Wednesday, 27 October 2010

Yon Consulting's CEO @ Internetdagarna

Internetdagarna is Sweden’s primary meeting place for Internet professionals. It is organized by .SE - Swedish ccTLD Registry.

Stockholm 2010
Internetdagarna is an amazing conference, with 750 attendees this year. I would never have expected such a big event, with so many attendees and distinguished speakers, in a country of 9 million citizens. Sweden is focused on new technologies, so maybe I shouldn't be surprised anyway...? Congratulations to NIC.SE for the great event. Good PR for them and for the whole Swedish IT business.

As the former Head of the .PL Registry and Chairman of CENTR, I was invited to give a speech on the Polish domain market, the factors driving the demand for domain names, and how long we can expect that growth to continue.

Stockholm 2010
To summarize my presentation, I would like to point you to two main aspects. The first is the reason why people register domains. What drives them to purchase a name under a TLD? Here are three reasons behind registrants' decisions:
  • “Must have” for business to be recognized in the country (like .DE .CZ .PL) → primary market
  • Investments (like .CO .ME) → secondary market
  • TM protection against cybersquatters (like .FR .BIZ .INFO) → defensive registrations
The next aspect is the TLD Registry itself. What can a Registry do to facilitate growth? Let me show you one slide, based on the .PL situation. I'm proud to be the author of .PL's success, so let me give you a recipe for a successful TLD...

To download the full presentation, go here.
For any questions, please contact me. The contact details are here.



Friday, 22 October 2010

Security Vulnerability @ Polbank EFG

updated on November 18, 2010
Here is a description of a vulnerability in an on-line banking system that I recently detected.

The on-line banking system of Polbank EFG, the Polish branch of Eurobank EFG (one of the largest banking groups in Greece, listed on the Athens Stock Exchange as EUROB), is vulnerable to a man-in-the-middle attack before the one-time authorization code is entered by the end-user.

Severity: Medium
 
Background
In Polbank EFG, all on-line money transfer transactions are secured by a 6-digit code sent via SMS to the registered mobile phone of the bank account holder. The one-time password method (sent via SMS or generated by a hardware token) is commonly used across on-line banking systems as an easy-to-use and reliable security provision.

Vulnerability description
In Polbank EFG, after the transaction details have been entered into the banking system, the account holder requests an authorization code to be sent to his/her mobile phone. Once the SMS arrives, the account holder has a time slot of up to 2 minutes to enter the received code into the browser to confirm the transaction and obtain authorization.

In the case of Polbank EFG, the transaction details, including the Amount and Account Number fields, can still be altered before the 6-digit code is entered.

In a possible man-in-the-middle attack, the attacker can alter the entered values, replacing the destination account number with one belonging to the attacker(s). Even though the transaction details have been changed, the previously generated 6-digit authorization code entered by the end-user into the browser confirms the altered transaction. The root cause is that the code is verified on its own and is not tied to the amount and account number that the bank actually executes.
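The fix for this class of problem is to bind the one-time code to the transaction it authorizes, so that details changed after the SMS was sent no longer verify. The following is an added illustration written for this post, not Polbank EFG's code; the server key, amounts and account numbers are constructed placeholders, and the 120-second window mirrors the 2-minute slot described above.

```python
import hmac
import hashlib
import secrets

# Constructed example (not Polbank EFG's implementation): a 6-digit SMS code
# derived from the exact transaction details the bank will execute. If a
# man-in-the-middle changes the amount or account number after the SMS is
# sent, the recomputed code no longer matches and the transfer is refused.

CODE_TTL_SECONDS = 120  # the 2-minute entry window described in the post


def canonical(amount: str, account: str) -> bytes:
    # Fixed serialization of exactly the fields that will be executed.
    return f"amount={amount}|account={account}".encode()


def derive_code(server_key: bytes, amount: str, account: str, nonce: str) -> str:
    # Truncated HMAC over the transaction details plus a per-request nonce,
    # reduced to six decimal digits so it can still be typed from an SMS.
    msg = canonical(amount, account) + b"|" + nonce.encode()
    mac = hmac.new(server_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_code(server_key: bytes, amount: str, account: str):
    # Server side: generate a nonce, store (nonce, issue time, details) with
    # the pending transaction, and send the code by SMS together with the
    # amount and account it covers so the user can see what they confirm.
    nonce = secrets.token_hex(8)
    return derive_code(server_key, amount, account, nonce), nonce


def verify_bound(server_key: bytes, amount: str, account: str, nonce: str,
                 issued_at: int, submitted: str, now: int) -> bool:
    # Server side: recompute the code from the details actually submitted for
    # execution (not from what was shown when the SMS was requested).
    if now - issued_at > CODE_TTL_SECONDS:
        return False
    expected = derive_code(server_key, amount, account, nonce)
    return hmac.compare_digest(expected, submitted)


def verify_unbound(stored_code: str, submitted: str) -> bool:
    # The weak check the post describes: the code is compared on its own, so
    # whatever details are present at confirmation time are accepted.
    return hmac.compare_digest(stored_code, submitted)
```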

Updated November 18, 2010:
28 days after the problem was reported directly to EFG Bank, no action has been taken. The problem with SMS confirmation still exists.