• United States



by Dave Gradijan

Researcher: Major Banking Sites Insecure

Apr 21, 20063 mins
CSO and CISOData and Information Security

Online bank customers may want to pay a little more attention to their browsers the next time they log in, because many of the most popular banking sites in the United States may be needlessly placing their customers at risk to online thieves, a noted security researcher warned Thursday.

At issue are the user login areas that can be found on banking sites such as and, which ask users to submit their user ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Johannes Ullrich, chief research officer at the SANS Institute.

A more secure approach would be to force users to log in on a hypertext transport protocol secure (HTTPS) webpage. HTTPS pages use the SSL security protocol, which not only encrypts the information on the page, but also provides digital certificates to give assurance that the website in question is genuine.

“If the login form is not HTTPS, you don’t know if it’s the real thing,” Ullrich said.

Webpages that do not use this type of secure connection are vulnerable to a type of attack known as DNS spoofing, where attackers attempt to trick Web browsers into visiting bogus websites. They do this by gaming the system used to convert Web addresses such as into the numerical IP addresses used by computers to navigate the Internet.

This type of attack is technically challenging, however, and hackers generally find it far easier to trick users into giving up their user names and passwords using phishing techniques, Ullrich said.

Still, there’s no good reason for banks to allow users to log in on pages that do not use SSL, Ullrich said. The SANS researcher has compiled a list of banks that includes information on their use of SSL authentication.

Banks that require SSL authentication include Capital One Bank, Citigroup, and Wells Fargo & Co.

Often banks include SSL login pages as an option, but they can be hard to find, Ullrich said. One trick for finding these pages, which will prompt Firefox and Internet Explorer to display a yellow lock icon on the bottom of the screen, is to submit a bad password on the homepage. Often, bank sites will redirect users to the SSL login page after this happens, he said.

Though he admits to logging on to pages that do not use SSL encryption himself, security consultant Richard Smith agreed it would be safer for banks to direct their users to an HTTPS page for account logins. “It’s only one extra step,” he said. “The banks could do it, but I guess they feel that one extra step is too hard for people.”

One of the banks that does not use SSL sign-in on its front page defended its practices. “It is more convenient for our customers and it is secure,” said Bank of America spokeswoman Betty Riess.

Though Bank of America allows customers to enter their online IDs on the homepage, they cannot submit passwords. The bank sends them to an HTTPS page and uses a technology called SiteKey to confirm to customers that they are at the legitimate Bank of America site before they enter their passwords.

“We’re committed to safeguarding customer information online, and we wouldn’t do anything to compromise that security,” Riess said.

-Robert McMillan, IDG News Service

For related CSO content, read Identity Protection.

Keep checking in at our Security Feed page for updated news coverage.