AmEx unprotected login site
Steven M. Bellovin
smb at cs.columbia.edu
Wed Jun 8 19:28:16 EDT 2005
In message <8764woh2r2.fsf at snark.piermont.com>, "Perry E. Metzger" writes:
>
>"Steven M. Bellovin" <smb at cs.columbia.edu> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly sent you an
>>>altered version of the page.
>>
>> They're doing the wrong thing, and probably feel they have no choice.
>> Setting up an SSL session is expensive; most people who go to their
>> home page do not log in, and hence do not (to Amex) require
>> cryptographic protection.
>
>That's why Citibank and most well run bank sites have you click on a
>button on the front page to go to the login screen. There are ways to
>handle this correctly.
There's an attack there, too -- one can divert the link to the login
screen.
>
>The other major offender are organizations (such as portions of
>Verizon) that subcontract payment systems to third parties. They are
>training their users to expect to be directed to a site they don't
>recognize to enter in their credit card information. "Really! This is
>your vendor's payment site! Pay no attention to the URL and
>certificate!"
>
>That one in particular takes amazing brains...
>
It's a tough problem: they want to outsource the payment processing,
but don't have the infrastructure to do so properly.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list