Slashdot Mirror


IE Devs Criticize Bank Security Vulnerabilities

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"
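The login-page weakness the submitter describes is easy to check for mechanically. The script below is an added example, not code from the IE blog post or from any of the commenters: it inspects recorded HTTP exchanges offline and flags a password form that was delivered over plain HTTP (even when its action URL is HTTPS), a form whose action has been stripped to HTTP, and a plain-HTTP request that was not redirected to HTTPS. The host bank.example, the sample responses and the finding wording are all constructed for the example; the Strict-Transport-Security check is a present-day hardening measure that is not discussed on this page.

```python
"""Audit recorded login-page exchanges for the HTTP/HTTPS mix described above.

Added example (not from the Slashdot thread or the IE blog post). It works on
recorded responses, so the constructed samples at the bottom stand in for
live requests and the script runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect the absolute action URL of every form containing a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._current_action = None
        self._has_password = False
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self._current_action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current_action is not None:
            if self._has_password:
                self.password_form_actions.append(self._current_action)
            self._current_action = None


REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def assess_login_exchange(url, status, headers, body):
    """Return a list of findings for one recorded response to GET `url`.

    An empty list means the exchange shows none of the problems checked here.
    """
    findings = []
    scheme = urlsplit(url).scheme
    headers = {k.lower(): v for k, v in headers.items()}

    if scheme == "http":
        location = headers.get("location", "")
        if status in REDIRECT_STATUSES and urlsplit(location).scheme == "https":
            return findings  # plain-HTTP request bounced to HTTPS: nothing to inspect
        findings.append("plain-HTTP request was not redirected to HTTPS")

    scanner = _FormScanner(url)
    scanner.feed(body)
    for action in scanner.password_form_actions:
        if scheme == "http":
            findings.append(
                f"password form delivered over HTTP (action {action}); "
                "an on-path attacker can alter the form before the user sees it"
            )
        if urlsplit(action).scheme != "https":
            findings.append(f"password form submits in the clear to {action}")

    if scheme == "https" and "strict-transport-security" not in headers:
        findings.append("HTTPS response lacks Strict-Transport-Security")
    return findings


# Constructed sample exchanges: (request URL, status, headers, body).
SAMPLE_EXCHANGES = {
    # The pattern criticised in the summary: the page is plain HTTP, only the
    # password's trip back to the bank is encrypted.
    "password-only-encryption": (
        "http://bank.example/", 200, {"Content-Type": "text/html"},
        '<form action="https://bank.example/login" method="post">'
        '<input name="user"><input type="password" name="pass"></form>',
    ),
    # What the same page looks like once its action URL has lost its "s".
    "form-with-encryption-stripped": (
        "http://bank.example/", 200, {"Content-Type": "text/html"},
        '<form action="http://bank.example/login" method="post">'
        '<input name="user"><input type="password" name="pass"></form>',
    ),
    # HTTPS-only site: plain-HTTP requests are redirected, the real page is HTTPS.
    "redirect-to-https": (
        "http://bank.example/", 301, {"Location": "https://bank.example/"}, "",
    ),
    "https-login-page": (
        "https://bank.example/", 200,
        {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"},
        '<form action="/login" method="post">'
        '<input name="user"><input type="password" name="pass"></form>',
    ),
}


def audit_samples():
    """Run every constructed exchange through the check; returns {name: findings}."""
    return {name: assess_login_exchange(*exchange) for name, exchange in SAMPLE_EXCHANGES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

To use it against a real site, record the response to a plain-HTTP GET of the bank's front page and of the HTTPS login page and feed each to assess_login_exchange; the two HTTP samples above reproduce the summary's case and the HTTPS-only pair reproduces the configuration later commenters ask their banks for.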

21 of 214 comments

  1. Fixed it for ya! by tomhudson · · Score: 3, Funny

    "But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

    "But can you really trust your money to a web browser and operating system that are the most hijacked in the world?"

    There, fixed it for you.

    1. Re:Fixed it for ya! by cryptoguy · · Score: 3, Insightful

      I'm no fan of IE, but Firefox is equally vulnerable to this issue. It's caused by the way SSL / TLS is used by the app on the server.

    2. Re:Fixed it for ya! by rblancarte · · Score: 3, Interesting

      The fact is that for an IE Dev to point fingers solely at the bank is a joke.

      There is a lot of blame to go around for insecure bank transactions. In the example, we are presented w/ the whole case of a user on unsecured wireless. I think the lack of security of the bank in that case is the end user's - I never would do bank transactions on an unsecured network except in extreme cases.

      Granted, I do believe that banks do share some responsibility. I think they would be best served to do all of their pages as secure. Therefore minimize the chance for information to be captured. But still I can't solely blame them.

      And it isn't to say that IE is without blame either ...

      RonB

      --
      It is human nature to take shortcuts in thinking.
    3. Re:Fixed it for ya! by bberens · · Score: 4, Insightful

      Yes, because I'd much rather push my bank password through several other users' machines than have my ISP route directly to the site. Tor is for anonymity, not data security.

      --
      Check out my lame java blog at www.javachopshop.com
    4. Re:Fixed it for ya! by Anonymous Coward · · Score: 4, Insightful

      If Apache made 70% of the webservers in the world, they would also likely be the most hacked webserver in the world ... Oh wait -- they do make 70% of the webservers in the world. Your metaphor fails.

      So back to the obvious explanation: the IE team can't code for shit

    5. Re:Fixed it for ya! by ThinkFr33ly · · Score: 3, Informative

      And, indeed, they likely are the most hacked web servers in the world. IIS 6, on the other hand, appears to be extremely secure. Whether this is a factor of market share or code quality, we don't know.

      Apache: http://secunia.com/search/?search=Apache

      IIS 6: http://secunia.com/product/1438/

      The fact of the matter is that you do not have enough information to conclude that IE is more poorly coded than any other browser out there. You are coming to this conclusion based on assumptions, not based on facts.

    6. Re:Fixed it for ya! by ad0gg · · Score: 4, Interesting

      Who says Apache isn't the most hacked webserver? I highly doubt IIS is ever hacked; IIS6, which has been out for 4 years, has only had 3 exploits come out, of which 2 were from components that aren't even installed by default, and the exploit that is actually in IIS has a rating of "not critical". Apache, on the other hand, has 10% of its known security holes unpatched. It also has 10 fold more holes than IIS. I'd take an educated guess and say Apache is hacked way more than IIS, so your example fails.

      IIS security holes
      Apache Security Holes

      --

      Have you ever been to a turkish prison?

    7. Re:Fixed it for ya! by nekokoneko · · Score: 4, Informative

      Mod parent down! Nice try, but your search listed the vulnerabilities for all Apache related products (httpd 1.x, httpd 2.x, Tomcat, etc), totaling 383 advisories, while listing the vulnerabilities for only a specific version of IIS (IIS 6.0), totaling 3 advisories.
      Comparing IIS 6.0 to, say, Apache 2.2, we see 3 advisories for each product. Also, the comparison fails for only comparing the number of advisories and not the severity level of each one of them. Granted, Apache 2.2 has one unpatched advisory compared to zero for IIS 6.0, but it is not nearly as clear cut and one sided as your post made it seem.

  2. Isn't this a little old? by Hoover,L+Ron · · Score: 5, Informative

    Link goes to some 2 year old blog entry.

    1. Re:Isn't this a little old? by Don_dumb · · Score: 3, Informative

      This whole article is basically just the same two posts the same submitter (mrcaseyj) made in this article http://it.slashdot.org/article.pl?sid=07/05/07/2247244 earlier today. Now his posts may be interesting but anyone who was actually interested in this would have seen these posts today already.

      --
      If this were really happening, what would you think?
  3. Nevermind Just The Login Page by garett_spencley · · Score: 4, Insightful

    The entire session should be secured. Bank account numbers, credit card numbers, transaction histories, information about billers and automatic withdraw dates etc. are easily sniffed.

    Just because they can't get your password doesn't mean they can't get useful information about you. Sniffing out an online banking session could be a big jackpot for an identity thief.

  4. Don't trust any bank that relies on credentials by bjourne · · Score: 4, Insightful

    Personally, I wouldn't trust any bank whose security system relies on user supplied credentials. Any bank that does not supply its customers with an electronic hardware-based security token is not trustworthy enough to handle my savings.

  5. Credit Unions by daeg · · Score: 5, Interesting

    I petitioned my credit union to force SSL on the entire bank website, complete with a few dozen signers (several of them with very large accounts). Shortly after, the entire website was accessible via SSL only, with any HTTP page redirecting you to the homepage (SSL). Sometimes banking with a small credit union has its advantages.

    I suggest everyone do the same.

    1. Re:Credit Unions by mashade · · Score: 3, Interesting

      USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ for example.

      Wachovia's site is as the article describes and only gives you https after login. I wondered about it myself and so began going to the site by manually specifying https://www.wachovia.com/ -- this works and gives you SSL for the entire browsing session. You may want to type it manually every time, though it would be nice if all banks made their sites HTTPS only.

      --
      Technology tips and tricks.
  6. Come on guys... by rob1980 · · Score: 5, Insightful

    Published Wednesday, April 20, 2005 6:44 PM by ieblog

    Two thousand and five.

  7. What me worry by packetmon · · Score: 4, Interesting

    Why should I really worry about security anyway they've either thrown away my information in a dumpster or were compromised...

    Scott Trade
    Verizon
    Bank of America
    Choicepoint
    Mastercard
    AT&T
    Department of Edumacashun
    Chase

  8. Re:Um... by Anonymous Coward · · Score: 4, Insightful

    Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

    Why? SSL protects you from MITM attacks and provides strong encryption & authentication.

    That is exactly what SSL is for, to protect you from sniffers/spoofers between you and the website.

  9. Re:Cringe by LighterShadeOfBlack · · Score: 3, Insightful

    I cringe a little whenever I visit a bank or CC site and see .asp or .aspx at the end of the URL. Why, are you afraid of snakes?

    They're just file extensions buddy, they can't hurt you.
    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
  10. One word answer: mattress by Anonymous Coward · · Score: 3, Funny

    Just put your money in your mattress and avoid all those newfangled bank things.

  11. Re:Um... by jimicus · · Score: 5, Insightful

    Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

    Not really - this is the whole point of SSL. If you trust both endpoints, you don't much care about what's in the middle.

    Now, if you'd said "anyone who logs into their bank site from a random Internet cafe PC is just asking to get owned", I'd agree. It wouldn't require a great deal of sophistication to install keyloggers on every PC. Or if you're rather more sophisticated, you could set up some sort of proxy which sets up a MITM with every HTTPS session, presenting a self-signed certificate for $BANK, and configure the client PCs with the appropriate certificate from the proxy's root CA.

  12. Mother's Maiden Name by giafly · · Score: 3, Insightful

    HTTPS is the least of my worries. I'm more concerned that banks
    1. Use insecure information such as mother's maiden name as proof of id
    2. Phone me with account questions, and ask me to prove my ID, but are incapable of proving their ID
    3. Send my credit cards and PINs using normal post
    4. Don't tell me when they have done "3)" so I won't notice if the letters fail to arrive.
    5. Don't give me the choice of turning off Internet access to my account
    --
    Reduce, reuse, cycle