Xbank Security Flaws

From WebXbank, where the "X.com" bank (http://www.x.com/) is discussed...

"Do more with your money."


And "do more with other people's money" if the New York Times is to be believed:

"Security Flaw Discovered at Online Bank" New York Times (01/28/00) P. C2; Markoff, John

"X.com, an online startup bank, recently discovered a major security breach in its system that allowed anyone with knowledge of another person's account and bank routing number to take money from that account, put it in an X.com account, and then withdraw the funds. The company says there were only five or 10 transactions that were 'problematic', and that the problem has now been fixed. Computer experts say the case is a textbook example of the dangers of moving banking online too fast, without fully testing Internet banking systems for security holes. Experts say the bank erred when it decided to directly interconnect its online application form with the country's Automated Clearing House network. X.com now requires that customers fax or mail a copy of a canceled check to verify that they actually own an account before they are allowed to transfer any money, and only transfers from accounts with a customer's name on it can be used to open an account with X.com."

...from http://www.acm.org/technews/articles/2000-2/0128f.html

At the New York Times web site, you can read the original article (for a $2.50 charge). See http://www.nytimes.com/

Security Flaw Discovered at Online Bank

In what may prove to be a cautionary tale about the headlong rush into electronic commerce, a new online bank permitted customers for almost a month to transfer funds from any other account in the nation's banking system. As a result, someone armed with ...

Business/Financial Desk - 827 words - By JOHN MARKOFF


From ECommerce Times: http://www.ecommercetimes.com/news/articles2000/000201-2.shtml

"X.com, a Palo Alto, California-based online bank, recently allowed customers who were setting up new accounts to specify the account number from which funds were being transferred. Unfortunately, X.com did not verify whether the person who was setting up the account had the right to transfer those funds."

(I guess it just never occurred to them that they should verify one's right to transfer funds. ;-)


CategorySecurity


Last edited June 26, 2003