Re: Are Major Banking Sites Insecure?

> At issue are the user login areas that can be found on banking sites
> such as Chase.com and Americanexpress.com, which ask users to submit
> their user ID and password information. Although these forms may be
> encrypted, they do not use authentication technology to prove they are
> genuine, according to Johannes Ullrich, chief research officer at the
> SANS Institute.
>
> A more secure approach would be to force users to log in on a HTTPS
> (HyperText Transport Protocol Secure) Web page. HTTPS pages use the
> SSL (Secure Sockets Layer) security protocol, which not only encrypts
> the information on the page but also provides digital certificates to
> give assurance that the Web site in question is genuine.

SSL is an effective way of transmitting payment information securely to the thief operating a web site in such a way that the other thieves don't get the info first.

> "If the login form is not HTTPS, you don't know if it's the real
> thing," Ullrich said.

If it's HTTPS, and you don't look at the certificate, you still don't know if it's the real thing. If you don't look at the certificate, you don't know it doesn't say: "Union of Nigerian Bank Fraud Artists, Third Pile of Money on the Left SUCKER, Nigerian Republic of Bank Fraud". I suspect just about anyone can get a real certificate if they use their real name on it, even if they are running a web site from inside a prison and freely admit it to Verisign. Saddam, have you applied for a certificate yet?

If you don't pay attention to warnings about certificate authorities, I can make a certificate that looks just like a real bank certificate, and it will fool lots of people. However, it's more fun to make certificates for "Satan, Prince of Darkness", and few people will read it anyway. You do get a few browser warnings; however, I suspect a lot of people would click OK without thinking to a popup like:

You are about to install the Code Red Virus. Only an idiot would deliberately install a virus thinking it was anti-virus software. The install program will also drain your checking account and take your soul and first-born child. Install virus anyway?

> Web pages that do not use this type of secure connection are
> vulnerable to a type of attack known as DNS (Domain Name System)
> spoofing, where attackers attempt to trick Web browsers into visiting
> bogus Web sites.

And if you don't read the certificates, you won't notice that you expected to be connected to Chased Bank and you're really connected to Henry's House of Hashish and Aftermarket Biological Weapons.

> This type of attack is technically challenging, however, and hackers
> generally find it far easier to trick users into giving up their user
> names and passwords using phishing techniques, Ullrich said.
>
> Though Bank of America allows customers to enter their online IDs on
> the home page, they cannot submit passwords. The bank sends them to an
> HTTPS page and uses a technology called SiteKey to confirm to
> customers that they are at the legitimate Bank of America site before
> they enter their passwords.
>
> "We're committed to safeguarding customer information online and we
> wouldn't do anything to compromise that security," Riess said.

Bank of America has an interesting setup to avoid spoofing and man-in-the-middle attacks, and it involves the user a bit more. You set up an image (chosen from a set of what might be a few hundred), a caption, and some security questions and answers. (For example, I might select an image of a fire-breathing dragon, and caption it "my mother-in-law". I might also select a security question of "What is your favorite pet?" with the answer "9/11/2001". Of course, by choosing such weird answers, I'd better remember the real answers, as the question won't give much of a hint.)

  1. You go to what is supposedly the login page.
  2. You put in your ID (but not password)
  3. If your computer has the BofA cookie on it for this account, skip to step 7
  4. You are asked one of the security questions (I think an SSL page).
  5. You answer it.
  6. If your answer is correct, the web page offers to put a cookie on the computer you are using (but advises you not to if it's a public system).
  7. You get a SSL page showing your selected image and the caption (Together, these are the site key.). You are advised *NOT* to enter your password if you don't see the correct site key. Enter your password.
  8. You put in the password.
  9. If it's correct, you're in, and the cookie from step 6 is added if requested.
  10. You get the online banking page (SSL) for your account.

If you usually log in from a small set of computers which by now have the cookie on them, you only do steps 1, 2, 7, 8, 9, and 10, and you should be suspicious if you are suddenly asked one of the security questions (a sign of a man-in-the-middle attack).

Notes: if you refuse to accept cookies, you get asked the security question, but it still works. The cookie does NOT substitute for knowing the password.

Although it's hardly foolproof, especially if the user isn't paying attention, it's different and it involves the user a bit more, so I think it's going to be more effective.

Gordon L. Burditt
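The ten-step flow described in the post above, played out as a runnable model. This is an added example, not code from the post, from Bank of America, or from the SiteKey product: the SiteKeyServer and LookAlikeSite classes, the user id "gordon", the password, the PBKDF2 password hashing, and the session and cookie tokens are all hypothetical choices for illustration, not how the real service is built. The constructed scenario in demo() also exercises the two notes at the end of the post (a relay that lacks the cookie gets a security question; the cookie does not replace the password) and the look-alike site that cannot show the right image and caption.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    sitekey: dict     # {"image": ..., "caption": ...}, chosen by the user at enrollment
    challenges: dict  # security question -> expected answer


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class SiteKeyServer:
    """Toy bank (hypothetical, not the real service): ID, then cookie-or-question,
    then site key, and only then the password, as in the ten steps above."""

    def __init__(self):
        self.accounts = {}        # user id -> Account
        self.device_cookies = {}  # cookie token -> user id
        self.sessions = {}        # session token -> login state

    def enroll(self, user_id, password, image, caption, challenges):
        salt = secrets.token_bytes(16)
        sitekey = {"image": image, "caption": caption}
        self.accounts[user_id] = Account(salt, _hash(password, salt), sitekey, dict(challenges))

    def begin_login(self, user_id, cookie=None):
        """Steps 1-4: take the ID only. A cookie bound to this ID skips the question."""
        session = secrets.token_urlsafe(16)
        if cookie is not None and self.device_cookies.get(cookie) == user_id:
            self.sessions[session] = {"user": user_id, "verified": True}
            return {"session": session, **self.accounts[user_id].sitekey}
        question = secrets.choice(list(self.accounts[user_id].challenges))
        self.sessions[session] = {"user": user_id, "verified": False, "question": question}
        return {"session": session, "question": question}

    def answer_challenge(self, session, answer, remember_device=False):
        """Steps 5-7: check the answer, note whether a cookie was requested, show the site key."""
        state = self.sessions.get(session)
        if state is None or state["verified"]:
            return None
        expected = self.accounts[state["user"]].challenges[state["question"]]
        if not hmac.compare_digest(expected.strip().lower().encode(), answer.strip().lower().encode()):
            return None
        state.update(verified=True, remember=remember_device)
        return {"session": session, **self.accounts[state["user"]].sitekey}

    def submit_password(self, session, password):
        """Steps 8-9: password only on a verified session; the cookie is issued only after it."""
        state = self.sessions.pop(session, None)
        if state is None or not state["verified"]:
            return None
        acct = self.accounts[state["user"]]
        if not hmac.compare_digest(acct.password_hash, _hash(password, acct.salt)):
            return None
        result = {"user": state["user"]}
        if state.get("remember"):
            result["cookie"] = secrets.token_urlsafe(24)
            self.device_cookies[result["cookie"]] = state["user"]
        return result


class LookAlikeSite(SiteKeyServer):
    """A phishing page that never enrolled the user and can only guess the site key."""

    def begin_login(self, user_id, cookie=None):
        return {"session": "fake", "image": "golden retriever", "caption": "my dog"}


def careful_client(server, user_id, password, expected_sitekey, answers, cookie=None, remember=False):
    """The user's half: withhold the password unless image AND caption match memory (step 7)."""
    page = server.begin_login(user_id, cookie)
    if "question" in page:
        page = server.answer_challenge(page["session"], answers.get(page["question"], ""), remember)
        if page is None:
            return {"status": "challenge failed"}
    if (page["image"], page["caption"]) != expected_sitekey:
        return {"status": "wrong site key, password withheld"}
    result = server.submit_password(page["session"], password)
    return {"status": "logged in", **result} if result else {"status": "bad password"}


def demo():
    """Constructed scenario: new machine, remembered machine, cookie without password, look-alike."""
    bank = SiteKeyServer()
    answers = {"What is your favorite pet?": "9/11/2001"}
    expected = ("fire-breathing dragon", "my mother-in-law")
    bank.enroll("gordon", "correct horse", *expected, answers)
    out = {}
    first = careful_client(bank, "gordon", "correct horse", expected, answers, remember=True)
    out["new_device"] = first["status"]
    cookie = first["cookie"]
    out["known_device"] = careful_client(bank, "gordon", "correct horse", expected, answers, cookie)["status"]
    out["relay_without_cookie_asks_question"] = "question" in bank.begin_login("gordon")
    out["cookie_without_password"] = careful_client(bank, "gordon", "guess", expected, answers, cookie)["status"]
    out["look_alike"] = careful_client(LookAlikeSite(), "gordon", "correct horse", expected, answers)["status"]
    return out
```

The point of the design is the ordering: the server will not even accept a password until the session has been verified by cookie or challenge answer, and it only mints a device cookie after a correct password, so a stolen cookie on its own gets an attacker nothing. The client side is where the scheme actually stands or falls, exactly as the post says: careful_client refuses to send the password when the image or caption differs, but a user who ignores the site key gets no protection from it.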


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.