Exchequer Security Vulnerability

Exchequer stores its passwords using reversible encryption instead of a one-way hash, so if you can get to a user management screen you can easily decrypt everyone’s credentials. Equally, all data sent across the network is sent in the clear for everyone to see.

Whilst the security of your financial data may not be considered important, any Exchequer password should be immediately considered ineffective and not encrypted, and crucially therefore should be different to the domain password. If you use the same password for Exchequer as for any other 3rd party system (e.g. a bank account), internal or external to your organisation, I recommend changing your password to that other system as soon as possible.

We notified Iris of this vulnerability over six months ago, but apparently, as we are the only people to have ever raised this concern, they don’t consider spending 10 mins fixing it worthwhile! Internally we are not overly concerned about financial data security and have addressed this by advising their users to use unique passwords for Exchequer (a good policy for any system anyway); however, Iris’ attitude to this blatant breach of all of their customers’ security horrifies me!

Kind regards

Olof

Comments
PCI Compliance

ExSync

Iris Exchequer also stores credit card details totally un-encrypted, and anyone using these fields is in breach of PCI compliance rules. An audit could be costly. It may be a legacy from the Exchequer Enterprise days, when credit card security was not what it is today. There is no excuse; it should be at the very top of the list of priorities in any financial system to be secure and PCI compliant.

Users don't know if a data entry field is secure or not; if it says credit card number, they will record it for convenience.

There are plenty of third party database encryption modules available that will do this and it is not rocket science to implement.

If you record Credit card details into Iris Exchequer which is not PCI compliant you risk costs of up to £100,000. http://www.itgovernance.co.uk/media/article.aspx?news_id=647

http://www.pci-dss-compliance.org.uk/PCI-PSS-Compliance/pci-compliance/

Worth a quick check I’d say and use OLE to get rid of the numbers that could break the bank!

Exchequer Security Vulnerability

Paul Sparkes

Thanks for your post regarding your security concerns; the good news is that I think these are simply addressed with some simple configuration changes to your system setup.

Access to the ‘User Password’ section of the IRIS Exchequer product can be restricted via permissions within an individual user’s own profile, and there are options within each user profile to permit an individual user access purely to update their own password without needing access to the entire ‘User Password’ options. As with any system, it is a common requirement to have a user with full access to the entire system in order to manage and maintain individual users, and access to such options is normally driven by the position held within an organisation.

With regard to your concerns around encryption, there are additional options for customers in IRIS Exchequer to further protect data transmitted across networks; if you would like to contact your support provider they will be able to assist with the configuration of the relevant encryption for your business including such methods as Secure Sockets Layer (SSL) to encrypt data using a digital certificate.

Should you require further assistance please feel free to contact our support teams or your dedicated account manager.

PCI Compliance (1 thanks)

Paul Sparkes

Thanks again for your comments; the good news here is that again this sounds like a configuration issue. That said, you're quite right that customers should also make sure they understand the PCI legislation, as many companies store this information in non-dedicated fields including notes etc. We advise our customers that they should have a clear policy for their staff on the storage of credit card details, which should take into account any PCI compliance requirements they are subject to.

To aid this task we introduced changes in IRIS Exchequer v6.7+ last year in the way credit card and bank account details were stored and displayed within the system. Via the ‘User Password’ options, individual users can now be configured to either permit or restrict the bank and credit card details from being displayed or masked. Passwords are also available to restrict users’ ability to edit / update the bank and credit card fields.

In addition to the visible access in the system, a full audit mechanism for the bank and credit card details was also provided, and access to the audit log is also controlled via the ‘User Password’ options. Where user permissions are set to restrict access to the bank and credit card details, these restrictions extend to all reporting access, so this information is further protected. Finally, the audit log file is encrypted and can only be read from within the core IRIS Exchequer system via the log viewer, for which, as previously mentioned, access can be controlled on a user by user basis.

I hope this proves useful; for more details please feel free to contact our support teams or review further details of our release history at our dedicated customer portal www.iris.co.uk/myexchequer.

ExSync

Thanks Paul,

I have no doubt that secure SSL communications across networks is a good thing and something easily accomplished. However, in Exchequer 6.8 the credit card number is still stored unhashed and un-encrypted in plain text within Exchequer, and this is in breach of PCI compliance. To verify this I have just checked the database and it is there for all to see. (In fact all credit card details are there: start date, end date...)

We actually regularly check to see if users have entered data by mistake and clear it to ensure we remain PCI compliant and don't accidentally store credit card data in Exchequer.

I am sure that this is something that goes back a long way, simply because Exchequer has been around for so long.

The problem is that users will be users and they will enter data where it lets them.

Whilst you can control what is seen at the application layer within Exchequer, the credit card fields are there and can be read externally because they are not encrypted. All you do at the application layer is mask them.

This is not PCI compliant.

Whilst you can block visibility in the interface, you are not securing things underneath where it matters; a bit like blocking people on Twitter, they can still get around it and tweet.
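
Added example (not from the thread, and not IRIS Exchequer code): the kind of routine check ExSync describes, scanning free-text fields for values that look like card numbers so that accidentally stored PANs can be found and cleared before an audit finds them. The records and field names are constructed; the two matching numbers are publicly published test card numbers, not real ones. Luhn validation is what keeps phone numbers and reference numbers out of the findings.

```python
import re
from typing import Dict, Iterable, List

# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# part of a longer digit run (the lookbehind/lookahead stop partial matches).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every well-formed card number passes; most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> List[str]:
    """Return the digit-only strings in text that have PAN length and pass Luhn."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the finding itself does not reproduce the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample records standing in for rows exported from a notes table.
SAMPLE_RECORDS = [
    {"id": "CUST001", "notes": "Called re invoice 10023, paid by card 4111 1111 1111 1111 exp 12/26"},
    {"id": "CUST002", "notes": "Phone 01234 567890, prefers email"},
    {"id": "CUST003", "notes": "Card on file: 5555-5555-5555-4444"},
    {"id": "CUST004", "notes": "Ref 4111111111111112 is a despatch number, not a card"},
]


def scan_records(records: Iterable[Dict[str, str]], fields=("notes",)) -> List[Dict[str, str]]:
    """Report (record id, field, masked PAN) for every field that holds a Luhn-valid PAN."""
    findings = []
    for rec in records:
        for field in fields:
            for pan in find_pan_candidates(rec.get(field, "")):
                findings.append({"id": rec["id"], "field": field, "masked": mask_pan(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['id']}.{f['field']}: {f['masked']}")
```

The report deliberately carries only the masked value; the point of the check is to locate the rows that need clearing, not to copy card data into yet another place. Extend `fields` to every free-text column users can type into, since, as the thread notes, users will enter data wherever the application lets them.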

olof

Hi Paul,

I am afraid you have misunderstood the issue. You are correct that they are very easily resolved (30 mins by your dev team), but they cannot be resolved by a customer configuration change.

Please do re-read my original post. The problem is that the encryption you have implemented is easily reversible. It took one of my engineers 30 seconds to pull out all user passwords when he himself had no credentials to the system whatsoever.

Also, as I have said, we already raised it with your support team, but their attitude was insulting, and despite multiple escalations we have not received a satisfactory response.

Best regards

Olof

Exchequer Security Vulnerability & PCI Compliance

TURBOD

Iris Exchequer fails PCI Compliance Audit. It is now just short of 8 months since Olof’s original post pointing out Exchequer’s security vulnerability. Having recently failed a PCI compliance audit, and the non-encryption of credit card data within the Pervasive PSQL having been discovered, I would urge Paul Sparkes to take notice of this reported flaw in the Exchequer system and to allocate some developer resource to this matter without delay. Listening to constructive criticism and observations from your customers is important for all businesses regardless of their size.

See http://www.turbodynamics.co.uk/iris-exchequer-security-vulnerability for proof that the data is available and easily accessed.

Group: IRIS Exchequer discussion group
Gathering place for Exchequer users to share experiences and swap ideas about the accounting application.