server farm that is backed up by a similar facility about a hundred miles away near Charlotte's Douglas International Airport. But such a secure setting is not necessary to run such a program. "We do this from our office here, but we really could do this anywhere there's a wireless connection to the Internet," Taylor says. "The airport, a coffee shop, just about anywhere. It's easy to move around and do this."

While PM Systems, of course, is in business to do business, there is another point to publicizing this process, says Robert Broadwell, PM Systems' co-founder and the company's vice president. "The bottom line here is our contention that Internet banking isn't as secure as it should be. A crucial point we're trying to make with BankBuster is that the industry needs to do more to make Internet banking security stronger," Broadwell says.

Broadwell, whose company's own online banking log-on uses a graphical security code – essentially skewed sets of letters and numbers – to help thwart such script attacks, advises credit unions not to sign with vendors who won't allow third-party testing of online authentication systems during routine security reviews. "Do not execute an agreement with a vendor that will not permit you to test those security mechanisms protecting your members," he says. He adds that the credit unions where BankBuster was run are not users of PM Systems' WebFederal online banking platform.
"That would be a conflict of interest," Broadwell says. "We constantly have people calling us and asking us about it, but in most cases their vendor will not permit them to do it," he adds. "So what would we do if a credit union security vendor wants to check us? We welcome it. We'd much rather know about a security problem now than find out later there was a hack."
© Touchpoint Markets, All Rights Reserved.