AmEx unprotected login site

Ben Laurie ben at algroup.co.uk
Thu Jun 9 09:48:16 EDT 2005


Perry E. Metzger wrote:
> Ben Laurie <ben at algroup.co.uk> writes:
> 
>>Perry E. Metzger wrote:
>>
>>>"Steven M. Bellovin" <smb at cs.columbia.edu> writes:
>>>
>>>
>>>>>They're still doing the wrong thing. Unless the page was transmitted
>>>>>to you securely, you have no way to trust that your username and
>>>>>password are going to them and not to someone who cleverly sent you an
>>>>>altered version of the page.
>>>>
>>>>They're doing the wrong thing, and probably feel they have no
>>>>choice.  Setting up an SSL session is expensive; most people who go
>>>>to their home page do not log in, and hence do not (to Amex)
>>>>require cryptographic protection.
>>>
>>>That's why Citibank and most well run bank sites have you click on a
>>>button on the front page to go to the login screen. There are ways to
>>>handle this correctly.
>>
>>Why is this better? The button you click can just as easily take you
>>to a site other than the one intended.
> 
> 
> When I go to the SSL protected page, I can look at the URL and the
> lock icon in the corner before typing in my password. When you type in
> your password BEFORE the SSL connection, by the time you realize that
> it went to the wrong place, it is way too late.
> 
> I admit that not everyone will check the URL and the lock icon, but at
> least it is *possible* to train people to do the right thing on
> that. There is no way, effectively, to train people to be safe given
> the way that Amex is set up.

But even if you have seen the lock and the URL, you are still vulnerable 
to homograph attacks and simply names that look right but aren't. I 
notice that AmEx have registered a _lot_ of names to make this hard, but 
even they don't win, for example:

$ whois americanexpresscard.co.uk

     Domain Name:
         americanexpresscard.co.uk

     Registrant:
         Lantec Corporation

     Registrant's Address:
         8 Copthall
         Roseau
         Commonwealth of Dominica
         00152
         DM

Oops.

Cheers,

Ben.

-- 
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
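A defender-side check for the look-alike problem Ben raises, added here as an example and not part of the original thread: it reduces a domain's registrable label to an ASCII skeleton so homographs collide with the brand, then flags brand names buried in longer labels (the americanexpresscard.co.uk case) and one-character typos. The brand list, allowlist and confusables table are constructed for the example; a real deployment would use the full Unicode confusables data and the Public Suffix List.

```python
import unicodedata
from typing import Optional
# Constructed allowlist: domains the brand owner actually controls.
LEGIT_DOMAINS = {"americanexpress.com", "americanexpress.co.uk", "amex.com"}
BRAND_LABELS = ("americanexpress", "amex")  # longest first

# Constructed subset of Unicode confusables (Cyrillic look-alikes, digits) -> ASCII.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0455": "s", "\u0456": "i", "1": "l", "0": "o", "\u00e9": "e"}

def skeleton(label: str) -> str:
    """Map a DNS label to an ASCII skeleton so visual look-alikes collide."""
    if label.startswith("xn--"):                       # IDN label: decode punycode first
        label = label[4:].encode("ascii").decode("punycode")
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return label.replace("rn", "m").replace("vv", "w")  # multi-character look-alikes

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    # Label left of the public suffix; simplified, a real tool consults the PSL.
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac"}:
        return labels[-3]
    return labels[-2]

def classify(domain: str) -> Optional[str]:
    """Explain how `domain` resembles a protected brand, or None if it does not."""
    if domain.lower().rstrip(".") in LEGIT_DOMAINS:
        return None
    reg = registrable_label(domain)
    sk = skeleton(reg)
    for brand in BRAND_LABELS:                         # exact skeleton collisions first
        if sk == brand:
            return f"homograph of {brand}" if reg != brand else f"{brand} on an unlisted suffix"
    for brand in BRAND_LABELS:                         # brand embedded in a longer name
        if brand in sk:
            return f"contains {brand}"
    for brand in BRAND_LABELS:                         # one-character typo-squats
        if levenshtein(sk, brand) <= 1:
            return f"within edit distance 1 of {brand}"
    return None
```

Running classify over newly observed certificate-transparency or passive-DNS names gives a triage queue; the whois step Ben performs by hand is then only needed for the hits.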