April 21, 2006, 10:25 AM — Online bank customers may want to pay a little more attention to their browsers the next time they log in, because many of the most popular banking sites in the U.S. may be needlessly placing their customers at risk to online thieves, a noted security researcher warned Thursday.
At issue are the user login areas that can be found on banking sites such as Chase.com and Americanexpress.com, which ask users to submit their user ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Johannes Ullrich, chief research officer at the SANS Institute.
A more secure approach would be to force users to log in on a HTTPS (HyperText Transport Protocol Secure) Web page. HTTPS pages use the SSL (Secure Sockets Layer) security protocol, which not only encrypts the information on the page but also provides digital certificates to give assurance that the Web site in question is genuine.
"If the login form is not HTTPS, you don't know if it's the real thing," Ullrich said.
Web pages that do not use this type of secure connection are vulnerable to a type of attack known as DNS (Domain Name System) spoofing, where attackers attempt to trick Web browsers into visiting bogus Web sites. They do this by gaming the system used to convert Web addresses such as Bofa.com into the numerical Internet Protocol addresses used by computers to navigate the Internet.
This type of attack is technically challenging, however, and hackers generally find it far easier to trick users into giving up their user names and passwords using phishing techniques, Ullrich said.
Still, there's no good reason for banks to allow users to log in on pages that do not use SSL, Ullrich said. The SANS researcher has compiled a list of banks that includes information on their use of SSL authentication. https://www.securewebbank.com/loginssluse.html
Banks that require SSL authentication include Capital One Bank., Citigroup Inc., and Wells Fargo & Co.
Often banks include SSL login pages as an option, but they can be hard to find, Ullrich said. One trick for finding these pages, which will prompt Firefox and Internet Explorer to display a yellow lock icon on the bottom of the screen, is to submit a bad password on the home page. Often bank sites will redirect users to the SSL login page after this happens, he said.
Though he admits to logging in to pages that do not use SSL encryption himself, security consultant Richard Smith agreed that it would be safer for banks to direct their users to an HTTPS page for account logins. "It's only one extra step," he said. "The banks could do it, but I guess they feel that one extra step is too hard for people."
One of the banks that does not use SSL sign-in on its front page defended its practices. "It is more convenient for our customers and it is secure," said Bank of America Corp. spokeswoman Betty Riess.
Though Bank of America allows customers to enter their online IDs on the home page, they cannot submit passwords. The bank sends them to an HTTPS page and uses a technology called SiteKey to confirm to customers that they are at the legitimate Bank of America site before they enter their passwords.
"We're committed to safeguarding customer information online and we wouldn't do anything to compromise that security," Riess said.
