
How some banks do not get SSL technology



nocturn
June 8th, 2006, 08:56 AM
I was reading SecurityFocus today and there was an article about phishing (recommended).

The article talked about how users fail to interpret browser cues to identify fake sites.

It also mentioned one real site, The Bank of the West. They have this notice on their main page:



Browser security indicators
You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure. Those indicators include the small "lock" icon in the bottom right corner of the browser frame and the "s" in the Web address bar (for example, "https"). If the lock does not appear, the page is not secured.

To provide the fastest access to our home page, we have made signing in to Online Banking secure without making the entire page secure. You can be assured that your ID and passcode are secure and that only Bank of the West has access to them.


This is unbelievable.

I sent them the following E-mail and I'm very curious about the response. Security is very important to me and I'm shocked to see a major bank suggest such insecure behavior...



Hello

I stumbled onto your site today from a link in a securityfocus article about
phishing.

To my horror I read the following notice on your site:

"You may notice when you are on our home page that some familiar indicators do
not appear in your browser to confirm the entire page is secure. Those indicators
include the small "lock" icon in the bottom right corner of the browser frame and
the "s" in the Web address bar (for example, "https"). If the lock does not
appear, the page is not secured.

To provide the fastest access to our home page, we have made signing in to Online
Banking secure without making the entire page secure. You can be assured that
your ID and passcode are secure and that only Bank of the West has access to
them. "

As someone in the security field, I have spent the last 10 years trying to
educate people on safe computer practices, including E-mail security and checking
the visual cues on websites.

This little notice obliterates many of the things I have always told people to
look for when surfing sensitive sites.

The way your page handles SSL logins ignores much of the safety that this
technology offers. If users are directed to a duplicate of your site that is
visually identical to yours, they will not be able to verify if the login form
they use is really yours. If they have the skills to check after entering and
submitting their details, they will only learn that their information has fallen
into hostile hands AFTER it is too late.

I would like to ask you to take this matter up with a security expert, because
the security of online transactions is in the best interest of all of us but
organisations like yours are in a key position to make it happen.

Phishing today is a real problem, and it takes effort and dedication to fight it.
I do my part by educating people about what can happen to them and to do the most
basic things to avoid being an easy target, but that education requires that the
visual indications I teach them are present.

Thank you

Kind regards