IE Devs Criticize Bank Security Vulnerabilities

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

Fixed it for ya!

[tomhudson]

"But can you really trust your money to a bank that doesn't even offer the option of a secure login page?""

But can you really trust your money to a web browser and operating system that are the most hijacked in the world?"

There, fixed it for you.

Re:

[Constantine XVI]

If Ford made 90% of the cars in the world, they would also likely be the most crashed car in the world. Never mind that Ford are often fixed or repaired daily, the fact that the roadways are 90% Ford tends to skew the equation

Re:Fixed it for ya!

[Anonymous Coward]

If Apache made 70% of the webservers in the world, they would also likely be the most hacked webserver in the world ... Oh wait -- they do make 70% of the webservers in the world. Your metaphor fails.

So back to the obvious explanation: the IE team can't code for shit

Re:

[soloport]

If Apache made 70% of the webservers in the world, they would also likely be the most hacked webserver in the world ... Oh wait -- they do make 70% of the webservers in the world. Your metaphor fails.

So back to the obvious explanation: the IE team can't code for shit

Needs some modding up, please.

Re:

[ewanm89]

Find me a bank who uses apache? None, right how about on that uses IIS?

Re:

[AVryhof]

Hmm...

JP Morgan Chase?
http://www.jpmorganchase.com/ [jpmorganchase.com]

Looks like they use Apache 2.0.55

Bank Of America, HSBC, and my own bank all seem to use Sun-ONE-Web-Server/6.1

From what I've seen by typing Bank into Google, and Clicking on links... it looks like Sun-ONE is the most popular. I didn't see any IIS....

Re:Fixed it for ya!

[ThinkFr33ly]

An, indeed, they likely are the most hacked web servers in the world. IIS 6, on the other hand, appears to be extremely secure. Whether this is a factor of market share or code quality, we don't know.

Apache: http://secunia.com/search/?search=Apache [secunia.com]

IIS 6: http://secunia.com/product/1438/ [secunia.com]

The fact of the matter is that you do not have enough information to conclude that IE is more poorly coded that any other browser out there. You are coming to this conclusion based on assumptions, not based on facts.

Re:Fixed it for ya!

[nekokoneko]

Mod parent down! Nice try, but your search listed the vulnerabilities for all Apache related products (httpd 1.x, httpd 2.x, Tomcat, etc), totaling 383 advisories, while listing the vulnerabilites for only a specific version of IIS (IIS 6.0), totaling 3 advisories.
Comparing IIS 6.0 to, say, Apache 2.2, we see 3 advisories for each product. Also, the comparison fails for only comparing the number of advisories and not the severity level of each one of them. Granted, Apache 2.2 has one unpatched advisory compared to zero for IIS 6.0, but it is not nearly as clear cut and one sided as your post made it seem.

Re:

[ThinkFr33ly]

Well, I gave a link to the search results for Apache, as opposed to a specific Apache version, to allow people to compare the versions they choose. How convenient that in your comparison you chose to concentrate only on Apache 2.2, which has, by far, the fewest vulnerabilities of the Apache family.

To compare them somewhat accurately, one should compare IIS 6 with the version of Apache that has been out a similar amount of time, and, ideally, has a similar market share.

I guess this would mean you would compa

Re:

[ozmanjusri]

I guess this would mean you would compare IIS 6.0 to Apache 2.0. In that case, IIS 6.0 has 3, and Apache 2.0 has 33.

Another misleading post. Secunia only lists vendor supplied or publicly listed vulnerabilities. After the disaster that was IIS 5, MS stopped making that information available and now silently patches vulnerabilities they detect in-house.

Re:Fixed it for ya!

[ad0gg]

Who says apache isn't the most hacked webserver? I highly doubt IIS is ever hacked, IIS6 which has been out for 4 years only has 3 exploits come out of which 2 were from components that aren't even installed by default and the exploit that is actually in IIS has a rating of "not critical". Apache on the other has 10% of its known security holes unpatched. It also has 10 fold more holes than IIS. I'd take an educated guess and say apache is hacked way more than IIS so your example fails.

