[LAC-TF] internet banking threatens IPv6 in Brazil

Antonio M. Moreiras moreiras at nic.br
Thu Apr 9 21:06:50 BRT 2015


Hi.

We have an interesting situation here. At the same moment that some of
our big ISPs are starting to deploy IPv6 to home users [1], a bug in
software used by online banking for security reasons threatens this
initiative.

This software is 'warsaw 1.5.1' from GAS Tecnologia, which is a Diebold
company. It is used by our main banks. The security software installs
itself automatically when the user accesses home banking, and works as a
service in Windows. According to the company, it is installed on more
than 31 million Windows hosts in Brazil, and it doesn't offer any means
for the user to uninstall it.

If the network has IPv6, the bug prevents access to IPv6 hosts, even
if IPv4 is also available. From the end user's point of view, 'Internet
stops' (you can't access Google, Facebook, Yahoo, Netflix, etc., or even
network shared folders). Ahh... Yes, you can still use the home banking
website, since it is IPv4 only. So the user will probably blame the ISP
for the lack of connection, or a virus, or maybe the IPv6 deployment
itself, if he is aware of it.

It has proved to be more difficult than it should be to show the seriousness
of this situation to the banks and to the company that sells this
solution to them. At the same time, we hear from some companies and
universities that their IT teams are starting to disable IPv6 in Windows
7 and Windows 8 to mitigate this problem.

Do you know of any similar problem? I'm not sure if this technology from
Diebold is used in other countries.

We wrote an article in ipv6.br about it:

http://ipv6.br/bug-em-plugin-de-seguranca-de-bancos-bloqueia-internet/

Regards,
Moreiras.

[1] http://6lab.cisco.com/stats/cible.php?country=BR&option=users




