[Dshield] Banks Shifting Logins to Non-SSL Pages
womber at gmail.com
Tue Aug 23 14:10:35 GMT 2005
I was at a recent security users group and was talking to a CIO of a
large credit union organization. When I asked him if he did any online
banking his response was "Hell no!"
They still have to offer it because the customers will go elsewhere so
they can have the "convenience" of it.
I guess it is like smoking: people know it is bad for them but they
are willing to take the risk. Although an unprotected sex analogy
is probably more fitting.
On 8/23/05, Fergie (Paul Ferguson) <fergdawg at netzero.net> wrote:
> Via Netcraft.
> After years of training customers to trust only SSL-enabled sites, banks are shifting their online banking logins to the unencrypted home pages of their websites. Although the data is encrypted once the user hits the "Sign In" button, the practice runs counter to years of customer conditioning, as well as the goals of the browser makers. Three of the five largest U.S. banks now display login forms on non-SSL home pages, including Bank of America, Wachovia and Chase, as well as financial services giant American Express.
> Web sites are generally reluctant to use "https" on busy home pages, since SSL involves a tradeoff: improved security, but slower response time. Consumers, meanwhile, prefer easy-to-remember URLs for their online banking. In placing login screens on non-SSL home pages, banks are trying to have it both ways: fast page loading without the SSL-related performance hit. The login form's "action" URL points to an SSL-enabled https URL.
> Since the introduction of SSL, Internet users have been urged to check for the "golden lock" icon to ensure a web session is encrypted before conducting e-commerce transactions. As phishing has grown rampant, the Anti-Phishing Working Group and Federal Trade Commission have warned consumers to be sure a web page is using SSL before sharing personal information.
> Mindful of this, many of the banks using homepage logins include a link to security information. "You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure," Bank of America notes in its security note, accessed by clicking an icon on the login form. "Those indicators include the small 'lock' icon in the bottom right corner of the browser frame and the 's' in the Web address bar (for example, 'https'). To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Please be assured that your ID and passcode are secure and that only Bank of America has access to them."
> This growing practice was criticized by Microsoft in April. "If the login form was delivered via HTTP, there's no guarantee it hasn't been changed between the server and the client," Microsoft's Eric Lawrence wrote on the IE7 blog. "A bad guy sitting on the wire between the two could simply retarget the POST to submit to a HTTPS site that he controls."
> - ferg
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg at netzero.net or fergdawg at sbcglobal.net
> ferg's tech blog: http://fergdawg.blogspot.com/