US Banks: Training the next generation of phishing victims

Stephan Neuhaus neuhaus at st.cs.uni-sb.de
Thu Oct 13 02:32:35 EDT 2005


Peter Gutmann wrote:
> Banks like Bank of America have taken some flak in the past for their awful
> online banking security practices.  [...]

For an example of how you can do it well and still have a well-designed 
user interface, consider SaarLB (http://www.saarlb.de).  The homepage is 
unencrypted.  In the lower right-hand corner there is a box 
"Online-Banking" that even has a demo account so that you can try online 
banking before getting an account with them (I consider this a great 
idea).  That leads to an encrypted page containing the login text boxes.

The banking pages have an online glossary where you can enter words that 
you don't understand, such as "Zertifikat", "Schlüssel" (key) etc. and 
get them explained to you.

The login page also has this hint:

"Derzeit sind betrügerische Mails im Umlauf! Folgen Sie nicht dem Link. 
Geben Sie dort keine Daten ein. Bitte beachten Sie unsere 
Sicherheitshinweise und wenden sich im Zweifelsfall persönlich an Ihren 
Kundenberater."

(Translation: "We know of fraudulent emails being sent!  Do not follow 
the link.  Don't enter any data.  Please follow our security notices; 
when in doubt, contact your customer consultant personally.")

The security notice has well-written sections on how PIN/TAN 
authentication/authorization works (including how to set a limit on 
remittances in order to limit any damage), how to configure your browser 
(including how to turn off Java and JavaScript, a recommendation not to 
let the browser save your password, how to clear the cache, and how, 
why, and when to enable cookies), how to check the certificate 
fingerprint(!), how to recognize phishing, why traffic analysis is still 
possible, even with encryption, etc.  In particular, it contains the 
following hint:

"Sollte Ihr Browser bei einem Verbindungsaufbau mit dem 
Online-Banking-Server in einer Warnmeldung darauf hinweisen, dass ein 
Schlüssel nicht erfolgreich überprüft werden konnte, wählen Sie 
unbedingt "Abbrechen", denn ein sicherer Verbindungsaufbau zu dem 
Rechner unseres Institutes ist in diesem Fall nicht mehr gewährleistet. 
Nehmen Sie in diesem Fall bitte Kontakt mit uns auf."

(Translation: "Should your browser warn you that the key couldn't be 
certified, always choose "Cancel", because in this case, a secure 
connection to one of our servers couldn't be established.  In this case, 
please contact us.")

This has a picture of a security warning with the mouse on "Abbrechen" 
("Cancel").

Once you log out, you get a window containing this message:

"Sicherheitshinweis:
Aus Sicherheitsgründen empfehlen wir Ihnen, das Browserfenster zum Ende 
der Nutzung unserer Internetseiten zu schließen und nicht für den Besuch 
weiterer Seiten im Internet zu verwenden.
Dieser Hinweis gilt insbesondere dann, wenn Sie das Online-Banking nicht 
von zu Hause, sondern von einem öffentlichen Ort aus nutzen (z.B. 
Arbeitsplatz, Internet-Café)."

(Translation: "Security Notice: For security reasons, we recommend that 
you close your browser window once you have finished using our internet 
pages.  Please don't re-use this browser window for further browsing. 
This hint is applicable especially if you use our online banking not 
from your home, but from a public place, such as your workplace or an 
internet cafe.")

All in all, I think this is just about as good as you can do it. 
Technically, customers are as secure as they can be using https, 
PIN/TAN, and current browser technology, while still having a reasonably 
hassle-free UI.  And the bank at least makes an attempt to educate its 
customers as to best security practices.

Fun,

Stephan

PS: Since I'm usually bitching about things, you might legitimately 
wonder if I had something to do with the bank's web site.  The answer is 
no, I had nothing to do with it.  I don't even know who did it.  But 
perhaps I should find out.