Wednesday, April 27, 2005

US Bank, Bank of America & Chase still force users to be vulnerable to ID theft

Posted in the highly recommended Risks Digest:

This may have been discussed before, but with the recent spate of DNS cache poisoning attacks and fake WiFi hotspot proliferation I believe it has new relevance.

I was actually rather shocked to find that U.S. Bank, Chase and Bank of America all still *force* users to enter their login and password on an insecure page. This exposes account holders to a great risk of their credentials being stolen. The login forms on their genuine home pages are submitted to a secure site, as they claim.

The problem is that you need security *before* you enter your data. If DNS, a router or a proxy server anywhere along the path to their server were compromised, the login page could be replaced with one that submits to another site or injected with JavaScript that sends info elsewhere, asynchronously, before it goes to the real destination. Without an SSL certificate chain there is no way to verify that the insecure page with the form came from a trusted source and no way short of exhaustive code inspection to tell where the form data is actually going.

BankOne, Wells Fargo, Citi, Washington Mutual, Bank of the West, Key Bank and Sun Trust all offer SSL versions of their login page, but for some reason, U.S. Bank, BofA and Chase redirect to an insecure site or return an error when trying to connect with SSL. You *can't* log in securely, even if you try. The existence of this kind of obvious and fundamental security mistake after all the publicity about this category of attack (note that all these banks *do* have a user education page on phishing/fraud prevention!) is definitely something to keep in mind when choosing a bank.

- Brad Hill