AmEx [add: and other] unprotected login site

Amir Herzberg herzbea at macs.biu.ac.il
Thu Jun 9 03:24:59 EDT 2005


Perry: I share your feelings in this matter, great message (but I made 
some comments, see below). I'd appreciate the relevant Verizon URL so 
I can add them to the Hall of Shame. Notice I already have several banks 
there, including Chase (which you also mentioned), and brokers, 
including CitiGroup's SmithBarney... And security companies including MS 
Passport and EquiFax... More examples welcome (I'll also add 
`contributors` gladly). Thanks, Amir

Perry E. Metzger wrote:
> "Steven M. Bellovin" <smb at cs.columbia.edu> writes:
> 
>>>That's why Citibank and most well run bank sites have you click on a
>>>button on the front page to go to the login screen. There are ways to
>>>handle this correctly.
>>
>>There's an attack there, too -- one can divert the link to the login 
>>screen.
> 
> Certainly, but at least then, the URL and the certificate won't point
> at Amex (or whomever). If you train your users properly, then they can
> avoid trouble even then.

Agreed. SSL is designed to protect against a MITM attacker, not a mere 
eavesdropper (for protecting only against eavesdroppers, we don't need 
certificates, DH would suffice, right?). Indeed, current browser 
security indicators are terrible, but that's why we do all this work on 
secure usability, resulting in improved indicators (our TrustBar, and 
a host of others by now; every competent security person should use one 
and take care it's doing a good job and not violating privacy). I firmly 
hope and believe this will soon be adopted by browsers; the IE people 
essentially told me they will, and some new browsers (NS, Opera) have 
already improved to some extent.
> 
> In the current case, by the time you see that there is a problem, it
> is too late. Furthermore, you're training your users to engage in a
> bad behavior. This is no different than Microsoft training their users
> to mindlessly open .exe files for years and years, only to reap the
> whirlwind when email viruses came along.

Well, of course, Microsoft are also training their users to enter 
passwords into unprotected login pages, just like Amex - see the entry 
for MS Passport in the Hall of Shame... And btw, I had a long dialog 
with an exec in MS about it, and she actually _agreed_ and promised to 
fix it long ago; I'll ask her again how come nothing happens...
> 
> The right behavior to encourage for people is "never enter in your
> userid and password for an important account on a page that you don't
> trust". They're training people to do the opposite.
> 
>>>The other major offender are organizations (such as portions of
>>>Verizon) that subcontract payment systems to third parties. They are
>>>training their users to expect to be directed to a site they don't
>>>recognize to enter in their credit card information. "Really! This is
>>>your vendor's payment site! Pay no attention to the URL and
>>>certificate!"
>>>
>>>That one in particular takes amazing brains...
Examples will be added to the Hall of Shame...
>>>
>>
>>It's a tough problem: they want to outsource the payment processing, 
>>but don't have the infrastructure to do so properly.
> 
> 
> They could delegate a "payments.verizon.com" DNS entry and hand the
> processor a "payments.verizon.com" certificate, with an expiry date
> quite similar to the date when their contract is up for renewal.
> 
> I'd like to make my position on one thing here really clear, by the
> way.
> 
> Since when is it considered acceptable to slack on fiduciary
> responsibility on the excuse that it is annoying and requires effort?
> No one would accept a bank saying "accounting is boring, and hard to
> do right, so we aren't going to keep track of your balance very well
> any more." No one would accept "we've decided that paying for a proper
> vault is expensive, so we're keeping your safe deposit box in the men's
> room." How is proper network security any different? This is a
> BANK. Keeping your money secure is what they are paid to do!

Absolutely, and I've also confirmed this with a few lawyers...
> 
> Yes, it takes thought, planning, and some skill to have online
> security for a financial institution, but no one is obligated to own
> or run a bank. If you run a mortuary, you will have to deal with
> corpses. If you run a bank, you have to be mindful of security in
> handling money.
> 
> As for merchants like Verizon, there is really no excuse for
> being unable to figure out how to process online credit
> card payments safely, whether on their own or through a contractor. No
> one obligates them to be in business, but if they're going to be, they
> have a duty to do things like keeping accurate customer accounts,
> paying their taxes, keeping track of who their shareholders are, and,
> yes, making sure that they deal with credit card acceptance
> non-hazardously. I know it is all a pain in the ass, but if one wants
> an easier life, one should be a subsistence farmer instead of a
> multinational corporation.
> 
> Sure, I'd love not to have to deal with the annoying things I have to
> deal with, and I'd love not to have to pay my mortgage on time, and
> I'd love a pony and a mountain of gold. I'm an adult, though, so I
> accept that I can't have everything I want and I need to fulfill my
> obligations. Are we to expect less of AMERICAN EXPRESS? Of VERIZON?
> That's a non-starter as far as I'm concerned. If you want to have
> a life of excuses, you don't get to play with the grownups.
> 
> Perry
> 

-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
