Robert McMillan, IDG News Service
Online bank customers may want to pay a little more attention to their
browsers the next time they log in, because many of the most popular
banking sites in the U.S. may be needlessly placing their customers at
risk to online thieves, a noted security researcher warned this week.
At issue are the user login areas that can be found on banking sites
such as Chase.com and Americanexpress.com, which ask users to submit
their user ID and password information. Although these forms may be
encrypted, they do not use authentication technology to prove they are
genuine, according to Johannes Ullrich, chief research officer at the
SANS Institute.
A more secure approach would be to force users to log in on a HTTPS
(HyperText Transport Protocol Secure) Web page. HTTPS pages use the
SSL (Secure Sockets Layer) security protocol, which not only encrypts
the information on the page but also provides digital certificates to
give assurance that the Web site in question is genuine.
"If the login form is not HTTPS, you don't know if it's the real
thing," Ullrich said.
Web pages that do not use this type of secure connection are
vulnerable to a type of attack known as DNS (Domain Name System)
spoofing, where attackers attempt to trick Web browsers into visiting
bogus Web sites.
This type of attack is technically challenging, however, and hackers
generally find it far easier to trick users into giving up their user
names and passwords using phishing techniques, Ullrich said.
SSL for Security
Still, there's no good reason for banks to allow users to log in on
pages that do not use SSL, Ullrich said. The SANS researcher has
compiled a list of banks that includes information on their use of SSL
authentication.
Banks that require SSL authentication include Capital One Bank,
Citigroup, and Wells Fargo.
Often banks include SSL login pages as an option, but they can be hard
to find, Ullrich said. One trick for finding these pages, which will
prompt Firefox and Internet Explorer to display a yellow lock icon on
the bottom of the screen, is to submit a bad password on the home
page. Often bank sites will redirect users to the SSL login page after
this happens, he said.
Though he admits to logging in to pages that do not use SSL encryption
himself, security consultant Richard Smith agreed that it would be
safer for banks to direct their users to an HTTPS page for account
logins. "It's only one extra step," he said. "The banks could do it,
but I guess they feel that one extra step is too hard for people."
One of the banks that does not use SSL sign-in on its front page
defended its practices. "It is more convenient for our customers and
it is secure," said Bank of America spokeswoman Betty Riess.
Though Bank of America allows customers to enter their online IDs on
the home page, they cannot submit passwords. The bank sends them to an
HTTPS page and uses a technology called SiteKey to confirm to
customers that they are at the legitimate Bank of America site before
they enter their passwords.
"We're committed to safeguarding customer information online and we
wouldn't do anything to compromise that security," Riess said.
Copyright 2006 PC World Communications, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html
Robert McMillan (idg@telecom-digest.org)