11/01/2006

Is Your Bank FAKING Login Security?!

Dan Kaminsky's had a very shocking lecture at the Toorcon 8 convention. He was discussing SSL and how certain sites pass login credentials from their home pages (usually http) to their encrypted pages (https). He found that 13 of the top 50 banks FAKE THEIR LOGIN SECURITY! (my words, not his, but I don't think he wouldn't disagree with me at all).

Dan found that these 13 banks were using "post-to-https" method to pass their user's credentials (NOTE: this is GROSSLY insecure as it broadcasts the id/password to ANY attacker). These banks do, however, go to the lengths of posting a fake "lock" gif and telling you it's safe because it's easier/cheaper than sending you to a secured page or scaling massive amounts of SSL traffic generated by each and every connection (Note: Dan mentions that
Wells Fargo bank does do this very method to secure its customers).

So, after listening to Dan's lecture (thanks HackaDay), I started to look into my bank's method. After looking at the code at my bank's homepage, I see that they are using a JS function to pass along this info. I'm not sure if it is insecure or not but I do know that they are not using "iframe" nor is the url of the homepage "https". So, how can I be sure my bank isn't broadcasting my id/password (i.e. my browser showing the "lock" gif in the status bar)?
By using a little "social engineering hack".

  • Goal: get to an actual secured page (i.e. "https") without switching banks.

At my bank's site there is a login section on the front page, I noticed that when I entered my id/password wrong the other day it took me to an "https" page to get me to login again...hmmmmm....so, today I went to the homepage, clicked "login" without any information and it took me straight to the "https" login page for secured login! SWEET, now I can go to the coffee shop AND not get pwn3d! I've not been able to try this out on the 13 banks noted above because Dan doesn't give their names. However, it does work on Bank of America's site (Note: I'm not saying that they are one of the 13 nor that they are insecure; I'm just saying that they move you from "http" to "https" with this hack).

Ok, so it's a "social engineering hack" on me but still it's MUCH safer than "saying your id/password out loud" every time you login which is kind of what you're doing.



No comments: