Has there been a change in US banking regulations recently?

2010-08-13 Thread Peter Gutmann
As part of a thread on another list, I noticed that Bank of America, who until
recently didn't bother protecting the page where users are expected to enter
their credentials with anything more substantial than a GIF of a padlock, now
finally use HTTPS on their home page, and redirect HTTP to HTTPS (this only
took them, what, about ten years to get right?  Or is it fifteen?  When did
BofA first get a web presence?).  Wachovia now do it too.  And Citibank at
least redirect you to an HTTPS page.  And so does US Bank, after asking for
your ID.

What on earth happened?  Was there a change in banking regulations in the last
few months?

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread Perry E. Metzger
On Fri, 13 Aug 2010 23:59:18 +1200 Peter Gutmann wrote:
> As part of a thread on another list, I noticed that Bank of
> America, who until recently didn't bother protecting the page where
> users are expected to enter their credentials with anything more
> substantial than a GIF of a padlock, now finally use HTTPS on their
> home page, and redirect HTTP to HTTPS (this only took them, what,
> about ten years to get right?  Or is it fifteen?  When did BofA
> first get a web presence?).  Wachovia now do it too.  And Citibank
> at least redirect you to an HTTPS page.  And so does US Bank, after
> asking for your ID.
> 
> What on earth happened?  Was there a change in banking regulations
> in the last few months?

I don't know, but Chase, which years ago sent me a letter explaining
exactly how crazy I was for complaining that their front page was
sent in the clear, has also begun redirecting people to https. I'm
unaware of a regulatory shift on this, but perhaps people have
finally learned that doing otherwise is a bad idea.

Perry
-- 
Perry E. Metzger   pe...@piermont.com



RE: Has there been a change in US banking regulations recently?

2010-08-13 Thread eric.lengvenis
On Fri, 13 Aug 2010 23:59:18 +1200 Peter Gutmann wrote:
> As part of a thread on another list, I noticed that Bank of America, 
> who until recently didn't bother protecting the page where users are 
> expected to enter their credentials with anything more substantial 
> than a GIF of a padlock, now finally use HTTPS on their home page, and 
> redirect HTTP to HTTPS (this only took them, what, about ten years to 
> get right?  Or is it fifteen?  When did BofA first get a web 
> presence?).  Wachovia now do it too.  And Citibank at least redirect 
> you to an HTTPS page.  And so does US Bank, after asking for your ID.
> 
> What on earth happened?  Was there a change in banking regulations in 
> the last few months?

I'm usually pretty up-to-date on these regulations and I'm not aware of any 
recent changes. As for Wachovia's changes, you'll notice that it now says "A 
Wells Fargo Company" in smaller print beneath the Wachovia logo. That's the 
reason for their switch; our name on their (our?) site. Unfortunately, it 
appears that not all is working right. If you go to http://wachovia.com it 
redirects to https://www.wachovia.com just fine, but if you type in 
https://wachovia.com it does not redirect you and your browser will throw a 
domain name mismatch error because the certificate is for www.wachovia.com 
(Confirmed on IE8, Firefox 3.5, and Chrome 5). The browsers treat these as near 
apocalyptic errors with huge warnings. Firefox especially. I've notified the 
appropriate people. 

Eric Lengvenis
Information Security Architect
Enterprise Information Security Architecture (EISA)



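The apex/www mismatch Eric describes (HTTP on the bare domain redirects fine, but the certificate names only the www host) is easy to catch with a consistency check like the one below. This is an added example, not code from the thread or from any bank; the hostnames are constructed, and the wildcard rule follows RFC 6125's single-label matching.

```python
"""Offline check for apex/www HTTPS consistency: every hostname a user might
type must be covered by the served certificate, and plain HTTP must redirect to
an https:// URL.  All inputs are constructed; in practice the names come from
the certificate's subjectAltName and the redirects from a HEAD request."""
from urllib.parse import urlsplit

def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a leading '*' standing for exactly one
    label ('*.example.test' covers 'www.example.test', not 'example.test')."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".example.test"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[: -len(suffix)]
        return first_label != "" and "." not in first_label
    return False

def cert_covers(san_names, hostname) -> bool:
    """True if any subjectAltName entry matches the name the user requested."""
    return any(name_matches(n, hostname) for n in san_names)

def redirect_ok(status, location) -> bool:
    """A plain-HTTP hit is acceptable only if redirected to an https:// URL."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    return urlsplit(location).scheme == "https"

def audit(site, san_names):
    """site maps hostname -> (status, Location) observed for http://hostname/.
    Returns one finding per problem; an empty list means the site is consistent."""
    findings = []
    for host, (status, location) in site.items():
        if not redirect_ok(status, location):
            findings.append(f"http://{host}/ does not redirect to HTTPS")
        if not cert_covers(san_names, host):
            findings.append(f"certificate does not cover https://{host}/")
    return findings

# Constructed sample mirroring the thread: HTTP on the apex redirects fine, but
# the certificate names only the www host, so https://apex/ fails name matching.
SAMPLE_SITE = {
    "example-bank.test": (301, "https://www.example-bank.test/"),
    "www.example-bank.test": (301, "https://www.example-bank.test/"),
}
SAN_WWW_ONLY = ["www.example-bank.test"]
SAN_FIXED = ["www.example-bank.test", "example-bank.test"]
```

Running `audit(SAMPLE_SITE, SAN_WWW_ONLY)` reports the apex certificate gap, and `audit(SAMPLE_SITE, SAN_FIXED)` returns no findings once the apex name is added to the certificate.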


Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread Jeff Simmons
On Friday 13 August 2010 04:59, Peter Gutmann wrote:
> As part of a thread on another list, I noticed that Bank of America, who
> until recently didn't bother protecting the page where users are expected
> to enter their credentials with anything more substantial than a GIF of a
> padlock, now finally use HTTPS on their home page, and redirect HTTP to
> HTTPS (this only took them, what, about ten years to get right?  Or is it
> fifteen?  When did BofA first get a web presence?).  Wachovia now do it
> too.  And Citibank at least redirect you to an HTTPS page.  And so does US
> Bank, after asking for your ID.
>
> What on earth happened?  Was there a change in banking regulations in the
> last few months?
>
> Peter.

It wouldn't surprise me if there's been some blowback from the adoption of 
PCI-DSS (Payment Card Industry Data Security Standards). As someone who has 
had to help several small to medium size businesses comply with these 
'voluntary' standards, the irony of the fact that the big banks that require 
them often aren't in compliance themselves hasn't escaped my notice.

-- 
Jeff Simmons   jsimm...@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
--  My Life With The Thrill Kill Kult



Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread John Levine
>What on earth happened?  Was there a change in banking regulations in
>the last few months?

No, but we know that banks move in herds, and they mostly talk to each
other, not anyone with outside expertise.

More likely someone noticed that computers are a lot faster than they
were a decade ago, you can do all the crypto you want and your 8 core
3 GHz servers are still I/O bound, so the traditional folklore that
SSL is so slow you use it only where absolutely mandatory no longer
applies and you might as well use SSL on everything.  Then he went to
a meeting and told all his friends.

I've been noticing something similar at abuse.net, a service I run
where people can publish their domains' abuse contacts.  The folklore
in small credit unions is that you're supposed to hide your domain's
registration details using a proxy service, I think due to a
misreading of an old letter from the NCUA.  Earlier this year someone
at a meeting must have told them that it would be a good idea to
register with abuse.net, so I've been getting a stream of attempted
registrations from small credit unions with proxy registration, which
I reject.  About half of them get the hint, turn off the proxy, and
try again, the other half give up.

R's,
John



Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread Jon Callas
> What on earth happened?  Was there a change in banking regulations in the last
> few months?

Possibly it's related to PCI DSS and other work that BITS has been doing. Also, 
if one major player cleans up their act and sings about how cool they are, then 
that can cause the ice to break.

Another possibility is that a number of people in financials have been able to 
get security funding despite the banking disasters because the risk managers 
know that the last thing they need is a security brouhaha while they are 
partially owned by government and thus voters.

I bet on synergies between both.

If I were a CSO at a bank, I might encourage a colleague to make a presentation 
about how their security cleanups position them to get an advantage at getting 
out from under the thumb of the feds over their competitors. Then I would make 
sure the finance guys got a leaked copy.

Jon



RE: Has there been a change in US banking regulations recently?

2010-08-13 Thread eric.lengvenis
>Jon Callas wrote:
>
> Possibly it's related to PCI DSS and other work that BITS has been doing. 
>  
>
> Another possibility is... the risk managers
> know that the last thing they need is a security brouhaha while they are
> partially owned by government and thus voters.
> 
> I bet on synergies between both.
> 

I agree. I think it is just the 100th monkey effect.

Eric Lengvenis
InfoSec Arch.



RE: Has there been a change in US banking regulations recently?

2010-08-13 Thread eric.lengvenis
> Jeff Simmons wrote:

> It wouldn't surprise me if there's been some blowback from the adoption of
> PCI-DSS (Payment Card Industry Data Security Standards). As someone who
> has
> had to help several small to medium size businesses comply with these
> 'voluntary' standards, the irony of the fact that the big banks that require
> them often aren't in compliance themselves hasn't escaped my notice.

I'd like to clarify a bit. PCI-DSS wasn't developed by the big banks. It isn't 
usually enforced by big banks except insofar as they are liable for PCI-DSS 
compliance when outsourcing to or partnering with other companies. So they may 
be forcing it on the SMBs you've worked with because they're liable in some way.

PCI-DSS was the brainchild of Visa. I'm a member of X9F (X9F6 is the payment 
card security standards committee) and we wrote an open letter back in 2005 to 
Visa and Mastercard asking them not to set new, separate standards for the 
financial sector but to work from within X9F. They ignored us. Even though you 
clearly indicate that they aren't truly voluntary via your use of quotes, when 
the PCI group (VISA et al.) can unilaterally level huge fines and/or penalties 
for non-compliance they really are compulsory.

Luckily, PCI-DSS compliance != security. Or is that unluckily because of how 
much money is wasted complying that could be better spent securing.

Eric Lengvenis
InfoSec Arch



Re: Has there been a change in US banking regulations recently?

2010-08-13 Thread Anne & Lynn Wheeler

On 08/13/2010 02:12 PM, Jon Callas wrote:

>> What on earth happened?  Was there a change in banking regulations in the last
>> few months?
>
> Possibly it's related to PCI DSS and other work that BITS has been doing. Also, 
> if one major player cleans up their act and sings about how cool they are, then 
> that can cause the ice to break.
>
> Another possibility is that a number of people in financials have been able to 
> get security funding despite the banking disasters because the risk managers 
> know that the last thing they need is a security brouhaha while they are 
> partially owned by government and thus voters.
>
> I bet on synergies between both.
>
> If I were a CSO at a bank, I might encourage a colleague to make a presentation 
> about how their security cleanups position them to get an advantage at getting 
> out from under the thumb of the feds over their competitors. Then I would make 
> sure the finance guys got a leaked copy.
>
> Jon


The original requirement for SSL deployment was that it was on from the 
original URL entered by the user. The drop-back to using SSL for only a small 
subset ... was based on the computational load caused by SSL cryptography; in 
the online merchant scenario it cut thruput by 90-95%. The alternative, handling 
the online merchant scenario with SSL for the total user interaction, would have 
required increasing the number of servers by a factor of 10-20.

One possibility is that the institution has increased the server capacity ... 
and/or added specific hardware to handle the cryptographic load.

A lot of banking websites are not RYO (roll-your-own), internally developed ... 
but stuff they buy from a vendor, and/or they have the website wholly outsourced.

Also some number of large institutions have their websites outsourced to 
vendors with large replicated sites at multiple places in the world ... and 
user interaction gets redirected to the closest server farm. I've noticed this 
periodically when the server farm domain name and/or server farm SSL 
certificate bleeds thru ... because of some sort of configuration and/or 
operational problems (rather than seeing the institution SSL certificate that I 
thought I was talking to).

Another possibility is that the vendor product that they may be using for the 
website and/or the outsourcer that is being used ... has somehow been upgraded 
(software &/or hardware).

--
virtualization experience starting Jan1968, online at home since Mar1970
