Updated Halifax Bank scans the machines of surfers that land on its login page whether or not they are customers, it has emerged.
Security researcher Paul Moore has made his objection to this practice – in which the British bank is not alone – clear, even though it is done for good reasons. The researcher claimed that performing port scans on visitors without permission is a violation of the UK's Computer Misuse Act (CMA).
Halifax has disputed this, arguing that the port scans help it pick up evidence of malware infections on customers' systems. The scans are legal, Halifax told Moore in response to a complaint he made on the topic last month.
Moore said he wouldn't have an issue if Halifax carried out the security checks on people's computers after they had logged on. It's the lack of consent and the scanning of any visitor that bothers him. "If they ran the script after you've logged in... they'd end up with the same end result, but they wouldn't be scanning visitors, only customers," Moore said.
According to Moore, when he called Halifax to complain, a representative told him: "We have to port scan your machine for security reasons."
Having failed to either persuade Halifax Bank to change its practices or Action Fraud to act (thus far¹), Moore last week launched a fundraising effort to privately prosecute Halifax Bank for allegedly breaching the Computer Misuse Act. This crowdfunding effort on GoFundMe aims to gather £15,000 (so far just £50 has been raised).
Halifax Bank's "unauthorised" port scans are a clear violation of the CMA – and amount to an action that security researchers are frequently criticised and/or convicted for, Moore argued. The CISO and part-time security researcher hopes his efforts in this matter might result in a clarification of the law.
"Ultimately, we can't have it both ways," Moore told El Reg. "It's either legal to port scan someone without consent, or with consent but no malicious intent, or it's illegal and Halifax need to change their deployment to only check customers, not visitors."
The whole effort might smack of tilting at windmills, but Moore said he was acting on a point of principle.
"If security researchers operate in a similar fashion, we almost always run into the CMA, even if their intent isn't malicious. The CMA should be applied fairly to both parties."
Moore announced his findings, his crowdfunded litigation push and the reasons behind it on Twitter, sparking a lively debate. Security researchers are split on whether the effort is worthwhile.
The arguments for and against
Infosec pro Lee Burgess disagreed: "If they had added to the non-customer page then the issue would be different. They are only checking for open ports, nothing else, so [I] cannot really see the issue."
Surely there needs to be intent to cause harm or recklessness for any criminal violation, neither of which is present in the case of Halifax, argued another.
UK security pro Kevin Beaumont added: "I'd question if [it was] truly illegal if [there was] not malicious intent. Half the infosec services would be illegal (Shodan, Censys etc). IRC networks check on connect, Xbox does, PlayStation does etc."
Moore responded that two solicitors he'd spoken to agreed Halifax's practice appeared to contravene the CMA. An IT solicitor contact of The Register, who said he'd rather not be quoted on the topic, agreed with this position. Halifax's lawyers undoubtedly disagree.
Moore concluded: "Halifax explicitly says they'll run software to detect malware... but that's if you're a customer. Halifax currently scan everyone, as soon as you land on their site."
Enter the ThreatMetrix
The scripts run in the visitor's browser and are there to check whether the machine is infected with malware. They do this by attempting to connect to local ports, which is illegal without consent, according to Moore.
"Whilst their intentions are clear and understandable, the simple act of scanning and actively trying to connect to several ports, without consent, is a clear violation of the CMA," Moore argued.
Beaumont countered: "It only connects to the port, it doesn't send or receive any data (you can see from the code, it just checks if port is listening)."
Moore responded that even passively listening would break the CMA. "That's sufficient to breach CMA. If I port-sweep Halifax to see what's listening, I'd be breaching CMA too," he said.
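Because the dispute turns on what a page's scripts do to the visitor's own machine, the practical question for a user or auditor is how to tell whether a login page contains such a probe at all. The following is an added example, not code from the article, Halifax or ThreatMetrix: a small Node.js check that scans page scripts for URLs pointing at the loopback interface (127.0.0.1, localhost, [::1]) and reports the literal port, with the service that normally listens there for the few ports the article mentions (remote desktop, VNC). The sample scripts, the `KNOWN_PORTS` table and the function names are constructed for illustration.

```javascript
'use strict';

// Well-known ports for the services the article names; everything else is
// reported as 'unknown'. (Constructed lookup table for this example.)
const KNOWN_PORTS = {
  22: 'ssh',
  3389: 'rdp (remote desktop)',
  5900: 'vnc',
};

// Matches http(s)/ws(s) URLs whose host is the loopback interface, with an
// optional literal port. A port assembled at runtime (e.g. 'http://127.0.0.1:' + p)
// still matches on the host and is reported with port null / service 'dynamic'.
const LOOPBACK_URL = /\b(https?|wss?):\/\/(127\.0\.0\.1|localhost|\[::1\])(?::(\d{1,5}))?/g;

// Returns one record per loopback URL found in a script's source text.
function findLoopbackProbes(scriptSource) {
  const hits = [];
  for (const m of scriptSource.matchAll(LOOPBACK_URL)) {
    const port = m[3] === undefined ? null : Number(m[3]);
    hits.push({
      scheme: m[1],
      host: m[2],
      port,
      service: port === null ? 'dynamic' : (KNOWN_PORTS[port] || 'unknown'),
    });
  }
  return hits;
}

// True if any of the page's scripts addresses the visitor's own machine.
function pageProbesLocalhost(scripts) {
  return scripts.some((src) => findLoopbackProbes(src).length > 0);
}

// Constructed sample scripts standing in for a login page's JavaScript
// (not real vendor code): the first is ordinary form handling, the second
// opens connections to loopback ports in the way the article describes.
const SAMPLE_SCRIPTS = [
  `document.getElementById('login').addEventListener('submit', validate);`,
  `var ws = new WebSocket('ws://localhost:5900/');
   var img = new Image();
   img.src = 'http://127.0.0.1:3389/';
   var dyn = 'https://[::1]:' + port + '/';`,
];

// Stand-alone demonstration: list every loopback URL and give a verdict.
for (const src of SAMPLE_SCRIPTS) {
  for (const hit of findLoopbackProbes(src)) {
    const portText = hit.port === null ? '<dynamic>' : String(hit.port);
    console.log(`${hit.scheme}://${hit.host}:${portText} -> ${hit.service}`);
  }
}
console.log('page probes localhost:', pageProbesLocalhost(SAMPLE_SCRIPTS));
```

Running it prints the two literal probes (VNC on 5900 and remote desktop on 3389) plus one entry whose port is built at runtime, and a verdict of `true` for the page. A static check like this only shows that a script addresses loopback; whether a given host actually answers is exactly the information the article says is sent back to the bank, and is not something this check tries to reproduce.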
Moore went on to say that this testing – however well-intentioned – might have undesirable consequences.
"Halifax/Lloyds Banking Group are not trying to gain remote access to your device; they are merely testing to see if such a connection is possible and if the port responds. There is no immediate threat to your security or money," he explained.
"The results of their unauthorised scan are sent back to Halifax and processed in a manner which is unclear. If you happen to allow remote desktop connections or VNC, someone (other than you) will be notified as such. If those applications have vulnerabilities of which you are unaware, you are potentially at greater risk."
Moore expressed that his arguably quixotic actions may have beneficial effects. "Either Halifax [is] forced to correct it and pays researchers from the proceeds, or the CMA is revised to clarify that if [its] true intent isn't malicious, [it's] safe to continue," he said.
We have asked ThreatMetrix for comment. ®
Updated at 1200 UTC to add
Halifax Bank has been in touch to say: "Keeping our customers safe is of paramount importance to the Group and we have a range of robust processes in place to protect online banking customers."
¹ Action Fraud is the UK's cyber security reporting centre. Moore has reported the issue to it. AF's response left Moore pessimistic about finding any relief from that quarter.