Computerworld

ActiveX breaches fail to halt online banking talks

Microsoft will continue its negotiations to kick-start online banking in New Zealand despite ActiveX security breaches overseas. A group of German hackers has used Microsoft’s ActiveX controls to make unauthorised funds transfers with Intuit’s Quicken money management package which, like Microsoft’s own product, Money 97, supports ActiveX.

Intuit’s response to the breach was to recommend users disable the ActiveX capability of their browsers or use a browser — such as Netscape Navigator — that doesn’t support the technology.

Questions about ActiveX security have been raised because the controls can perform a wide variety of functions and are not confined to a separate sandbox, as Java applets are. Microsoft uses a code-signing system called Authenticode so that the creator of a control can be identified.

Microsoft New Zealand marketing manager Steve Jenkins says the particular circumstances in Germany made the security breach possible.

“ActiveX meant they could do it, Intuit meant they could do it and the German banking system meant they could do it.

“The German way of banking allows transfers between accounts, so it’s not something that would be applicable worldwide. I’m trying to chase up the New Zealand situation, but definitely in the US you would be able to transfer money from your personal cheque account to your personal savings account. But there would be processes in place to prevent that happening from one person’s account to another person’s account. It’s particular to the German situation as far as I know. The same risk is carried with other programs as well. This is not particular to ActiveX. Any executable file can do the same things, for example, a native DLL, Java code or a Netscape plug-in or a Shockwave activity could produce the same risk.”

Jenkins presents Authenticode as the solution to the problem.

“Authenticode is becoming more important day by day. Microsoft is promoting this as the solution to the issue because it indemnifies everybody and you can identify the writer of the code.”

But Authenticode doesn’t prevent the action in the first instance.

“Agreed,” says Microsoft New Zealand’s Steve Jenkins.

“But it makes them liable for what they are doing. There are a lot of other examples of that in the world. You can’t stop somebody from shooting somebody but once the tracking is in place you put a restriction on them doing it.

“Sandboxing [as in Java applets] does give a bit of benefit. Yes. It also causes the negative, that two codes can’t talk to each other.”

“From a technical point of view,” Microsoft’s Richard Birt says, “there is an option in Internet Explorer that allows you to check the ActiveX controls before they download and by default it is turned on to maximum security. It would require somebody to turn that off to download ActiveX controls and store them on the system.

“ActiveX gives you richness in terms of the experience you are getting but because it’s not sandboxed like Java there are issues around that and you have to be aware of what you are doing.”

Carol Leishman, Microsoft’s public relations representative, says she is unable to comment on the banking negotiations at present as these are continuing.

She is hopeful of an announcement around mid-year.

Locally, the race is on to get online banking under way. Microsoft and Intuit have both enabled their products to carry out banking transactions over the Internet, but they need the support of the banks to make use of that capability.