Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Major banking sites insecure, researcher warns

Log-ins are usually encrypted, but not enough banks authenticate

April 20, 2006 12:00 PM ET

IDG News Service - Online bank customers may want to pay a little more attention to their browsers the next time they log in, because many of the most popular banking sites in the U.S. may be needlessly placing their customers at risk to online thieves, a noted security researcher warned Thursday.

At issue are the user log-in areas on sites like Chase.com and Americanexpress.com that ask customers to submit their ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Johannes Ullrich, chief research officer at the SANS Institute.

A more secure approach would be to force users to log in on an HTTP Secure (HTTPS) Web page. HTTPS pages use the Secure Sockets Layer (SSL) security protocol, which not only encrypts the information on the page but also provides digital certificates to give assurance that the Web site in question is genuine.

"If the log-in form is not HTTPS, you don't know if it's the real thing," Ullrich said.

Web pages that do not use this type of secure connection are vulnerable to a type of attack known as DNS spoofing, where attackers attempt to trick Web browsers into visiting bogus Web sites. They do this by gaming the system used to convert Web addresses, such as BofA.com, into the numerical IP addresses used by computers to navigate the Internet.

This type of attack is technically challenging, however, and hackers generally find it far easier to use phishing techniques to trick users into giving up their usernames and passwords, Ullrich said.

Still, there's no good reason for banks to allow users to log in on pages that do not use SSL, Ullrich said. The SANS researcher has compiled a list of banks that includes information on their use of SSL authentication.

Banks that require SSL authentication include Capital One Bank., Citigroup Inc., and Wells Fargo & Co.

Often banks include SSL log-in pages as an option, but they can be hard to find, Ullrich said. One trick for finding these pages, which will prompt Firefox and Internet Explorer to display a yellow lock icon on the bottom of the screen, is to submit a bad password on the home page. Often bank sites will redirect users to the SSL log-in page after that happens, he said.

Though he admits to logging in to pages that do not use SSL encryption himself, security consultant Richard Smith agreed that it would be safer for banks to direct their users to an HTTPS page for account log-ins. "It's only one extra step," he said. "The banks could do it, but I guess they feel that one extra step is too hard for people."

Bank of America Corp. does not use SSL sign-in on its front page, and it defended its practices. "It is more convenient for our customers and it is secure," said Bank of America spokeswoman Betty Riess.

Though Bank of America allows customers to enter their online IDs on the home page, users cannot submit passwords there. The bank sends customers to an HTTPS page and uses a technology called SiteKey to confirm to them that they are at the legitimate Bank of America site before they enter their passwords.

"We're committed to safeguarding customer information online, and we wouldn't do anything to compromise that security," Riess said.


Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.

Jump to comments

Security

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

White Papers & Webcasts

Share our Strength
Download Now  

Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...

Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...