Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Devs Criticize Bank Security Vulnerabilities

Posted by Zonk on from the i-tend-to-like-that-little-lock-icon dept.

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

4 of 214 comments (clear)

  1. Isn't this a little old? by Hoover,L+Ron · · Score: 5, Informative

    Links goes to some 2 year old blog entry.

  2. Credit Unions by daeg · · Score: 5, Interesting

    I petitioned my credit union to force SSL on the entire bank website, complete with a few dozen signers (several of them with very large accounts). Shortly after the entire website is accessible via SSL only, with any HTTP page redirecting you to the homepage (SSL). Sometimes banking with a small credit union has its advantages.

    I suggest everyone do the same.

  3. Come on guys... by rob1980 · · Score: 5, Insightful

    Published Wednesday, April 20, 2005 6:44 PM by ieblog

    Two thousand and five.

  4. Re:Um... by jimicus · · Score: 5, Insightful

    Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

    Not really - this is the whole point of SSL. If you trust both endpoints, you don't much care about what's in the middle.

    Now, if you'd said "anyone who logs into their bank site from a random Internet cafe PC is just asking to get owned", I'd agree. It wouldn't require a great deal of sophistication to install keyloggers on every PC. Or if you're rather more sophisticated, you could set up some sort of proxy which sets up a MITM with every HTTPS session, presenting a self-signed certificate for $BANK and configure the client PC's with the appropriate certificate from the proxy's root CA.