"Free WiFi" man-in-the-middle scam seen in the wild.

Matthias Bruestle mbruestle at masktech.de
Tue Jan 23 10:00:11 EST 2007


Perry E. Metzger wrote:
> For years, I've complained about banks, such as Chase, which let
> people type in the password to their bank account into a page that has
> been downloaded via http: instead of https:.
> The banks always say "oh, that's no problem, because the password is
> posted via https:", and I say "but that's only if the page comes from
> *you*, and it might come from a bad guy."

A German bank had the same problem. After some discussions without
positive results I wrote an article about SSL problems for a large
German IT magazine and described their situation. A short time after,
they changed the login page to https.


Matthias Bruestle, Managing Director
Phone +49 (0) 91 19 55 14 91, Fax +49 (0) 91 19 55 14 97
MaskTech GmbH, Nordostpark 16, 90411 Nuernberg, Germany

The Cryptography Mailing List