IIS security holes [secunia.com]
Apache Security Holes [secunia.com]

Re:

[ThinkFr33ly]

People modded you as funny because they're so blinded by their hatred for Microsoft that they simply ignore data that suggests that a Microsoft product is more secure than their favorite open source product.

If you remove the data you used to back up your statement, you can see how they would find it funny.

Re:

[cryptoguy]

I'm no fan of IE, but firefox is equally vulnerable to this issue. It's caused by the way SSL / TLS is used by the app on the server.

Re:

[rblancarte]

The fact is that for an IE Dev to point fingers solely at the bank is joke.

There is a lot of blame to go around for unsecure bank transactions. In the example, we are presented w/ the whole case of user on unsecured wireless. I think the lack of security of the bank in that case is the end users - I never would do bank transactions on an unsecured network except in extreme cases.

Granted, I do believe that banks do share some responsibility. I think they would be best served to do all of their pages as se

Re:

[bendodge]

I have no problem with banking on an unencrypted network, if the whole site is https. All banks should have their whole site encrypted; plaintext ought not be an option.

Hooray for https://mail.google.com/ [google.com]

Re:

[jsight]

There is a lot of blame to go around for unsecure bank transactions. In the example, we are presented w/ the whole case of user on unsecured wireless. I think the lack of security of the bank in that case is the end users - I never would do bank transactions on an unsecured network except in extreme cases.

So then you never bank over the internet?

(hint... you should treat a wired internet connection that you "control" with just as much suspicion as a wireless one)

Re:Fixed it for ya!

[bberens]

Yes, because I'd much rather push my bank password through several other user's machines than to have my ISP route directly to the site. Tor is for anonymity, not data security.

Re:

[nschubach]

Oh, give the man a break, it was out of his scope. His function clearly only accepts input from it's parent and is completely oblivious to the point of the entire program. I thought all OOP (Object Oriented Posting) was supposed to be this way?

potmeetkettle

[miro f]

I must admit, I was looking for the "potmeetkettle" tag. Given that it's not there, the first post mentioning something similar was good enough, I suppose

Re:

[Gilmoure]

I prefer Kettlesmackpot. Hmmm...ksp...argle...drool...

One word answer: mattress

[Anonymous Coward]

Just put your money in your mattress and avoid all those newfangled bank things.

Security is expensive.

[Anonymous Coward]

I have worked with computer programmers who think they know how to write secure software, but don't. They know maybe one or two basic principles, and think they have it all figured out. I call this the "well no one told me" phenomenon.

Not every IT professional wants to spend lots of his free time researching the latest means of breaking into something, and defending against the break-in. So a lot of people just don't go out of their way to find out if they really know enough to write secure software...it

Re:

[computational super]

I don't have to know how to write secure software - I just need uncrackable keys, like "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0".

Re:

[Kelson]

Maybe, but putting the login page on an HTTPS site that you already have isn't a terribly expensive proposition -- especially when you consider that many of these banks used to do it that way. Someone made an effort to move the login form onto the HTTP site, change all the links, etc., which probably cost more than leaving it on the HTTPS site would have cost.

Re:

[tomhudson]

I just checked by going to log into my bank, and its only https ... I wonder how widespread this "http" problem really is?

Re:

[partenon]

In Brazil, we would say: "Olha o sujo falando do mal lavado...", which is something like "Look the dirty talking about the bad cleaned...".

Re:

[rikkus-x]

In the UK we'd mumble something about a pot and a kettle.

Re:

[compro01]

my bank allows PINs of up to 9 numbers, though some old/stupid ATMs have issues with PINs longer than 4 or 5 numbers, hence the reason why most people don't use more than 4.

Isn't this a little old?

[Hoover,L Ron]

Links goes to some 2 year old blog entry.

Re:Isn't this a little old?

[Don_dumb]

This whole article is basically just the same two posts the same submitter (mrcaseyj) made in this article http://it.slashdot.org/article.pl?sid=07/05/07/224 7244 [slashdot.org] earlier today. Now his posts may be interesting but anyone who was actually interested in this would have seen these posts today already.

