Do you trust your online banking home page?
More precisely, has your bank made it impossible for you to do so? After reading Adam Shostack's blog item at Emergent Chaos, How not to train users, and following the thread begun by Peter Gutmann on the Cryptography mailing list, US Banks: Training the next generation of phishing victims, I wonder once again why we always sacrifice security for performance.
According to Gutmann's post and the ensuing thread, many U.S. banks do not use SSL encryption on their home page. Of these, many home pages host a customer login form. An SSL session is created when a visitor attempts to access an account from this form, but often to a different server, e.g., onlineservices.yourbanknamehere.com. This practice, ostensibly to boost performance for all visitors, creates an issue of trust. Without being able to confirm the server SSL certificate for your banking institution, how can customers trust they have really visited your bank's home page and not that of a phisher?
I decided to investigate further. Using the Ethereal LAN analyzer, I captured a session to my bank's home page, a.k.a., whatbankareyou.com. The home page is not SSL-protected, but customer login proceeds as I described above. This seems like a small matter, until you think about the ways that we are educating Internet users to detect and avoid phishing, e.g., "look for the padlock denoting 'secure site', your information is protected". Visiting online banking home pages no longer offers this simple but effective cue for unsophisticated users. I'll claim that it can be much worse. A phisher can compose a phishing email with a bogus URL - one that displays http://www.whatbankareyou.com but connects to a bogus site. At that site, the victim sees the account login form, but no reassuring padlock. Unfortunately, the customer has visited the bank before, so he's accustomed to the padlock being absent, and blithely enters his account information. Even if the customer is savvy enough to know that the bank diverts customer login to an SSL-protected page, a phisher can invest in a cheap SSL certificate and recreate the redirect sequence to his own variant of "onlineservices.phishingsite.com". How many visitors will actually read beyond "onlineservices..." if the hyperlink is extremely long? (BTW, browser hijacking spyware and DNS cache poisoning are other vectors for this kind of attack, e.g., both could make a PC visit a different IP address than the one actually associated with www.whatbankareyou.com.)
I contacted my bank through customer service. The reply from my customer representative was only partially comforting:
I understand your concern regarding the security measures taken by whatbankareyou to ensure the safety of the Online Banking service for customers.
whatbankareyou has internal teams that work closely with law enforcement to continuously monitor and investigate fraudulent email and website scams that invoke any whatbankareyou brand. If there is the potential for significant impact to our customers, we have teams dedicated to alerting customers that may include reaching out directly to a customer, posting alert information on our website, or sending correspondence.
whatbankareyou is piloting a vendor anti-fraud/anti-phishing solution and evaluating multiple other vendor solutions to help in the upfront validation of online account access and the identification of newly launched attacks, or imminent attacks.
whatbankareyou is a member of DigitalPhishNet, a joint enforcement initiative between industry and law enforcement aimed at discovering and disabling phishing scams.
whatbankareyou is in the process of implementing a more robust message center that will provide customers with the confidence they need in their electronic communications with whatbankareyou.
I'm actually very pleased that whatbankareyou is aware of the phishing threat and is actively engaged in anti-phishing activities. Overall, I'm a satisfied customer, with (now) a single exception.
I would be more than willing to wait a few seconds for my home page to load to be confident I've actually connected with whatbankareyou when I visit www.whatbankareyou.com...
Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID473
by Dave Piscitello