US Banks: Training the next generation of phishing victims

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Oct 12 04:36:58 EDT 2005


Banks like Bank of America have taken some flak in the past for their awful
online banking security practices.  I was poking around their home page today
because I wanted some screenshots to use as examples of how not to do it and I
noticed the following incredible message, which appears when you click on the
tiny padlock icon next to the login dialog:

  Browser security indicators

  You may notice when you are on our home page that some familiar indicators
  do not appear in your browser to confirm the entire page is secure. Those
  indicators include the small "lock" icon in the bottom right corner of the
  browser frame and the "s" in the Web address bar (for example, "https").

  To provide the fastest access to our home page for all of our millions of
  customers and other visitors, we have made signing in to Online Banking
  secure without making the entire page secure. Again, please be assured that
  your ID and passcode are secure and that only Bank of America has access to
  them.

Yep, no need to worry about those silly browser security indicators, just hand
over your banking logon details to anything capable of displaying a Bank of
America logo on a web page.

(Another thing I noticed is that if you indicate that your logon state is WA
or ID, you get sent to an HTTPS page which asks for your SSN alongside your
name and password.  Anyone know what legal requirement is behind that?)

Amex is another example of this type of user training:

  Security is important to everyone!

  Please be assured that, although the home page itself does not have an
  "https" URL, the login component of this page is secure. When you enter your
  User ID and password, your information is transmitted via a secure
  environment, and once the login is complete, you will be redirected to our
  secure area.

Wachovia has:

  Browser security indicators

  You may notice when you are on our home page that some familiar indicators
  do not appear in your browser to confirm the entire page is secure. Those
  indicators include the small "lock" icon in the bottom right corner of the
  browser frame and the "s" in the Web address bar (for example, "https").

  To provide the fastest access to our home page, we have made signing in to
  Online Services secure without making the entire page secure. Again, please
  be assured that your ID and password are secure.

(hmm, their admins must have gone to the same security night school as the BoA
ones :-).

Can anyone who knows JavaScript better than I do figure out what the mess of
script on those pages is doing?  It looks like it's taking the username and
password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
it's a bit hard to follow what's going where.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
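The pattern the post describes, a login form on a plain-HTTP home page whose script posts the credentials to an HTTPS URL, is the thing an auditor wants to flag. The following is an added example written for this archive page, not code from the post or from any of the banks named in it: it scans a page's forms and classifies each password form by the protocol of the page it was served from as well as the protocol of its action URL. The sample markup and the `example-bank.test` host names are constructed for illustration, and the tag scanner is deliberately minimal (a real audit would walk the DOM). It assumes only the WHATWG `URL` class, which Node.js and every current browser provide.

```javascript
// Added example (not from the original post): classify password forms by
// whether the page that serves them, not just the URL they post to, is
// protected by TLS.  The bank home pages quoted above are the "mixed" case.

// Constructed sample of an HTTP home page whose login form posts to HTTPS.
// Not real bank markup; host names use the reserved .test TLD.
const SAMPLE_HOME_PAGE = `
<html><body>
<form id="login" action="https://login.example-bank.test/signin" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
</form>
<form id="search" action="/search" method="get">
  <input name="q" type="text">
</form>
</body></html>`;

// Minimal tag scanner, sufficient for the constructed sample above.
// Returns one record per <form>: its id, its raw action attribute, and
// whether it contains a password input.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const actionMatch = /\baction\s*=\s*"([^"]*)"/i.exec(attrs);
    const idMatch = /\bid\s*=\s*"([^"]*)"/i.exec(attrs);
    forms.push({
      id: idMatch ? idMatch[1] : null,
      action: actionMatch ? actionMatch[1] : "",   // missing action posts back to the page
      hasPassword: /<input\b[^>]*\btype\s*=\s*"password"/i.test(body),
    });
  }
  return forms;
}

// Classify a single form.  The point the post makes: a form delivered over
// plain HTTP can be altered before the user ever sees it, so an HTTPS action
// only protects against a passive eavesdropper, not against anyone who can
// change the page.  "mixed" is therefore a finding, not a pass.
function classifyForm(pageUrl, form) {
  const page = new URL(pageUrl);
  const target = new URL(form.action || "", page);  // resolve relative actions
  const pageSecure = page.protocol === "https:";
  const targetSecure = target.protocol === "https:";
  if (!form.hasPassword) return "no-credentials";
  if (pageSecure && targetSecure) return "secure";
  if (!pageSecure && targetSecure) return "mixed";   // HTTP page, HTTPS action
  return "insecure";                                 // credentials sent in the clear
}

// Audit every form on a page and return an id/verdict list.
function auditPage(pageUrl, html) {
  return extractForms(html).map((f) => ({ id: f.id, verdict: classifyForm(pageUrl, f) }));
}

// Stand-alone run: node audit_forms.js
console.log(JSON.stringify(auditPage("http://www.example-bank.test/", SAMPLE_HOME_PAGE)));
```

Run against the constructed sample, the `login` form is reported as `mixed` and the `search` form as `no-credentials`. A browser visiting the real thing would show exactly the symptoms the quoted notices apologise for: no padlock and no "https" in the address bar, because the page itself was never authenticated.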