Re:

[mrcaseyj]

I figured this was important enough to warrant a front page story. Both to inform a lot of users that wouldn't read the posts to some random security article, and to get enough publicity to spur the banks into action. The banks obviously know about this problem, so only a sufficient number of complaints would be likely to get them to fix it. Also, at the time, my posts weren't modded up as much as they are now. I wanted to get the issue well above the noise floor. As far as this being a link to a two year o

Deja Vu

[nacturation]

Must be a glitch in the matrix. This content is only 10 hours old [slashdot.org].
 

Nevermind Just The Login Page

[garett_spencley]

The entire session should be secured. Bank account numbers, credit card numbers, transaction histories, information about billers and automatic withdraw dates etc. are easily sniffed.

Just because they can't get your password doesn't mean they can't get useful information about you. Sniffing out an online banking session could be a big jackpot for an identity thief.

Re:

[ozbon]

I fully agree. Once you're logged in, it should all be through https 'til you log out again. That would seem pretty simple to me, but then, I am a Bear Of Little Brain. (allegedly)

Re:

[jc42]

Once you're logged in, it should all be through https 'til you log out again.

Uh, you missed the main point. "Once you're logged in" isn't good enough. Unless the login page (the whole page) is sent to you securely via https, what looks to you like a login page could be sending your login info in the clear to that Man in the Middle. He'll then use the info to drain your account.

You need to make sure that the login session itself is secured in its entirety. If security starts only "once you're logged in",

Re:

[ozbon]

Yep, sorry, my bad.

I did mean "From the start of the login process to the end of the logout process" - I just didn't actually say that.

Thanks for the correction!

Re:

[Kelson]

Generally the session itself *is* secured by SSL/TLS. The problem is that many banks have dropped that protection from the login page, meaning that a password thief can then get into your account.

Re:

[Spy Hunter]

That's kinda the point. These sites being talked about actually *do* secure the whole session. Except for the most important part: the logon form! This practice is widespread even today (chase.com, sprint.com, verizonwireless.com, just to name three I happen to use on a monthly basis).

Um...

[0123456]

"This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop"

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Re:

[LighterShadeOfBlack]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

- Not if the site is using the appropriate encryption mechanisms.

Re:Um...

[Anonymous Coward]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Why? SSL protects you from MITM attacks and provides strong encryption & authentication.

That is exactly what SSL is for, to protect you from sniffers/spoofers between you and the website.

Re:

[compro01]

Why? SSL protects you from MITM attacks and provides strong encryption & authentication.

when it is being used properly, which it isn't.

Re:

[CBravo]

Bzzzt, wrong. As the man in the middle, I don't have to physically be in the middle. I can be on your insecure computer which has 0 day bugs which can become 0 day exploits.

I am not aware of any bank transaction system that is impervious to man in the middle attacks.

Do not trust what is on your monitor because it can always be fake.

Re:

[jareds]

That's not what "man in the middle" means. It refers to being in between in between the two endpoint computers. If you've compromised an endpoint computer, that's not a MITM attack.

Re:Um...

[jimicus]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Not really - this is the whole point of SSL. If you trust both endpoints, you don't much care about what's in the middle.

Now, if you'd said "anyone who logs into their bank site from a random Internet cafe PC is just asking to get owned", I'd agree. It wouldn't require a great deal of sophistication to install keyloggers on every PC. Or if you're rather more sophisticated, you could set up some sort of proxy which sets up a MITM with every HTTPS session, presenting a self-signed certificate for $BANK and configure the client PC's with the appropriate certificate from the proxy's root CA.

Re:

[Z33kPhr3k]

2 factor auth prevents key loggers, but you need your own pc and secure dns to keep it private on the road.

BTW without secure dns, Google Apps is worthless toy for the enterprise. M$ is shaking in their boots.

Re:

[mrcaseyj]

Thus the problem with SSL, anyone can insert themselves and spoof as an endpoint. If I spoof as VeriSign and man in the middle attack you with the bank, there is no good way to protect against this.

Your web browser comes with a collection of public keys from registrars including Verisign. But your browser can't include every public key for every secure website. It would be too big a download and it would be hard to update. So the bank gets Verisign to put Verisign's digital signature on the bank's public

Re:

[bockelboy]

Surely anyone who logs onto their bank site from a wireless connection in a coffee shop is just asking to get owned?

