IE Devs Criticize Bank Security Vulnerabilities

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

Fixed it for ya!

[tomhudson (43916)]

"But can you really trust your money to a bank that doesn't even offer the option of a secure login page?""

But can you really trust your money to a web browser and operating system that are the most hijacked in the world?"

There, fixed it for you.

Re:

[Constantine XVI (880691)]

If Ford made 90% of the cars in the world, they would also likely be the most crashed car in the world. Never mind that Ford are often fixed or repaired daily, the fact that the roadways are 90% Ford tends to skew the equation

Re:Fixed it for ya!

[by Anonymous Coward]

If Apache made 70% of the webservers in the world, they would also likely be the most hacked webserver in the world ... Oh wait -- they do make 70% of the webservers in the world. Your metaphor fails.

So back to the obvious explanation: the IE team can't code for shit

Re:Fixed it for ya!

[ThinkFr33ly (902481)]

An, indeed, they likely are the most hacked web servers in the world. IIS 6, on the other hand, appears to be extremely secure. Whether this is a factor of market share or code quality, we don't know.

Apache: http://secunia.com/search/?search=Apache [secunia.com]

IIS 6: http://secunia.com/product/1438/ [secunia.com]

The fact of the matter is that you do not have enough information to conclude that IE is more poorly coded that any other browser out there. You are coming to this conclusion based on assumptions, not based on facts.

Re:Fixed it for ya!

[nekokoneko (904809)]

Mod parent down! Nice try, but your search listed the vulnerabilities for all Apache related products (httpd 1.x, httpd 2.x, Tomcat, etc), totaling 383 advisories, while listing the vulnerabilites for only a specific version of IIS (IIS 6.0), totaling 3 advisories.
Comparing IIS 6.0 to, say, Apache 2.2, we see 3 advisories for each product. Also, the comparison fails for only comparing the number of advisories and not the severity level of each one of them. Granted, Apache 2.2 has one unpatched advisory compared to zero for IIS 6.0, but it is not nearly as clear cut and one sided as your post made it seem.

Re:

[ThinkFr33ly (902481)]

Well, I gave a link to the search results for Apache, as opposed to a specific Apache version, to allow people to compare the versions they choose. How convenient that in your comparison you chose to concentrate only on Apache 2.2, which has, by far, the fewest vulnerabilities of the Apache family.

To compare them somewhat accurately, one should compare IIS 6 with the version of Apache that has been out a similar amount of time, and, ideally, has a similar market share.

I guess this would mean you would compa

Re:Fixed it for ya!

[ad0gg (594412)]

Who says apache isn't the most hacked webserver? I highly doubt IIS is ever hacked, IIS6 which has been out for 4 years only has 3 exploits come out of which 2 were from components that aren't even installed by default and the exploit that is actually in IIS has a rating of "not critical". Apache on the other has 10% of its known security holes unpatched. It also has 10 fold more holes than IIS. I'd take an educated guess and say apache is hacked way more than IIS so your example fails.

IIS security holes [secunia.com]
Apache Security Holes [secunia.com]

Re:

[cryptoguy (876410)]

I'm no fan of IE, but firefox is equally vulnerable to this issue. It's caused by the way SSL / TLS is used by the app on the server.

Re:

[rblancarte (213492)]

The fact is that for an IE Dev to point fingers solely at the bank is joke.

There is a lot of blame to go around for unsecure bank transactions. In the example, we are presented w/ the whole case of user on unsecured wireless. I think the lack of security of the bank in that case is the end users - I never would do bank transactions on an unsecured network except in extreme cases.

Granted, I do believe that banks do share some responsibility. I think they would be best served to do all of their pages as se

Re:

[bendodge (998616)]

I have no problem with banking on an unencrypted network, if the whole site is https. All banks should have their whole site encrypted; plaintext ought not be an option.

Hooray for https://mail.google.com/ [google.com]

Re:Fixed it for ya!

[bberens (965711)]

Yes, because I'd much rather push my bank password through several other user's machines than to have my ISP route directly to the site. Tor is for anonymity, not data security.

potmeetkettle

[miro f (944325)]

I must admit, I was looking for the "potmeetkettle" tag. Given that it's not there, the first post mentioning something similar was good enough, I suppose

One word answer: mattress

[by Anonymous Coward]

Just put your money in your mattress and avoid all those newfangled bank things.

Security is expensive.

[by Anonymous Coward]

I have worked with computer programmers who think they know how to write secure software, but don't. They know maybe one or two basic principles, and think they have it all figured out. I call this the "well no one told me" phenomenon.

