A computer hackers club in Germany has blown apart the Microsoft ActiveX security model used to protect online banking and other Internet applications.

The Chaos club of Hamburg two weeks ago demonstrated a way to siphon money from home users' bank accounts. The action forced Microsoft to warn users: 'There is no way to guarantee safety.'

Cornelius Willis, Microsoft's group product manager, said: 'This is going to be the first of many incidents. Users are going to have to become very security conscious. We've been much too sanguine.'

Despite the news, the Royal Bank of Scotland (RBoS) this week pledged to continue with plans for a Net-based home banking system, which could be attacked in the same way. The bank said its initiative has attracted 'phenomenal interest'. It is promising to repay customers for proven unauthorised transactions.

Barclays, Midland and NatWest Bank confirmed that they are not prepared to take the same risks as the RBoS. A NatWest official said: 'We won't launch an Internet service for some time yet - it's too insecure.'

The Chaos club said it attacked a banking application simply to attract maximum publicity. Club member Lutz Donnerhacke said: 'The problem is not banking. It's every Microsoft network, server and client.'

According to Donnerhacke, malign ActiveX controls (applets written to Microsoft s ActiveX model) could be spread across the Internet as spying and sabotage agents.

Once downloaded, ActiveX controls can access any part of a Windows client or server machine, and perform any task. Chaos claims that using Microsoft's OLE object linking mechanism, files held by the majority of applications can be accessed covertly, without opening the application and alerting the user.

'There are 20 million Net users in Germany. If we attacked just 1% of them and took only DM20 from each one, we'd have DM4m (£1.5m),' Donnerhacke claimed.

He dismissed Microsoft's claims that Java applets are just as great a threat to security as ActiveX controls. Java applets can only perform limited functions once downloaded.

Sabotage is possible because ActiveX is protected only by a system of encrypted certificates which attach to downloaded software. The certificates are intended to reassure users that the software they download is not malicious.

Yet software is not tested before a certificate is issued. Microsoft says users should recognise that certificates only prove that the software's author has been registered, and that the software has not been corrupted since it was written.

Microsoft admitted that false registration is not beyond criminals, 'but it is not a trivial task', Willis said. Registration requires details of company name and credit references.

Causing Chaos

On its default security settings, Microsoft's Internet Explorer Web browser automatically downloads certificated ActiveX controls, without informing the user.

Uncertificated controls are only downloaded if the user gives on-screen consent.

The Chaos club claims that it has written an uncertificated control which will secretly download itself onto a machine, whatever the security setting on Internet Explorer.

Willis at Microsoft said: 'We haven't seen how they do that yet. The code they demonstrated used a certificate.'

The club attached a certificate to a control which, once downloaded, changed the Explorer settings to allow other controls to follow unchecked.

'That's not illegal,' the club said.

13-FEB-97, VNU Business Publications Ltd