Banks Not Using Secure Log-In Pages
By Ian Scott
You’d think that, with the sheer volume of phishing attempts, financial institutions would be doing everything they could to help customers protect themselves. But an unofficial survey shows some banks are lagging well behind.
Johannes Ullrich, SANS “Handler Of The Day” on April 19, 2006, checked out a number of financial institutions’ log-in pages. In what Ullrich describes as “getting worse and not better,” a number of American and international banks were found to present the log-in form for their on-line banking on ordinary pages outside their Secure Server, that is, served over plain http rather than https. (The Canadian institutions that were checked all required logging in from the Secure Server.)
Now, this DOES NOT mean that the log-in information is not being sent securely. So far in the survey, it does appear that once the information is submitted, it is sent to the Secure Server and is therefore encrypted in transit. In other words, once the “submit” button is clicked, the Secure Server transaction takes over, and the customer finds himself on a webpage on the Secure side of the site.
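Here is a small script that performs the check Ullrich made by hand: given a page’s URL and its HTML, it finds every form containing a password field and reports whether the page itself is on the Secure Server, whether only the form’s destination is, or neither. This is an added example in Python, not code from the original post or from the SANS survey; the sample page and host names in it are constructed placeholders, not real banks.

```python
"""Audit where a log-in form lives and where it submits.

Added example, not code from the original post or from the SANS survey.
The sample page and host names below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFormFinder(HTMLParser):
    """Collect every <form> on the page, noting which ones hold a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Classify each password form found in `html`, as served from `page_url`.

    Returns a list of (resolved action URL, verdict, same host as page) where
    the verdict is one of:
      "secure"   the page is https and the form also submits to https
      "mixed"    the page is plain http but the form submits to https: the
                 password is encrypted in transit, yet the user had no
                 certificate to inspect before typing it, and the http page
                 carrying the form could itself have been altered
      "insecure" the form submits over plain http
    """
    finder = _PasswordFormFinder()
    finder.feed(html)
    page_parts = urlsplit(page_url)
    page_scheme = page_parts.scheme.lower()
    results = []
    for form in finder.forms:
        if not form["has_password"]:
            continue                      # search boxes etc. are not our concern
        action = urljoin(page_url, form["action"])   # relative actions inherit the page's scheme
        action_parts = urlsplit(action)
        if action_parts.scheme.lower() != "https":
            verdict = "insecure"
        elif page_scheme == "https":
            verdict = "secure"
        else:
            verdict = "mixed"
        results.append((action, verdict, action_parts.hostname == page_parts.hostname))
    return results


# Constructed sample: a bank home page served over plain http with three forms.
SAMPLE_PAGE_URL = "http://www.examplebank.test/"
SAMPLE_HTML = """
<html><body>
<form id="search" action="/search" method="get">
  <input type="text" name="q">
</form>
<form id="login" action="https://online.examplebank.test/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form id="legacy" action="/cgi-bin/login" method="post">
  <input type="PASSWORD" name="pin">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, verdict, same_host in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:8}  same-host={str(same_host):5}  {action}")
```

The “mixed” verdict is the case the survey is about: the password travels encrypted, but nothing on the page the customer was looking at could be verified before it was typed. The same-host flag is worth printing because a form that submits to a different host is exactly what a tampered page would look like, even though some banks legitimately log in on a separate host.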
The problem though is that SSL is not only for providing encrypted traffic between the server and the web browser. It has another important function, referred to as “authentication.” When a browser connects to a Secure Server, the individual behind the browser is given an opportunity to check the credentials of the Security Certificate that the Secure Server presents. Most browsers will by default recognize certificates from the commonly used issuers, issuers that are known to verify the identity of a secure server’s owner before issuing a certificate for it.
However, anyone can issue their own Secure Server certificate. If your browser detects an unknown issuer, it will warn you, and it is then up to you whether to accept that certificate or not.
When you visit a Secure (SSL enabled) site, check out the certificate details and become familiar with the information available to you. The certificate will tell you whether it was in fact issued for the URL or website you are visiting, its expiry date, the organization to whom it was issued, the key size and algorithm, and other information. What you are most interested in is that the certificate is indeed valid for the site you are on, and the name of the organization it was issued to.
There are a couple of reasons (in the context of this article) why knowing about SSL certificates is important:
1. With so many phishing attempts going on, you need a way to know that the site you are on is indeed the one you believe you are visiting. A certificate issued to your bank, for the host name in the address bar, is that check.
2. If the institution’s webpage were cracked, the cracker could have replaced the log-in widget or placed a link to another Secure Site, perhaps one using a domain name similar to your financial institution’s, and that site may well hold a perfectly valid certificate for its look-alike name. By familiarizing yourself with the information provided in a certificate, in particular the organization it was issued to, you can help protect yourself against this.
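The fields the paragraph above asks you to read, and the look-alike case in reason 2, can be checked mechanically. The following is an added example in Python, not code from the original post; it takes constructed certificate records (dictionaries holding the fields a browser’s certificate dialog shows, standing in for no real bank or certificate authority) and applies the checks a browser applies. Note that the look-alike certificate passes every automatic check, which is the point: only the organization name tells the two sites apart.

```python
"""Checks on the fields a browser's certificate dialog shows.

Added example, not code from the original post. The certificate records are
constructed dictionaries (no real bank or certificate authority); a browser
applies the same checks to the real X.509 fields.
"""
from datetime import datetime, timezone

# Issuers this "browser" trusts. Constructed; a real browser ships with hundreds.
TRUSTED_ISSUERS = {"Example Root CA"}


def hostname_matches(pattern, hostname):
    """Match a name from the certificate against the host in the URL.

    Subset of the RFC 6125 rules browsers use: case-insensitive, a wildcard is
    allowed only as the whole leftmost label, it matches exactly one label, and
    it never matches the bare parent domain or a top-level domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return the problems a browser would raise; an empty list means
    "valid for this host, at this time, from a trusted issuer".

    Passing these checks proves only that you reached the host named in the
    URL. Whose host that is comes from the organization ("O") field, which is
    why the author tells you to read it.
    """
    problems = []
    names = cert.get("subject_alt_names") or [cert["subject"]["CN"]]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: issued for {names}, not {hostname}")
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append(f"expired on {cert['not_after'].date()}")
    if cert["issuer"] not in trusted_issuers:
        problems.append(f"issuer {cert['issuer']!r} is unknown (self-signed or untrusted CA)")
    return problems


def issued_to(cert):
    """The organization name shown as 'Issued to' in the certificate dialog."""
    return cert["subject"].get("O", "(no organization recorded)")


# Constructed records. NOW is the survey date.
NOW = datetime(2006, 4, 19, tzinfo=timezone.utc)
BANK_CERT = {
    "subject": {"CN": "online.examplebank.test", "O": "Example Bank Inc."},
    "subject_alt_names": ["online.examplebank.test", "*.examplebank.test"],
    "issuer": "Example Root CA",
    "not_before": datetime(2005, 6, 1, tzinfo=timezone.utc),
    "not_after": datetime(2007, 6, 1, tzinfo=timezone.utc),
}
LOOKALIKE_CERT = {   # a perfectly valid certificate for a look-alike domain
    "subject": {"CN": "examplebank-secure.test", "O": "Quick Hosting Ltd."},
    "subject_alt_names": ["examplebank-secure.test"],
    "issuer": "Example Root CA",
    "not_before": datetime(2006, 4, 1, tzinfo=timezone.utc),
    "not_after": datetime(2007, 4, 1, tzinfo=timezone.utc),
}
SELF_SIGNED_CERT = {  # right name, wrong issuer, and expired
    "subject": {"CN": "online.examplebank.test", "O": "Example Bank Inc."},
    "subject_alt_names": ["online.examplebank.test"],
    "issuer": "online.examplebank.test",
    "not_before": datetime(2006, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2006, 3, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for label, cert, host in [("bank", BANK_CERT, "online.examplebank.test"),
                              ("look-alike", LOOKALIKE_CERT, "examplebank-secure.test"),
                              ("self-signed", SELF_SIGNED_CERT, "online.examplebank.test")]:
        problems = check_certificate(cert, host, NOW)
        print(f"{label:11} issued to {issued_to(cert)!r}: {problems or 'no problems'}")
```

The self-signed record is what the browser’s “unknown issuer” warning in the paragraph above looks like in code; the look-alike record returns no problems at all, so the only thing standing between the customer and the phisher is reading the organization name.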
So why are some financial institutions providing log-in widgets outside of their Secure Server? Who knows? Most likely it’s an attempt to make the website convenient for their users, but in reality there is nothing inconvenient about providing a link on the pages outside the Secure Server to a log-in page inside it. Whatever the reasons, a log-in widget on the unsecured side of the website is dangerous from a security point of view: the customer has no certificate to check before typing a password, and a plain-http page can be altered, on the server or on its way to the browser, so that the form quietly submits somewhere else. At the same time, it trains customers to type their credentials into unverified pages, which makes it easier for scammers and phishers to take advantage of them.
If you’re interested in the survey results so far, regarding banks that don’t require the log-in information to be submitted inside the Secure Server, take a look at Johannes Ullrich’s list. If you know of any banks not listed, I’m sure Johannes would appreciate hearing about them.
If you go to Johannes’s link, you’ll note that it is on a Secure Server. You can tell this because instead of the standard http prefix, the address begins with https. When you click on that link, depending on which browser you use, you should see an indication that the site is a “secure site” with a lock icon. In Firefox and Internet Explorer, this icon is located at the bottom of the browser window. Opera v8.5 shows the lock icon at the right-hand side of the URL bar. These icons are clickable; after clicking one, you should be able to see the details of the Server Certificate assigned to the site.