Not every IT professional wants to spend lots of his free time researching the latest means of breaking into something, and defending against the break-in. So a lot of people just don't go out of their way to find out if they really know enough to write secure software...it

Isn't this a little old?

[Hoover,L Ron (610796)]

Links goes to some 2 year old blog entry.

Re:Isn't this a little old?

[Don_dumb (927108)]

This whole article is basically just the same two posts the same submitter (mrcaseyj) made in this article http://it.slashdot.org/article.pl?sid=07/05/07/224 7244 [slashdot.org] earlier today. Now his posts may be interesting but anyone who was actually interested in this would have seen these posts today already.

Nevermind Just The Login Page

[garett_spencley (193892)]

The entire session should be secured. Bank account numbers, credit card numbers, transaction histories, information about billers and automatic withdraw dates etc. are easily sniffed.

Just because they can't get your password doesn't mean they can't get useful information about you. Sniffing out an online banking session could be a big jackpot for an identity thief.

Re:

[ozbon (99708)]

I fully agree. Once you're logged in, it should all be through https 'til you log out again. That would seem pretty simple to me, but then, I am a Bear Of Little Brain. (allegedly)

Um...

[0123456 (636235)]

"This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop"

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Re:

[LighterShadeOfBlack (1011407)]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

- Not if the site is using the appropriate encryption mechanisms.

Re:Um...

[by Anonymous Coward]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Why? SSL protects you from MITM attacks and provides strong encryption & authentication.

That is exactly what SSL is for, to protect you from sniffers/spoofers between you and the website.

Re:Um...

[jimicus (737525)]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Not really - this is the whole point of SSL. If you trust both endpoints, you don't much care about what's in the middle.

Now, if you'd said "anyone who logs into their bank site from a random Internet cafe PC is just asking to get owned", I'd agree. It wouldn't require a great deal of sophistication to install keyloggers on every PC. Or if you're rather more sophisticated, you could set up some sort of proxy which sets up a MITM with every HTTPS session, presenting a self-signed certificate for $BANK and configure the client PC's with the appropriate certificate from the proxy's root CA.

Re:

[bockelboy (824282)]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Sure, but are they aware of this fact? I'd say about 75% of the people (random number) don't know the dangers in logging in on a wireless network.

For anecdotal evidence, yesturday I was sitting in a hotel with two public iMac terminals. A lady sat down and right off the bat asked her husband how to "turn the Apple off", by which I think she meant "how do I switch to windows".

People l

Don't trust any bank that relies on credentials

[bjourne (1034822)]

Personally, I wouldn't trust any bank whose security system relies on user supplied credentials. Any bank that does not supply its customers with an electronic hardware-based security token is not trustworthy enough to handle my savings.

Re:

[SlOrbA (957553)]

Man ..

It's all software .. It's all software.

Re:

[popejeremy (878903)]

Hardware tokens present software cyphers, and cyphers can be spoofed.

Credit Unions

[daeg (828071)]

I petitioned my credit union to force SSL on the entire bank website, complete with a few dozen signers (several of them with very large accounts). Shortly after the entire website is accessible via SSL only, with any HTTP page redirecting you to the homepage (SSL). Sometimes banking with a small credit union has its advantages.

I suggest everyone do the same.

Re:

[mashade (912744)]

USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ [usaa.com] for example.

Wachovia's site is as the article describes and only gives you https after login. I wondered about it myself and so began going to the site by manually specifying https://www.wachovia.com/ [wachovia.com] -- this works and gives you SSL for the entire browsing session. You may want to type it manually every time, though it would be nice if all banks made their sites HTTPS only.

Re:

[Qzukk (229616)]

USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ [usaa.com] for example.

Right this second, Washington Mutual's site https://www.wamu.com/ [wamu.com] does the exact opposite, it redirects me back to http:/// [http]

It annoys me, but not enough to withdraw my cash. I just hit log in with the fields blank to get to the SSL page and then actually log in.

Re:

[UnknowingFool (672806)]

Yes, sometimes it seems to me that the credit union isn't out to get you for every dime. My credit union called me the other day to tell me how I could raise my interest rate on my savings accounts. Basically it entailed opening a different kind of account and transferrring the money over. They laid out the advantages and drawbacks and let me choose.

bank web security practices annoy

[Gary W. Longsine (124661)]

This same annoying tendency of banks has another artifact (it's probably not intentional). It typically prevents the user's password management scheme (like Keychain on Mac OS X and analogous 3rd party password managers for Windows) from working properly. Without a tool like this to support the effort, most people wind up using the same password for all their web logins, which exposes them to dramatically increased risk. (Bad guys can exploit this common human behavior by plucking username / password combinations from any arbitrary p0wn3d web site, and then testing them at all the banks.

