
Online banking - John C. Kirk

Mar. 3rd, 2010

09:33 pm - Online banking


In part 1 of my LUA series, I mentioned a virus that modified the HOSTS file on a PC. This meant that each time someone tried to connect to their banking website, they actually went to a fake website instead, even though they'd typed in the correct URL. This could also be a problem if your DNS server gets compromised, or if someone reconfigures your wireless router so that you use a rogue DNS server.

One way to protect yourself is to use https. If you know the correct address for the website, and you see a padlock in the address bar, you can be confident that this is the real site. (This isn't an absolute guarantee, e.g. if your PC is infected by a virus then it could add some self-signed certificates to your trusted store. However, it's certainly a step in the right direction.) Unfortunately, lots of banks haven't quite grasped this concept.

The good

PayPal are a shining example of how to do this right. If you go to:
http://www.paypal.com/
then you automatically get redirected to:
https://www.paypal.com/
You can access the secure site directly, and it has a green bar for "Extended Validation" (EV).

HSBC have two versions of their website:
http://www.hsbc.co.uk/
https://www.hsbc.co.uk/
Again, the secure site uses EV.

Halifax have two versions of their website:
http://www.halifax.co.uk/
https://www.halifax.co.uk/
They don't use EV (so the address bar is white rather than green), but I think a standard certificate is good enough for now.

The bad

Alliance & Leicester have two versions of their website:
http://www.alliance-leicester.co.uk/
https://www.alliance-leicester.co.uk/
The secure site uses EV, but I get a warning message because not all of the content is delivered using https. If you choose to just view the secure content, the address bar is green. If you choose to view everything, you don't get a padlock at all.

Lloyds TSB have their main website here:
http://www.lloydstsb.com/
However, changing "http" to "https" doesn't work:
https://www.lloydstsb.com/
I get an error, because the certificate was issued to "secure.lloydstsb.com". Even if I continue anyway, I can't see the site ("page not found"). Similarly, this site doesn't work either:
https://secure.lloydstsb.com/
They do in fact have a secure login site, which is here:
https://online.lloydstsb.co.uk/
It's not obvious, but it's something you could plausibly remember and type in.

Barclays have two versions of their website:
http://www.bank.barclays.co.uk/
https://www.bank.barclays.co.uk/
Like Alliance & Leicester, you get a warning message about the insecure content. Also, this is a slightly odd address for the website. The more obvious addresses would be:
http://www.barclays.co.uk/
https://www.barclays.co.uk/
These both redirect you to the http site. (It would obviously be better for the second one to redirect you to the https site.)

The ugly

Nationwide only offer an insecure site:
http://www.nationwide.co.uk/
The equivalent secure site simply doesn't exist:
https://www.nationwide.co.uk/
They do offer a secure site for online banking, but it's a bit of a cryptic address:
https://olb2.nationet.com/
Frankly, if I saw that in an email then I'd assume it was a phishing site.

The Royal Bank of Scotland offer a normal version of their website:
http://www.rbs.co.uk/
You can also go to the secure version:
https://www.rbs.co.uk/
However, this redirects you back to the insecure version! At this point, I think there's a fine line between stupidity and malice; they're going out of their way to stop people from using a secure connection. As the lolcats would say, "Ur doin it wrong!" The interesting thing is that they will let you use a secure connection when they advertise their security software:
https://www.rbs.co.uk/global/rapport.ashx
They also have a separate site to login to online banking (which uses EV):
https://www.rbsdigital.com/

NatWest are pretty similar to RBS, presumably because they're both part of "The Royal Bank of Scotland Group Plc". Again, they have a normal site:
http://www.natwest.com/
But their secure site just redirects you back to the insecure version:
https://www.natwest.com/
As with RBS, they offer a secure page to plug the Rapport software:
https://www.natwest.com/global/rapport.ashx
I don't know whether that software is any good, but I think they ought to get their own house in order before they ask me to reconfigure my PC. Their login page for online banking is here (using EV):
https://www.nwolb.com/
(Presumably that's an acronym for NatWest OnLine Banking.)

The Co-Operative Bank have a good reputation for high moral standards, and I've considered moving my accounts over to them. Sadly, they're a bit lacking in technical skills. Like RBS and NatWest, they have a normal website, and a secure site that just redirects back to the insecure one:
http://www.co-operativebank.co.uk/
https://www.co-operativebank.co.uk/
They do offer a secure login page, but it's a really clunky address:
https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
With most banks, I've been able to simplify the address by going to the root. In this case, that would be:
https://welcome27.co-operativebank.co.uk/
Unfortunately, that just redirects me back to the insecure version of the main site.

Santander are similar to the Co-Op. They have two versions of their website, but the secure version redirects you to the insecure version:
http://www.santander.co.uk/
https://www.santander.co.uk/
They have a secure login page, but the address is even worse than the Co-Op's:
https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare
So, that earns them the bottom spot on my list.

Looking at the Co-Op and Santander, I'd guess that those URLs are subject to change, i.e. they expect you to get there from the insecure site, not to bookmark them. They may well do some kind of "load balancing", e.g. if they have 27 servers for the Co-Op site then they might redirect you to a different one each time. So, just to reiterate what I said above, if someone can put up a fake version of the main (insecure) site, they could redirect you to a fake login page, and it would be hard to spot the difference.
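The good/bad/ugly categories above boil down to a few mechanical checks: where does the browser end up when you type the http and the https address, does the https page pull in content over plain http, and does the https request fail outright. The following Python script is an added example, not code from the post or its author; it classifies a redirect chain with those rules and scans a page's HTML for mixed content. The URL chains and the `MIXED_HTML` sample are constructed to mirror the cases in the post; `probe()` does a live fetch with urllib and needs network access.

```python
"""Classify a bank's landing page under http/https using the post's
good/bad/ugly criteria. Added example; sample chains and HTML below are
constructed for illustration."""
import ssl
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _InsecureResourceFinder(HTMLParser):
    """Collect embedded resources (script, img, iframe, ...) fetched over
    http; plain <a href> links do not trigger a mixed-content warning."""
    RESOURCE_TAGS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = self.RESOURCE_TAGS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr) or ""
        if value.lower().startswith("http://"):
            self.insecure.append(value)


def find_insecure_resources(html):
    """Return the http:// resource URLs embedded in an HTML document."""
    finder = _InsecureResourceFinder()
    finder.feed(html)
    return finder.insecure


def classify_landing(chain, html="", tls_error=False):
    """chain: URLs visited in order, from what the user typed to where the
    browser ends up. Returns (verdict, reason)."""
    start = urlsplit(chain[0]).scheme
    final = urlsplit(chain[-1]).scheme
    if tls_error:
        return "bad", "https address fails (certificate does not match host)"
    if start == "https" and final == "http":
        return "ugly", "secure address redirects back to plain http"
    if final != "https":
        return "ugly", "landing page only available over plain http"
    if find_insecure_resources(html):
        return "bad", "https page embeds content fetched over http"
    if start == "http":
        return "good", "plain http redirects to https"
    return "good", "https address served over https"


class _ChainRecorder(urllib.request.HTTPRedirectHandler):
    """Record each redirect target so the full chain can be classified."""
    def __init__(self):
        self.chain = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.chain.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def probe(url, timeout=10):
    """Live check (needs network): fetch url, follow redirects, classify."""
    recorder = _ChainRecorder()
    opener = urllib.request.build_opener(recorder)
    try:
        with opener.open(url, timeout=timeout) as resp:
            charset = resp.headers.get_content_charset() or "utf-8"
            body = resp.read().decode(charset, "replace")
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLError):
            return classify_landing([url], tls_error=True)
        return "ugly", f"request failed: {exc.reason}"
    return classify_landing([url] + recorder.chain, body)


# Constructed page: one script loaded over http is enough for a warning.
MIXED_HTML = ('<html><head><script src="http://cdn.example.net/site.js">'
              '</script></head><body><img src="https://www.example.com/l.png">'
              '<a href="http://www.example.com/">home</a></body></html>')

# Constructed chains mirroring the observations in the post.
CASES = {
    "paypal": (["http://www.paypal.com/", "https://www.paypal.com/"], ""),
    "rbs": (["https://www.rbs.co.uk/", "http://www.rbs.co.uk/"], ""),
    "nationwide": (["http://www.nationwide.co.uk/"], ""),
    "alliance-leicester": (["https://www.alliance-leicester.co.uk/"], MIXED_HTML),
}

if __name__ == "__main__":
    for name, (chain, html) in CASES.items():
        print(name, *classify_landing(chain, html))
    print("lloyds", *classify_landing(["https://www.lloydstsb.com/"], tls_error=True))
```

`probe()` reports whatever the site does today, which may differ from the 2010 observations in the post; the offline `CASES` are what the post describes.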

Edit: I've now set up a fake website to demonstrate what I'm talking about (see comments).

Comments:

From: rjw1
Date: March 3rd, 2010 10:09 pm (UTC)
then again the actual Barclays online banking is https://ibank.barclays.co.uk which is what the login button takes you to. It's also where you're told to go to when you sign up.
going to the http part of that does redirect to https.

in fact I only see the main site when I log out because I have ibank bookmarked.


next you need to investigate 3dsecure sites; they're even more fun :)
at least Barclays get that right and use a subdomain of barclays.co.uk

From: johnckirk
Date: March 4th, 2010 12:19 am (UTC)
Ah, that's useful to know - I just did Google searches to find the various bank websites, but if the bank gives out proper documentation then that's good.

I've come across the "Verified by Visa" pages a few times when I've been shopping online. So far I haven't had any trouble, but I'll keep my eyes open to research a future blog post :)
From: susannahf
Date: March 3rd, 2010 10:41 pm (UTC)
The co-op do I think have multiple servers (I'm fairly sure I've seen different numbers in the address). But I bookmark the main site, and then click through to the internet banking. I honestly don't see how that's so hard or bad.
From: johnckirk
Date: March 4th, 2010 12:04 am (UTC)
The basic idea of phishing emails is that people won't notice a fake website if it's sufficiently similar to the real one. Looking in today's spam emails, I've got a message which claims to be from egg.com but actually takes me to:
http://www.yuhantool.co.kr/yuboard/skin/board/support/img/index.htm
The real website is:
https://your.egg.com/security/customer/login.aspx?URI=https://new.egg.com/customer/youraccounts
The URLs look completely different, but the websites look quite similar.

Another approach is to make the URL look similar to the real one, e.g.
https://welcome27.co-operat1vebank.co.uk/
(I.e. an "i" replaced with a "1".)

Or:
https://welcome27.co-operativebank.example.co.uk/
(Sub-domain of different site.) I see that some enterprising company has registered the bank.com domain; if they were malicious (or got hacked), it would be pretty simple to set up convincing sub-sites, e.g.
www.barclays.bank.com

In your case, I'm sure that you do check the URL each time you log in, and you would spot a fake one. However, other people aren't so technically literate.

The catalyst for this post is that a couple of my work colleagues have wound up with fake anti-virus software installed on their machines. In one case I was able to clean up the laptop for her. The other person tried to "buy" the software, but it insisted on a zip code (which she didn't have), so she wound up paying Dell to clean the machine for her. Anyway, I've spent some time with both of them, trying to inform them about security. (I agree with what you've said before about user education.)

Ideally, I would just say to them "Always type 'https' at the start of the address, and make sure that you see the padlock. If you don't see the padlock, don't type in your password." So, for HSBC or PayPal, that's easy. For the Co-op, I have to say "Look closely at the address of the website, and make sure that it matches what you'd expect it to be", which is a harder skill.

For Santander, it's even worse, because the login page is on a completely different domain. I don't bank with them, so I vaguely remember seeing some posters about "Bank X is now Santander", and I assume that they used to be Abbey National, but I shouldn't have to research the corporate history before I log in.
From: gaspodog
Date: March 4th, 2010 01:39 am (UTC)
More importantly than checking the URL, you just don't click links in unsolicited emails - most real banks state in their terms that they will never email you directly asking for any of your security details. In fact, the sensible ones never ask you to enter your whole password at any point in their login process either.

My bank remind me of this fact pretty much every time I log in. I'd have to be pretty unobservant not to have read this advice by now. I tend to be of the opinion that beyond a certain point, users have to take some responsibility - good advice on sensible practice is trivially easy to find.

I still can't believe anybody actually clicks links in unsolicited email... But then, some people give their bank details to the 419 scammers too.
From: johnckirk
Date: March 4th, 2010 02:29 am (UTC)
Yes, I agree completely about "don't click links in emails". However, if there are people who do that (and don't notice the wrong address) then they would also be at risk from a fake (http) website that redirects them to a fake (https) login page.
From: alexmc
Date: March 4th, 2010 08:31 am (UTC)
If you have been an abbey customer then you would have been bombarded with stuff telling you that they are now Santander. No "research" required.
From: johnckirk
Date: March 4th, 2010 10:22 am (UTC)
That's not really the problem; if I used to be with Abbey then I'd recognise their old domain anyway. But what if I'm a brand new Santander customer - would they bombard me with stuff saying "We used to be called Abbey National"?
From: alexmc
Date: March 4th, 2010 10:54 am (UTC)
If you were a new Santander customer then everything you see would now be Santander, not Abbey/Abbey National.
From: johnckirk
Date: March 4th, 2010 10:59 am (UTC)
No, you don't - that's my whole point! As I said in the post above, here is the link for the secure login page on the Santander website:
https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare

Note that the domain there is "abbeynational.co.uk" rather than "santander.co.uk". So, as a new customer, should I be concerned that a completely different website is asking for my bank password?
From: alexmc
Date: March 4th, 2010 11:19 am (UTC)
ah, I see. Thanks.
From: johnckirk
Date: March 4th, 2010 02:12 am (UTC)
Following up on my previous comment, it occurs to me that I may not be explaining this very clearly. So, I've set up a demo website to demonstrate the risk. (I apologise in advance if this sounds patronising.)

1. On your PC, modify the HOSTS file to add this line:
88.202.220.227 www.co-operativebank.co.uk
(That's my static IP address at home - please don't report me for running a phishing site!)

2. In your web browser, go to:
http://www.co-operativebank.co.uk/
(You can use your existing bookmark for this.) You should now be looking at the fake copy on my server, although it should look identical to the real site, including the real name in the address bar at the top. However, I haven't bothered to copy all the pages, so if you click "Current accounts" then you'll get a 404 error. (This will also confirm that you're on the fake site.)

(I've tested this from my home PC, and verified that I see the fake site. I haven't tried it from an external PC, so if this doesn't work then I'll need to tweak the firewall.)

3. Click the "Banking login" button (or the "Personal login" button in the drop down menu). This will take you to my fake version of the login page, but it is a secure connection with a genuine SSL certificate, so you'll see the padlock. (Since I'm not completely Evil, I haven't implemented the "OK" button, but there's no point in entering your details anyway.)

4. Close your browser, modify your HOSTS file again, and remove the line you added earlier.

So, here's the big question: would you have noticed anything suspicious about that login page if I hadn't warned you? How about the average user?

In this case, there's not much risk to you, because this demo relies on you mangling your own config file. However, suppose that I was corrupt. I could then go round to the PCs at work, and use my admin powers to modify their HOSTS files. Or, more simply, I could just reconfigure our DNS server, to affect everyone at once. That way, the next time someone used their office PC to do internet banking, I'd be able to steal all their money. I personally wouldn't do that, but what if someone else could guess my password? Or what if someone at our ISP is corrupt, and they modify their DNS records?

(I should point out that I'm not trying to say "my bank's the best" - I'm currently with Lloyds TSB, who I've put in the "bad" category.)

Anyway, hopefully this makes some sense, so you can see why I think the Co-op method is bad (even if you disagree with me).

Edited at 2010-03-04 02:24 am (UTC)
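The HOSTS-file override used in this demo is the same mechanism as the virus mentioned at the start of the post, and it is easy to audit for. The following Python script is an added example, not code from the post or its author: it parses a HOSTS file and flags any entry that redirects a watch-listed host, plus any non-loopback mapping at all (unusual on an ordinary PC). The sample file contents, the watch-list and the 203.0.113.10 address are constructed for illustration; run it with no arguments and it audits the real HOSTS file of the machine it is on.

```python
"""Audit a HOSTS file for entries that hijack name resolution. Added
example; SAMPLE_HOSTS, WATCHLIST and the 203.0.113.10 address are
constructed for illustration."""
import ipaddress
import os
import sys

# Constructed watch-list: hosts whose resolution should never come from
# the local HOSTS file (domains taken from the post).
WATCHLIST = {
    "www.co-operativebank.co.uk",
    "www.hsbc.co.uk",
    "www.paypal.com",
}

# Constructed sample: two harmless entries, then the kind of line that
# step 1 of the demo adds, then an unrelated non-loopback override.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net                 # blocklist-style entry
203.0.113.10    www.co-operativebank.co.uk      # bank host overridden
203.0.113.10    intranet.example.org
"""


def hosts_path():
    """Location of the system HOSTS file on Windows or Unix-like systems."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS text,
    skipping comments, blank lines and lines with an unparsable address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower(), line_no


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, ip, reason) for suspicious mappings:
    any watch-listed host, and any name mapped to a routable address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watchlist:
            findings.append((line_no, name, str(ip), "watchlisted host overridden"))
        elif not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, name, str(ip), "non-loopback override"))
    return findings


def audit_file(path):
    """Audit a HOSTS file on disk (reading with replacement for odd bytes)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    results = audit_file(path) if os.path.exists(path) else audit_hosts(SAMPLE_HOSTS)
    for line_no, name, ip, reason in results:
        print(f"{path}:{line_no}: {name} -> {ip} ({reason})")
```

Treating any non-loopback entry as a finding is deliberately strict: legitimate overrides (the disaster-recovery case mentioned later in the thread) exist, but they are rare enough on a user's PC that each one deserves a look.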
From: gaspodog
Date: March 4th, 2010 11:54 am (UTC)
The main problem here though is that if you've been infected with a virus which can modify your HOSTS file, then it's already managed to acquire root privileges. At this point, it can pretty much do what it wants - track your web usage, log your keystrokes, scrape the screen each time you log in to internet banking and build up your password over successive logins (getting around the "enter characters 1, 5, and 7 of your password" approach the sensible banks use).

The key user behaviour to reinforce in this instance is the installation of good antivirus software from a reputable supplier. Microsoft's Security Essentials is a pretty decent package which is completely free and very simple to use.

If your DNS has been poisoned further upstream, then there's not a lot you can do - assuming the fake site is a faithful facsimile of the real one. As you've noted, the phishing sites all have security certificates now, so they get the little padlock many users have been trained into associating with security. EV is a step beyond this, but it's surely only a matter of time before this method falls over in some way and we move on to the next. The technological aspects of the fraud are going to evolve in step with the countermeasures - the only constant here is user behaviour, and good practice in this regard remains pretty much the same regardless of the specific technology involved:

- Use strong passwords and don't share them with anybody else.
- Preferably use a different password for each service. At the very least your online banking password should be unique.
- Install antivirus software and keep it up to date (if using Windows).
- Delete unsolicited email - and at the very least never click links in said email.
- Be observant - keep an eye out for suspicious activity on your account, and if you're in any doubt about a transaction, call your bank.
Optionally:
- Don't use IE
- Don't use Windows

On the bank's side, they can help by doing the following:
- Educating their users at every opportunity.
- Never ask for entry of a complete password (NatWest do this, Bank of Scotland don't)
- Use 2-factor authentication for any money transfers out of accounts. (most do this with their 'card reader' devices now)

If banks do all of these things, it will help, but it's safe to assume any security feature they come up with will be broken at some point. It at least discourages more casual / less competent phishing strategies though.

If users learn and keep in mind all the things stated above, then it becomes an awful lot harder to be defrauded. Never assume you won't be though - complacency is the criminal's best friend.
From: susannahf
Date: March 4th, 2010 12:08 pm (UTC)
That all sounds like very sensible advice

Incidentally - you mention 2-factor authentication. When I use this to verify transactions with the Co-op, they always remind me to do an extra check step. The way their system works is that once you've entered your pin on the card reader, it asks you for a numerical transaction code, and then it provides you with a response to this, which you enter on the website. So the co-op website gives you the transaction code, and you give back the response.
The last 4 digits of the transaction code *always* correspond to the last 4 digits of the recipient's account number. Now, theoretically, I shouldn't have to check this, right? Because I'm using the co-op's site and they are giving me all this data. But what if there was a man-in-the-middle attack that was feeding me data from the co-op but then, when I try to make a transaction, changing the destination of the money? Everything would look OK except that those 4 digits would almost certainly not match. And I would go "eeep", cancel the transaction, and phone them up. And even if the scammers were clever enough to remove that code from the html they served me, all the many times I've used the system have trained me to check this number, because it's highlighted as a really important step each time (including what to do if they don't match).

The power of user edumacation.
From: susannahf
Date: March 4th, 2010 12:13 pm (UTC)
Re-reading, when I refer to removing "that code", what I mean is the code that goes "oi check that those numbers match THIS IS REALLY REALLY IMPORTANT, if they don't match then don't enter anything and call us on this number NOW!"
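The transaction-code check described in the two comments above (the challenge's last four digits match the recipient's account number) is worth seeing end to end, because it gives two independent defences against a man-in-the-middle that swaps the recipient: the bank's challenge is bound to the recipient it actually received, and the user compares those digits against the account they meant to pay. The Python model below is an added example and is not the Co-op's real scheme, which the comment only describes from the outside: the HMAC-based card response, the card key and the account numbers are constructed assumptions.

```python
"""Model of a card-reader transfer confirmation where the challenge's last
four digits are the recipient's. Added example with constructed values;
real CAP readers derive the response differently."""
import hashlib
import hmac
import secrets

# Constructed card key: in the real scheme this secret lives on the chip.
CARD_KEY = b"constructed-demo-card-key"


def make_challenge(recipient_account, nonce=None):
    """Bank side: an 8-digit challenge, four random digits followed by the
    last four digits of the recipient account the bank was asked to pay."""
    nonce = secrets.randbelow(10_000) if nonce is None else nonce
    return f"{nonce:04d}{recipient_account[-4:]}"


def card_response(challenge, key=CARD_KEY):
    """Card reader side, after PIN entry: an 8-digit response derived from
    the challenge (modelled as a truncated HMAC-SHA256)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(challenge, response, recipient_account, key=CARD_KEY):
    """Bank accepts only if the response is right for this challenge and the
    challenge was built for this recipient; a response computed over any
    other challenge (e.g. one a man-in-the-middle showed the user) fails."""
    return (challenge[-4:] == recipient_account[-4:]
            and hmac.compare_digest(card_response(challenge, key), response))


def user_check(challenge, intended_recipient):
    """The manual step the comment describes: do the challenge's last four
    digits match the account number you intended to pay?"""
    return challenge[-4:] == intended_recipient[-4:]


def simulate_transfer(intended_recipient, mitm_recipient=None, nonce=1234):
    """One transfer. If a man-in-the-middle swaps the recipient on the way
    to the bank, the bank's genuine challenge carries the attacker's digits
    and the user's check catches it before the card is even used."""
    submitted = mitm_recipient or intended_recipient
    challenge = make_challenge(submitted, nonce=nonce)
    if not user_check(challenge, intended_recipient):
        return "cancelled: challenge digits do not match intended recipient"
    response = card_response(challenge)
    return "accepted" if bank_verify(challenge, response, submitted) else "rejected"


if __name__ == "__main__":
    print("honest transfer:", simulate_transfer("12345678"))
    print("recipient swapped:", simulate_transfer("12345678", mitm_recipient="99990000"))
```

The second defence matters when the attacker also forges the page: if they show the user a challenge with the "right" digits, the card's response is over the forged challenge, and `bank_verify` rejects it because the bank's own challenge was different. The user check is what remains if the attacker can hide that step from the page, which is why the comment stresses the training effect of seeing it every time.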
From: johnckirk
Date: March 4th, 2010 08:02 pm (UTC)
That sounds useful - I don't have 2-factor authentication with Lloyds TSB, so if someone intercepted my passwords then they could do as many transactions as they liked.
From: johnckirk
Date: March 4th, 2010 07:54 pm (UTC)
Yes, that's a fair point about the HOSTS file; if your system has been compromised then you're in big trouble.

Regarding upstream DNS poisoning, I think that this is where certificates are really valuable. Back in 2005, I wrote about code signing certificates, and I said:

"Basically, before you run an application, there are two questions you should ask:

a) Do I trust the person/company who wrote it?

b) Am I sure that they did actually write it (and that nobody has tampered with it since)?

Code signing only addresses the second question, not the first. So, it's just a part of the overall solution, but it is a necessary part."


For websites, there are two similar questions:
1) Is the domain name correct?
2) Does it have an SSL certificate (i.e. is there a padlock)?

I've now got my fake website demo up and running, which involves two pages:

1) The main website:
http://www.co-operativebank.co.uk/
This has the correct domain name, but no certificate.

2) The login page:
https://jck.golgotha.org.uk/Coop/login.html
This has a certificate, but it's the wrong domain name.

I can't get a certificate for the Co-op's domain. I could create one for myself, but it wouldn't be issued by a trusted CA, so this would display a warning message when anyone tried to access the site.

So, the ideal scenario is that you should go to the bank's website (by typing the URL or using a bookmark), and that initial "landing page" should be secured by an SSL certificate. Some banks support that, which is good. Other banks don't, which is bad.

I agree with some of your advice, although we may have to agree to differ on whether Windows is inherently less secure than other OSes :) Regarding anti-virus software, this has the problem of enumerating badness, so it will never provide full protection. In particular, I just wrote a small program to modify the HOSTS file; it has to be run elevated, but my anti-virus software (McAfee VirusScan Enterprise) doesn't complain. This isn't really a virus in the classical sense, since it's not infecting other files. Instead, the program is doing exactly what it's intended to do, and there can be legitimate reasons to modify that file (e.g. during a disaster recovery scenario). Some AV software may use heuristic methods to detect suspicious behaviour, although you then run the risk of false positives. If anyone wants to try it out, I'd be interested to know whether your AV complains.

You can download it from here:
http://www.golgotha.org.uk/livejournal/20100303/Hosts.exe
(17kb, requires .NET framework 2.0).

If you prefer to compile the source yourself, that's here (89 kb):
http://www.golgotha.org.uk/livejournal/20100303/Hosts.zip
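The two questions in the comment above (is the domain name correct, and is there a valid certificate for it) can be checked separately, and the demo site fails exactly one of them on each page. The Python below is an added example, not code from the post or its author: it implements certificate host-name matching (exact or a single leading wildcard label, as in RFC 6125), a "same domain or a sub-domain of it" check for question 1, and combines them for a login URL. The certificate name lists are constructed to mirror the cases in the thread (the demo login page, the Lloyds TSB mismatch, the co-operat1vebank look-alike) rather than fetched from the banks; `live_cert_names()` retrieves real names over the network and relies on the `ssl` module's default context for the trust decision.

```python
"""Question 1 (right domain?) and question 2 (valid certificate for that
host?) as separate checks. Added example; certificate name lists in CASES
are constructed, not fetched."""
import socket
import ssl
from urllib.parse import urlsplit


def hostname_matches(hostname, cert_names):
    """Exact match, or a single leading wildcard label: *.example.com
    matches a.example.com but neither a.b.example.com nor example.com."""
    host = hostname.lower().rstrip(".")
    for pattern in cert_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:
            if host.endswith(pat[1:]) and host.count(".") == pat.count("."):
                return True
    return False


def in_expected_domain(hostname, expected_domain):
    """Question 1: the host is the expected domain or a sub-domain of it.
    Look-alikes (co-operat1vebank, bank.example) fail this test."""
    host = hostname.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def assess_login_page(url, expected_domain, cert_names=(), cert_trusted=False):
    """Combine both questions for a login URL. cert_names and cert_trusted
    describe the certificate the server presented (none for plain http)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain_ok = in_expected_domain(host, expected_domain)
    padlock = (parts.scheme == "https" and cert_trusted
               and hostname_matches(host, cert_names))
    if domain_ok and padlock:
        verdict = "ok"
    elif domain_ok:
        verdict = "right domain, no valid certificate"
    elif padlock:
        verdict = "valid certificate, wrong domain"
    else:
        verdict = "wrong domain and no valid certificate"
    return {"host": host, "domain_ok": domain_ok, "padlock": padlock, "verdict": verdict}


def live_cert_names(host, port=443, timeout=10):
    """Fetch the DNS names from a server's certificate (needs network). The
    default ssl context already rejects untrusted or mismatched certs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed cases: (url, expected domain, names in presented cert, trusted)
CASES = {
    "demo main page": ("http://www.co-operativebank.co.uk/", "co-operativebank.co.uk", (), False),
    "demo login page": ("https://jck.golgotha.org.uk/Coop/login.html", "co-operativebank.co.uk",
                        ("jck.golgotha.org.uk",), True),
    "lloyds www": ("https://www.lloydstsb.com/", "lloydstsb.com", ("secure.lloydstsb.com",), True),
    "look-alike": ("https://welcome27.co-operat1vebank.co.uk/", "co-operativebank.co.uk",
                   ("welcome27.co-operat1vebank.co.uk",), True),
    "paypal": ("https://www.paypal.com/", "paypal.com", ("www.paypal.com", "paypal.com"), True),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {assess_login_page(*args)['verdict']}")
```

The split matters for user advice: a browser's padlock answers only question 2, so the demo's login page passes it, while the look-alike domain passes it too if its owner obtained a certificate. Question 1 needs an expected domain from somewhere other than the page itself (documentation, a bookmark made at sign-up), which is the point the thread keeps coming back to.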