Sure, but are they aware of this fact? I'd say about 75% of the people (random number) don't know the dangers in logging in on a wireless network.

For anecdotal evidence, yesturday I was sitting in a hotel with two public iMac terminals. A lady sat down and right off the bat asked her husband how to "turn the Apple off", by which I think she meant "how do I switch to windows".

People l

Don't trust any bank that relies on credentials

[bjourne]

Personally, I wouldn't trust any bank whose security system relies on user supplied credentials. Any bank that does not supply its customers with an electronic hardware-based security token is not trustworthy enough to handle my savings.

Re:

[SlOrbA]

Man ..

It's all software .. It's all software.

Re:

[popejeremy]

Hardware tokens present software cyphers, and cyphers can be spoofed.

Re:

[SEMW]

Could you elaborate? I'm no encryption expert, but if you have a hardware token, which receives a new key every 30 seconds from an encrypted radio signal, hashes the key together with a unique GUID that is different for each physical token, and displayes part of the hash; the user can use the displayed hash to logon, (it would only work for him b/c the unique GUID would be unique to him); and then 30 seconds later the bank sends out a new key over radio that's encrypted partly with the 30-second-old key (s

Re:

[SEMW]

Somewhere, the hashes are stored. Find those and the solution presents itself.

No they're not, they're hashes; they're produced on-the-fly with a hashing algorithm from a combination of the hardware GUID and the encryption key. Since the dongle and the bank's webserver would both be using the same (probably open-source) algorithm, the hashes they produce would be the same, hence they can compare them to verify security. Every 30 seconds the hash would be discarded and a new one generated from a new (randomly generated) encryption key that's sent to the dongle encrypted with the pre

Re:

[hab136]

Hardware tokens present software cyphers, and cyphers can be spoofed.

I've not heard of any working attacks against SecurID (or any other hardware token). Got any links?

Re:

[hab136]

IIRC, for SecurID, It is possible to emulate the harware token in software if the certificate is available.

Well, yeah, RSA sells a SecurID software token. It's obviously less secure, since it resides on your computer instead of in your hands.
http://www.rsa.com/node.aspx?id=1162 [rsa.com]

If it could desceretly be extracted from the device in some manner, that would really break the system

You need both the user's PIN and the number displayed on the token, so stolen/copied tokens aren't any use without also compromisi

Re:

[dvice_null]

What is wrong with software solutions? When I want to login to my bank I first need username, which is random. Then a password, which I can change. Then another password, which can be used only once. Bank sends these one-time-only passwords in a letter (100 in one letter, and a new letter is posted once they start to run out). Basicly they could provide them on a public website, because they can't be used unless you know the username and password also.

So tell me, how could a hardware solution be more secure

Re:

[hab136]

Personally, I wouldn't trust any bank whose security system relies on user supplied credentials. Any bank that does not supply its customers with an electronic hardware-based security token is not trustworthy enough to handle my savings.

What US banks offer this?

Credit Unions

[daeg]

I petitioned my credit union to force SSL on the entire bank website, complete with a few dozen signers (several of them with very large accounts). Shortly after the entire website is accessible via SSL only, with any HTTP page redirecting you to the homepage (SSL). Sometimes banking with a small credit union has its advantages.

I suggest everyone do the same.

Re:

[mashade]

USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ [usaa.com] for example.

Wachovia's site is as the article describes and only gives you https after login. I wondered about it myself and so began going to the site by manually specifying https://www.wachovia.com/ [wachovia.com] -- this works and gives you SSL for the entire browsing session. You may want to type it manually every time, though it would be nice if all banks made their sites HTTPS only.

Re:

[Qzukk]

USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ [usaa.com] for example.

Right this second, Washington Mutual's site https://www.wamu.com/ [wamu.com] does the exact opposite, it redirects me back to http:/// [http]

It annoys me, but not enough to withdraw my cash. I just hit log in with the fields blank to get to the SSL page and then actually log in.

Re:

[demonbug]

My current credit union redirects to https automatically. Out of curiosity i also checked my last two banks - Wells Fargo seems to redirect to https as well, while US Bank doesn't appear to offer a secure login page from the http site. That one is a little annoying, as even if you leave the login blank and hit login it just pops up a dialog box and leaves you on the http site. You can just go to https, though.