Come on guys...

[rob1980 (941751)]

Published Wednesday, April 20, 2005 6:44 PM by ieblog

Two thousand and five.

Re:

[Digital Vomit (891734)]

2000.5? Wow! That's almost seven years ago!

;-)

What me worry

[packetmon (977047)]

Why should I really worry about security anyway they've either thrown away my information in a dumpster or were compromised...

Scott Trade [consumeraffairs.com]
Verizon [consumeraffairs.com]
Bank of America [consumeraffairs.com]
Choicepoint [consumeraffairs.com]
Mastercard [consumeraffairs.com]
AT&T [consumeraffairs.com]
Department of Edumacashun [consumeraffairs.com]
Chase [consumeraffairs.com]

Great article, but

[reezle (239894)]

Great article, but WHICH BANKS are the problem?
I'd love to complain to my bank if it is guilty of these lapses, but how would I know?

Re:

[reezle (239894)]

Sure did... 30 seconds elapsed without a glimpse of revelation.
Thanks for your input though.

Re:

[Qzukk (229616)]

Step 1) Go to your bank's website.
Step 2) Look for the pretty little lock picture in your browser that tells you that the website is SSL encrypted.

Without the lock, there is no guarantee you're even on your bank's website when you click the login button that takes you to who knows where. ESPECIALLY when the bank helpfully puts a username/password form on the front page (see http://www.wamu.com/ [wamu.com] ) for you to fill out and hit submit and hope that the page it's submitting to actually IS encrypted.

I work with insurance companies, they suck

[Nicolas MONNET (4727)]

I work with insurance companies on IT issues, and if it's anything like bank -- it's the same kind of business -- they suck hard at computer security.

Their password policies for acessing extranets, for instance, are in most cases completely insane. They impose so many arbitrary constraints (such as changing the password monthly) in the name of security, no less, that invariably passwords en up being "password1", "password2" and so on. Furthermore most of them block an account after three unsuccesful login a

Jab at firefox

[emj (15659)]

Food for thought: The keystroke-sniffing attack gets even worse if your JS can run in the browser chrome, a feature offered by some browsers.

I wonder how a MITM attack could do that..

They're really giving the phishers a hand

[internic (453511)]

While the article may be older than dirt, I'm glad the issue has been brought up, because many financial sites still haven't done anything about the problem. It always pisses me off when I go to my bank's or credit card companies' site and am confronted with a login prompt on an insecure page. To add insult to injury, they generally have put some sort of little lock icon next to the login fields. Oh, well great! That must mean it's secure!. I mean, surely no phishing site will think to put a lock icon

Mother's Maiden Name

[giafly (926567)]

HTTPS is the least of my worries. I'm more concerned that banks

1. Use insecure information such as mother's maiden name as proof of id
2. Phone me with account questions, and ask me to prove my ID, but are incapable of proving their ID
3. Send my credit cards and PINs using normal post
4. Don't tell me when they have done "3)" so I won't notice if the letters fail to arrive.
5. Don't give me the choice of turning off Internet access to my account

Pot calling the snowball black?

[Opportunist (166417)]

Yes, I'm aware that it should be the kettle. But in this case, that wouldn't do justice to (most) banks.

For almost all successful bank frauds here, the culprit was a trojan in the IE. Banks do hire very good people to secure their online money transfer routines (at least here, cannot vouch for the US). What fails, though, is the security on the user side.

Faciliated by IEs way of treating plugins. To slip a plugin into the IE, all you have to do is set a few registry keys. It does not even need any user inte

Banks have a much bigger problem

[cdn-programmer (468978)]

Banks have a much bigger problem than this. With the amount of spyware out there and the almost total lack of understanding of what vulnerabilities this exposes, probably more than 1/3 of the passwords and account details are known by Black Hats.

There are many ways to slip money out of accounts it isn't funny.

Trading accounts:

Create a series of bad trade orders. Offset these with legitimate trade orders in legitimate accounts. There are many thinly traded companies where it is easy to figure out who has the buy order and who has the sell order. All one has to do on a thinly traded company for instance is place a lowball buy order and have the victim's account buy shares at whatever price and then sell them into the lowball. This can be triggered from instance by a stop loss order. Once the shares are owned they can then be sold to another victim.

