Online banking - John C. Kirk

Mar. 3rd, 2010

09:33 pm - Online banking

Date: March 4th, 2010 07:54 pm (UTC)
Yes, that's a fair point about the HOSTS file; if your system has been compromised then you're in big trouble.

Regarding upstream DNS poisoning, I think that this is where certificates are really valuable. Back in 2005, I wrote about code signing certificates, and I said:

"Basically, before you run an application, there are two questions you should ask:

a) Do I trust the person/company who wrote it?

b) Am I sure that they did actually write it (and that nobody has tampered with it since)?

Code signing only addresses the second question, not the first. So, it's just a part of the overall solution, but it is a necessary part."

For websites, there are two similar questions:
1) Is the domain name correct?
2) Does it have an SSL certificate (i.e. is there a padlock)?

I've now got my fake website demo up and running, which involves two pages:

1) The main website:
This has the correct domain name, but no certificate.

2) The login page:
This has a certificate, but it's the wrong domain name.

I can't get a certificate for the Co-op's domain. I could create one for myself, but it wouldn't be issued by a trusted CA, so this would display a warning message when anyone tried to access the site.

So, the ideal scenario is that you should go to the bank's website (by typing the URL or using a bookmark), and that initial "landing page" should be secured by an SSL certificate. Some banks support that, which is good. Other banks don't, which is bad.

I agree with some of your advice, although we may have to agree to differ on whether Windows is inherently less secure than other OSes :) Regarding anti-virus software, this has the problem of enumerating badness, so it will never provide full protection. In particular, I just wrote a small program to modify the HOSTS file; it has to be run elevated, but my anti-virus software (McAfee VirusScan Enterprise) doesn't complain. This isn't really a virus in the classical sense, since it's not infecting other files. Instead, the program is doing exactly what it's intended to do, and there can be legitimate reasons to modify that file (e.g. during a disaster recovery scenario). Some AV software may use heuristic methods to detect suspicious behaviour, although you then run the risk of false positives. If anyone wants to try it out, I'd be interested to know whether your AV complains.

You can download it from here:
(17kb, requires .NET framework 2.0).

If you prefer to compile the source yourself, that's here (89 kb):