Re: US Banks: Training the next generation of phishing victims

2005-10-14 Thread Amir Herzberg
I probably wasted more time than anybody on this crazy topic, and in 
particular:
1. I keep a `Hall of Shame` site of such unprotected login pages (even got 
me a DigiCrime title:  Inter-Net Fraud League Commissioner!)
2. With others, we develop TrustBar, an improved security indicator 
toolbar for FireFox, which also tries to protect users of unprotected 
login pages, e.g. by automatically redirecting to protected pages when 
found.


Some results/observations:
1. A few companies that had a dialog with me said their marketing/site 
design folks insist on login via the homepage, claiming this is so much 
better for consumers compared to a separate login page. I see this as a 
very very extreme case of `usability beats security`.
2. Same companies also claimed that using SSL on homepage is too much 
overhead. Extreme case of `performance beats security`.
3. One company responded (to my warning of their unprotected login and 
the fact I'm going to add them to `hall of shame`) by legal threats. 
Typical case of `pay lawyers a lot, to avoid doing things right`.

4. One company sent me coupons for free trades. Rare example, I'm afraid...

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: US Banks: Training the next generation of phishing victims

2005-10-13 Thread Peter Gutmann
Sidney Markowitz [EMAIL PROTECTED] writes:

> It looks like they are all getting their web sites from the same Hack-In-A-
> Box.

My original comment on that was "Looks like they got their security
certification from the same cornflakes packet :-)".  An anonymous contributor
sent in the following comment:

-- Snip --

A possible reason that you are seeing similar, in some cases almost the same,
language at those different companies' web sites is that they may very well
have outsourced their website design and/or management to the same company.
Which also explains the similar approach to security.

Back in the late 1990s when I was consulting, I saw brokerage firms doing the
same thing.  There were companies specializing in providing online trading
who basically put together a web site with the brokerage firm's logo on the
front, but the web sites were owned, managed and located at the online
trading company.

One such company that I know of was using Bourne-shell (horrors) for their cgi
scripts.

-- Snip --

https://www.bayfed.org gives me a warning about a certificate that expired
over a year ago, then when I accept it redirects me to the unsecured
http://www.bayfed.com.

In addition, trying https://www.bayfed.com gives you the cert for
www.bayfed.org.  For any phishers reading this, looks like
www.americanexpress.org and www.bankofamerica.org (and their corresponding
certs) are still available...

Peter.




US Banks: Training the next generation of phishing victims

2005-10-12 Thread Peter Gutmann
Banks like Bank of America have taken some flak in the past for their awful
online banking security practices.  I was poking around their home page today
because I wanted some screenshots to use as examples of how not to do it and I
noticed the following incredible message, which appears when you click on the
tiny padlock icon next to the login dialog:

  Browser security indicators

  You may notice when you are on our home page that some familiar indicators
  do not appear in your browser to confirm the entire page is secure. Those
  indicators include the small lock icon in the bottom right corner of the
  browser frame and the s in the Web address bar (for example, https).

  To provide the fastest access to our home page for all of our millions of
  customers and other visitors, we have made signing in to Online Banking
  secure without making the entire page secure. Again, please be assured that
  your ID and passcode are secure and that only Bank of America has access to
  them.

Yep, no need to worry about those silly browser security indicators, just hand
over your banking logon details to anything capable of displaying a Bank of
America logo on a web page.

(Another thing I noticed is that if you indicate that your logon state is WA
or ID, you get sent to an HTTPS page which asks for your SSN alongside your
name and password.  Anyone know what legal requirement is behind that?)

Amex is another example of this type of user training:

  Security is important to everyone!

  Please be assured that, although the home page itself does not have an
  https URL, the login component of this page is secure. When you enter your
  User ID and password, your information is transmitted via a secure
  environment, and once the login is complete, you will be redirected to our
  secure area.

Wachovia has:

  Browser security indicators

  You may notice when you are on our home page that some familiar indicators
  do not appear in your browser to confirm the entire page is secure. Those
  indicators include the small lock icon in the bottom right corner of the
  browser frame and the s in the Web address bar (for example, https).

  To provide the fastest access to our home page, we have made signing in to
  Online Services secure without making the entire page secure. Again, please
  be assured that your ID and password are secure.

(hmm, their admins must have gone to the same security night school as the BoA
ones :-).

Can anyone who knows Javascript better than I do figure out what the mess of
script on those pages is doing?  It looks like it's taking the username and
password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
it's a bit hard to follow what's going where.

Peter.



Re: US Banks: Training the next generation of phishing victims

2005-10-12 Thread Adam Shostack
On Wed, Oct 12, 2005 at 09:36:58PM +1300, Peter Gutmann wrote:
| 
| Can anyone who knows Javascript better than I do figure out what the mess of
| script on those pages is doing?  It looks like it's taking the username and
| password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
| it's a bit hard to follow what's going where.

The phishers sure can, but they don't share. 



Re: US Banks: Training the next generation of phishing victims

2005-10-12 Thread Nick Owen
Peter Gutmann wrote:
 
 Can anyone who knows Javascript better than I do figure out what the mess of
 script on those pages is doing?  It looks like it's taking the username and
 password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so
 it's a bit hard to follow what's going where.
 

Why have the log on your homepage at all? Why not just a link to the
https login???  If the goal is to not have SSL overhead on the homepage,
don't.  Or is there some extra overhead for login processing that I
don't know about?  Is there some user dissatisfaction with an extra
click to login?

I suppose if you really wanted non-SSL logins, you could use a one-time
passcode system with variable length passcodes to prevent race attacks.


-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