Chequing accounts: Create fraudulent transactions by paying for goods not ordered. These goods can even be shipped to create a semblance of legitimacy. By the time any of these goods arrive and the transactions are noticed the perpetrators are long gone with their loot.

Its quite easy to create a series of dummy companies to accomplish this. Of course, since this is e-commerce one would obtain valid certificates ahead of time.

This is one reason that secure communications offer limited protection. A felon in Jail can always get his lawyer to register a corporation for him and these are legitimate corporations. Its just they are run by crooks. But then Enron was run by crooks too it would seem. In fact, there are a HUGE number of companies run by crooks. Lots of people invest in them.

I'm in the bank business

[JustAnotherReader (470464)]

I've spent nearly a decade as a developer for a major California bank. I can't imagine that the SEC would allow any bank website to NOT use SSL. That's the most basic layer of security. But just to let you folks know that your data is safe, here are a few of the other things we do to keep your money and data safe from harm:

• We also ask for your zip code and make sure it matches the user info we have on file.
• We log the IP address you came from and the time. We do this for several reasons. The most common is that if we see 3 bad log in attempts in a row we lock your account. If we see several locked accounts spawning from the same IP address then we may have someone attempting to hack passwords. If that happens emails are automatically sent and pagers start going off. We notify our security people at once when that happens.
• The password you enter is encrypted in our database via a public private key encryption. But we never generated the private key. We can tell if your password, when passed through the public key, matches what we have in our database. But we can't tell you what your password actually is. Even we don't know. That way if somebody ever gets into our database they can't use the password information.
• We don't allow html or javascript in a user name, password field, account name or anywhere else that the user can enter data. We don't want a simple page display to run a rogue script.
• We have a tremendous amount of safeguards to protect your account information from attacks from inside the bank, behind the firewall. Access to different apps are limit to certain staff via LDAP. All data changes create a record of the change with data on who changed it, what application was used to change it and who was logged into that app at the time. Every bank employee from the managers to the bank tellers is fingerprinted and goes through an FBI background check. Access to data is limited to those who need access to do their jobs. Physical access to the servers is severely limited to a select few.
• The entire server and database infrastructure of the bank is duplicated in a 2nd location hundreds of miles away from the main servers. This database is being updated in real time so if any attack (whether a hack attack or a physical attack) brings down the system we do an immediate fail over to the backup system. This fail over and fail back system is tested regularly. I've been to that location. The servers are underground in a building with thick walls and no windows.

These really are just a few of the many many things we do to protect your data. In fact, I deleted 2 of the list items that I originally wrote about because I didn't want to give away any information that could be useful to a potential crook.

We take security very seriously for two main reasons. First, we're liable for any losses you have due to a security breach. But more importantly, we can't afford to lose the faith of our customers. If they don't trust us they'll take their money somewhere else. The actual financial loss from an attack on our system would be minor compared to the loss of trust from our customers.

Re:

[LighterShadeOfBlack (1011407)]

Damn! This is like Rosie O' Donnell calling you fat and obnoxious.

It doesn't mean you're not fat and obnoxious though does it?

Re:Cringe

[LighterShadeOfBlack (1011407)]

I cringe a little whenever I visit a bank or CC site ans see .asp or .aspx at the end of the URL.

Why, are you afraid of snakes?

They're just file extensions buddy, they can't hurt you.

Re:

[Sobrique (543255)]

Big banks have the tools and means, but also a whole wall of 'change control' that requires you to explain in detail why, exactly, you think the way they're doing it is moronic, and to assess it's impact exhaustively alongside the relative costing of project to redesign and implement a solution.

Re:

[LighterShadeOfBlack (1011407)]

Maybe you just need one correct definition of irony, because I don't see anything ironic here.

Oh wait, IE is known for having exploits, therefore an IE developer talking about security of any kind, even SSL/TLS which IE supports fully, correctly and handles sensibly, is ironic, right? That's ironic indeed. You and Alanis Morisette should team up and write a song about these things you find ironic. I'd listen, I really would.

Re:

[I'm Don Giovanni (598558)]

Email systems have never been secure (besides the login/handshake).

Re:

[SEMW (967629)]

...Since when has hotmail been a bank?

You should never be sending sensitive information over nonencrypted email in any case. Securing the hotmail login page and then sending your bank details by email would be rather like locking the barn door, then demolishing large parts of the other three walls of the barn, whilst keeping the lock intact. Utterly pointless. And that applies to any webmail system, not just hotmail.