Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacked Bank of India Site Labeled Trustworthy

Posted by kdawson on from the punching-a-hole-in-the-web-of-trust dept.

SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."

13 of 54 comments (clear)

  1. How common a problem? by mordors9 · · Score: 3, Insightful

    That's the problem, how many consumers are sophisticated enough to even ask the right questions. They simply trust that their financial organization or any major web retailer has a secured site. Obviously there should be strict standards but who is going to enforce it. What authority would the agency actually have. As I have said before, there is still a lot to be said to walking into your local bank and being helped by a clerk that you see every week that you can shoot the shit with as they handle your transaction.

    1. Re:How common a problem? by Ash+Vince · · Score: 3, Insightful

      That's the problem, how many consumers are sophisticated enough to even ask the right questions. On a similar note I just went to the Site Advisor page for bank of india. (http://www.siteadvisor.com/sites/bankofindia.com)

      Especially amusing is the comment some moron has posted complaining about when Bank of India was getting a red rating. Basically he is saying how he used the site for three years and it must be a site advisor problem not a problem with the Bank of India website.

      How on earth do you come up with a technological solution that copes with people who even when they get a warning saying that the site they about to visit is dangerous carry on and visit the site anyway. I know that he should now have learnt his lesson (assuming he visited the site and got all that crap installed on his PC) but there must be alot more morons out there just like him.
      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
  2. Banks: Please Stop Using ActiveX ! by Gopal.V · · Score: 5, Insightful

    There are very few instances when I actually need to rdesktop in and use a Windows machine.

    One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work. For someone who uses FF, noscript and occasional peeks at firebug, it really pisses me off when I have to disable all my own security checks to enable a site to "secure" itself.

    This is just another instance where I'd have been hit if I had been a user of the said bank (and had to use IE to browse it).

    --
    Quidquid latine dictum sit, altum videtur
    1. Re:Banks: Please Stop Using ActiveX ! by Anonymous Coward · · Score: 5, Interesting

      The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products. So each year they produce many thousands of students who know of nothing but Windows, VB.NET, SQL Server, and ActiveX. When you only really know about one particular set of technologies, and virtually nothing about the alternatives, you'll usually make poor choices regarding which technologies to use. In the case of ActiveX, its use can easily lead to compromised systems and data.

    2. Re:Banks: Please Stop Using ActiveX ! by ScrewMaster · · Score: 3, Insightful

      For someone who uses FF, noscript and occasional peeks at firebug,

      Don't forget Privoxy.

      But yeah, the only thing I deliberately use Internet Exploiter for is Windowsupdate. Requiring an ActiveX control (ActiveX!) on a financial site is unacceptable, as is forcing visitors to use Explorer. Personally, I have the same setup you do, and the occasional site that requires Explorer doesn't get visited again. I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site.

      One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work.

      That's insane. I mean, the bank is assuming that their own security is perfect and will never be cracked, which is not realistic. When you get right down to it, you'd think that banks (of all organizations) would require the use of a more secure medium. Nothing would please me more than to navigate to my bank's Web site in Explorer and see a message "We're sorry, but due to ongoing security issues with Microsoft Internet Explorer, this site requires the use of a more capable browser" and see links to Firefox, Opera and others. When I first signed up at my current bank, it was the exact opposite, but fortunately I could just change the browser ID and it worked fine, no ActiveX crap.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Banks: Please Stop Using ActiveX ! by Shados · · Score: 2, Interesting

      Ironicaly, I went to a very Windows-heavy college (it did show unix, linux, intel assembly, and other non-MS centric stuff, but overall it was more than 50% windows), and they didn't show us ActiveX especially becuase of all its issues (and that was before .NET, too, back when ActiveX were sortoff relevent).

      So not only those institutes may be Windows-only, but they're behind the time and pretty bad too. At least from what I read, not -all- of em are like that...

  3. Re:Whoopdeedoo by garcia · · Score: 5, Insightful

    As stated, when someone like Doubleclick, Akamai or some other cache serving company gets compromised, then I will worry about things more.

    For some unknown reason, I hoped that financial institutions would have more online security than Doubleclick or Akamai.

