AmEx unprotected login site

Perry E. Metzger perry at piermont.com
Thu Jun 9 09:25:19 EDT 2005


"R. Hirschfeld" <ray at unipay.nl> writes:
>> From: "Perry E. Metzger" <perry at piermont.com>
>> Date: Wed, 08 Jun 2005 19:01:37 -0400
>
>> The other major offender are organizations (such as portions of
>> Verizon) that subcontract payment systems to third parties. They are
>> training their users to expect to be directed to a site they don't
>> recognize to enter in their credit card information. "Really! This is
>> your vendor's payment site! Pay no attention to the URL and
>> certificate!"
>> 
>> That one in particular takes amazing brains...
>
> For Verizon maybe, but there are plenty of Mom and Pop internet
> merchants for which it is arguably more secure to do it this way.  The
> merchant never sees the customer's payment information and thus
> needn't know how to properly protect it, and one-time shoppers may not
> know/trust the merchant anyway.  If the redirect is from a secure
> merchant site to a secure payment provider site, and the merchant site
> informs users where they will be redirected, is this so bad?

If the merchant site is secured by SSL, and prominently says that you
will be redirected to a given provider, it is perhaps not so bad in
theory. However, in practice, this fails the "simple rules my mom can
follow" test. I'd rather that they hand a short term cert and DNS
delegation to their processing partner.

What I want to be able to do is tell my mom something dead simple,
like "never enter your username and password or credit card
information unless the web page is the one you are expecting, and it
has the "lock icon" in the corner and the lock icon doesn't look like
someone was faking it."

Now, we face two major problems here.

1) Every complication you add on top of that means that you're
training lots and lots of very naive users to do things that are
potentially unsafe. Training users to expect to do unsafe things (like
what Amex or what Verizon are doing) is bad, because then they won't
notice in the future when they are asked to do something unsafe by a
bad guy. 

Fidelity, to my mind, is a model of good user training. They have a
set of very good web pages (see
http://personal.fidelity.com/accounts/services/findanswer/content/security/minimize_risk.shtml
and others) that give users excellent advice on never entering
passwords on pages that didn't arrive encrypted, never emailing
personal information, etc. They allow customers to avoid ever exposing
social security numbers to customer service reps, encourage users to
use those services, etc. Their login page itself comes SSL
encrypted. There may be other security problems they have, but
encouraging users to do unsafe things isn't one of them.

Now, here they (and I and others) go, trying hard to educate users
about what the right thing is, and others go around forcing users to
do the wrong thing just to get their day to day business done! After a
while, people's defenses drop because they're being constantly trained
to do the wrong thing.

2) The other issue is that the browser accepts certs from so many CAs,
many of which have effectively no security. There are ways to fix this
long term, but that is a whole separate discussion.

-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com