Gordon Burditt <gordonb.mjj57@burditt.org> wrote:
>> Web pages that do not use this type of secure connection are
>> vulnerable to a type of attack known as DNS (Domain Name System)
>> spoofing, where attackers attempt to trick Web browsers into visiting
>> bogus Web sites.
> And if you don't read the certificates, you won't notice that you
> expected to be connected to Chased Bank and you're really connected to
> Henry's House of Hashish and Aftermarket Biological Weapons.
You're right, most people don't pay attention to the certificate
warnings and even if they did they wouldn't understand how to
determine if it was a legitimate concern or not. I however, do.
American Express always has an annoying SSL cert misconfiguration of
some sort or other from time to time. I know they have these
problems, however, still check them when they occur, however if it had
been someone like, say, my mom, I'm sure she wouldn't have a clue.
> Bank of America has an interesting setup to avoid spoofing and
> man-in-the-middle attacks, and it involves the user a bit more.
That's pretty interesting but it still doesn't do anything about any
type of keylogging software that might be on the machine. This is one
of the reasons I now will never use public computers while traveling
or even friend's machines. I always explain to them that it's not
that I don't trust them, I just don't trust what they may not know is
running on their computer. So, I boot a known quantity (Knoppix
Linux) and use that to do any banking. You would be amazed however at
the number of ignorant internet cafe owners that are 1) "Confident"
they have no viruses/trojans 2) so hard headed and ignorant they won't
allow you to boot a live Linux CD (that's the point I walk out of the
place and find somewhere else).
Citibank UK (apparently not in the US, just checked their page) has
implemented what seems to be, on the surface a good system for
keyloggers. However, it is crap. They pop a java "keyboard" applet
up, not only every time you enter your password to login, but EVERY
time you do any type of transactions in your accounts once you are
already logged on. They keyboard they present to you would be very
visible to anyone standing over your shoulder and it is time
consuming/cumbersome to enter your password. I have argued with them
over this extensively that, this in and of itself, exposes you to
someone "shoulder surfing" your password. They could do what my
friend has told me Banco do Brasil is doing and randomize the keyboard
along with making the letters very faint so they are hard to view from
afar.
There is another more complex attack that could probably be done
against this Citibank UK "virtual keyboard", it wouldn't be hard for
someone to map the mouse movements and determine what the password was
by taking the letters on the furthest extremes, take a guess the first
time, and if that doesn't work simply shift the mapping once or twice
(this would depend on how closely grouped the letters in your password
were, the further apart, the easier it would be to guess it quickly).
Something else which, would likely (I am not sure about this) would be
to attach a debugger to the JVM on the machine and simply grab the
password through this method, after all, if they have compromised the
machine locally they should be able to do this. Randomizing the
keyboard would also solve, at least, the mouse movement mapping
attack.
As noted, the Citibank UK and US both do things differently for not
only their banking sites, but also their credit card sites. The UK
banking site uses a completely different login system, the UK credit
card uses another, and the US banking/credit card system seem to use a
common one. How is that for consistency, even with the same company?!
This is a big problem without an easy solution but maybe it could be
mitigated by having banks adhere to a standard for online
authentication processes rather than such a mixed bag. The sum of
what could be agreed upon as secure would hopefully turn out to be
much better than any of the half assed systems they're using today and
if nothing else would only require "user training" as to what is "bad"
and "good" once, most non technical people just can't deal with too
much complexity when it comes to things like this and that is why they
always click "OK" regardless.
P.S. One thing I would love while travelling would be "revocable one
time passwords" for sites like this. You request from a known safe
computer, say, 10 one time use passwords/tokens, then take them with
you. If they get lost/stolen you can immediately cancel/revoke these
so they can't be used. This would at least allow you to use,
relatively securely, an "unfriendly" computer in a situation where you
have little choice.
B. Wright (bmwright@xmission.com)