TELECOM Digest OnLine - Sorted: Re: Are Major Banking Sites Insecure?

Re: Are Major Banking Sites Insecure?

Steven Lichter (
Sat, 22 Apr 2006 20:24:28 GMT

In article, Gordon Burditt at wrote on 4/21/06 16:10:

>> At issue are the user login areas that can be found on banking sites
>> such as and, which ask users to submit
>> their user ID and password information. Although these forms may be
>> encrypted, they do not use authentication technology to prove they are
>> genuine, according to Johannes Ullrich, chief research officer at the
>> SANS Institute.

>> A more secure approach would be to force users to log in on a HTTPS
>> (HyperText Transport Protocol Secure) Web page. HTTPS pages use the
>> SSL (Secure Sockets Layer) security protocol, which not only encrypts
>> the information on the page but also provides digital certificates to
>> give assurance that the Web site in question is genuine.

> SSL is an effective way of transmitting payment information securely to
> the thief operating a web site in such a way that the other thieves
> don't get the info first.

>> "If the login form is not HTTPS, you don't know if it's the real
>> thing," Ullrich said.

> If it's HTTPS, and you don't look at the certificate, you still don't
> know if it's the real thing. If you don't look at the certificate,
> you don't know it doesn't say: "Union of Nigerian Bank Fraud Artists,
> Third Pile of Money on the Left SUCKER, Nigerian Republic of Bank
> Fraud". I suspect just about anyone can get a real certificate if
> they use their real name on it, even if they are running a web site
> from inside a prison and freely admit it to Verisign. Saddam, have
> you applied for a certificate yet?

> If you don't pay attention to warnings about certificate authorities,
> I can make a certificate that looks just like a real bank certificate,
> and it will fool lots of people. However, it's more fun to make
> certificates for "Satan, Prince of Darkness", and few people will read
> it anyway. You do get a few browser warnings, however, I suspect a
> lot of people would click OK without thinking to a popup:

> You are about to install the Code Red Virus.
> Only an idiot would deliberately install a virus thinking
> it was anti-virus software. The install program will also
> drain your checking account and take your soul and first-born
> child. Install virus anyway?

>> Web pages that do not use this type of secure connection are
>> vulnerable to a type of attack known as DNS (Domain Name System)
>> spoofing, where attackers attempt to trick Web browsers into visiting
>> bogus Web sites.

> And if you don't read the certificates, you won't notice that you
> expected to be connected to Chased Bank and you're really connected to
> Henry's House of Hashish and Aftermarket Biological Weapons.

>> This type of attack is technically challenging, however, and hackers
>> generally find it far easier to trick users into giving up their user
>> names and passwords using phishing techniques, Ullrich said.

>> Though Bank of America allows customers to enter their online IDs on
>> the home page, they cannot submit passwords. The bank sends them to an
>> HTTPS page and uses a technology called SiteKey to confirm to
>> customers that they are at the legitimate Bank of America site before
>> they enter their passwords.

>> "We're committed to safeguarding customer information online and we
>> wouldn't do anything to compromise that security," Riess said.

> Bank of America has an interesting setup to avoid spoofing and
> man-in-the-middle attacks, and it involves the user a bit more. You
> set up an image (chosen from a set of what might be a few hundred), a
> caption, and some security questions and answers. (For example, I
> might select an image of a fire-breathing dragon, and caption it "my
> mother-in-law". I might also select a security question of "What is
> your favorite pet?" with the answer "9/11/2001". Of course, by
> choosing such wierd answers, I'd better remember the real answers as
> the question won't give much of a hint.)

> 1. You go to what is supposedly the login page.
> 2. You put in your ID (but not password)
> 3. If your computer has the BofA cookie on it for this account,
> skip to step 7
> 4. You are asked one of the security questions (I think an SSL page).
> 5. You answer it.
> 6. If your answer is correct, the web page offers to put a cookie on
> the computer you are using (but advises you not to if it's a public
> system).
> 7. You get a SSL page showing your selected image and the caption
> (Together, these are the site key.).
> You are advised *NOT* to enter your password if you don't see the
> correct site key. Enter your password.
> 8. You put in the password.
> 9. If it's correct, you're in, and the cookie from step 6 is added
> if requested.
> 10. You get the online banking page (SSL) for your account.

> If you usually log in from a small set of computers which by now have
> the cookie on them, you only do steps 1, 2, 7, 8, 9, and 10, and you
> should be suspicious of suddenly getting asked (for a
> man-in-the-middle attack) one of the security questions.

> Notes: if you refuse to accept cookies, you get asked the security
> question, but it still works. The cookie does NOT substitute for
> knowing the password.

> Although it's hardly foolproof, especially if the user isn't paying
> attention, it's different and it involves the user a bit more, so I
> think it's going to be more effective.

> Gordon L. Burditt

Our credit union started this option a few weeks ago, surprised me
since there was no warning, I found a member newsletter that had said
they were goin to start this. Also Walmart has it on their online
Pharmacy site to get into your account.

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: B. Wright: "Re: Are Major Banking Sites Insecure?"
Go to Previous message: Monty Solomon: "Google's China Problem (and China's Google Problem)"
May be in reply to: Robert McMillan: "Are Major Banking Sites Insecure?"
Next in thread: B. Wright: "Re: Are Major Banking Sites Insecure?"
TELECOM Digest: Home Page