Slashdot Mirror


IE Devs Criticize Bank Security Vulnerabilities

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man-in-the-middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password, which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

18 of 214 comments

  1. Nevermind Just The Login Page by garett_spencley · · Score: 4, Insightful

    The entire session should be secured. Bank account numbers, credit card numbers, transaction histories, information about billers and automatic withdrawal dates etc. are easily sniffed.

    Just because they can't get your password doesn't mean they can't get useful information about you. Sniffing out an online banking session could be a big jackpot for an identity thief.

  2. Um... by 0123456 · · Score: 2, Insightful

    "This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop"

    Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

    1. Re:Um... by Anonymous Coward · · Score: 4, Insightful

      Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

      Why? SSL protects you from MITM attacks and provides strong encryption & authentication.

      That is exactly what SSL is for, to protect you from sniffers/spoofers between you and the website.

    2. Re:Um... by jimicus · · Score: 5, Insightful

      Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

      Not really - this is the whole point of SSL. If you trust both endpoints, you don't much care about what's in the middle.

      Now, if you'd said "anyone who logs into their bank site from a random Internet cafe PC is just asking to get owned", I'd agree. It wouldn't require a great deal of sophistication to install keyloggers on every PC. Or if you're rather more sophisticated, you could set up some sort of proxy which sets up a MITM with every HTTPS session, presenting a self-signed certificate for $BANK, and configure the client PCs with the appropriate certificate from the proxy's root CA.

    3. Re:Um... by Z33kPhr3k · · Score: 2, Insightful

      2 factor auth prevents key loggers, but you need your own pc and secure dns to keep it private on the road.

      BTW without secure dns, Google Apps is worthless toy for the enterprise. M$ is shaking in their boots.

  3. Don't trust any bank that relies on credentials by bjourne · · Score: 4, Insightful

    Personally, I wouldn't trust any bank whose security system relies on user supplied credentials. Any bank that does not supply its customers with an electronic hardware-based security token is not trustworthy enough to handle my savings.

    1. Re:Don't trust any bank that relies on credentials by SlOrbA · · Score: 2, Insightful

      Man ..

      It's all software .. It's all software.

  4. Come on guys... by rob1980 · · Score: 5, Insightful

    Published Wednesday, April 20, 2005 6:44 PM by ieblog

    Two thousand and five.

  5. Re:Cringe by Anonymous Coward · · Score: 1, Insightful

    I cringe a little whenever I visit a bank or CC site and see .asp or .aspx at the end of the URL.

    Why?

  6. Re:Fixed it for ya! by cryptoguy · · Score: 3, Insightful

    I'm no fan of IE, but firefox is equally vulnerable to this issue. It's caused by the way SSL / TLS is used by the app on the server.

  7. Great article, but by reezle · · Score: 2, Insightful

    Great article, but WHICH BANKS are the problem?
    I'd love to complain to my bank if it is guilty of these lapses, but how would I know?

  8. Re:Cringe by LighterShadeOfBlack · · Score: 3, Insightful

    I cringe a little whenever I visit a bank or CC site and see .asp or .aspx at the end of the URL. Why, are you afraid of snakes?

    They're just file extensions buddy, they can't hurt you.
    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.

  9. Re:Low tech banks by Sobrique · · Score: 2, Insightful

    Big banks have the tools and means, but also a whole wall of 'change control' that requires you to explain in detail why, exactly, you think the way they're doing it is moronic, and to assess its impact exhaustively alongside the relative costing of a project to redesign and implement a solution.

  10. Security is expensive. by Anonymous Coward · · Score: 2, Insightful

    I have worked with computer programmers who think they know how to write secure software, but don't. They know maybe one or two basic principles, and think they have it all figured out. I call this the "well no one told me" phenomenon.

    Not every IT professional wants to spend lots of his free time researching the latest means of breaking into something, and defending against the break-in. So a lot of people just don't go out of their way to find out if they really know enough to write secure software... it is easier to assume that one's current knowledge is sufficient and to let one's employer take the heat when something surprising comes up.

    Furthermore, employers don't like sending their employees off to training which ultimately will not increase their bottom line, and which may not even turn out to be necessary at all (after all, he DOES believe he can write secure software...). Worse yet, employers don't want to hire people to try to hack into their site, seeing as how that costs a lot of money and time too, and there is no guarantee that the third party actually tried hard.

    The end result is quite predictable: insecurity all around.

  11. Re:Fixed it for ya! by bberens · · Score: 4, Insightful

    Yes, because I'd much rather push my bank password through several other users' machines than have my ISP route directly to the site. Tor is for anonymity, not data security.

    --
    Check out my lame java blog at www.javachopshop.com

  12. Mother's Maiden Name by giafly · · Score: 3, Insightful

    HTTPS is the least of my worries. I'm more concerned that banks
    1. Use insecure information such as mother's maiden name as proof of id
    2. Phone me with account questions, and ask me to prove my ID, but are incapable of proving their ID
    3. Send my credit cards and PINs using normal post
    4. Don't tell me when they have done "3)" so I won't notice if the letters fail to arrive.
    5. Don't give me the choice of turning off Internet access to my account

    --
    Reduce, reuse, cycle

  13. Re:hypocrisy by Anonymous Coward · · Score: 1, Insightful

    Newsflash:

    Microsoft does.

    And don't tell me about how it's a big company. It's a big black pot talking shit to the kettle.

    Fuck Microsoft.
    If there's anything that banks need to be told, it's that they need to quit checking user-agent headers and redirecting us to stupid pages telling us to use Internet Explorer.

  14. Re:Fixed it for ya! by Anonymous Coward · · Score: 4, Insightful

    If Apache made 70% of the webservers in the world, they would also likely be the most hacked webserver in the world ... Oh wait -- they do make 70% of the webservers in the world. Your metaphor fails.

    So back to the obvious explanation: the IE team can't code for shit