April 27th, 2006

Many Banks failing to use SSL authentication

Posted by George Ou @ 1:27 pm

Categories: Security

A recent SANS blog post raised serious concerns about the state of online banking security: many banks serve their login forms over plain HTTP rather than SSL. They also posted an Online Banking scoreboard showing which banks practice good security and which don't.

What's actually happening is that these banks use SSL for encryption, but not to prove the bank's identity to you, the customer, before you type your password. Encryption is useless if you can't tell whether the party you're talking to is the party you intended to talk to. When the login page itself is served over plain HTTP, the browser never verifies who sent it: anyone who can intercept or redirect that traffic can hand you a look-alike form, even if the genuine form would have posted to an HTTPS address. Unsuspecting users log in to the fake page, their credentials are captured by the bad guys, and from there it's a simple matter of transferring money to the attacker's own accounts.
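The "SSL optional" pattern described above, as an added example that is not code from the original post or from any bank: a small audit that classifies a login page by where the page and its form action came from, and the rewrite an on-path attacker can apply to an HTTP-served page. The HTML and hostnames are constructed samples, not real bank pages.

```python
"""Classify a bank login page, then show why an HTTP-served form is not protected.

Added example, not code from the original post. SAMPLE_HTML and the *.test
hostnames are constructed placeholders, not real bank content.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormFinder(HTMLParser):
    """Collect every <form>, noting whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def classify_login_page(page_url, html):
    """How the login form is protected, seen from the customer's side.

    "authenticated":   page itself arrived over HTTPS, so the browser verified the
                       server certificate before the form was ever displayed.
    "encryption_only": page over HTTP, form posts to HTTPS. The password is
                       encrypted in transit, but the form could have been swapped
                       on its way to the browser (the scoreboard's "optional").
    "none":            page and form action both plain HTTP.
    "no_login_form":   no password field found on the page.
    """
    parser = _FormFinder()
    parser.feed(html)
    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        return "no_login_form"
    if urlparse(page_url).scheme == "https":
        return "authenticated"
    # Resolve a relative action against the page URL, exactly as the browser does.
    action = urljoin(page_url, login_forms[0]["action"])
    if urlparse(action).scheme == "https":
        return "encryption_only"
    return "none"


def rewrite_form_action(html, attacker_url):
    """What an attacker on the network path does to an HTTP-served login page.

    The page is plaintext, so nothing stops its form action being replaced with
    the attacker's own HTTPS server. The victim's browser shows no warning: an
    HTTP page was never authenticated to begin with, and the tampered action
    still points at a perfectly valid HTTPS site (the attacker's).
    """
    pattern = re.compile(r'(<form\b[^>]*?\baction=")[^"]*(")', re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + attacker_url + m.group(2), html)


# Constructed sample page: served over http://, form posts to https://.
SAMPLE_PAGE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """<html><body>
<form action="https://online.example-bank.test/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


def demonstrate(attacker_url="https://evil.test/login"):
    """Run the audit on the sample page before and after an on-path rewrite."""
    tampered = rewrite_form_action(SAMPLE_HTML, attacker_url)
    return {
        "before": classify_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML),
        "after": classify_login_page(SAMPLE_PAGE_URL, tampered),
        "tampered_posts_to_attacker": attacker_url in tampered,
        "original_host_gone": "online.example-bank.test" not in tampered,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The telling result is that the audit classifies the tampered page exactly like the original: an HTTPS form action is just another attacker-controlled string on an HTTP page, which is why only serving the login page itself over SSL gives the customer any assurance.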

Among the banks listed in the bad security category was American Express. Not only does American Express not use SSL authentication by default, it presents a bad digital certificate even when you manually type HTTPS into the address bar to force SSL authentication. You get the warning below that "the name on the security certificate is invalid or does not match the name of the site". Worse, a customer who learns to click through that warning on the genuine site has been trained to ignore the one signal that would catch a real spoof.

When you click the "View Certificate" button, you see that the certificate was actually issued to "a248.e.akamai.net" (an Akamai CDN hostname) and not to "home.americanexpress.com" as it should be. The browser compares the hostname you typed against the names in the certificate; since they don't match, the connection is encrypted to someone, but nothing proves that someone is American Express. How am I supposed to know that I'm really visiting American Express? The truth is you can't, when American Express won't do something as simple as getting a certificate that matches its own hostname. Are we to believe that American Express can't afford a valid $60/year digital certificate? Shame on them!
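The hostname check the browser performed above, as an added example that is not code from the original post or from any browser: the name-matching rule from RFC 2818 / RFC 6125 applied to a constructed certificate shaped like the one the post describes (subject CN and SAN both naming the CDN host). The certificate dictionaries are built inline in the shape `ssl.getpeercert()` returns; `check_live` is the same check against a real server and needs network access.

```python
"""Match the names on a server certificate against the hostname the user typed.

Added example, not code from the original post. CDN_CERT is a constructed
stand-in shaped like ssl.getpeercert() output; the *.test names are placeholders.
Rule implemented: subjectAltName dNSName entries are authoritative; the subject
commonName is consulted only when no dNSName exists; "*" matches exactly one
leftmost label.
"""
import socket
import ssl


def _name_matches(pattern, hostname):
    """Compare one certificate name against a hostname, wildcard-aware."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # "*.example.test" matches "www.example.test" but neither "example.test"
    # nor "a.b.example.test": the wildcard covers a single label only.
    suffix = pattern[1:]                      # ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_names(cert):
    """Names the certificate is valid for: SAN dNSNames, else the subject CN."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for (key, value) in rdn if key == "commonName"]


def cert_matches_hostname(cert, hostname):
    """True if the browser would accept this certificate for this hostname."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


# Constructed certificate mirroring the situation in the post: issued to the CDN
# hostname, but presented when the customer asks for the bank's hostname.
CDN_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"),),
}


def explain(cert, hostname):
    """Human-readable verdict, the equivalent of the browser's warning dialog."""
    names = cert_names(cert)
    if cert_matches_hostname(cert, hostname):
        return f"OK: certificate for {names} matches {hostname}"
    return (f"WARNING: you asked for {hostname} but the certificate was issued "
            f"to {names}; the name on the certificate does not match the site")


def check_live(hostname, port=443, timeout=10):
    """Fetch a real server's certificate and run the same check (needs network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # keep chain validation, do the name comparison here
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return explain(cert, hostname)


if __name__ == "__main__":
    print(explain(CDN_CERT, "home.americanexpress.com"))
    print(explain(CDN_CERT, "a248.e.akamai.net"))
```

Run against `CDN_CERT`, the check fails for the bank's hostname and passes only for the CDN's own name, which is exactly the mismatch dialog the post shows; a certificate whose SAN or CN named the bank's hostname would pass without any warning.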

USA banks failing to use SSL authentication include:

Outside the USA, only HSBC fails to use SSL authentication, though the list is still being updated. This looks really ugly for the American banking system as a whole, and it's time they cleaned up their act and learned to use some basic cryptography. If your bank is on this hall-of-shame list with "SSL Login Form" listed as "optional", be sure to complain to them that this is unacceptable. I'll also be following up with these banks, and if they don't do something soon, I'll escalate the issue to the proper channels.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
