Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacked Bank of India Site Labeled Trustworthy

Posted by kdawson on from the punching-a-hole-in-the-web-of-trust dept.

SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."

5 of 54 comments (clear)

  1. How common a problem? by mordors9 · · Score: 3, Insightful

    That's the problem, how many consumers are sophisticated enough to even ask the right questions. They simply trust that their financial organization or any major web retailer has a secured site. Obviously there should be strict standards but who is going to enforce it. What authority would the agency actually have. As I have said before, there is still a lot to be said to walking into your local bank and being helped by a clerk that you see every week that you can shoot the shit with as they handle your transaction.

    1. Re:How common a problem? by Ash+Vince · · Score: 3, Insightful

      That's the problem, how many consumers are sophisticated enough to even ask the right questions. On a similar note I just went to the Site Advisor page for bank of india. (http://www.siteadvisor.com/sites/bankofindia.com)

      Especially amusing is the comment some moron has posted complaining about when Bank of India was getting a red rating. Basically he is saying how he used the site for three years and it must be a site advisor problem not a problem with the Bank of India website.

      How on earth do you come up with a technological solution that copes with people who even when they get a warning saying that the site they about to visit is dangerous carry on and visit the site anyway. I know that he should now have learnt his lesson (assuming he visited the site and got all that crap installed on his PC) but there must be alot more morons out there just like him.
      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
  2. Banks: Please Stop Using ActiveX ! by Gopal.V · · Score: 5, Insightful

    There are very few instances when I actually need to rdesktop in and use a Windows machine.

    One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work. For someone who uses FF, noscript and occasional peeks at firebug, it really pisses me off when I have to disable all my own security checks to enable a site to "secure" itself.

    This is just another instance where I'd have been hit if I had been a user of the said bank (and had to use IE to browse it).

    --
    Quidquid latine dictum sit, altum videtur
    1. Re:Banks: Please Stop Using ActiveX ! by ScrewMaster · · Score: 3, Insightful

      For someone who uses FF, noscript and occasional peeks at firebug,

      Don't forget Privoxy.

      But yeah, the only thing I deliberately use Internet Exploiter for is Windowsupdate. Requiring an ActiveX control (ActiveX!) on a financial site is unacceptable, as is forcing visitors to use Explorer. Personally, I have the same setup you do, and the occasional site that requires Explorer doesn't get visited again. I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site.

      One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work.

      That's insane. I mean, the bank is assuming that their own security is perfect and will never be cracked, which is not realistic. When you get right down to it, you'd think that banks (of all organizations) would require the use of a more secure medium. Nothing would please me more than to navigate to my bank's Web site in Explorer and see a message "We're sorry, but due to ongoing security issues with Microsoft Internet Explorer, this site requires the use of a more capable browser" and see links to Firefox, Opera and others. When I first signed up at my current bank, it was the exact opposite, but fortunately I could just change the browser ID and it worked fine, no ActiveX crap.

      --
      The higher the technology, the sharper that two-edged sword.
  3. Re:Whoopdeedoo by garcia · · Score: 5, Insightful

    As stated, when someone like Doubleclick, Akamai or some other cache serving company gets compromised, then I will worry about things more.

    For some unknown reason, I hoped that financial institutions would have more online security than Doubleclick or Akamai.