The Web site of the fourth-largest U.S. bank lets customers in most cities check their accounts by entering a bank card number and PIN, or personal identification number. By default, this card number is stored to a data file, or cookie, on the customer?s local server and sent via encryption to Bank One?s site at each account visit.
The stored data is meant to make subsequent visits more convenient for consumers, who only need to enter a password thereafter. But debit card or bank card numbers contained in the cookie file could be vulnerable to security breaches, according to Interhack, a Columbus, Ohio-based Internet systems developer and security consultancy.
"Because the cookie file is saved on your local machine without encryption, somebody who could read this file has your credit card number," said Interhack founder Matt Curtin.
Bank One downplayed any risk to which customers may be exposed.
"The proof is in the pudding; we haven?t had any security breaches since we launched the site in 1998," said Bank One spokesman Tom Kelly.
"We know how important security is to our customers, and we constantly evaluate the security of our site," said Kelly, who added the company is aware of Interhack?s research. "And we have a number of safeguards built into our systems that protect our customer accounts from hackers."
The Chicago-based company has about 600,000 customers who bank online, Kelly said.
But Curtin said that snooping in cookie files is common because the files are not often password-protected within local networks. Also, known security bugs within Web browsers can be exploited to let outsiders download cookie files, he said.
"The necessary precautions to prevent fraud are not being taken here," said Curtin, who suggested the company change the required numbers for logging onto an account and storing this information.
Interhack reported the alleged problem to Bank One last month.
Bank One is evaluating the suggestions. "Anytime somebody mentions a security issue we take a look at it," Kelly said.