Customers of major Australian banks are at risk of having usernames and passwords siphoned off by malware thanks to a flaw in the way credentials are stored.
The client-side flaws allowed a custom malware tool to pull passwords, account numbers and access credentials from the Commonwealth Bank, ANZ Bank, Macquarie Bank, St George Bank and Bendigo Bank.
The tool created by security researcher Jamieson O'Reilly was able to scrape the unencrypted credentials from volatile memory of popular web browsers every two hours and siphon off the data up to a day later to remote servers.
He said the memory exposure was likely already exploited by criminals.
"I created this tool to put a spotlight on what most likely is already assisting crooks to extract juicy data from browser memory," O'Reilly told SC.
"The thing that surprises me is that this is so easily avoidable."
In a proof-of-concept video, O'Reilly showed how his malware could swipe credentials from the affected banks named above.
Westpac and NAB were the only banks tested to have encrypted the data.
Malware capable of scraping memory in point-of-sale terminals has existed for years, and it was O'Reilly's idea to extend the concept with regular expressions to grab credential data.
He said he was surprised the flaws existed since forensics professionals at the banks would have known the credentials were accessible in plain-text memory.
SC alerted the affected banks to O'Reilly's research.
O'Reilly posted the information online and said banks would need only to encrypt the credentials to ensure the data was inaccessible to data-stealing malware.
RAM scrapers represented seven percent of the top 20 threats, according to this year's Verizon Data Breach Investigations Report, which O'Reilly said left "a lot of room for growth and creativeness from the attackers' side".
Copyright © SC Magazine, Australia