Anyone know of a website that ranks banks on their online security? Might be interesting to tak

Re:

[UnknowingFool]

Yes, sometimes it seems to me that the credit union isn't out to get you for every dime. My credit union called me the other day to tell me how I could raise my interest rate on my savings accounts. Basically it entailed opening a different kind of account and transferrring the money over. They laid out the advantages and drawbacks and let me choose.

Re:

[AaronW]

Exactly. The Citibank web site I use for my credit card suffers from this exact problem. I can think of several ways one could implement a man-in-the-middle attack with the end user being none the wiser. Banks also need to train their users to not accept certificate failures and to use a bookmark on the https site.

All of my other financial web sites use https for logging on.

bank web security practices annoy

[Gary W. Longsine]

This same annoying tendency of banks has another artifact (it's probably not intentional). It typically prevents the user's password management scheme (like Keychain on Mac OS X and analogous 3rd party password managers for Windows) from working properly. Without a tool like this to support the effort, most people wind up using the same password for all their web logins, which exposes them to dramatically increased risk. (Bad guys can exploit this common human behavior by plucking username / password combinations from any arbitrary p0wn3d web site, and then testing them at all the banks.

Come on guys...

[rob1980]

Published Wednesday, April 20, 2005 6:44 PM by ieblog

Two thousand and five.

Re:

[Digital Vomit]

2000.5? Wow! That's almost seven years ago!

;-)

Re:

[Spy Hunter]

And yet, this problem continues to happen regularly, even on the sites of huge corporations which should know better. For example (just from sites I use regularly), chase.com, sce.com, verizonwireless.com, sprint.com. This vulnerability is *HUGE* and it deserves to be on Slashdot. If I own a public wireless hotspot, or even if I just happen to be *using* the same wireless access point as you, I can *trivially* steal your account when you visit these sites. This article is just as relevant today.

BTW, if

What me worry

[packetmon]

Why should I really worry about security anyway they've either thrown away my information in a dumpster or were compromised...

Scott Trade [consumeraffairs.com]
Verizon [consumeraffairs.com]
Bank of America [consumeraffairs.com]
Choicepoint [consumeraffairs.com]
Mastercard [consumeraffairs.com]
AT&T [consumeraffairs.com]
Department of Edumacashun [consumeraffairs.com]
Chase [consumeraffairs.com]

Great article, but

[reezle]

Great article, but WHICH BANKS are the problem?
I'd love to complain to my bank if it is guilty of these lapses, but how would I know?

Re:

[reezle]

Sure did... 30 seconds elapsed without a glimpse of revelation.
Thanks for your input though.

Re:

[Qzukk]

Step 1) Go to your bank's website.
Step 2) Look for the pretty little lock picture in your browser that tells you that the website is SSL encrypted.

Without the lock, there is no guarantee you're even on your bank's website when you click the login button that takes you to who knows where. ESPECIALLY when the bank helpfully puts a username/password form on the front page (see http://www.wamu.com/ [wamu.com] ) for you to fill out and hit submit and hope that the page it's submitting to actually IS encrypted.

I work with insurance companies, they suck

[Nicolas MONNET]

I work with insurance companies on IT issues, and if it's anything like bank -- it's the same kind of business -- they suck hard at computer security.

Their password policies for acessing extranets, for instance, are in most cases completely insane. They impose so many arbitrary constraints (such as changing the password monthly) in the name of security, no less, that invariably passwords en up being "password1", "password2" and so on. Furthermore most of them block an account after three unsuccesful login a

Jab at firefox

[emj]

Food for thought: The keystroke-sniffing attack gets even worse if your JS can run in the browser chrome, a feature offered by some browsers.

I wonder how a MITM attack could do that..

They're really giving the phishers a hand

[internic]

While the article may be older than dirt, I'm glad the issue has been brought up, because many financial sites still haven't done anything about the problem. It always pisses me off when I go to my bank's or credit card companies' site and am confronted with a login prompt on an insecure page. To add insult to injury, they generally have put some sort of little lock icon next to the login fields. Oh, well great! That must mean it's secure!. I mean, surely no phishing site will think to put a lock icon

Still relies on a secure connection

[internic]

I'm not really sure how that solves the problem I was talking about. My complaint is when a bank has the login prompt on a page served up with http, not https. The SSL connection isn't made until you hit the button to submit your password, at which point it's a little late for authentication.

