"Free WiFi" man-in-the-middle scam seen in the wild.

Perry E. Metzger perry at piermont.com
Tue Jan 23 09:24:30 EST 2007

For years, I've complained about banks, such as Chase, which let
people type in the password to their bank account into a page that has
been downloaded via http: instead of https:.

The banks always say "oh, that's no problem, because the password is
posted via https:", and I say "but that's only if the page comes from
*you*, and it might come from a bad guy."

"How would someone possibly send the user a faked up web page?" they
then ask. I reply like this "the two obvious ways are DNS cache
contamination and doing a man-in-the-middle in the network, and the
latter is really easy now that people trusting WiFi base stations in
strange places that they've never used before. You could just put a
tiny box near a cafe or airport lounge and siphon off passwords day
and night."

The bank people then tell me that I'm crazy. (They're usually more
polite than that, but that's the import of what they say.) I have a
great letter from a manager at Chase informing me that they've been
assured by fabulous security people that their system is safe.

Adding insult to injury, the banks put a little padlock GIF on their
insecure form, probably to reduce the number of phone calls they get
about it.

Well, guess what. It turns out that people are now deploying
man-in-the-middle WiFi devices in places like airports and siphoning
passwords for bank accounts.

Who would have thought of such a nefarious thing? Certainly this is a
new problem and one no would have thought of it before now...:

   January 19, 2007 (Computerworld) -- The next time you're at an airport
   looking for a wireless hot spot, and you see one called "Free Wi-Fi"
   or a similar name, beware -- you may end up being victimized by the
   latest hot-spot scam hitting airports across the country.

   You could end up being the target of a "man in the middle" attack, in
   which a hacker is able to steal the information you send over the
   Internet, including usernames and passwords. And you could also have
   your files and identity stolen,[...]


(Incidently, the article gets a few things wrong. It somewhat implies
that you are safe if you pick a WiFi network you have a previous
relationship with, which isn't true.)

Just to pick on my favorite exemplar of how not to do things for a
moment, go over to:


and ponder how it could be that a giant multinational financial
institution could set its customers up this way.

If you go over to, say, www.fidelity.com, you will find that you can't
even get to the http: version of the page any more -- you are always
redirected to the https: version. For the record, Fidelity has gotten
this right for as long as I've been watching them.

Now you might wonder, why do I keep picking on Chase?

A certain other security person and I had an extended argument with
the folks at another company I won't name other than to say that it was
American Express. At the time, they more or less said, "yah, this is a
problem, but fixing it is going to be a pain." However, I'll note that
now, as with Fidelity, you pretty much can't go onto their web site
without using https: -- kudos to Amex.

Indeed, though this was all a major problem a couple of years ago with
many banks, many have now fixed it. However, for a select few, like,
say, Chase, the message simply isn't getting through even though these
organizations have been repeatedly informed that they are leaving
their customers vulnerable. One wonders what level of trouble they're
going to have to get into before they actually do the right thing.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list