Santander In Cookie Security ‘Train Wreck’

Fotolia: Piggy bank with letters spelling oops - investing your savings © Karen Roach #9936465

Santander customers aren’t happy about alleged security failings at the bank

Major banking institution Santander is facing scrutiny after being accused of poor security practice in how it handles cookies.

According to customers, Santander is storing sensitive information such as credit card details, account numbers and sort codes, and online banking users’ names in session cookies. If a hacker can intercept cookies, as cyber criminals often attempt to do, then customer data could be compromised.

One customer has also accused the company of failing to use the HTTPOnly feature, which prevents cookie information being sent to third parties. When HTTPOnly isn’t being used, cyber crooks can attempt to get cookies sent to their own sites, in a cross-site scripting attack (XSS).

Santander in breach of its own rules?

Furthermore, when cookies expire at the end of a session, they are not overwritten on logout, that customer complained, on the Seclists.org site. Those cookies will remain accessible until the browser is closed, meaning anyone who leaves their browser open, as many do, could risk having their account details compromised.

The bank did not deny it was storing such data in its cookies, nor did it deny failing to implement HTTPOnly or failing to overwrite cookies on logout.

TechWeekEurope understands credit card numbers were stored in cookies for a small number of online banking customers who used the ‘remember me’ option for login.

security malware - Shutterstock: © Marcio Jose Bastos Silva

“The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data,” a spokesperson said.

“We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks. We take the security of our customer data very seriously. Customers can change their IDs at any time themselves and are reminded not to use the ‘remember me’ function on public or shared computers.”

Yet Santander may be in breach of regulators’ and its own rules on data protection. Santander’s own data protection guidance says its site-tracking cookies do not contain name and address information.

It says those cookies contain a uniquely generated random number to differentiate one visitor from another, and the date and time of customers’ previous visit.

Troy Hunt, security expert and a Microsoft Most Valuable Professional, described the situation as a potential “train wreck” for Santander. If HTTPOnly was not being used, then it would make customers “very vulnerable to XSS”.

“Cookies also get stored on the PC so you’re looking at a risk there too. And PCI DSS [compliance rules for companies handling financial data] is very clear about handling credit cards – you simply can’t pass them around like this,” Hunt told TechWeekEurope.

“The info simply shouldn’t be in cookies to begin with. If it is, it’s pointing to another bad design decision.”

Hunt suggested Santander might be using using the card or user account as a “context identifier”

“For example, it sets the cookie to indicate that this is the account you’re looking at. There may be similar behaviours for other accounts,” he explained. “That then means there’s also a possible direct object reference risk – what would happen if you changed the card number to someone else’s card?

“That’s easy enough to discover, but are there then proper access controls in place? They don’t give much confidence that there is.

“If they need to persist context it would be much better to to assign a user-specific session identifier which is useless after they’re finished. It would also be cryptographically random – that’s what we see in most banking apps.”

There have been some notable security errors at major global firms this year. Tesco was caught out on password protection, as it failed to encrypt, hash or salt login details, and a potentially serious XSS flaw was resident on its main, customer-facing site.

Tesco subsequently addressed security concerns after plenty of pressure and customers are hoping Santander will respond to their issues.

Are you a security guru? Try our quiz!