What you seem to be talking about is a mechanism by which the browser makes obvious changes in appearance when it connects to certain sites via https. If they're not using SSL in the first place, I don't think t

Mother's Maiden Name

[giafly]

HTTPS is the least of my worries. I'm more concerned that banks

1. Use insecure information such as mother's maiden name as proof of id
2. Phone me with account questions, and ask me to prove my ID, but are incapable of proving their ID
3. Send my credit cards and PINs using normal post
4. Don't tell me when they have done "3)" so I won't notice if the letters fail to arrive.
5. Don't give me the choice of turning off Internet access to my account

Pot calling the snowball black?

[Opportunist]

Yes, I'm aware that it should be the kettle. But in this case, that wouldn't do justice to (most) banks.

For almost all successful bank frauds here, the culprit was a trojan in the IE. Banks do hire very good people to secure their online money transfer routines (at least here, cannot vouch for the US). What fails, though, is the security on the user side.

Faciliated by IEs way of treating plugins. To slip a plugin into the IE, all you have to do is set a few registry keys. It does not even need any user inte

Oh come on

[wsanders]

How dare you make an informative post based on real facts? This is /.!!?!

Also, I think TFA may be conflating MITM with phishing. I'd like to see how many frauds have been really been succesfully perpetrated using real MITM (with contact back to the bank for something otehr than static content, as opposed to plain old phishing), It's not hard to set up a phishing site with a "real" SSL cert from some dodgy issuer, I've seen LOTS of those.

Still I'm a little baffled why MOST sites have non-SSL login pages - it

Re:

[Opportunist]

The number is very low. Most phishing that relies on servers under the attacker's control come as a joint attack of an attack that is based on trojans for the IE. There was an attack against banks in Turkey recently that used a bogus hosts-file, but it was SO badly written (in VB5... shudder) that I just can't take it serious compared to the other attacks there are.

"True" MITM attacks are exceedingly rare. Because of a minmaxing reason. Unfortunately NDAs keep me from telling much more, but ponder this: A t

Re:

[mrcaseyj]

A true MITM requires you to funnel all relevant traffic through your server.

Maybe for a "true" MITM attack. But airpwn can do a sort of partial MITM attack. When your browser sends off a request for your bank's web page over the wireless, airpwn quickly sends back a response to your computer before the real server does (because airpwn is closer and can respond quicker). As soon as your browser gets the page back, it closes the port and ignores the real bank server. When you submit the password from the fa

Also problem for major US companies

[DigitAl56K]

Recently I tried to purchase some clothes from Hanes.com, a company most Americans will be very familiar with.

As it turns out, all of the forms they send to your computer are encrypted. None of the data you send them back by filling out such forms are encrypted. Account logins, billing address, shipping address, card details - they all go plain text according to Firefox. I contacted Hanes customer support twice about this, only to be told that they use "industry standard encryption". "Yes", I said, "but onl

Fair point

[Midnight Thunder]

Ignoring any issues IE, or any other browser for that matter, may or may not have with regards to security the developers make a fair remark. In many ways this is like offering a high street bank the best cameras and locks only to have them not used. Browsers offer methods of data encryption that help provide security, but if the bank doesn't use them it doesn't really matter what was provided, it does matter, and cause concern, that they don't use them.

The other issue is that public wireless networks (the

I'm sorry, did I hear you right?

[Colin Smith]

You trust bankers at all? WTF? Bankers are the scum of the earth.

The banking system we have just now, the world over is the single largest scam ever created[1]. And it's backed and enforced by the various governments. Most people have no idea how our money and banking system works, they still think it's backed by gold or something. What bankers do, is take your money, invest it at a healthy rate of return and then give you marginally more than the rate of inflation, if they're feeling generous, less if they

Re:

[_Shad0w_]

Regardless, when is the last time a major bank failed?

Barings Bank.

