On Thu, 29 Aug 2019 13:33:26 -0400 Lee via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> That it isn't my financial institution. Hopefully I'd have the
> presence of mind to save the fraud site cert, but I'd either find the
> business card of the person I've been dealing with there or find an
> old statement, call and ask to be transferred to the fraud dept.

I commend this presence of mind.

> Same deal if the displayed info ends with (US) but doesn't match what
> I'm expecting, except I'd be asking the fraud dept about the name
> change instead of telling them.

Perhaps American banks are much better about this than those I've handled, but certainly here in the UK "expecting" is tricky for ordinary customers.

As a domain expert I know why my good bank says:

first direct (HSBC Bank plc) (GB)

... but I won't be surprised if many of their customers didn't know they're technically part of the enormous HSBC.

NS&I's certificate spells their name out. Unfortunately their name is quite long, which is why they prefer the abbreviation, so my browser shows:

National Savings and Investme... (GB)

... but it would be perfectly legal to set up businesses with different names that truncate exactly the same as this.

My mother banks with Halifax. Again I understand why, but I suspect she'd be astonished if she stopped to read that it says:

Lloyds Banking Group PLC (GB)

... in fact her bank is part of a larger group under a different name and they didn't bother to get certificates that mention Halifax at all.

> I understand that ev certs aren't a panacea, but for the very few web
> sites that I really care about I like having the company name
> displayed automatically. I think they're helpful and, since I use
> bookmarks instead of email links or search results, provide an
> adequate assurance that I've actually ended up on the web site I want.
> Is that an incorrect assumption? What more should I be doing?

The implication of the UI change is that you needn't bother trying to guess whether the Company Name is what you expected; if you are visiting the bookmark for your bank (credit union, card issuer, whatever), that will be your bank. As you have seen in this thread, some people don't agree, but I endorse this view.

In a broader picture, there isn't much you should bother trying to do; the onus is largely on the bank. You could try to use countermeasures they provide, e.g. per-account images to reassure you that they know who you are before you complete login, but they're pretty likely to get rid of them or change to new ones on a whim, so it's scarcely worth it.

If you _work_ for such an institution, the best thing you could do to protect your customers against phishing, a very popular attack that TLS is often expected to mitigate, is offer WebAuthn. Unfortunately the FIDO tokens to enable WebAuthn are not cheap, making the idea of just mailing one to every customer prohibitive. But certainly it could make sense to offer this to High Net Worth Individuals or just let customers use their own tokens if they want to.

Nick.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
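The truncation problem Nick describes (two distinct legal names rendering to the same "Organisation (Country)" indicator) can be reproduced from the certificate subject alone. The example below is added here and is not code from the thread or from any browser; the subject DNs are constructed, the lookalike organisation name is hypothetical, and the 29-character display width is an assumption chosen to match the truncation shown in the message.

```python
"""Build the EV "Organisation (Country)" indicator from an X.509 subject DN
and show how display truncation lets different legal names look identical."""
import re

# Constructed subject DNs in RFC 4514 string form. The "lookalike" name is
# hypothetical and exists only to demonstrate the truncation collision.
SUBJECTS = {
    "nsandi": r"CN=www.nsandi.com,O=National Savings and Investments,C=GB",
    "lookalike": r"CN=www.example.test,O=National Savings and Investment Brokers Ltd,C=GB",
    "halifax": r"CN=www.halifax.co.uk,O=Lloyds Banking Group PLC,C=GB",
}

def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 DN string into {attribute: value}.
    A backslash-escaped comma inside a value does not split the RDN."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = re.sub(r"\\(.)", r"\1", value.strip())
    return attrs

def ev_indicator(dn: str, width: int = 29) -> str:
    """Mimic the browser EV chrome: O cut to `width` characters (assumed
    width; a real browser picks it from the available space), then (C)."""
    attrs = parse_dn(dn)
    org, country = attrs.get("O", "?"), attrs.get("C", "?")
    if len(org) > width:
        org = org[:width] + "..."
    return f"{org} ({country})"

def collides(dn_a: str, dn_b: str, width: int = 29) -> bool:
    """True when two different subjects render to the same indicator text,
    i.e. the UI cannot distinguish them even though the certificates differ."""
    return (parse_dn(dn_a) != parse_dn(dn_b)
            and ev_indicator(dn_a, width) == ev_indicator(dn_b, width))

if __name__ == "__main__":
    for name, dn in SUBJECTS.items():
        print(f"{name:10} -> {ev_indicator(dn)}")
    print("collision:", collides(SUBJECTS["nsandi"], SUBJECTS["lookalike"]))
```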