TELECOM Digest OnLine - Sorted: Re: Are Major Banking Sites Insecure?


Re: Are Major Banking Sites Insecure?


Steven Lichter (shlichter@sbcglobal.net)
Sat, 22 Apr 2006 20:24:28 GMT

In article telecom25.154.8@telecom-digest.org, Gordon Burditt at
gordonb.mjj57@burditt.org wrote on 4/21/06 16:10:

>> At issue are the user login areas that can be found on banking sites
>> such as Chase.com and Americanexpress.com, which ask users to submit
>> their user ID and password information. Although these forms may be
>> encrypted, they do not use authentication technology to prove they are
>> genuine, according to Johannes Ullrich, chief research officer at the
>> SANS Institute.

>> A more secure approach would be to force users to log in on an HTTPS
>> (HyperText Transport Protocol Secure) Web page. HTTPS pages use the
>> SSL (Secure Sockets Layer) security protocol, which not only encrypts
>> the information on the page but also provides digital certificates to
>> give assurance that the Web site in question is genuine.

> SSL is an effective way of transmitting payment information securely to
> the thief operating a web site in such a way that the other thieves
> don't get the info first.

>> "If the login form is not HTTPS, you don't know if it's the real
>> thing," Ullrich said.

> If it's HTTPS, and you don't look at the certificate, you still don't
> know if it's the real thing. If you don't look at the certificate,
> you don't know it doesn't say: "Union of Nigerian Bank Fraud Artists,
> Third Pile of Money on the Left SUCKER, Nigerian Republic of Bank
> Fraud". I suspect just about anyone can get a real certificate if
> they use their real name on it, even if they are running a web site
> from inside a prison and freely admit it to Verisign. Saddam, have
> you applied for a certificate yet?

> If you don't pay attention to warnings about certificate authorities,
> I can make a certificate that looks just like a real bank certificate,
> and it will fool lots of people. However, it's more fun to make
> certificates for "Satan, Prince of Darkness", and few people will read
> it anyway. You do get a few browser warnings, however, I suspect a
> lot of people would click OK without thinking to a popup:

> You are about to install the Code Red Virus.
> Only an idiot would deliberately install a virus thinking
> it was anti-virus software. The install program will also
> drain your checking account and take your soul and first-born
> child. Install virus anyway?

>> Web pages that do not use this type of secure connection are
>> vulnerable to a type of attack known as DNS (Domain Name System)
>> spoofing, where attackers attempt to trick Web browsers into visiting
>> bogus Web sites.

> And if you don't read the certificates, you won't notice that you
> expected to be connected to Chased Bank and you're really connected to
> Henry's House of Hashish and Aftermarket Biological Weapons.

>> This type of attack is technically challenging, however, and hackers
>> generally find it far easier to trick users into giving up their user
>> names and passwords using phishing techniques, Ullrich said.

>> Though Bank of America allows customers to enter their online IDs on
>> the home page, they cannot submit passwords. The bank sends them to an
>> HTTPS page and uses a technology called SiteKey to confirm to
>> customers that they are at the legitimate Bank of America site before
>> they enter their passwords.

>> "We're committed to safeguarding customer information online and we
>> wouldn't do anything to compromise that security," Riess said.

> Bank of America has an interesting setup to avoid spoofing and
> man-in-the-middle attacks, and it involves the user a bit more. You
> set up an image (chosen from a set of what might be a few hundred), a
> caption, and some security questions and answers. (For example, I
> might select an image of a fire-breathing dragon, and caption it "my
> mother-in-law". I might also select a security question of "What is
> your favorite pet?" with the answer "9/11/2001". Of course, by
> choosing such weird answers, I'd better remember the real answers as
> the question won't give much of a hint.)

> 1. You go to what is supposedly the login page.
> 2. You put in your ID (but not password)
> 3. If your computer has the BofA cookie on it for this account,
> skip to step 7
> 4. You are asked one of the security questions (I think an SSL page).
> 5. You answer it.
> 6. If your answer is correct, the web page offers to put a cookie on
> the computer you are using (but advises you not to if it's a public
> system).
> 7. You get a SSL page showing your selected image and the caption
> (Together, these are the site key.).
> You are advised *NOT* to enter your password if you don't see the
> correct site key. Enter your password.
> 8. You put in the password.
> 9. If it's correct, you're in, and the cookie from step 6 is added
> if requested.
> 10. You get the online banking page (SSL) for your account.

> If you usually log in from a small set of computers which by now have
> the cookie on them, you only do steps 1, 2, 7, 8, 9, and 10, and you
> should be suspicious of suddenly getting asked (for a
> man-in-the-middle attack) one of the security questions.

> Notes: if you refuse to accept cookies, you get asked the security
> question, but it still works. The cookie does NOT substitute for
> knowing the password.

> Although it's hardly foolproof, especially if the user isn't paying
> attention, it's different and it involves the user a bit more, so I
> think it's going to be more effective.

> Gordon L. Burditt

Our credit union started this option a few weeks ago, which surprised me
since there was no warning; I found a member newsletter that had said
they were going to start this. Also, Walmart has it on their online
pharmacy site to get into your account.
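The ten-step site-key flow Gordon describes above, as an added Python model that is not part of the original post or of Bank of America's own software; the account record, salt, hashing and cookie handling are constructed for the demo (a real system would use a slow password KDF).

```python
import hashlib
import hmac
import secrets

SALT = b"demo-salt"  # constructed; a real system uses a per-account random salt


def _h(secret: str) -> bytes:
    # Demo hashing only; production code would use scrypt or similar.
    return hashlib.sha256(SALT + secret.encode()).digest()


# Constructed demo account: image + caption (the site key), one security
# question, and salted hashes of its answer and of the password.
ACCOUNTS = {
    "alice": {
        "image": "fire-breathing dragon", "caption": "my mother-in-law",
        "question": "What is your favorite pet?",
        "answer_hash": _h("9/11/2001"), "password_hash": _h("correct horse"),
    }
}


class SiteKeyServer:
    """ID first; security question only when the browser has no device cookie;
    site key shown before the password; cookie issued only after the password."""

    def __init__(self):
        self.device_cookies = {}  # cookie value -> user id (set in step 9)
        self.verified = set()     # users who passed step 3 or step 5
        self.pending = {}         # user id -> cookie offered in step 6

    def start_login(self, user_id, cookie=None):
        """Steps 1-4: known cookie skips to the site key, else ask the question."""
        acct = ACCOUNTS[user_id]
        if cookie and self.device_cookies.get(cookie) == user_id:
            self.verified.add(user_id)
            return ("sitekey", acct["image"], acct["caption"])
        return ("question", acct["question"])

    def answer_question(self, user_id, answer, want_cookie=False):
        """Steps 5-7: correct answer reveals the site key and may queue a cookie."""
        acct = ACCOUNTS[user_id]
        if not hmac.compare_digest(_h(answer), acct["answer_hash"]):
            return None
        self.verified.add(user_id)
        if want_cookie:
            self.pending[user_id] = secrets.token_hex(16)
        return ("sitekey", acct["image"], acct["caption"])

    def submit_password(self, user_id, password):
        """Steps 8-10: the cookie never substitutes for the password."""
        acct = ACCOUNTS[user_id]
        if user_id not in self.verified:
            return (False, None)  # site key was never shown; refuse
        if not hmac.compare_digest(_h(password), acct["password_hash"]):
            return (False, None)
        cookie = self.pending.pop(user_id, None)
        if cookie:
            self.device_cookies[cookie] = user_id
        return (True, cookie)
```

A browser presenting a cookie the server has never issued is sent back to the security question, which is the "be suspicious" signal Gordon mentions.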
