"Free WiFi" man-in-the-middle scam seen in the wild.

Derek Atkins warlord at MIT.EDU
Tue Jan 23 09:44:27 EST 2007


Quoting "Perry E. Metzger" <perry at piermont.com>:

> Now you might wonder, why do I keep picking on Chase?
>
> A certain other security person and I had an extended argument with
> the folks at another company I won't name other than to say that it was
> American Express. At the time, they more or less said, "yah, this is a
> problem, but fixing it is going to be a pain." However, I'll note that
> now, as with Fidelity, you pretty much can't go onto their web site
> without using https: -- kudos to Amex.
>
> Indeed, though this was all a major problem a couple of years ago with
> many banks, many have now fixed it. However, for a select few, like,
> say, Chase, the message simply isn't getting through even though these
> organizations have been repeatedly informed that they are leaving
> their customers vulnerable. One wonders what level of trouble they're
> going to have to get into before they actually do the right thing.

I'll just point out that you CAN go to:

  https://chaseonline.chase.com/

And that works, and should be secure.   No, it's not the same as
typing "chase" into your browser and having the right thing happen,
but honestly this is what browser caches are for.  (When I type "chase"
into my browser bar it autocompletes to the above URL).

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


