Questions have been asked about the security of a banking site if a malicious website were to be opened in another browser tab.
Stuart Okin, managing director of Comsec Consulting, asked what level of security banks should be dictating to their customers.
Okin said: “If I was a bank and I have my website, what can I dictate to you, and how do I enforce that? If there are two tabs open and a bad website attacks the good website, can this happen? We know that holes do exist on websites, but this is a troubling question and it takes time to get right.”
Commenting, Michael Sutton, VP security research at Zscaler, claimed that this should not be able to happen, as the browser's same-origin policy dictates that one domain should not be able to access another.
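The rule Sutton refers to can be modelled in a few lines. The following is an added example, not code from the article or from Zscaler: it computes the origin (scheme, host, port) of two page URLs and answers whether script running in one tab would be allowed to reach into the other. The domains `bank.example` and `evil.example` are constructed placeholders.

```javascript
// Added example (not from the article): a minimal model of the browser's
// same-origin policy. Two pages share an origin only when scheme, host and
// port all match; the path plays no part in the decision.
const DEFAULT_PORTS = { "https:": "443", "http:": "80" };

// Normalise a URL to its origin string, filling in the default port so that
// "https://bank.example/" and "https://bank.example:443/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Simulates the check a browser performs before letting script loaded in one
// page read the DOM or document.cookie of another page (e.g. in another tab).
function scriptMayAccess(scriptPageUrl, targetPageUrl) {
  return sameOrigin(scriptPageUrl, targetPageUrl);
}

// Constructed sample pages: a banking session and an unrelated site.
const BANK_PAGE = "https://bank.example/account";
const OTHER_TAB = "https://evil.example/page";

console.log("other tab may read bank page:", scriptMayAccess(OTHER_TAB, BANK_PAGE)); // false
console.log("bank page may read its own transfer page:",
  scriptMayAccess(BANK_PAGE, "https://bank.example/transfer")); // true
console.log("http page may read https page of same host:",
  scriptMayAccess("http://bank.example/", BANK_PAGE)); // false
```

Note that a subdomain (`www.bank.example`), a different scheme or a non-default port each count as a different origin, which is why the isolation holds by default and, as Sutton says, only a browser bug or a flaw on the banking site itself would break it.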
Sutton said: “It really is about being within the domain; the exception is when it is a browser-based vulnerability. It is not a tried and tested rule. If I get the cookie I can impersonate you, but I could not steal the cookie for a Gmail account as there would need to be a fault with the banking site.”
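Sutton's point that a stolen session cookie allows impersonation is why a bank's own cookie settings matter. As an added example (not from the article or from Comsec or Zscaler), the following parses a `Set-Cookie` header and lists the hardening attributes a session cookie is missing; the cookie names and values are constructed.

```javascript
// Added example (not from the article): audit a Set-Cookie header for the
// attributes that limit cookie theft and cross-site use.

// Split "NAME=value; Attr; Attr=val" into a name, value and attribute map.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Returns a list of findings for a session cookie; an empty list means the
// cookie carries all three attributes checked here.
function auditSessionCookie(header) {
  const { attributes: a } = parseSetCookie(header);
  const findings = [];
  if (!a.secure) {
    findings.push("missing Secure: cookie may be sent over plain HTTP");
  }
  if (!a.httponly) {
    findings.push("missing HttpOnly: page script can read the cookie, so any script-injection flaw on the site exposes it");
  }
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : null;
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("SameSite not Lax/Strict: cookie is attached to requests started from other sites");
  }
  return findings;
}

// Constructed headers: a weak session cookie and a hardened one.
const WEAK_COOKIE = "SESSION=abc123; Path=/";
const HARDENED_COOKIE = "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Strict";

console.log(auditSessionCookie(WEAK_COOKIE));      // three findings
console.log(auditSessionCookie(HARDENED_COOKIE));  // []
```

`HttpOnly` is the attribute most directly tied to Sutton's remark: it keeps the cookie out of reach of script even when a fault on the banking site lets script run there, and `SameSite` stops the browser attaching it to requests another tab's site provokes.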