Banking Sites (like Chase.com and Americanexpress.com) Security Questioned
By Angsuman Chakraborty, Gaea News Network, Wednesday, May 3, 2006
Johannes Ullrich, chief research officer of the prestigious SANS institute said that many of the most popular banking sites may be needlessly placing their customers at risk and I agree with him.
The key issue is the user login areas found on banking sites such as Chase.com or AmericanExpress.com, which ask users to submit their user ID and password. Although the form submissions are mostly encrypted, the pages that carry the forms do not use authentication technology to prove they are genuine.
A more secure approach would be to force users to log in on an HTTPS web page. HTTPS pages use the SSL (Secure Sockets Layer) security protocol, which not only encrypts the information on the page but also presents a digital certificate to give assurance that the website in question is genuine.
“If the login form is not HTTPS, you don’t know if it’s the real thing,” Ullrich said.
Web pages that do not use this type of secure connection are vulnerable to DNS spoofing attacks, in which attackers attempt to trick browsers into visiting bogus sites.
Bank of America, one of the banks that does not use SSL sign-in on its front page, defended its practices. “It is more convenient for our customers and it is secure,” said Bank of America spokeswoman Betty Riess. (via TechWorld)
I disagree. An HTTPS page is as convenient as an HTTP page in terms of ease of access. It may be slightly slower, but that is not an excuse for compromising customer security.
On the flip side, we also have to realize that HTTPS pages by themselves do not guarantee security. Very few people I know actually check the certificate for authenticity, and many would actually use a site even if the certificate is invalid or incorrect. Common people today are not, in general, educated about the function and value of SSL certificates.
A litmus test? Ask your granny what that HTTPS icon stands for.