  4. Re:iframes... by ubernostrum · · Score: 3, Informative

    They're useful for doing in-place file uploads without refreshing the page (e.g., in a web app like Gmail where you'd want to add an attachment to a message), because that's the only way to do that.

  5. Anti-phishing tools shouldn't be used to determine by Glowing+Fish · · Score: 4, Interesting

    Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
    These tools might have picked up thousands of shoddily done, fly by night phishing scams. It doesn't reflect badly on them if one well done, sophisticated cracked server can fool them. There is still going to be errors. These tools allow people to discount the most obvious hacks, and use their time on the 1% of most dangerous hacks.

    --
    Hopefully I didn't put any [] around my words.
  6. now if it were me... by oblonski · · Score: 2, Interesting

    ... I would implement the one-time password sent to mobile phone which is the method my internet banking site uses: you log in with card number, customer selcted pin and password

    the login page also has BIG warnings: do not click on any links (relating to your banking or purporting to be) or give your banking details to anyone on the internet or in an e-mail since the bank or it's employees will never ask for it

    then when you are on your profile page, before you can do any transaction at all, the site sends an SMS to your mobile with a one-time password only after entering this password are you allowed into your main account and can start banking i.e verifying your physical presence as well as being good security measure for online banking sessions

    of course you need to set all this up with your bank beforehand, but with new financial regulations in south africa you go through a long process of verifying your identity and proof of address in person in a bank each year, so from the beginning this type of scheme has robust security

    this has worked very well and i need to hear of an instance of it being circumvented other than criminals holding a gun to your head while you do your banking, which puts the whole thing in another category altogether

    people who get scammed by clicking on links and falling for Nigerian type fund relocation schemes only has their own stupidity and greed to blame

    only my 0.02

    --
    Move along now, nothing to see here! Go on!
    1. Re:now if it were me... by mlts · · Score: 3, Informative

      Banks, especially in the US, need a system like above for authentication, where its not just a single username and password protecting someone's accounts from total destruction. Some banks now use a system where you type in your username, it asks one of several personal questions, then your password, but that doesn't protect much against a keylogger, as an attacker can keep trying the questions until he/she finds the one that gets presented with an answer in the keysniffer's output.

      PayPal, eBay, and Verisign offer a rebranded Vasco keyfob that one can use. Enter in username, tab to the password field, enter in your password, then append the six digit number from the Digipass Go 3 (the OEM name), and you are in. Though this is not as well engineered as a SecurID system, it still forces a would-be thief to have physical custody of the keyfob and the password to the account.

      Some European banks use a system similar to the age-old one time password system found in BSD (S/Key or OPIE). You obtain a list of one time passwords on a piece of paper that you scratch off in the mail, and every time you log in, you scratch off the next one on the list. This can be attacked (there are some targeted phishing attacks to try to get users to type in multiple lines off the OTP paper), but it keeps a compromised user PC from becoming an entry point for an attacker.

      Lastly, there are always Aladdin eTokens that store a private client certificate. This is one of the more secure ways, because there are zero passwords used. The server asks the client (any web browser pretty much) for a certificate similar to how a SSL enabled web browser asks the web server for its cert, the web browser passes the signing request to the eToken, the eToken signs it on the physical card (the private key never leaves the eToken), and the server checks the validated cert against the user list and lets the user in. For academic places (universities), this is one of the absolute best ways to do things.

      All and all, probably the best solution would likely be a hybrid system, similar to an eToken NG-OTP keyfob, that allows a user to plug the token in and use it online with client certificates, or offline, typing the six digit number off the LCD screen.

      Disclaimer: I don't work for Aladdin, RSA, or Vasco, but like their products.

  7. Re:Anti-phishing tools shouldn't be used to determ by blowdart · · Score: 2, Informative

    But that's not what anti-phishing tools are they for. They should flag fake sites, not legit sites serving spyware. Regardless of the hack, the site itself was still the Bank of India site, and not a phished site. An iframe embedded in legit source is not a phishing scam. A toolbar that only checks for URL legitimacy would be correct in not flagging the site.

  8. Re:Looks to me..... by jimicus · · Score: 2, Interesting

    Maybe the malware it dishes out only affects Windows users. But if that part of the site has been compromised, what's to say there isn't also some surreptitious logging of user credentials going on?