First State Super shoots the security messenger?
The flaw, reported to First State Super by Webster, allowed any logged-in member to access other members’ statements by changing a single digit in the browser’s URL bar.
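The flaw described above is an insecure direct object reference: the server takes a member number from the URL and never checks that it belongs to the logged-in member, so being logged in at all is the only control. The following is an added example, not code from the post or from First State Super, modelling that handler beside a fixed one. The member numbers, the in-memory statement store and every function name are constructed for illustration; the HMAC-signed reference at the end is a hypothetical defence-in-depth layer, not something the post says FSS used.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample data: member number -> statement text.
STATEMENTS: Dict[str, str] = {
    "1000123": "Statement for member 1000123: balance $54,200",
    "1000124": "Statement for member 1000124: balance $12,950",
    "1000125": "Statement for member 1000125: balance $301,100",
}

Response = Tuple[int, Optional[str]]  # (HTTP status, body)


def handle_request_vulnerable(session_member: str, url_member: str) -> Response:
    # Mirrors the reported flaw: the member number is taken from the URL and
    # never compared with the member the session belongs to, so any logged-in
    # member can fetch any other member's statement by editing one digit.
    body = STATEMENTS.get(url_member)
    return (200, body) if body is not None else (404, None)


def handle_request_fixed(session_member: str, url_member: str) -> Response:
    # Ownership check: the object named in the URL must belong to the member
    # the session was established for. A mismatch gets the same 404 as a
    # missing record, so the endpoint does not confirm which numbers exist.
    if url_member != session_member:
        return (404, None)
    body = STATEMENTS.get(url_member)
    return (200, body) if body is not None else (404, None)


# Hypothetical defence in depth: unguessable references in the URL, so that
# "change one digit" no longer lands on a neighbouring record. This reduces
# enumeration but is NOT a substitute for the ownership check above.
SERVER_SECRET = b"constructed-secret-rotate-in-production"


def opaque_ref(member_id: str) -> str:
    return hmac.new(SERVER_SECRET, member_id.encode(), hashlib.sha256).hexdigest()[:32]


# Server-side index from opaque reference back to member number.
REF_INDEX: Dict[str, str] = {opaque_ref(m): m for m in STATEMENTS}


def handle_request_opaque(session_member: str, ref: str) -> Response:
    member_id = REF_INDEX.get(ref)
    if member_id is None:
        return (404, None)
    # Still authorize: a reference leaked by one member must not serve another.
    return handle_request_fixed(session_member, member_id)


if __name__ == "__main__":
    me, neighbour = "1000123", "1000124"
    print(handle_request_vulnerable(me, neighbour))  # leaks the neighbour's statement
    print(handle_request_fixed(me, neighbour))       # (404, None)
    print(handle_request_fixed(me, me)[0])           # 200
```

The one-line difference between the two handlers is the whole fix; everything else (opaque references, rate limits, logging) only shrinks the blast radius of forgetting it.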
Although First State initially thanked Webster for the information, they later filed a complaint that sent police to Webster’s home at night, locked his own super account, threatened to recover from him the costs of dealing with the breach, and demanded he give them access to his computer.
Having such a vulnerability doesn’t show a superlative level of software development competence or auditing thoroughness, but security is hard and things slip through even the best organizations. My superannuation (retirement savings) is with First State, and while I wouldn’t leave them for having the vulnerability, I am seriously considering leaving because of their ham-fisted handling of the disclosure. FyberOptic paraphrases it as:
“Oh thank you sir for finding my wallet! Now please let me search your house to make sure you didn’t take anything of mine.”
and Troy Hunt says in his open letter to First State:
This is a particularly irrational and unreasonable response to someone whose intent was clearly to ensure the safety of your customers and the integrity of your reputation… the message [First State has] sent clearly says it is better to leave vulnerable software exposed and at risk of truly malicious activity than it is to privately and [responsibly] inform those who have failed in their duty to properly secure it in the first place.
I can appreciate that Pillar, FSS’s trustee, are in a difficult position when they know that sensitive private customer data has been exposed. We should also remember that someone who does report a vulnerability can’t be immediately assumed to have a totally white hat.
Patrick Gray from risky.biz managed to get a good phone interview (mp3) with FSS’s CEO Michael Dwyer.
The key mistakes FSS seems to have made here are:
- Examining Webster’s computer to “prove the files have been deleted” is risible: if Webster wanted to retain the files he could trivially have copied them to another machine or to a USB stick, especially since he had been given prior warning that the search might take place. This is either deep cluelessness, harassment, or a fishing expedition. Webster stated in his initial email that the files had been deleted, and that’s all the proof they’re likely to get.
- By threatening or (mildly) harassing Webster, they don’t reduce the chances that other vulnerabilities will be discovered, only the chance that other vulnerabilities will be reported to them. Account holders ought to bear in mind this makes FSS very slightly more risky than it would otherwise have been, and all Australian financial institutions more risky than they could be.
- Lawyers generally lean towards an aggressive claim-the-moon position: it’s the business’s responsibility to strike the right balance, and saying this was “policy” or “legal advice” is a cop-out. Possibly they would have done better contacting an experienced computer security lawyer, rather than one whose experience seems to be on the financial side.
risky.biz draws a comparison to Google’s system of rewards and recognition for people who report vulnerabilities. Webster did go beyond what is allowed in that program by downloading the records of many other members while demonstrating the flaw, but based on Google’s handling of security so far I think they would have taken a more balanced view.
It was my money and personal information at stake and what I would have liked to see is: thanks to Webster; whatever reporting is legally appropriate; and a serious audit for both previous unauthorized access, and currently open vulnerabilities.
I’m motivated to leave partly because I don’t like giving money to jerks, partly because I don’t want to support a policy that makes internet security worse, and also because I’m concerned that when future holes in First State are discovered, they’ll be exploited before they are reported.
First State, like other industry super funds, has good low fees and reliable returns, due to being not-for-profit and spreading costs across many members. (The definition of “not for profit” is not entirely clear when both the investments and administration are outsourced, but the fees are low anyhow.) First State’s customer service is only mediocre: statements arrive three months after the close of the financial year (what are they doing?) and their phone operators have never seemed particularly well informed. Generally speaking it’s hard to beat industry super funds for value-for-money, though they do also tend to have slightly whiffy connections to the union old-boy network. Sadly the best reason to stay would be pessimism that anyone else is any better.
FSS have reached an agreement with Webster and will not be taking legal action against him, though they’re still apparently chasing the mirage of proof that data has been deleted.
The NSW privacy commissioner is investigating FSS:
“Any client where there was a potential for their data to be compromised should be advised,” said McAteer.
Asher Moses at the SMH also writes:
First State Super CEO Michael Dwyer said yesterday that there was no evidence that anyone other than Webster had gained unauthorised access to customer accounts. But several computer security consultants who are paid by companies to test their networks, speaking on condition of anonymity, said they highly doubted First State kept logs or had the ability to definitively check either way.
the statements were in PDF format and were viewed by the person responsible but from other descriptions of the event this seems unlikely. On Webster’s and media accounts the statements were downloaded but (mostly?) not viewed. There’s a difference; FSS’s sloppiness here is again unimpressive.
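The consultants’ doubt above comes down to one question: does the application log each statement fetch against the member who was logged in at the time? If it does, checking for other unauthorized access is a short pass over the log, and the “downloaded versus viewed” distinction is simply that a request log records fetches and says nothing about whether a PDF was opened. The following is an added example, not code from the post or from First State Super, showing that check. The log format, the member numbers and the timestamps are all constructed; a real application would have its own format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed log format: timestamp, authenticated member, path fetched, HTTP status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) member=(?P<member>\d+) GET /statements/(?P<target>\d+) (?P<status>\d{3})$"
)

# Constructed sample log. Member 1000123 walks through neighbouring member
# numbers one digit at a time; 1000200 fetches a single foreign statement;
# 1000310 only reads its own. The malformed line stands in for log noise.
SAMPLE_LOG = """\
2000-01-01T02:13:07 member=1000123 GET /statements/1000123 200
2000-01-01T02:13:09 member=1000123 GET /statements/1000124 200
2000-01-01T02:13:10 member=1000123 GET /statements/1000125 200
2000-01-01T02:13:11 member=1000123 GET /statements/1000126 200
2000-01-01T02:13:12 member=1000123 GET /statements/1000127 200
2000-01-01T09:41:55 member=1000200 GET /statements/1000200 200
2000-01-01T09:42:30 member=1000200 GET /statements/1000201 200
2000-01-01T11:05:02 member=1000310 GET /statements/1000310 200
2000-01-01T11:05:03 member=1000310 GET /statements/1000311 404
malformed line that should be skipped
"""


def cross_account_reads(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each member to the foreign statements it successfully fetched, in log order.

    Only 200 responses count: a 404 means nothing was served. Unparseable
    lines are skipped rather than aborting the whole pass.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["status"] != "200":
            continue
        if m["target"] != m["member"]:
            hits[m["member"]].append(m["target"])
    return dict(hits)


def longest_sequential_run(ids: List[str]) -> int:
    """Longest run of consecutive member numbers: the signature of 'change one digit' enumeration."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(lines: Iterable[str], min_run: int = 3) -> Dict[str, List[str]]:
    """Members whose foreign reads look like systematic enumeration.

    Every entry from cross_account_reads is a finding worth a notification
    decision; this narrows to the ones that look like deliberate walking.
    """
    reads = cross_account_reads(lines)
    return {
        member: ids
        for member, ids in reads.items()
        if longest_sequential_run(ids) >= min_run or len(ids) >= min_run
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for member, ids in cross_account_reads(lines).items():
        print(f"{member} fetched {len(ids)} foreign statement(s): {ids}")
    print("enumeration suspects:", list(flag_enumeration(lines)))
```

Note what the pass cannot answer: it lists every member who was served someone else’s statement, which is exactly the set the privacy commissioner’s advice would require notifying, but it cannot say whether any of those PDFs were opened, and it cannot be run at all if the application never recorded the session member alongside the path.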