US Banks: Training the next generation of phishing victims

Sidney Markowitz sidney at sidney.com
Wed Oct 12 16:14:38 EDT 2005


Peter Gutmann wrote:
> (hmm, their admins must have gone to the same security night school as the BoA
> ones :-).

I don't understand how big companies can be willing to send their
customers through multilayer telephone menu hell just to be put on hold
for 20 minutes, but think that it is unacceptable to have to click a
"Secure Online Banking" button on the home page before entering their id
and password. As you have pointed out, the latter seems to be the
standard for banks outside the US, and I'm sure it works for them.

It looks like they are all getting their web sites from the same
Hack-In-A-Box. I just checked out my credit union in the US that used to
be an example of doing things right so I could say something nice about
them here, but it appears that their online management have also been
replaced by the same pod people since I last had a reason to do online
transactions with them.

When I entered the http://www.bayfed.org URL that I'm familiar with, the
first thing that happened was an immediate and invisible redirect to
http://www.bayfed.com. Ok, maybe they finally bought that domain and
decided to standardize on it. The behavior I remember it having a couple
of years ago was an immediate redirect to https://www.bayfed.org.

There on the home page is a form to enter my member number and password
and a login button. Next to it is a turquoise padlock icon labeled
"security advisory". The word "advisory" led me to think, "Aha,
they've succumbed to the dark side under management pressure, but at
least they are going to warn me that this is not really secure and if I
want to prevent any phishing attack I should do something like click on
the login button without entering my information, then actually enter on
the secured site".

Nope. Hovering the mouse over the icon tells me that they secure their
transactions using 128-bit SSL and I can get more information by
clicking on the icon. Clicking it brings up a page saying... Yes, the
same pod people wrote their web site:

"Online Security Policy

You may notice when you are on our public web site that some familiar
indicators do not appear in your browser to confirm the entire page is
secure. These indicators include the small "padlock" icon in your
browser's status area and the "https" prefix in the Address bar. To
provide all of our users with the fastest and most responsive possible
access to our web site, we have chosen to make the process of signing in
to Online Banking secure without unnecessarily securing any additional
pages on the public web site. Again, please be assured that your member
number, password and other information are secure, and that Bay Federal
alone has access to them: only public, non-sensitive web pages will
remain unsecured, while any page that collects or reveals your sensitive
personal information will continue to be handled with the strictest
available security measures."

Hmm, one difference from the BoA and Wachovia examples is that this is
under the heading "Security Policy". It can be argued that their
unsecured home page, which collects a member number and password,
violates the portion of the policy that says "only public, non-sensitive
web pages will remain unsecured, while any page that collects or reveals
your sensitive personal information will continue to be handled with the
strictest available security measures".

By the way, it does get worse. https://www.bayfed.org gives me a warning
about a certificate that expired over a year ago, then when I accept it
redirects me to the unsecured http://www.bayfed.com. Clicking on the
login button on the home page without entering my ID and password does
not take me to a secured page that gives me a chance to log in securely
-- just a page that says that the ID and/or password are not valid, with
no exit other than the browser back button. So there appears to be no
way to get to an SSL secured login page even if I wanted to. Well, there
is a way. If I notice the URL of the invalid user error page I can guess
that https://ebanking.bayfed.com/ might work, and indeed it does present
a login page. Thanks, BayFed.

 -- Sidney Markowitz
    http://www.sidney.com
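An added audit check that is not part of Sidney's post or of any bank's code: it captures the two conditions the post describes, a password form served from a plain http:// page (even when the form itself posts to https://), and a redirect chain that steps from https back to http. The HTML and the example.test URLs below are constructed placeholders, not the real site, and the function names are this example's own.

```python
"""Audit a fetched page for login forms on unencrypted pages and for
https -> http downgrades in a redirect chain. Offline: the input is a
constructed HTML snippet, not a live fetch."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>, its action, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that contains a password field."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_url = urljoin(page_url, form["action"])   # resolve relative actions
        findings.append({
            "action": action_url,
            "page_over_https": page_scheme == "https",
            "submits_over_https": urlsplit(action_url).scheme == "https",
        })
    return findings


def classify(finding):
    """Rank a finding: clear-text submission is worse than a form on an
    unencrypted page that at least posts to https."""
    if not finding["submits_over_https"]:
        return "credentials sent in clear"
    if not finding["page_over_https"]:
        return "login form served on unencrypted page"
    return "ok"


def downgrade_in_chain(urls):
    """Given the URLs visited during a redirect chain, return the index of the
    first hop that drops from https to http, or None if there is no downgrade."""
    for i in range(1, len(urls)):
        if urlsplit(urls[i - 1]).scheme == "https" and urlsplit(urls[i]).scheme == "http":
            return i
    return None


# Constructed sample resembling the home page described in the post: a harmless
# search form plus a member-number/password form that posts to an https host.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="https://ebanking.example.test/login" method="post">
  <input name="member" type="text">
  <input name="password" type="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_login_forms("http://www.example.test/", SAMPLE_HTML):
        print(f["action"], "->", classify(f))
    chain = ["https://www.example.test/", "http://www.example.test/"]
    print("downgrade at hop", downgrade_in_chain(chain))
```

The check only parses markup and URLs, so it works on a saved copy of a page; to audit a live site, record the URLs your HTTP client visits while following redirects and pass that list to `downgrade_in_chain`.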

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
