Slashdot Mirror


Hacked Bank of India Site Labeled Trustworthy

SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors. The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."

4 of 54 comments

  1. Banks: Please Stop Using ActiveX ! by Gopal.V · Score: 5, Insightful

    There are very few instances when I actually need to rdesktop in and use a Windows machine.

    One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work. For someone who uses FF, noscript and occasional peeks at firebug, it really pisses me off when I have to disable all my own security checks to enable a site to "secure" itself.

    This is just another instance where I'd have been hit if I had been a user of the said bank (and had to use IE to browse it).

    1. Re:Banks: Please Stop Using ActiveX ! by Anonymous Coward · Score: 5, Interesting

      The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products. So each year they produce many thousands of students who know of nothing but Windows, VB.NET, SQL Server, and ActiveX. When you only really know about one particular set of technologies, and virtually nothing about the alternatives, you'll usually make poor choices regarding which technologies to use. In the case of ActiveX, its use can easily lead to compromised systems and data.

  2. Re:Whoopdeedoo by garcia · Score: 5, Insightful

    As stated, when someone like Doubleclick, Akamai or some other cache serving company gets compromised, then I will worry about things more.

    For some unknown reason, I hoped that financial institutions would have more online security than Doubleclick or Akamai.

  3. Anti-phishing tools shouldn't be used to determine by Glowing+Fish · Score: 4, Interesting

    Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
    These tools might have picked up thousands of shoddily done, fly-by-night phishing scams. It doesn't reflect badly on them if one well-done, sophisticated cracked server can fool them. There are still going to be errors. These tools allow people to discount the most obvious hacks, and use their time on the 1% of most dangerous hacks.

    --
    Hopefully I didn't put any [] around my words.