[Dshield] Banks Shifting Logins to Non-SSL Pages

Justin S jgs316 at gmail.com
Tue Aug 23 20:54:05 GMT 2005


On 8/23/05, Tony Earnshaw <tonye at billy.demon.nl> wrote:
> 
> [...]
> 
> I could *never* believe that this would happen to me with my own
> security-paranoid bank, ING Netherlands. If it did, I'd soon find
> another bank, small as may be, more security consci(enti)ous.
> 


So the initial form page is encrypted too instead of just the form
post.  Big deal.  Instead of the attacker intercepting and changing the
form post to his server, he starts a little sooner and changes your
DNS response to point to his server.  Just because the initial form
page was secure doesn't mean there isn't a way to still get around it.
If you're that paranoid then maybe you shouldn't use online banking.

The thing I find amusing is the people that are most paranoid about
internet banking are the ones that have no problem handing over a
paper check to a clerk at a store that has their name, address, phone
number, driver's license number, bank name, and account number on it.
If people want security they should quit using checks.  (my two cents)


