> At issue are the user login areas that can be found on banking sites
> such as Chase.com and Americanexpress.com, which ask users to submit
> their user ID and password information. Although these forms may be
> encrypted, they do not use authentication technology to prove they are
> genuine, according to Johannes Ullrich, chief research officer at the
> SANS Institute.
> A more secure approach would be to force users to log in on a HTTPS
> (HyperText Transport Protocol Secure) Web page. HTTPS pages use the
> SSL (Secure Sockets Layer) security protocol, which not only encrypts
> the information on the page but also provides digital certificates to
> give assurance that the Web site in question is genuine.
SSL is an effective way of transmitting payment information securely to
the thief operating a web site in such a way that the other thieves
don't get the info first.
> "If the login form is not HTTPS, you don't know if it's the real
> thing," Ullrich said.
If it's HTTPS, and you don't look at the certificate, you still don't
know if it's the real thing. If you don't look at the certificate,
you don't know it doesn't say: "Union of Nigerian Bank Fraud Artists,
Third Pile of Money on the Left SUCKER, Nigerian Republic of Bank
Fraud". I suspect just about anyone can get a real certificate if
they use their real name on it, even if they are running a web site
from inside a prison and freely admit it to Verisign. Saddam, have
you applied for a certificate yet?
If you don't pay attention to warnings about certificate authorities,
I can make a certificate that looks just like a real bank certificate,
and it will fool lots of people. However, it's more fun to make
certificates for "Satan, Prince of Darkness", and few people will read
it anyway. You do get a few browser warnings, however, I suspect a
lot of people would click OK without thinking to a popup:
You are about to install the Code Red Virus.
Only an idiot would deliberately install a virus thinking
it was anti-virus software. The install program will also
drain your checking account and take your soul and first-born
child. Install virus anyway?
> Web pages that do not use this type of secure connection are
> vulnerable to a type of attack known as DNS (Domain Name System)
> spoofing, where attackers attempt to trick Web browsers into visiting
> bogus Web sites.
And if you don't read the certificates, you won't notice that you
expected to be connected to Chased Bank and you're really connected to
Henry's House of Hashish and Aftermarket Biological Weapons.
> This type of attack is technically challenging, however, and hackers
> generally find it far easier to trick users into giving up their user
> names and passwords using phishing techniques, Ullrich said.
> Though Bank of America allows customers to enter their online IDs on
> the home page, they cannot submit passwords. The bank sends them to an
> HTTPS page and uses a technology called SiteKey to confirm to
> customers that they are at the legitimate Bank of America site before
> they enter their passwords.
> "We're committed to safeguarding customer information online and we
> wouldn't do anything to compromise that security," Riess said.
Bank of America has an interesting setup to avoid spoofing and
man-in-the-middle attacks, and it involves the user a bit more. You
set up an image (chosen from a set of what might be a few hundred), a
caption, and some security questions and answers. (For example, I
might select an image of a fire-breathing dragon, and caption it "my
mother-in-law". I might also select a security question of "What is
your favorite pet?" with the answer "9/11/2001". Of course, by
choosing such wierd answers, I'd better remember the real answers as
the question won't give much of a hint.)
1. You go to what is supposedly the login page.
2. You put in your ID (but not password)
3. If your computer has the BofA cookie on it for this account, skip to step 7
4. You are asked one of the security questions (I think an SSL page).
5. You answer it.
6. If your answer is correct, the web page offers to put a cookie on
the computer you are using (but advises you not to if it's a public
system).
7. You get a SSL page showing your selected image and the caption
(Together, these are the site key.).
You are advised *NOT* to enter your password if you don't see the
correct site key. Enter your password.
8. You put in the password.
9. If it's correct, you're in, and the cookie from step 6 is added
if requested.
10. You get the online banking page (SSL) for your account.
If you usually log in from a small set of computers which by now have
the cookie on them, you only do steps 1, 2, 7, 8, 9, and 10, and you
should be suspicious of suddenly getting asked (for a
man-in-the-middle attack) one of the security questions.
Notes: if you refuse to accept cookies, you get asked the security
question, but it still works. The cookie does NOT substitute for
knowing the password.
Although it's hardly foolproof, especially if the user isn't paying
attention, it's different and it involves the user a bit more, so I
think it's going to be more effective.
Gordon L. Burditt
Gordon Burditt (gordonb.mjj57@burditt.org)