Re:

[Colin Smith]

Every now and then one of you antibank nuts crawls out of the woodwork.

Coming from an Anonymous Coward.

Regardless, when is the last time a major bank failed? How many depositors lost money when that bank failed?

Who said anything about failure? I'm talking about the normal operation, and how many depositors lose money? Every single one with an account returning less than the rate of inflation.

the main reason gold is valuable is because people think it is valuable.

As well as the other features, gold has an inherently limited supply, hence the perception of value. Dollars or in fact, any of the existing currencies, do not. Particularly when banks have been allowed to loan out the same cash tens or hundreds of times and charge interest on each of the loa

Banks have a much bigger problem

[cdn-programmer]

Banks have a much bigger problem than this. With the amount of spyware out there and the almost total lack of understanding of what vulnerabilities this exposes, probably more than 1/3 of the passwords and account details are known by Black Hats.

There are many ways to slip money out of accounts it isn't funny.

Trading accounts:

Create a series of bad trade orders. Offset these with legitimate trade orders in legitimate accounts. There are many thinly traded companies where it is easy to figure out who has the buy order and who has the sell order. All one has to do on a thinly traded company for instance is place a lowball buy order and have the victim's account buy shares at whatever price and then sell them into the lowball. This can be triggered from instance by a stop loss order. Once the shares are owned they can then be sold to another victim.

Chequing accounts: Create fraudulent transactions by paying for goods not ordered. These goods can even be shipped to create a semblance of legitimacy. By the time any of these goods arrive and the transactions are noticed the perpetrators are long gone with their loot.

Its quite easy to create a series of dummy companies to accomplish this. Of course, since this is e-commerce one would obtain valid certificates ahead of time.

This is one reason that secure communications offer limited protection. A felon in Jail can always get his lawyer to register a corporation for him and these are legitimate corporations. Its just they are run by crooks. But then Enron was run by crooks too it would seem. In fact, there are a HUGE number of companies run by crooks. Lots of people invest in them.

I'm in the bank business

[JustAnotherReader]

I've spent nearly a decade as a developer for a major California bank. I can't imagine that the SEC would allow any bank website to NOT use SSL. That's the most basic layer of security. But just to let you folks know that your data is safe, here are a few of the other things we do to keep your money and data safe from harm:

• We also ask for your zip code and make sure it matches the user info we have on file.
• We log the IP address you came from and the time. We do this for several reasons. The most common is that if we see 3 bad log in attempts in a row we lock your account. If we see several locked accounts spawning from the same IP address then we may have someone attempting to hack passwords. If that happens emails are automatically sent and pagers start going off. We notify our security people at once when that happens.
• The password you enter is encrypted in our database via a public private key encryption. But we never generated the private key. We can tell if your password, when passed through the public key, matches what we have in our database. But we can't tell you what your password actually is. Even we don't know. That way if somebody ever gets into our database they can't use the password information.
• We don't allow html or javascript in a user name, password field, account name or anywhere else that the user can enter data. We don't want a simple page display to run a rogue script.
• We have a tremendous amount of safeguards to protect your account information from attacks from inside the bank, behind the firewall. Access to different apps are limit to certain staff via LDAP. All data changes create a record of the change with data on who changed it, what application was used to change it and who was logged into that app at the time. Every bank employee from the managers to the bank tellers is fingerprinted and goes through an FBI background check. Access to data is limited to those who need access to do their jobs. Physical access to the servers is severely limited to a select few.
• The entire server and database infrastructure of the bank is duplicated in a 2nd location hundreds of miles away from the main servers. This database is being updated in real time so if any attack (whether a hack attack or a physical attack) brings down the system we do an immediate fail over to the backup system. This fail over and fail back system is tested regularly. I've been to that location. The servers are underground in a building with thick walls and no windows.

These really are just a few of the many many things we do to protect your data. In fact, I deleted 2 of the list items that I originally wrote about because I didn't want to give away any information that could be useful to a potential crook.

We take security very seriously for two main reasons. First, we're liable for any losses you have due to a security breach. But more importantly, we can't afford to lose the faith of our customers. If they don't trust us they'll take their money somewhere else. The actual financial loss from an attack on our system would be minor compared to the loss of trust from our customers.

