Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Devs Criticize Bank Security Vulnerabilities

Posted by Zonk on from the i-tend-to-like-that-little-lock-icon dept.

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

10 of 214 comments (clear)

  1. Credit Unions by daeg · · Score: 5, Interesting

    I petitioned my credit union to force SSL on the entire bank website, complete with a few dozen signers (several of them with very large accounts). Shortly after the entire website is accessible via SSL only, with any HTTP page redirecting you to the homepage (SSL). Sometimes banking with a small credit union has its advantages.

    I suggest everyone do the same.

    1. Re:Credit Unions by mashade · · Score: 3, Interesting

      USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ for example.

      Wachovia's site is as the article describes and only gives you https after login. I wondered about it myself and so began going to the site by manually specifying https://www.wachovia.com/ -- this works and gives you SSL for the entire browsing session. You may want to type it manually every time, though it would be nice if all banks made their sites HTTPS only.

      --
      Technology tips and tricks.
  2. bank web security practices annoy by Gary+W.+Longsine · · Score: 2, Interesting

    This same annoying tendency of banks has another artifact (it's probably not intentional). It typically prevents the user's password management scheme (like Keychain on Mac OS X and analogous 3rd party password managers for Windows) from working properly. Without a tool like this to support the effort, most people wind up using the same password for all their web logins, which exposes them to dramatically increased risk. (Bad guys can exploit this common human behavior by plucking username / password combinations from any arbitrary p0wn3d web site, and then testing them at all the banks.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  3. What me worry by packetmon · · Score: 4, Interesting

    Why should I really worry about security anyway they've either thrown away my information in a dumpster or were compromised...

    Scott Trade
    Verizon
    Bank of America
    Choicepoint
    Mastercard
    AT&T
    Department of Edumacashun
    Chase

    --
    Infiltrated dot Net
  4. Re:Fixed it for ya! by rblancarte · · Score: 3, Interesting

    The fact is that for an IE Dev to point fingers solely at the bank is joke.

    There is a lot of blame to go around for unsecure bank transactions. In the example, we are presented w/ the whole case of user on unsecured wireless. I think the lack of security of the bank in that case is the end users - I never would do bank transactions on an unsecured network except in extreme cases.

    Granted, I do believe that banks do share some responsibility. I think they would be best served to do all of their pages as secure. Therefore minimize the chance for information to be captured. But still I can't solely blame them.

    And it isn't to say that IE is without blame either ...

    RonB

    --
    It is human nature to take shortcuts in thinking.
  5. Re:Don't trust any bank that relies on credentials by popejeremy · · Score: 2, Interesting

    Hardware tokens present software cyphers, and cyphers can be spoofed.

  6. Re:Fixed it for ya! by ewanm89 · · Score: 2, Interesting

    Find me a bank who uses apache? None, right how about on that uses IIS?

  7. Banks have a much bigger problem by cdn-programmer · · Score: 2, Interesting

    Banks have a much bigger problem than this. With the amount of spyware out there and the almost total lack of understanding of what vulnerabilities this exposes, probably more than 1/3 of the passwords and account details are known by Black Hats.

    There are many ways to slip money out of accounts it isn't funny.

    Trading accounts:

    Create a series of bad trade orders. Offset these with legitimate trade orders in legitimate accounts. There are many thinly traded companies where it is easy to figure out who has the buy order and who has the sell order. All one has to do on a thinly traded company for instance is place a lowball buy order and have the victim's account buy shares at whatever price and then sell them into the lowball. This can be triggered from instance by a stop loss order. Once the shares are owned they can then be sold to another victim.

    Chequing accounts: Create fraudulent transactions by paying for goods not ordered. These goods can even be shipped to create a semblance of legitimacy. By the time any of these goods arrive and the transactions are noticed the perpetrators are long gone with their loot.

    Its quite easy to create a series of dummy companies to accomplish this. Of course, since this is e-commerce one would obtain valid certificates ahead of time.

    This is one reason that secure communications offer limited protection. A felon in Jail can always get his lawyer to register a corporation for him and these are legitimate corporations. Its just they are run by crooks. But then Enron was run by crooks too it would seem. In fact, there are a HUGE number of companies run by crooks. Lots of people invest in them.

  8. I'm in the bank business by JustAnotherReader · · Score: 2, Interesting
    I've spent nearly a decade as a developer for a major California bank. I can't imagine that the SEC would allow any bank website to NOT use SSL. That's the most basic layer of security. But just to let you folks know that your data is safe, here are a few of the other things we do to keep your money and data safe from harm:

    • We also ask for your zip code and make sure it matches the user info we have on file.
    • We log the IP address you came from and the time. We do this for several reasons. The most common is that if we see 3 bad log in attempts in a row we lock your account. If we see several locked accounts spawning from the same IP address then we may have someone attempting to hack passwords. If that happens emails are automatically sent and pagers start going off. We notify our security people at once when that happens.
    • The password you enter is encrypted in our database via a public private key encryption. But we never generated the private key. We can tell if your password, when passed through the public key, matches what we have in our database. But we can't tell you what your password actually is. Even we don't know. That way if somebody ever gets into our database they can't use the password information.
    • We don't allow html or javascript in a user name, password field, account name or anywhere else that the user can enter data. We don't want a simple page display to run a rogue script.
    • We have a tremendous amount of safeguards to protect your account information from attacks from inside the bank, behind the firewall. Access to different apps are limit to certain staff via LDAP. All data changes create a record of the change with data on who changed it, what application was used to change it and who was logged into that app at the time. Every bank employee from the managers to the bank tellers is fingerprinted and goes through an FBI background check. Access to data is limited to those who need access to do their jobs. Physical access to the servers is severely limited to a select few.
    • The entire server and database infrastructure of the bank is duplicated in a 2nd location hundreds of miles away from the main servers. This database is being updated in real time so if any attack (whether a hack attack or a physical attack) brings down the system we do an immediate fail over to the backup system. This fail over and fail back system is tested regularly. I've been to that location. The servers are underground in a building with thick walls and no windows.

    These really are just a few of the many many things we do to protect your data. In fact, I deleted 2 of the list items that I originally wrote about because I didn't want to give away any information that could be useful to a potential crook.

    We take security very seriously for two main reasons. First, we're liable for any losses you have due to a security breach. But more importantly, we can't afford to lose the faith of our customers. If they don't trust us they'll take their money somewhere else. The actual financial loss from an attack on our system would be minor compared to the loss of trust from our customers.

  9. Re:Fixed it for ya! by ad0gg · · Score: 4, Interesting
    Who says apache isn't the most hacked webserver? I highly doubt IIS is ever hacked, IIS6 which has been out for 4 years only has 3 exploits come out of which 2 were from components that aren't even installed by default and the exploit that is actually in IIS has a rating of "not critical". Apache on the other has 10% of its known security holes unpatched. It also has 10 fold more holes than IIS. I'd take an educated guess and say apache is hacked way more than IIS so your example fails.

    IIS security holes
    Apache Security Holes

    --

    Have you ever been to a turkish prison?