"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>That's why Citibank and most well run bank sites have you click on a
>>button on the front page to go to the login screen. There are ways to
>>handle this correctly.
>
> There's an attack there, too -- one can divert the link to the login
> screen.

Certainly, but at least then, the URL and the certificate won't point at Amex (or whomever). If you train your users properly, then they can avoid trouble even then. In the current case, by the time you see that there is a problem, it is too late.

Furthermore, you're training your users to engage in a bad behavior. This is no different than Microsoft training their users to mindlessly open .exe files for years and years, only to reap the whirlwind when email viruses came along. The right behavior to encourage for people is "never enter in your userid and password for an important account on a page that you don't trust". They're training people to do the opposite.

>>The other major offenders are organizations (such as portions of
>>Verizon) that subcontract payment systems to third parties. They are
>>training their users to expect to be directed to a site they don't
>>recognize to enter in their credit card information. "Really! This is
>>your vendor's payment site! Pay no attention to the URL and
>>certificate!"
>>
>>That one in particular takes amazing brains...
>>
> It's a tough problem: they want to outsource the payment processing,
> but don't have the infrastructure to do so properly.

They could delegate a "payments.verizon.com" DNS entry and hand the processor a "payments.verizon.com" certificate, with an expiry date quite similar to the date when their contract is up for renewal.

I'd like to make my position on one thing here really clear, by the way. Since when is it considered acceptable to slack on fiduciary responsibility on the excuse that it is annoying and requires effort? No one would accept a bank saying "accounting is boring, and hard to do right, so we aren't going to keep track of your balance very well any more." No one would accept "we've decided that paying for a proper vault is expensive, so we're keeping your safe deposit box in the men's room." How is proper network security any different? This is a BANK. Keeping your money secure is what they are paid to do! Yes, it takes thought, planning, and some skill to have online security for a financial institution, but no one is obligated to own or run a bank. If you run a mortuary, you will have to deal with corpses. If you run a bank, you have to be mindful of security in handling money.

As for merchants like Verizon, there is really no excuse for being unable to figure out how to process online credit card payments safely, whether on their own or through a contractor. No one obligates them to be in business, but if they're going to be, they have a duty to do things like keeping accurate customer accounts, paying their taxes, keeping track of who their shareholders are, and, yes, making sure that they deal with credit card acceptance non-hazardously. I know it is all a pain in the ass, but if one wants an easier life, one should be a subsistence farmer instead of a multinational corporation.

Sure, I'd love not to have to deal with the annoying things I have to deal with, and I'd love not to have to pay my mortgage on time, and I'd love a pony and a mountain of gold. I'm an adult, though, so I accept that I can't have everything I want and I need to fulfill my obligations. Are we to expect less of AMERICAN EXPRESS? Of VERIZON? That's a non-starter as far as I'm concerned. If you want to have a life of excuses, you don't get to play with the grownups.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
