Major banking sites insecure, researcher warns

IDG News Service - Online bank customers may want to pay a little more attention to their browsers the next time they log in, because many of the most popular banking sites in the U.S. may be needlessly placing their customers at risk to online thieves, a noted security researcher warned Thursday.

At issue are the user log-in areas on sites like Chase.com and Americanexpress.com that ask customers to submit their ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Johannes Ullrich, chief research officer at the SANS Institute.

A more secure approach would be to force users to log in on an HTTP Secure (HTTPS) Web page. HTTPS pages use the Secure Sockets Layer (SSL) security protocol, which not only encrypts the information on the page but also provides digital certificates to give assurance that the Web site in question is genuine.

"If the log-in form is not HTTPS, you don't know if it's the real thing," Ullrich said.

Web pages that do not use this type of secure connection are vulnerable to a type of attack known as DNS spoofing, where attackers attempt to trick Web browsers into visiting bogus Web sites. They do this by gaming the system used to convert Web addresses, such as BofA.com, into the numerical IP addresses used by computers to navigate the Internet.

This type of attack is technically challenging, however, and hackers generally find it far easier to use phishing techniques to trick users into giving up their usernames and passwords, Ullrich said.

Still, there's no good reason for banks to allow users to log in on pages that do not use SSL, Ullrich said. The SANS researcher has compiled a list of banks that includes information on their use of SSL authentication.

Banks that require SSL authentication include Capital One Bank., Citigroup Inc., and Wells Fargo & Co.

Often banks include SSL log-in pages as an option, but they can be hard to find, Ullrich said. One trick for finding these pages, which will prompt Firefox and Internet Explorer to display a yellow lock icon on the bottom of the screen, is to submit a bad password on the home page. Often bank sites will redirect users to the SSL log-in page after that happens, he said.

Though he admits to logging in to pages that do not use SSL encryption himself, security consultant Richard Smith agreed that it would be safer for banks to direct their users to an HTTPS page for account log-ins. "It's only one extra step," he said. "The banks could do it, but I guess they feel that one extra step is too hard for people."

Bank of America Corp. does not use SSL sign-in on its front page, and it defended its practices. "It is more convenient for our customers and it is secure," said Bank of America spokeswoman Betty Riess.

Though Bank of America allows customers to enter their online IDs on the home page, users cannot submit passwords there. The bank sends customers to an HTTPS page and uses a technology called SiteKey to confirm to them that they are at the legitimate Bank of America site before they enter their passwords.

"We're committed to safeguarding customer information online, and we wouldn't do anything to compromise that security," Riess said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.