Slashdot Mirror


IE Devs Criticize Bank Security Vulnerabilities

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man-in-the-middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password, which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"
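The weakness the summary describes has two parts: the login page itself travels over plain HTTP, so anyone on the path can rewrite it before the user sees it, and only the form submission uses HTTPS. The following audit routine, an added example that is not from the IE blog post or from any bank, checks both conditions on a page's HTML and flags the cases where a client would be exposed. The bank hostname, URLs and sample pages are constructed for illustration.

```python
"""Audit a login page for the pattern criticized in the summary:
an HTML login form delivered over plain HTTP that only posts the
password over HTTPS.  Hypothetical example code; the sample pages
below are constructed, not taken from any real bank."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


class _FormCollector(HTMLParser):
    """Collect every <form> action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (strings); an empty list means no weakness found.

    Two things must hold for a login page to resist the man-in-the-middle
    rewrite described in the post: the page itself must arrive over TLS
    (otherwise an attacker on the path can edit the form before the user
    types anything), and every password form must submit over TLS.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormCollector()
    parser.feed(html)
    password_forms = [f for f in parser.forms if f["has_password"]]

    if not password_forms:
        return ["no password form found on page"]

    if page_scheme != "https":
        findings.append(
            "login form delivered over %s: a network attacker can rewrite the "
            "page before the password is typed" % (page_scheme or "unknown scheme")
        )

    for form in password_forms:
        # A relative action inherits the page's scheme, so resolve it first.
        action_url = urljoin(page_url, form["action"])
        if urlsplit(action_url).scheme.lower() != "https":
            findings.append("password form posts over plain HTTP to %s" % action_url)

    return findings


# Constructed sample: the pattern the post criticizes (HTTP page, HTTPS form action).
WEAK_PAGE_URL = "http://bank.example/login"
WEAK_PAGE_HTML = """
<html><body>
<form action="https://bank.example/auth" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

# Constructed sample: page and form both use TLS (the credit-union setup in the comments).
GOOD_PAGE_URL = "https://bank.example/login"
GOOD_PAGE_HTML = """
<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

# Constructed sample: the weak page after a man-in-the-middle has removed
# encryption from the form action; both checks fire on it.
TAMPERED_PAGE_HTML = WEAK_PAGE_HTML.replace("https://bank.example/auth",
                                            "http://bank.example/auth")

if __name__ == "__main__":
    for name, url, html in [("weak", WEAK_PAGE_URL, WEAK_PAGE_HTML),
                            ("good", GOOD_PAGE_URL, GOOD_PAGE_HTML),
                            ("tampered", WEAK_PAGE_URL, TAMPERED_PAGE_HTML)]:
        print(name, audit_login_page(url, html) or ["ok"])
```

Note that the "weak" page produces a finding even though its form action is HTTPS: encrypting only the submission is exactly the half measure the summary objects to, because the unencrypted page carrying the form is what an attacker would alter. Only the "good" page, served over TLS end to end, comes back clean.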

5 of 214 comments

  1. Credit Unions by daeg · · Score: 5, Interesting

    I petitioned my credit union to force SSL on the entire bank website, complete with a few dozen signers (several of them with very large accounts). Shortly after, the entire website was accessible via SSL only, with any HTTP page redirecting you to the homepage (SSL). Sometimes banking with a small credit union has its advantages.

    I suggest everyone do the same.

    1. Re:Credit Unions by mashade · · Score: 3, Interesting

      USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ for example.

      Wachovia's site is as the article describes and only gives you https after login. I wondered about it myself and so began going to the site by manually specifying https://www.wachovia.com/ -- this works and gives you SSL for the entire browsing session. You may want to type it manually every time, though it would be nice if all banks made their sites HTTPS only.

      --
      Technology tips and tricks.
  2. What me worry by packetmon · · Score: 4, Interesting

    Why should I really worry about security anyway? They've either thrown away my information in a dumpster or were compromised...

    Scott Trade
    Verizon
    Bank of America
    Choicepoint
    Mastercard
    AT&T
    Department of Edumacashun
    Chase

  3. Re:Fixed it for ya! by rblancarte · · Score: 3, Interesting

    The fact is that for an IE Dev to point fingers solely at the bank is a joke.

    There is a lot of blame to go around for insecure bank transactions. In the example, we are presented with the whole case of a user on unsecured wireless. I think the lack of security of the bank in that case is the end user's - I never would do bank transactions on an unsecured network except in extreme cases.

    Granted, I do believe that banks do share some responsibility. I think they would be best served to make all of their pages secure, thereby minimizing the chance for information to be captured. But still I can't solely blame them.

    And it isn't to say that IE is without blame either ...

    RonB

    --
    It is human nature to take shortcuts in thinking.
  4. Re:Fixed it for ya! by ad0gg · · Score: 4, Interesting

    Who says apache isn't the most hacked webserver? I highly doubt IIS is ever hacked, IIS6 which has been out for 4 years only has 3 exploits come out, of which 2 were from components that aren't even installed by default, and the exploit that is actually in IIS has a rating of "not critical". Apache on the other hand has 10% of its known security holes unpatched. It also has tenfold more holes than IIS. I'd take an educated guess and say apache is hacked way more than IIS, so your example fails.

    IIS security holes
    Apache Security Holes

    --
    Have you ever been to a turkish prison?