
There are no vulnerabilities in Sberbank Online

The day before yesterday, an article was published on GeekTimes with a video that claims to demonstrate a vulnerability in the Sberbank Online web version. We will explain why your data is safe and what is actually shown in this video.

We are confident that GeekTimes readers do not need to be told that the Yandex.Metrica and Google Analytics visit counters are used in Russia and around the world, including by the largest financial organizations. We use them in Sberbank Online to collect statistics on how customers move between pages, in order to optimize and improve the quality of our online services. The anonymity of the information collected is guaranteed by the privacy policies of Yandex and Google. For more detail, see the Yandex.Metrica user agreement and the Google Analytics user agreement. We not only rely on the reputation of our partners, but also check the composition of the transmitted information.

To protect the service, Sberbank Online uses a set of modern tools, including TLS, two-factor authentication, risk scoring of operations, and tools that track virus activity on client computers. The most sensitive client information (such as surnames, card and account numbers, etc.) is not transmitted to client computers at all: this data is masked, that is, hidden by asterisks. In addition, to ensure the security of our service, with each update we conduct extensive penetration testing, which includes all known types of attacks.

Let us take for granted the author’s claim that the information entered on the Sberbank Online page is transmitted to a remote computer. This is possible only if the Sberbank Online page is modified.
In fact, modern browsers protect pages from content spoofing during data transfer. In the case of content spoofing on an intermediate server, the browser classifies the changes as a MITM attack and does not allow content to be loaded onto the page. Thus, the substitution of content is possible only if there is local access to the computer or when a computer is infected with a virus.

What does the olegon-ru video prove? Only that you can program your computer to transfer data outside. But this does not affect the security of service to other customers.

Source: https://habr.com/ru/post/356472/

