Amir Herzberg's
Phishing and Spoofing FAQ

  1. Why should login sites be protected by SSL?
  2. My bank site assures me that the password is encrypted in transit. Is it protected?
  3. My bank's site says `protected by SSL` and/or displays padlock sign; is it protected?
  4. What does the FDIC think of this?
  5. I use a one-time-password login mechanism, e.g. from a tiny device provided by my bank. Is this sufficient security?
  6. My bank presents a personalized greeting for me before I type my password. Is this sufficient to prevent spoofing?
  7. I always access my bank site by a bookmark or by typing the URL. Is there still a risk in using an unprotected login page?
  8. My bank does not allow money transfer out of my account via online banking. Is there still a risk to my money if my online banking password is exposed?
  9. Is there a liability for a bank or another site that uses unprotected login pages?
  10. How come such important sites are unprotected?
  11. You show some of the most important login sites are unprotected. So, isn't this the norm?
  12. How can I detect unprotected and spoofed pages?
  13. How can I detect changes in my unprotected login page?
  14. Is there a performance / privacy penalty to the use of (some) anti-spoofing extensions (`bars`)?
  15. What should I do if I detect another unprotected login page?
  16. Is there a long-term goal for maintaining a list of unprotected login pages?
  17. Do you warn owners of unprotected login sites? How do they respond?
  18. Are there additional significant web-scams threats? Any countermeasures?
  19. Where can I learn more, see screenshots, etc.?

Questions with answers

  1. Why should login sites be protected by SSL?

Stealing passwords, followed by unauthorized access to and abuse of the accounts, is possibly the most common fraud on the Net, and it causes substantial losses to individuals and corporations. The easiest and most common method for stealing passwords is to create a `spoofed` web site, i.e. a site which looks like the real login site but collects the passwords for the attacker. The easiest and most common method to lead the user to the spoofed site is by sending him fake, misleading e-mail; this is called `phishing`. See more details at http://antiphishing.org. All browsers support the SSL and/or TLS protocols, which allow the browser to authenticate the identity of the web site before you enter your password into it, and then encrypt the password (and other sensitive information) in transit, to prevent disclosure to eavesdroppers.

  2. My bank site assures me that the password is encrypted in transit. Is it protected?

Encrypting the password prevents exposure to an eavesdropper, which is good. However, some web sites deploy encryption using a script in the login page, and do not invoke SSL/TLS before that to authenticate the login page itself. Therefore, if the user receives a spoofed login page, nothing will reveal it; of course, the spoofed page will send the password to the attacker.

  3. My bank's site says `protected by SSL` and/or displays a padlock sign; is it protected?

Unfortunately, several sites, including some major bank sites (e.g. Chase), present a padlock and/or otherwise claim to use SSL and cryptography to protect the login process, while actually only encrypting the password in transit using a script in the login page. This is misleading and insecure, as explained above.
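A small checker for the two conditions that questions 1 to 3 describe, added here as an example (it is not code from the FAQ or from TrustBar): a login form is only protected if the page itself came over https, so the browser authenticated the site before showing the form, and the form also submits over https. The sample URL and HTML are constructed; a page-side encryption script, as in question 2, leaves the verdict unchanged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordForms(HTMLParser):
    """Collects the action attribute of every <form> that has a password field."""

    def __init__(self):
        super().__init__()
        self.actions, self._form, self._has_pw = [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form, self._has_pw = a.get("action") or "", False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._has_pw = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._has_pw:
                self.actions.append(self._form)
            self._form = None


def check_login_page(page_url, html):
    """Return [(submit_url, verdict)] for each password form on the page."""
    parser = _PasswordForms()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # empty action posts back to page_url
        if page_https and urlsplit(target).scheme == "https":
            verdict = "protected"
        elif urlsplit(target).scheme == "https":
            # Password encrypted in transit, but nothing authenticated the page
            # that built the form: a spoofed copy would look identical (Q2/Q3).
            verdict = "page unauthenticated: a spoofed copy would look identical"
        else:
            verdict = "password sent unprotected"
        findings.append((target, verdict))
    return findings


# Constructed sample (not a real site): http login page whose form posts to https.
SAMPLE_URL = "http://bank.example/login"
SAMPLE_HTML = ('<form action="https://bank.example/do_login" onsubmit="enc(this)">'
               '<input name="user"><input type="password" name="pw"></form>'
               '<form action="/search"><input name="q"></form>')
```

Forms without a password field (the search form in the sample) are ignored, and a relative or empty action is resolved against the page URL before its scheme is checked.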

  4. What does the FDIC think of this?

In June 2005, the FDIC published 'Putting an End to Account-Hijacking Identity Theft Study Supplement'. I think it is well written and worth reading. In particular, on p. 22, under the heading `mutual authentication`, they say: "Financial institutions can aid consumers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the client. More specifically, banking Web pages which collect sensitive information on form pages, or otherwise, should authenticate the page using digital certificates signed by a trusted authority prior to collecting the sensitive information. Certificates should be registered to easily identifiable business names rather than third party service providers to aid the consumer's understanding of the certificate's authenticity." This is exactly the point I'm trying to make with the Hall of Shame, although maybe stated a bit more delicately, and therefore it may require careful reading. I've sent e-mail to the FDIC to confirm my understanding, and their response further supported my position; in fact they said: "I also understand the point you are making with regard to our discussion of mutual authentication. I agree that we could have been a bit clearer." (My main reservation was that their text may be interpreted as if using SSL requires high costs, where they actually referred only to the use of SSL client authentication.)

  5. I use a one-time-password login mechanism, e.g. from a tiny device provided by my bank. Is this sufficient security?

There are several good, secure one-time-password login mechanisms and devices. However, these devices (usually) only identify the user during the login process. It is possible to launch a spoofed web site that passes the one-time-password on to the correct bank site, and thereby obtain access to the account for that particular session. This attack is not so easy, mainly since it requires the attacker to exploit the login immediately, rather than providing her with a password which she can use later at her convenience. Still, proper identification of the site, using SSL/TLS protection, provides additional security also when using one-time-passwords.

  6. My bank presents a personalized greeting for me before I type my password. Is this sufficient to prevent spoofing?

A personalized greeting can allow users to detect a spoofed site, which is unaware of the greeting. However, the security of such solutions depends on implementation details, as follows. [To be completed]

  7. I always access my bank site by a bookmark or by typing the URL. Is there still a risk in using an unprotected login page?

The risk is indeed reduced. However, an attacker who is able to intercept your messages, e.g. if you are using a wireless Internet connection such as WiFi, or if they control a switch or router that your traffic passes through, can still redirect you to a spoofed page. There are many ways to intercept communication on the Internet, and the SSL/TLS protocols are specifically designed to withstand such (strong) attackers.

  8. My bank does not allow money transfer out of my account via online banking. Is there still a risk to my money if my online banking password is exposed?

This depends. In particular, many banks, e.g. in the US, allow money transfers initiated by trustworthy financial institutions out of their customers' accounts (i.e. possibly your account). This assumes that the other financial institution obtained the approval of the account owner. A common method to validate this is by depositing small amounts in the account and asking the owner to report the details of these deposits. If the attacker has access to the transactions on your account, she may be able to provide this information and thereby transfer money out of your account.

  9. Is there a liability for a bank or another site that uses unprotected login pages?

This is a legal question, and while I have been reading about it and discussing it with lawyers, I cannot give legal advice. However, I think it is fair and reasonable to say that liability may exist in some cases. In particular, the claim for liability may be stronger if the injured party can prove a failure to maintain a `duty of care`, and in particular negligence in spite of warnings. For example, I warn all sites before adding them to the `hall of shame`, and add them only if they do not fix (i.e. protect) the login page.

  10. How come such important sites are unprotected?

Ask them :-) Seriously, there are some reasons. One is ignorance and negligence; the security indicators in most browsers are so hard to notice that webmasters, as well as users and designers, sometimes do not notice the lack of protection. But there are some other reasons. Performance and the cost of obtaining a certificate are often mentioned, but in reality neither is a significant obstacle, and both can be overcome easily (though some designers are not aware of this). One `real` problem is that many sites, especially the larger ones, use third-party hosting, possibly to reduce latency by serving the contents from a nearby server. In this case there may be a dilemma: should the site use the certificate (and identity) of the third party hosting it? Or should the site give its private key to the third party?


Of course, there are simple technical solutions to all these problems, with reasonable costs and overhead. Proof of that is the many sites that do provide secure login properly.


One interesting argument we heard was that most users will not notice if they receive an unprotected site instead of the protected one. This may be true with the weak security indicators in most current browsers. It can be addressed by installing improved security indicators (e.g. TrustBar) or by using a browser with improved indicators (e.g. Netscape version 8).

  11. You show some of the most important login sites are unprotected. So, isn't this the norm?

Fortunately, no! Most of the (serious) login pages are well protected. Just check: we have a lot of sites in the `Hall of Shame`, but they are still only a tiny fraction of all login pages. Try to find another one. It may not be too difficult, but you are likely to encounter a lot of protected login pages along the way.

  12. How can I detect unprotected and spoofed pages?

To be completed: using existing browser UI, using TrustBar (http://AmirHerzberg.com/TrustBar), using other toolbars

  13. How can I detect changes in my unprotected login page?

To be completed: using new versions (0.4.1 or later) of TrustBar (http://AmirHerzberg.com/TrustBar) [add details!!]

  14. Is there a performance / privacy penalty to the use of (some) anti-spoofing extensions (`bars`)?

A few bars contact a centralized server upon entering any new web page; this has significant overhead, and may be a privacy concern for many users. However, other bars, such as TrustBar, do not compromise privacy in any way, and have no noticeable overhead.

  15. What should I do if I detect another unprotected login page?

We recommend that you immediately contact the site owners to warn them and ask them to protect the site. You are also encouraged to inform us, so we can add the site to the Hall of Shame. You can inform us by e-mail or, if you have installed TrustBar, by clicking the Hey! button.

  16. Is there a long-term goal for maintaining a list of unprotected login pages?

Browser security indicators can use a list of unprotected login pages to warn users about such pages. This may be a future feature of browsers and/or of extensions such as TrustBar. We are working on such a feature for TrustBar (in fact it is almost done).

  17. Do you warn owners of unprotected login sites? How do they respond?

Yes, we try to warn them before adding the site to the Hall of Shame. A few sites were fixed after our warnings, completely or at least partially. Unfortunately, most sites ignore the warning, argue about it, etc.; one site even sent us coupons for free use of their services.

  18. Are there additional significant web-scam threats? Any countermeasures?

Yes, there are... (to be completed)

  19. Where can I learn more, see screenshots, etc.?

See the information at http://AmirHerzberg.com/TrustBar.