My Bank tried to force me to switch.

[SeaFox]

I had a fully encrypted account login page bookmarked and used it, and at some point in the future they add an encrypted login area sections to their non-encrypted front page. I ignored it because I preferred to use the old page I had bookmarked. Several months later I got a message after logging in that I was using an old version of the login page that would be going away soon, and to start logging in from the front page and change my bookmarks accordingly.

I ignored it, and now, several more months later,

Re:

[LighterShadeOfBlack]

Damn! This is like Rosie O' Donnell calling you fat and obnoxious.

It doesn't mean you're not fat and obnoxious though does it?

Re:Cringe

[LighterShadeOfBlack]

I cringe a little whenever I visit a bank or CC site ans see .asp or .aspx at the end of the URL.

Why, are you afraid of snakes?

They're just file extensions buddy, they can't hurt you.

Re:

[Sobrique]

Big banks have the tools and means, but also a whole wall of 'change control' that requires you to explain in detail why, exactly, you think the way they're doing it is moronic, and to assess it's impact exhaustively alongside the relative costing of project to redesign and implement a solution.

Re:

[LighterShadeOfBlack]

Maybe you just need one correct definition of irony, because I don't see anything ironic here.

Oh wait, IE is known for having exploits, therefore an IE developer talking about security of any kind, even SSL/TLS which IE supports fully, correctly and handles sensibly, is ironic, right? That's ironic indeed. You and Alanis Morisette should team up and write a song about these things you find ironic. I'd listen, I really would.

Re:

[I'm Don Giovanni]

Email systems have never been secure (besides the login/handshake).

Re:

[whoever57]

Email systems have never been secure (besides the login/handshake).

Huh? You never downloaded your email over an SSL connection? IMAP supports a STARTTLS command, so do many SMTP servers. Gmail supports STARTTLS on SMTP, so it's not like only a few small email providers support this extension.

Also, you are wrong about the login. Traditional POP logins (ie, without SSL) are insecure.

Re:

[SEMW]

...Since when has hotmail been a bank?

You should never be sending sensitive information over nonencrypted email in any case. Securing the hotmail login page and then sending your bank details by email would be rather like locking the barn door, then demolishing large parts of the other three walls of the barn, whilst keeping the lock intact. Utterly pointless. And that applies to any webmail system, not just hotmail.

Re:

[Tarlus]

I don't think Hotmail was developed by the IE team.

If Microsoft in general were to make that criticism toward banks, then it would be hypocrisy.

Re:

[LighterShadeOfBlack]

Newsflash:

Microsoft does.

And don't tell me about how it's a big company. It's a big black pot talking shit to the kettle.

Fuck Microsoft.
If there's anything that banks need to be told, it's that they need to quit checking user-agent headers and redirecting us to stupid pages telling us to use Internet Explorer.

I can't believe you got modded insightful for this. If that article had been made by the Firefox team your post would've no doubt been something along the lines of "yeah, stick it to the man! Fuck those big business banks and their insecure products. OPEN SOURCE 4EVA1!!!1!". But because it's a Microsoft employee who is writing something quite correctly about a major security issue affecting millions of people and billions of pounds/dollars/yen/whatever then "Fuck Microsoft", right? This guy works on a comp

Re:

[AaronW]

Citibank is one of the financial institutions who is vulnerable due to their lack of https as well. I'm fairly pissed off at them over that and other problems with their web interface which is mostly designed for IE only.

Re:

[mrcaseyj]

An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again

If I was going to create a phishing website, not only would I have the fake frontend, but I'd simulate the login failed behavior of the website as well. That way I'd get not only the login information the user believes is valid for the faked website, but I'd also harvest multiple login/password combinations from that user. So entering a fake username/

Re:

[mrcaseyj]

No duh, you can't spoof a cert. But show us what field in the cert includes the ip address for the fqdn listed the cn field? It doesn't exist! Again, how do you ensure the ip address the dns server resolved for www.citibank.com is really the ip address CitiBank.

It doesn't matter what the IP address is. Once your bank gets one certificate authority to sign their mybank.com public key, no other trusted certificate authority will sign another public key for the domain mybank.com. If the crook makes his own p