Tuesday, April 25, 2006

Security time capsule opens up: SANS researcher emerges.


*************************************************************************
SANS NewsBites April 25, 2006 Vol. 8, Num. 33
*************************************************************************
-- snip --
--Researcher Warns Some Online Banking Sites Don't Provide Adequate Authentication (20 April 2006) SANS Institute chief research officer Johannes Ullrich says many widely used online banking sites do not use authentication technology to assure that they are who they claim to be. Banks would be well advised to send users to an HTTP Secure (HTTPS) web page which uses the Secure Sockets Layer (SSL) security protocol instead of merely encrypting login forms.
Web pages that do not use HTTPS make themselves vulnerable to DNS spoofing in which attackers try to trick users into visiting phony web sites in an attempt to gather their account information.
http://www.computerworld.com/printthis/2006/0,4814,110738,00.html
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1278
-- snip --


[Editor's Note (Axley): This is pure silliness. Their "head researcher" only now has discovered that this has been going on? I certainly applaud their efforts to raise awareness of the issue and clarify it as an authentication issue, not an encryption one, albeit late to the game, and will likely contribute my list to their list of financial institutions not authenticating their login pages (which are often on their homepages) with SSL. I had to deal with this issue at AT&T Wireless with their homepage and also am dealing with it as we speak at my present employer so it is not new. Many companies seem content these past few years to be "cream of the crap" instead of "cream of the crop" -- only striving to be "as good as" (read: "as bad as") the next guy. My prediction is that it won't stay this way since phishing is getting solidified as its own industry now.]
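As an added example (not code from the newsletter or from the blog author), here is a small audit check for the pattern the item describes: a login form that posts over HTTPS but sits on a plain-HTTP page the user had no way to authenticate. The page HTML and the hostnames are constructed placeholders.

```python
# Added audit check, not from the newsletter or the blog author: flags login
# forms encrypted in transit but served from a plain-HTTP page. Constructed hostnames.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None  # each form: {"action", "password"}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html):
    """Return (action_url, verdict) per password form. ok: page and target both
    HTTPS. plaintext: target is HTTP. unauthenticated-page: HTTP page posting to
    HTTPS, so credentials are encrypted but nothing proved who served the form
    (the newsletter's point: a spoofed DNS answer or look-alike host goes unnoticed)."""
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"
    results = []
    for form in parser.forms:
        if not form["password"]:
            continue  # search boxes and the like are not login forms
        action = urljoin(page_url, form["action"])  # resolve relative actions
        if urlsplit(action).scheme.lower() != "https":
            verdict = "plaintext"
        else:
            verdict = "ok" if page_https else "unauthenticated-page"
        results.append((action, verdict))
    return results

# Constructed sample: HTTP homepage, login form posting to HTTPS, plus a search form.
SAMPLE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = ('<form action="https://secure.example-bank.test/login"><input name="u">'
               '<input type="password" name="p"></form><form action="/search"><input name="q"></form>')

if __name__ == "__main__":
    print(audit_login_page(SAMPLE_URL, SAMPLE_HTML))
```

Running it on a real site means fetching the page with the original URL scheme the user would type (the bare homepage), since the verdict depends on how the page itself was served, not only on where the form posts.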

