August 7, 2018, updated 08 Aug 2018 9:21am

Is the Halifax Conducting “Unauthorised” Port Scans?

Lawyers agree: the activity is legally questionable - albeit tough to prosecute.

By CBR Staff Writer

Cybersecurity researcher Paul Moore wants to sue High Street bank the Halifax for scanning ports on the computers of those visiting its website.

He claims this is being done without their permission or knowledge prior to login – and is the sort of activity that could potentially land even a benign, or “white hat”, hacker in trouble with the court under the Computer Misuse Act (CMA).

He is fundraising to launch legal action against the bank.

One legal expert told Computer Business Review that, technically, he may be correct: such activity is arguably in breach of the CMA. But prosecuting the bank for the activity, which is conducted by its anti-fraud software, may be a fruitless task.

What’s Happening, Exactly?

Paul Moore first noticed the scan in 2015 when encountering some errors on the Halifax’s page. After opening his browser console – the part of your web browser that allows you to see security errors and network requests – he noticed that the bank was actively scanning the ports on his computer to see if any of them were open; an activity that hackers also perform to test for vulnerabilities.

The ports being scanned (5939, 63333, 5903, 5950, 3389, 5900, 5901, 5902, 5931, 5279) are ones commonly used by remote-access services, the kind of software that lets someone control a computer from elsewhere.

Paul Moore said: “They are scanning to see if you have a VNC or remote desktop connection enabled, which can be perfectly harmless, but could be a sign that your machine is compromised – presumably they weigh this against a range of other risks.”
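As an added example of how a visitor or a security team could spot the behaviour described above (this is not code from the article, from Halifax or from ThreatMetrix), the script below takes a HAR-style list of browser network entries, as exported from the network tab of the browser console the article mentions, and flags any page whose requests target the visitor's own machine on several distinct ports. The ten port numbers are the ones the article lists; the service labels, the `pageref` grouping and the sample entries are constructed assumptions.

```javascript
// Added example: detect loopback port probes in a HAR-style request list.
// The ten ports are those the article lists; the service labels are an assumption.
const ARTICLE_PORTS = new Set([5939, 63333, 5903, 5950, 3389, 5900, 5901, 5902, 5931, 5279]);
const SERVICE_GUESS = { 3389: "RDP", 5900: "VNC", 5901: "VNC", 5902: "VNC", 5903: "VNC", 5939: "TeamViewer" };
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]", "0.0.0.0"]);
const DEFAULT_PORT = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Returns null for ordinary traffic, or a record describing a request aimed at the
// visitor's own machine (any explicit or default port, not only the listed ones).
function classifyRequest(url) {
  let u;
  try { u = new URL(url); } catch (_e) { return null; }   // malformed URLs are not probes
  if (!LOOPBACK.has(u.hostname.toLowerCase())) return null;
  const port = u.port ? Number(u.port) : DEFAULT_PORT[u.protocol];
  if (!port) return null;
  return { url, port, listedInArticle: ARTICLE_PORTS.has(port),
           service: SERVICE_GUESS[port] || "unidentified" };
}

// Groups loopback hits by the page that issued them (HAR "pageref") and reports a scan
// when one page touches at least minDistinct different local ports, so a single request
// to a local dev server is not confused with a sweep of remote-access ports.
function findPortScans(entries, minDistinct = 3) {
  const byPage = new Map();
  for (const e of entries) {
    const hit = classifyRequest(e.request.url);
    if (!hit) continue;
    const page = e.pageref || "(no pageref)";
    if (!byPage.has(page)) byPage.set(page, []);
    byPage.get(page).push(hit);
  }
  const scans = [];
  for (const [page, hits] of byPage) {
    const ports = [...new Set(hits.map(h => h.port))].sort((a, b) => a - b);
    if (ports.length < minDistinct) continue;
    scans.push({ page, ports,
                 services: ports.map(p => SERVICE_GUESS[p] || "unidentified"),
                 listed: ports.filter(p => ARTICLE_PORTS.has(p)).length });
  }
  return scans;
}

// Constructed sample entries (not a real capture): one page sweeping three
// remote-access ports, plus ordinary traffic and a lone request to a local dev server.
const SAMPLE_ENTRIES = [
  { pageref: "page_1", request: { url: "https://www.example-bank.invalid/login" } },
  { pageref: "page_1", request: { url: "https://localhost:5900/" } },
  { pageref: "page_1", request: { url: "https://127.0.0.1:3389/" } },
  { pageref: "page_1", request: { url: "wss://[::1]:5939/" } },
  { pageref: "page_1", request: { url: "https://127.0.0.1:5900/" } },
  { pageref: "page_2", request: { url: "http://localhost:8080/dev" } },
];
console.log(JSON.stringify(findPortScans(SAMPLE_ENTRIES), null, 2));
```

Run it against a real HAR export by replacing `SAMPLE_ENTRIES` with `har.log.entries`; the `pageref` field is what the browser's HAR writer fills in for each request.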


The code served to Paul Moore’s device

He told Computer Business Review: “It is the first time I’d come across an organisation doing that just when you land on their page; pre-login.”

He added: “They were actively scanning 10 ports not just of customers but of visitors. I complained and was referred to their privacy policy. But they are scanning the devices of anyone landing on the page; people who haven’t agreed to the privacy policy.”

“It’s clearly part of a weighted threat metric and seems to be conducted by part of their ThreatMetrix anti-fraud software. I’m not suggesting they are trying to hack their customers or anyone’s money is at risk. But what if we, as customers, scanned a bank’s infrastructure to ensure our safety?  This would clearly breach the CMA and we’d almost certainly end up in court.  The rules should be applied fairly, to both parties.”

Halifax Port Scans: No Malicious Intent, but…

The issue, in his eyes, is that lack of malicious intent has never been much of a defence under the CMA, and that ‘what’s sauce for the goose is sauce for the gander’.

As he puts it on his fundraising page: “As security researchers, we operate mindful of the CMA. Sometimes, our actions are questionable, other times we clearly overstep the mark if the risk to the public justifies it.  However, the question of ‘intent’ arises time & time again.” (And in the past, benign intent has been no defence for security researchers).

Section 1(1)(a), (b) and (c) of the CMA reads: “A person is guilty of an offence if – (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorized; and (c) he knows at the time when he causes the computer to perform that function that that is the case.”

“Probing a Port… Likely to Amount to Securing Accessing to the User’s Computer, for the Purposes of the Computer Misuse Act.”

Neil Brown, from tech law firm decoded:Legal told Computer Business Review: “The allegation is that the site in question is serving up JavaScript, which gets run in the user’s browser and attempts to determine whether or not certain ports are open on the user’s machine. In my view, probing a port to see if there is a response is likely to amount to securing accessing to the user’s computer, for the purposes of the Computer Misuse Act.”

“If that’s correct, the question is whether this is authorised, or if it requires each user’s consent. Since this seemingly happens on a user’s computer, and takes place automatically on page load, without notification to the user, I’m sceptical that the site has authorisation for this access, or else has the user’s consent.”

“If, however, this activity does amount to computer misuse, there could be wider implications. Not only are port scans common, if all JavaScript required a visitor’s consent, the browsing experience would be pretty lousy.”

He added: “Similarly, I’d expect a site such as a bank to argue that there is a clear imperative to secure its systems such that, even if the activity did amount to computer misuse and was without authority, there is no public interest in prosecuting.”

“Robust processes in place”

The Halifax, declining to comment on the legality or otherwise of its approach, told Computer Business Review: “Keeping our customers safe is of paramount importance to the Group and we have a range of robust processes in place to protect online banking customers.”

The script was not being served when Computer Business Review checked its web console for the page. Mr Moore has yet to convince the infosec community the case is worth pursuing; at the time of publishing, he had raised £50 of a £15,000 target.
