AmEx unprotected login site

Perry E. Metzger perry at piermont.com
Wed Jun 8 21:16:03 EDT 2005


"Steven M. Bellovin" <smb at cs.columbia.edu> writes:
>>That's why Citibank and most well run bank sites have you click on a
>>button on the front page to go to the login screen. There are ways to
>>handle this correctly.
>
> There's an attack there, too -- one can divert the link to the login 
> screen.

Certainly, but at least then, the URL and the certificate won't point
at Amex (or whomever). If you train your users properly, then they can
avoid trouble even then.

In the current case, by the time you see that there is a problem, it
is too late. Furthermore, you're training your users to engage in a
bad behavior. This is no different than Microsoft training their users
to mindlessly open .exe files for years and years, only to reap the
whirlwind when email viruses came along.

The right behavior to encourage for people is "never enter in your
userid and password for an important account on a page that you don't
trust". They're training people to do the opposite.

>>The other major offender are organizations (such as portions of
>>Verizon) that subcontract payment systems to third parties. They are
>>training their users to expect to be directed to a site they don't
>>recognize to enter in their credit card information. "Really! This is
>>your vendor's payment site! Pay no attention to the URL and
>>certificate!"
>>
>>That one in particular takes amazing brains...
>>
> It's a tough problem: they want to outsource the payment processing, 
> but don't have the infrastructure to do so properly.

They could delegate a "payments.verizon.com" DNS entry and hand the
processor a "payments.verizon.com" certificate, with an expiry date
quite similar to the date when their contract is up for renewal.

I'd like to make my position on one thing here really clear, by the
way.

Since when is it considered acceptable to slack on fiduciary
responsibility on the excuse that it is annoying and requires effort?
No one would accept a bank saying "accounting is boring, and hard to
do right, so we aren't going to keep track of your balance very well
any more." No one would accept "we've decided that paying for a proper
vault is expensive, so we're keeping your safe deposit box in the men's
room." How is proper network security any different? This is a
BANK. Keeping your money secure is what they are paid to do!

Yes, it takes thought, planning, and some skill to have online
security for a financial institution, but no one is obligated to own
or run a bank. If you run a mortuary, you will have to deal with
corpses. If you run a bank, you have to be mindful of security in
handling money.

As for merchants like Verizon, there is really no excuse for
being unable to figure out how to process online credit
card payments safely, whether on their own or through a contractor. No
one obligates them to be in business, but if they're going to be, they
have a duty to do things like keeping accurate customer accounts,
paying their taxes, keeping track of who their shareholders are, and,
yes, making sure that they deal with credit card acceptance
non-hazardously. I know it is all a pain in the ass, but if one wants
an easier life, one should be a subsistence farmer instead of a
multinational corporation.

Sure, I'd love not to have to deal with the annoying things I have to
deal with, and I'd love not to have to pay my mortgage on time, and
I'd love a pony and a mountain of gold. I'm an adult, though, so I
accept that I can't have everything I want and I need to fulfill my
obligations. Are we to expect less of AMERICAN EXPRESS? Of VERIZON?
That's a non-starter as far as I'm concerned. If you want to have
a life of excuses, you don't get to play with the grownups.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


