Think your Bank Login is Secure? Think Again!
I have spent several days trying to convince my business bank that its login is unsecure. Of course they do not believe me (or they do and choose not to do anything to rectify the situation since they did at one time have a secure login page).
The bank login page URL starts with http:. Why is this unsecure? Because there is no way to verify that the web page I am looking at is the bank’s login page. Someone could have intercepted the request for the bank login page and replaced it with their own (called spoofing, or a man-in-the-middle attack); then, when the login ID and password are entered, the bad guy gets them rather than the bank.
When you type in (or open from a bookmark) http://www.my-unsecure-bank.com, the request is sent to the my-unsecure-bank.com server, which builds the web page and sends it back to your browser (as HTML) to be displayed. Because nothing on that path is authenticated, someone can intercept the request and return their own login page. This is easily done in wireless environments such as coffee houses or airports.
My bank tells me that the login/password information is sent securely to the bank. After looking at the HTML code (look for the form tag’s action attribute: … form … action=https:// …) I agreed that the login form does use a secure connection to send the login information. But how do I know the web page I’m looking at is the bank’s? That is when they decided to end the conversation.
BTW, if the login page URL starts with https:// you can verify the page is your bank’s by clicking on the yellow padlock and seeing that the bank is indeed listed. Which brings up another point: even if the login page URL starts with https:// (which only tells you the web page being viewed is from your bank), the login data sent to the bank may not be secured. Unfortunately, verifying that the data being sent is secured involves looking at the web page’s HTML code and making sure the login form has, as its action, a secure URL (i.e. one starting with https://). To date, there is no visual way to ensure the web page AND the login form are both secure, and you cannot rely on your bank to help you.
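The two checks described above (was the page itself served over https, and does every login form post to an https action) can be automated against a saved copy of the page. The script below is an added example, not from this post or any bank; the hostname and the HTML snippets are constructed placeholders, and relative form actions are resolved against the page URL the way a browser would, so a relative action on an http page is reported as insecure.

```python
"""Audit a fetched login page for the two conditions discussed above:
(1) the page itself was served over https, so the browser could verify it;
(2) every form on it posts to an https action, so credentials travel encrypted.
The sample HTML below is constructed for this example; the hostname is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> tag (None if absent)."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action"))


def audit_login_page(page_url, html):
    """Return a list of human-readable findings; an empty list means both checks passed.
    Relative or empty actions are resolved against page_url, exactly as a browser
    would, so a relative action on an http page is reported as insecure."""
    findings = []
    scheme = urlsplit(page_url).scheme
    if scheme != "https":
        findings.append("page served over %s: its origin cannot be verified" % scheme)
    parser = _FormActionCollector()
    parser.feed(html)
    if not parser.actions:
        findings.append("no <form> found on the page")
    for n, action in enumerate(parser.actions, 1):
        target = urljoin(page_url, action or "")  # empty action submits to the page URL
        if urlsplit(target).scheme != "https":
            findings.append("form %d submits to %s (not https)" % (n, target))
    return findings


# Constructed samples: an http page whose form does post to https (the case the
# bank defended), and a page whose relative action silently inherits http.
HTTP_PAGE_HTTPS_FORM = '<form method="post" action="https://www.example-bank.invalid/login">...</form>'
HTTP_PAGE_RELATIVE_FORM = '<form method="post" action="/login">...</form>'

if __name__ == "__main__":
    for url, body in [("http://www.example-bank.invalid/", HTTP_PAGE_HTTPS_FORM),
                      ("http://www.example-bank.invalid/", HTTP_PAGE_RELATIVE_FORM),
                      ("https://www.example-bank.invalid/", HTTP_PAGE_HTTPS_FORM)]:
        print(url, audit_login_page(url, body) or ["ok"])
```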
Doug