How a simple task revealed a potentially huge security gap

Well, I had to bring this up. First, last week I saw a strange transaction wired into my bank account in Canada. I wasn't expecting it and I did not recognize the sender. So I called the bank and let them know. After a couple of hours they called me back and admitted their mistake and said that they would correct it. They ended by saying, "we're sorry". To which I replied, "Don't apologize to me, give that to the sender. They sent a wire and paid its high fees for security and to ensure it gets to the recipient."

Now a second thing happened. I went to the web banking sites for two different banks to set up a payment to someone. I knew that both these banks run off the same backend online banking platform, but I never knew the security was this bad.

Here is what happened: I had Bank A in tab 1 and filled in the payment info for a person. Then I closed the tab and opened a new tab for Bank B. As I was starting to fill in the info for another recipient, as soon as I typed the first character, the field completed itself with the info from Bank A. I then double-clicked on each field and saw that it kept showing the details I had provided in the previous one. My guess at what happened is that when I was on Bank B's site, the Chrome browser recognized the same source code and allowed the prior info to come through. Now we can't blame this as a Chrome issue for temporarily storing the info. And you can't just blame me for not deleting cookies after closing the tab. The problem lies in using a centralized back-end that wasn't thoroughly vetted.
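The behaviour described above is what browser form autofill does when two sites serve identical form markup: Chrome keys its saved entries on the field's name/id, not on the site's origin, so a value typed into `recipientEmail` on Bank A is offered again on any other site with a `recipientEmail` field. The following is an added example, not code from the original post or from either bank: a small Node.js script that audits a payment form's markup for text fields the browser is allowed to autofill and emits a hardened copy with `autocomplete="off"` set on each of them. The form HTML and field names (`recipientName`, `recipientEmail`, `securityAnswer`, `amount`, `csrfToken`) are constructed for the example and are hypothetical.

```javascript
// Added example (not from the original post): audit a payment form for fields
// the browser may autofill across sites, and produce a hardened copy.
// Constructed sample markup standing in for a shared banking platform's form;
// the field names are hypothetical, not taken from any real bank.
const PAYMENT_FORM_HTML = `
<form id="send-payment" method="post" action="/payments/send">
  <input type="text"   name="recipientName"  id="recipientName">
  <input type="email"  name="recipientEmail" id="recipientEmail">
  <input type="text"   name="securityAnswer" id="securityAnswer">
  <input type="text"   name="amount"         id="amount" autocomplete="off">
  <input type="hidden" name="csrfToken"      value="...">
  <input type="submit" value="Send">
</form>`;

// Input types browsers never offer autofill suggestions for.
const NON_TEXT_TYPES = new Set([
  'hidden', 'submit', 'button', 'reset', 'checkbox', 'radio', 'file', 'image',
]);

// Parse the attribute list of one <input ...> tag into an object.
// Handles double-quoted, single-quoted and bare attribute values.
function parseAttributes(tag) {
  const inner = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one record per autofillable field. A field is flagged as a
// cross-site autofill risk unless it opts out with autocomplete="off",
// because the browser keys saved entries on name/id, not on origin.
function findAutofillableFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttributes(m[0]);
    const type = (a.type || 'text').toLowerCase();
    if (NON_TEXT_TYPES.has(type)) continue;
    const autocomplete = (a.autocomplete || 'on').toLowerCase();
    findings.push({
      name: a.name || a.id || '(unnamed)',
      type,
      autocomplete,
      crossSiteAutofillRisk: autocomplete !== 'off',
    });
  }
  return findings;
}

// Names of the fields that would be flagged in a review.
function riskyFieldNames(html) {
  return findAutofillableFields(html)
    .filter((f) => f.crossSiteAutofillRisk)
    .map((f) => f.name);
}

// Rewrite the markup so every autofillable text field carries
// autocomplete="off"; non-text inputs and already-opted-out fields are left alone.
function hardenForm(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    const a = parseAttributes(tag);
    const type = (a.type || 'text').toLowerCase();
    if (NON_TEXT_TYPES.has(type)) return tag;
    if ((a.autocomplete || '').toLowerCase() === 'off') return tag;
    // Drop any existing autocomplete attribute, then append the opt-out.
    const stripped = tag.replace(/\s+autocomplete\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return stripped.replace(/\/?>$/, (end) => ` autocomplete="off"${end}`);
  });
}

// Stand-alone usage: list the flagged fields, then confirm the hardened copy has none.
console.log('Fields at risk of cross-site autofill:', riskyFieldNames(PAYMENT_FORM_HTML));
console.log('After hardening:', riskyFieldNames(hardenForm(PAYMENT_FORM_HTML)));
```

Two caveats for a real audit. The regex scan is fine for a static review of served markup, but on a live page run the same logic over `document.querySelectorAll('input')` so fields injected by scripts are covered. And `autocomplete="off"` is a hint: Chrome in particular still offers its saved address and payment profiles on fields it recognizes as such regardless of the attribute, so verify the fix in the browser rather than trusting the markup alone.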

Now imagine if someone had done this on a public computer. (Yes, the chances are low, but go with me here). Another person may come up and go to the online banking site of a bank also running the same platform as mine. They could easily get the email, verification code I set, and amount I was sending to the recipient.

Banks need to start accelerating their transition to new technologies like blockchain and next-gen security. How many more weak points do they have? How many more failures do they need to experience? It's for reasons like this that we're so focused on decentralized systems and on building solutions that address so many of these security holes.

Note: I contacted both banks and let them know what happened. Both responded quickly and are looking into it.

Join our Telegram group to learn more about how we're building the decentralized internet.