Re: US Banks: Training the next generation of phishing victims
I probably wasted more time than anybody on this crazy topic, and in particular:

1. I keep a `Hall of Shame` site of such unprotected login pages (it even got me a DigiCrime title: Inter-Net Fraud League Commissioner!).

2. With others, we develop TrustBar, an improved security indicator toolbar for FireFox, which also tries to protect users of unprotected login pages, e.g. by automatically redirecting to protected pages when found.

Some results/observations:

1. Few companies that had a dialog with me said their marketing/site design folks insist on login via the homepage, claiming this is so much better for consumers compared to a separate login page. I see this as a very, very extreme case of `usability beats security`.

2. The same companies also claimed that using SSL on the homepage is too much overhead. Extreme case of `performance beats security`.

3. One company responded (to my warning about their unprotected login and the fact that I'm going to add them to the `hall of shame`) with legal threats. Typical case of `pay lawyers a lot, to avoid doing things right`.

4. One company sent me coupons for free trades. Rare example, I'm afraid...

--
Best regards,
Amir Herzberg
Associate Professor, Department of Computer Science, Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: US Banks: Training the next generation of phishing victims
Peter Gutmann wrote:

> Banks like Bank of America have taken some flak in the past for their awful
> online banking security practices. [...]

For an example of how you can do it well and still have a well-designed user interface, consider SaarLB (http://www.saarlb.de). The homepage is unencrypted. In the lower right-hand corner there is a box "Online-Banking" that even has a demo account so that you can try online banking before getting an account with them (I consider this a great idea). That leads to an encrypted page containing the login text boxes.

The banking pages have an online glossary where you can enter words that you don't understand, such as "Zertifikat", "Schlüssel" (key) etc. and get them explained to you.

The login page also has this hint: "Derzeit sind betrügerische Mails im Umlauf! Folgen Sie nicht dem Link. Geben Sie dort keine Daten ein. Bitte beachten Sie unsere Sicherheitshinweise und wenden sich im Zweifelsfall persönlich an Ihren Kundenberater." (Translation: "We know of fraudulent emails being sent! Do not follow the link. Don't enter any data. Please follow our security notices; when in doubt, contact your customer consultant personally.")

The security notice has well-written sections on how PIN/TAN authentication/authorization works (including how to set a limit on remittances in order to limit any damage), how to configure your browser (including how to turn off Java and JavaScript, a recommendation not to let the browser save your password, how to clear the cache, and how, why, and when to enable cookies), how to check the certificate fingerprint(!), how to recognize phishing, why traffic analysis is still possible even with encryption, etc.

In particular, it contains the following hint: "Sollte Ihr Browser bei einem Verbindungsaufbau mit dem Online-Banking-Server in einer Warnmeldung darauf hinweisen, dass ein Schlüssel nicht erfolgreich überprüft werden konnte, wählen Sie unbedingt "Abbrechen", denn ein sicherer Verbindungsaufbau zu dem Rechner unseres Institutes ist in diesem Fall nicht mehr gewährleistet. Nehmen Sie in diesem Fall bitte Kontakt mit uns auf." (Translation: "Should your browser warn you that the key couldn't be verified, always choose "Cancel", because in this case a secure connection to one of our servers couldn't be established. In this case, please contact us.") This has a picture of a security warning with the mouse on "Abbrechen" ("Cancel").

Once you log out, you get a window containing this message: "Sicherheitshinweis: Aus Sicherheitsgründen empfehlen wir Ihnen, das Browserfenster zum Ende der Nutzung unserer Internetseiten zu schließen und nicht für den Besuch weiterer Seiten im Internet zu verwenden. Dieser Hinweis gilt insbesondere dann, wenn Sie das Online-Banking nicht von zu Hause, sondern von einem öffentlichen Ort aus nutzen (z.B. Arbeitsplatz, Internet-Café)." (Translation: "Security Notice: For security reasons, we recommend that you close your browser window once you have finished using our internet pages. Please don't re-use this browser window for further browsing. This hint applies especially if you use our online banking not from your home, but from a public place, such as your workplace or an internet cafe.")

All in all, I think this is just about as good as you can do it. Technically, customers are as secure as they can be using https, PIN/TAN, and current browser technology, while still having a reasonably hassle-free UI. And the bank at least makes an attempt to educate its customers as to best security practices.

Fun,

Stephan

PS: Since I'm usually bitching about things, you might legitimately wonder if I had something to do with the bank's web site. The answer is no, I had nothing to do with it. I don't even know who did it. But perhaps I should find out.

--
Stephan Neuhaus, Researcher
Universität des Saarlandes, Department of Informatics
Postfach 15 11 50, 66041 Saarbrücken, Germany
http://www.st.cs.uni-sb.de/~neuhaus
Re: US Banks: Training the next generation of phishing victims
Sidney Markowitz <[EMAIL PROTECTED]> writes:

> It looks like they are all getting their web sites from the same Hack-In-A-
> Box.

My original comment on that was "Looks like they got their security certification from the same cornflakes packet" :-).

An anonymous contributor sent in the following comment:

-- Snip --

A possible reason that you are seeing similar, in some cases almost the same, language at those different companies' web sites is that they may very well have outsourced their website design and/or management to the same company. Which also explains the similar approach to security.

Back in the late 1990s when I was consulting, I saw brokerage firms doing the same thing. There were companies specializing in providing "online trading" who basically put together a web site with the brokerage firm's logo on the front, but the web sites were owned, managed and located at the "online trading" company. One such company that I know of was using Bourne shell (horrors) for their CGI scripts.

-- Snip --

> https://www.bayfed.org gives me a warning about a certificate that expired
> over a year ago, then when I accept it redirects me to the unsecured
> http://www.bayfed.com.

In addition, trying https://www.bayfed.com gives you the cert for www.bayfed.org. For any phishers reading this, it looks like www.americanexpress.org and www.bankofamerica.org (and their corresponding certs) are still available...

Peter.
Re: US Banks: Training the next generation of phishing victims
Peter Gutmann wrote:

> (hmm, their admins must have gone to the same security night school as the BoA
> ones :-).

I don't understand how big companies can be willing to send their customers through multilayer telephone menu hell just to be put on hold for 20 minutes, but think that it is unacceptable to have to click a "Secure Online Banking" button on the home page before entering their ID and password. As you have pointed out, the latter seems to be the standard for banks outside the US, and I'm sure it works for them. It looks like they are all getting their web sites from the same Hack-In-A-Box.

I just checked out my credit union in the US that used to be an example of doing things right so I could say something nice about them here, but it appears that their online management have also been replaced by the same pod people since I last had a reason to do online transactions with them.

When I entered the http://www.bayfed.org URL that I'm familiar with, the first thing that happened was an immediate and invisible redirect to http://www.bayfed.com. OK, maybe they finally bought that domain and decided to standardize on it. The behavior I remember it having a couple of years ago was an immediate redirect to https://www.bayfed.org.

There on the home page is a form to enter my member number and password and a login button. Next to it is a turquoise padlock icon labeled "security advisory". The word "advisory" led me to think, "Aha, they've succumbed to the dark side under management pressure, but at least they are going to warn me that this is not really secure and if I want to prevent any phishing attack I should do something like click on the login button without entering my information, then actually enter it on the secured site". Nope. Hovering the mouse over the icon tells me that they secure their transactions using 128-bit SSL and I can get more information by clicking on the icon. Clicking it brings up a page saying... Yes, the same pod people wrote their web site:

"Online Security Policy

You may notice when you are on our public web site that some familiar indicators do not appear in your browser to confirm the entire page is secure. These indicators include the small "padlock" icon in your browser's status area and the "https" prefix in the Address bar. To provide all of our users with the fastest and most responsive possible access to our web site, we have chosen to make the process of signing in to Online Banking secure without unnecessarily securing any additional pages on the public web site. Again, please be assured that your member number, password and other information are secure, and that Bay Federal alone has access to them: only public, non-sensitive web pages will remain unsecured, while any page that collects or reveals your sensitive personal information will continue to be handled with the strictest available security measures."

Hmm, one difference from the BoA and Wachovia examples is that this is under the heading "Security Policy". It can be argued that their unsecured home page, which collects a member number and password, violates the portion of the policy that says "only public, non-sensitive web pages will remain unsecured, while any page that collects or reveals your sensitive personal information will continue to be handled with the strictest available security measures".

By the way, it does get worse. https://www.bayfed.org gives me a warning about a certificate that expired over a year ago, then when I accept it redirects me to the unsecured http://www.bayfed.com.

Clicking on the login button on the home page without entering my ID and password does not take me to a secured page that gives me a chance to log in securely -- just a page that says that the ID and/or password are not valid, with no exit other than the browser back button. So there appears to be no way to get to an SSL-secured login page even if I wanted to.

Well, there is a way. If I notice the URL of the invalid user error page I can guess that https://ebanking.bayfed.com/ might work, and indeed it does present a login page. Thanks, BayFed.

--
Sidney Markowitz
http://www.sidney.com
Re: US Banks: Training the next generation of phishing victims
Peter Gutmann wrote:

> Can anyone who knows Javascript better than I do figure out what the mess of
> script on those pages is doing? It looks like it's taking the username and
> password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
> it's a bit hard to follow what's going where.

Why have the logon on your homepage at all? Why not just a link to the https login??? If the goal is to not have SSL overhead on the homepage, don't. Or is there some extra overhead for login processing that I don't know about? Is there some user dissatisfaction with an extra click to log in?

I suppose if you really wanted non-SSL logins, you could use a one-time passcode system with variable-length passcodes to prevent race attacks.

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Re: US Banks: Training the next generation of phishing victims
On Wed, Oct 12, 2005 at 09:36:58PM +1300, Peter Gutmann wrote:

> Can anyone who knows Javascript better than I do figure out what the mess of
> script on those pages is doing? It looks like it's taking the username and
> password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
> it's a bit hard to follow what's going where.

The phishers sure can, but they don't share.
US Banks: Training the next generation of phishing victims
Banks like Bank of America have taken some flak in the past for their awful online banking security practices. I was poking around their home page today because I wanted some screenshots to use as examples of how not to do it, and I noticed the following incredible message, which appears when you click on the tiny padlock icon next to the login dialog:

"Browser security indicators

You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure. Those indicators include the small "lock" icon in the bottom right corner of the browser frame and the "s" in the Web address bar (for example, "https"). To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them."

Yep, no need to worry about those silly browser security indicators, just hand over your banking logon details to anything capable of displaying a Bank of America logo on a web page. (Another thing I noticed is that if you indicate that your logon state is WA or ID, you get sent to an HTTPS page which asks for your SSN alongside your name and password. Anyone know what legal requirement is behind that?)

Amex is another example of this type of user training:

"Security is important to everyone! Please be assured that, although the home page itself does not have an "https" URL, the login component of this page is secure. When you enter your User ID and password, your information is transmitted via a secure environment, and once the login is complete, you will be redirected to our secure area."

Wachovia has:

"Browser security indicators

You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure. Those indicators include the small "lock" icon in the bottom right corner of the browser frame and the "s" in the Web address bar (for example, "https"). To provide the fastest access to our home page, we have made signing in to Online Services secure without making the entire page secure. Again, please be assured that your ID and password are secure."

(hmm, their admins must have gone to the same security night school as the BoA ones :-).

Can anyone who knows Javascript better than I do figure out what the mess of script on those pages is doing? It looks like it's taking the username and password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so it's a bit hard to follow what's going where.

Peter.
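As an added example, not code from any poster, from TrustBar, or from any bank's site: a small Python audit that applies the rule this whole thread turns on. A password form counts as protected only when the page that carries the form and the form's submit target are both HTTPS. A form or script that posts the credentials to an HTTPS URL from an HTTP page (the BoA, Amex and Wachovia arrangement quoted above) does not help, because whoever can serve or alter the unauthenticated HTTP page can just as easily change where the credentials go, and the user has no indicator to tell the two apart. The host names (example-bank.test) and the sample HTML are constructed for the example; the "try the https version of the same URL" guess at the end is an assumption about what an automatic redirect like the one Amir Herzberg describes would attempt, not TrustBar's actual logic.

```python
"""Flag login forms served from plain-HTTP pages.

Added example for this thread, not code from any post, from TrustBar
or from any bank.  Host names and HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> with its action and the input types it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "inputs": [type, ...]}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attrs
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # HTML default input type is "text"
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return one finding per form that collects a password.

    Verdicts:
      protected    - page and submit target are both HTTPS
      unprotected page, HTTPS action - the pattern criticised in this thread:
                     the target is encrypted but the page carrying the form is
                     not, so the form (or its script) can be swapped in transit
      unprotected: credentials would travel in the clear - HTTP all the way
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if "password" not in form["inputs"]:
            continue
        target = urljoin(page_url, form["action"])   # resolve relative actions
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "https" and target_scheme == "https":
            verdict = "protected"
        elif target_scheme == "https":
            verdict = "unprotected page, HTTPS action (the pattern in this thread)"
        else:
            verdict = "unprotected: credentials would travel in the clear"
        findings.append({"page": page_url, "action": target, "verdict": verdict})
    return findings


def protected_alternative(page_url):
    """Assumed redirect heuristic: the same URL with scheme https.

    Whether that URL really serves a login page still has to be checked by
    fetching it; this only builds the candidate.
    """
    return urlsplit(page_url)._replace(scheme="https").geturl()


# Constructed sample: an HTTP home page whose login box posts to HTTPS,
# plus an unrelated search form that must not be flagged.
SAMPLE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """
<html><body>
<form action="https://login.example-bank.test/signin" method="post">
  <input type="text" name="id">
  <input type="password" name="passcode">
  <input type="submit" value="Sign in">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_URL, SAMPLE_HTML):
        print(finding["verdict"], "->", finding["action"])
    print("candidate protected page:", protected_alternative(SAMPLE_URL))
```

Run against a saved copy of a home page, the audit reports the login form as "unprotected page, HTTPS action" even though the credentials themselves would be sent encrypted, which is exactly the distinction the bank notices quoted above gloss over. The search form, having no password field, is ignored.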