devitry.com

Tech in the country. Programming & Technology innovations.

Sunday, March 05, 2006

Is Your Bank's Login Really Secure? Probably Not!

After working in the internet banking industry for years, I get asked a lot about the security of banking sites. "Is my banking site secure?" Probably not. "Am I vulnerable to phishing or other attack?" Yes, almost anyone can fall for a phishing scam. "What is my bank doing to protect me?" Not enough. They think you want convenience over security.

To give you an example of how bad it is in the US financial industry, I list 10 major financial sites with weak logins. The list includes Chase/Bank One, BoA, US Bank, Wachovia, Amex, Key Bank and more. These login pages are vulnerable to a "man in the middle" attack. You should never log in to your bank from one of these pages. The logins are insecure because the page holding the login form is served over plain "http", not "https": anyone sitting between you and the bank (a compromised router, a hostile wireless hotspot, your ISP) can rewrite that page before your browser ever shows it to you. Listen to your browser, not the web page: the only trustworthy signal is the https:// and padlock your browser shows for the page you are typing into, never a "secure login" label printed on the page itself.

"Don't the banks know about this problem? Why do they have insecure logins?" Marketing, convenience and backward compatibility with browsers that don't support encryption. They think that having a "secure login" box on their homepage makes them look more secure. The fact is, any HTTP page can be modified in transit to your browser, so nothing on it, including the login form, can be trusted with sensitive information.

"I'm a programmer. I looked at those logins and they submit to a secure site. How is that vulnerable? My browser will warn me if going to an insecure site!" The fact is, you cannot always tell where a browser form is going by looking at the source of the page. The form's action attribute is only the starting point; a script on the same page can change the destination at the moment you click Submit, and the markup still shows the bank's address. I set up an example secure login that demonstrates how to hijack a secure login form. Go ahead, look at the source and tell me where the form is submitting to. It's not where you think. A hacker could modify your bank's login page on the way to your browser, redirecting the login information to their own HTTPS server. The HTML of the page may not tell you, and because the attacker's server also speaks HTTPS (with a perfectly valid certificate for the attacker's own domain), your browser would not warn you of an insecure submission. The warning you are relying on only fires for a plain-HTTP submission; it says nothing about who is on the other end.

"What can I do to protect myself?" Very simple: always use HTTPS to log in. Type the https:// address of the login page yourself, or bookmark it, and check the address bar shows https:// and the padlock before you type a single character. Don't trust your bank's HTTP site, no matter what it says about its login being secure. You can also try TrustBar for Firefox, which helps you identify insecure login pages and automatically redirects you to the secure page if one is available.