Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Major banking sites insecure, researcher warns

Log-ins are usually encrypted, but not enough banks authenticate
 

Sign up to receive Security Resource Alerts

April 20, 2006 (IDG News Service) -- Online bank customers may want to pay a little more attention to their browsers the next time they log in, because many of the most popular banking sites in the U.S. may be needlessly placing their customers at risk to online thieves, a noted security researcher warned Thursday.

At issue are the user log-in areas on sites like Chase.com and Americanexpress.com that ask customers to submit their ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Johannes Ullrich, chief research officer at the SANS Institute.

A more secure approach would be to force users to log in on an HTTP Secure (HTTPS) Web page. HTTPS pages use the Secure Sockets Layer (SSL) security protocol, which not only encrypts the information on the page but also provides digital certificates to give assurance that the Web site in question is genuine.

"If the log-in form is not HTTPS, you don't know if it's the real thing," Ullrich said.

Web pages that do not use this type of secure connection are vulnerable to a type of attack known as DNS spoofing, where attackers attempt to trick Web browsers into visiting bogus Web sites. They do this by gaming the system used to convert Web addresses, such as BofA.com, into the numerical IP addresses used by computers to navigate the Internet.

This type of attack is technically challenging, however, and hackers generally find it far easier to use phishing techniques to trick users into giving up their usernames and passwords, Ullrich said.

Still, there's no good reason for banks to allow users to log in on pages that do not use SSL, Ullrich said. The SANS researcher has compiled a list of banks that includes information on their use of SSL authentication.

Banks that require SSL authentication include Capital One Bank., Citigroup Inc., and Wells Fargo & Co.

Often banks include SSL log-in pages as an option, but they can be hard to find, Ullrich said. One trick for finding these pages, which will prompt Firefox and Internet Explorer to display a yellow lock icon on the bottom of the screen, is to submit a bad password on the home page. Often bank sites will redirect users to the SSL log-in page after that happens, he said.

Though he admits to logging in to pages that do not use SSL encryption himself, security consultant Richard Smith agreed that it would be safer for banks to direct their users to an HTTPS page for account log-ins. "It's only one extra step," he said. "The banks could do it, but I guess they feel that one extra step is too hard for people."

Continued...
1 | 2 | NEXT  

Reprinted with permission from

IDG.net
Story copyright 2008 International Data Group. All rights reserved.


Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story
"An approaching hurricane fortuitously recalls the famous statement on planning from Eisenhower. We should heed his words...." Read more...
Read more Security posts or See all Blogs
At 10, Google reiterates commitment to CIOs
Microsoft explains Seinfeld-Windows TV ad: just a 'teaser'
Continuing coverage: Google's Chrome browser
More top stories...
iPhone 3G owner sues Apple, AT&T over dropped calls, app crashes
Mozilla: Firefox is faster than Chrome
Upcoming Microsoft patch lineup could be 'massive,' says researcher
Users of Windows XP SP3 who try out IE8 Beta 2 won't be able to uninstall either one under certain circumstances.
Google has gone from innovative upstart to fat-and-happy industry leader in what seems like record time. Preston Gralla explains.
Microsoft's latest beta of IE8 includes better tab management, new services such as Web Slices and Accelerators, and the new 'porn mode.'
These leading-edge graduate schools are moving at the pace of the IT workplace, delivering coursework that's relevant to today's IT professionals.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
The File Data Management Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Business Intelligence and Analytics Zone
Windows Protection Zone
Identity & Security Management Zone

Ads by TechWords

See your link here
From Laggard to Leader: Transforming the Data Center
From Laggard to Leader: Transforming the Data Center
Register for this complimentary live webcast today!
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Online Security Issues in Regulated Industries
Download this research paper, free for a limited time, compliments of Webroot!
(Source: Webroot Software) In June 2008, Computerworld invited IT and business leaders to participate in a survey on online security initiatives at their organizations. The goal of the survey was to better understand Web and e-mail security issues faced today within the regulated education, financial services, government and health care industries. The following report represents top-line results of that survey.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Death to PST: Hidden Cost of Email Mismanagement
Extend, Replace, or Convert; which is the best way forward for COBOL Applications?
The Trend from Unix to Linux in SAP Data Centers
View more whitepapers