Many Banks failing to use SSL authentication

Many Banks failing to use SSL authentication

Summary: American Banks are getting in F in basic online Banking security by failing to prove to you who they are. See if your bank is on the list.

SHARE:
TOPICS: Security
102

In a recent SANS blog, the issue that many banks are using non-SSL login forms has raised some serious concerns about the lack of good Banking security.  They even posted this Online Banking score board showing which Banks are practicing good security and which aren't.

What's actually happening is that Banks are using SSL for encryption, but they're not using it to prove the Bank's authenticity to you the customer.  Encryption is useless if you don't know who you're talking to is the entity you're intending to talk to.  This means that it's extremely easy to intercept and spoof a Bank that doesn't use SSL login forms.  Unsuspecting users will login to a fake online Bank and enter their login credentials which get captured by the bad guys.  Once they have it, they can just transfer some money to their own bank accounts.

Among the ones listed in the bad security category, American Express was one of them.  Not only does American Express not use SSL authentication by default, but it uses a bad Digital Certificate even when you manually type in HTTPS in the address bar to force SSL authentication.  You get the warning below that "the name on the security certificate is invalid or does not match the name of the site".

When you click on the "View Certificate" button, you get the following which shows that the Certificate was actually assigned "a248.e.akamai.net" and not to "home.americanexpress.com" as it should be.  How am I suppose to know that I'm really visiting American Express?  The truth is you don't when American Express refuses to do something as simple as getting a valid digital certificate.  Are we to believe that American Express can't afford a valid $60/year Digital Certificate?  Shame on them!

USA Banks failing to use SSL authentication includes:

Outside of the USA, only HSBC fails to use SSL authentication though the list is still being updated.  This looks really ugly for the American Banking system as a whole and it's time that they cleaned up their act and learn to use some basic cryptography.  If you have a bank on this hall of shame list where "SSL Login Form" is listed as "optional", be sure to complain to them that this is unacceptable.  I'll also be following up with these banks and if they don't do anything soon, I'll be sure to escalate the issue to the proper channels.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

102 comments
Log in or register to join the discussion
  • Deceptive Post - pure FUD

    The American Express login page is not transmitted using https, but the post of login information back to the server is done over https. Check the JavaScipt that checks the form and then triggers the post.

    There's nothing sensitive being transmitted when you first go to the page. That starts when you hit login.

    Having https come up on load of the login form, while reassuring, is meaningless. A site loaded over plain http can post using https, and a site using https can post to a site using http. The only way to figure out what it's going to do for certain is to look at the HTML and associated javascript.

    As for your error message on displaying the login page, of course something like that is going to come up when you force a page to be loaded using https that was designed for http. Some of their stuff is being served by akamai. That's not at all uncommon for unencrypted traffic.

    If I worked for one of the institutions mentioned I would sue you for libel.
    Erik Engbrecht
    • You don't understand.

      Encryption is useless if you don't know who you're talking to is the entity you're intending to talk to
      georgeou
      • No question of that...

        ...and I think you could easily construct a valid critism of pretty much all online transactions around that point.

        You provided no valid proof that the sites in question were less secure than other sites. All you found were technically irrelevant signs.

        Now, would I submit a banking login to a page not loaded over https? Probably not, because I don't want to dig through the html and javascript to see if it's going to securely post my information to where I think it should go.

        But in the end what American Express is doing appear to be just as secure as what other banks do. The way it's doing it just raises a red flag that it might not be secure.

        American Express is using SSL for authentication. They just aren't putting the https in your address bar soon enough to give you a warm fuzzy about it. There's no question that they should change that because giving customers warm fuzzies is important.

        But the warm fuzzy is essentially meaninging.
        Erik Engbrecht
        • I didn't slander anyone, it's factual

          They're not going to be suing me or SANS or anyone, they should be ashamed instead.

          This is crypto authentication 101. If you don't see a problem, then I'm sorry for you. But I'm going to hammer these guys until they fix it.
          georgeou
          • So enlighten me

            How does posting login information to:
            https://sso.americanexpress.com/SSO/logon.fcc

            NOT involve SSL authentication? Because that's where the posted information is going.

            The title of your blog clearly states that it doesn't.
            Erik Engbrecht
          • You're skipping steps

            The first page is what's most important, that you know you're on American Express' website. It's too easy to spoof a site without it and you'd be handing your username/password to them. Don't tell me that normal people will crack the code open to see if it's going to https://sso.americanexpress.com/SSO/logon.fcc. There is no way that's going to happen. This is totally unacceptable.
            georgeou
          • Re: You're skipping steps

            I don't get it. If I type in www.americanexpress.com or click on my bookmark that I created previously, where else am I going to get to, besides American Express? Your concerns do seem overblown.
            stv@...
          • Very easy to hijack

            If you're using a Wireless LAN with no encryption (many homes and all hotspots) or you're running WEP, it's extremely easy to take over your network and be the man in the middle. From there, http://www.americanexpress.com can easily be spoofed and you'd be handing your username/password to the attacker. With httpS://www.americanexpress.com, the hijacker cannot spoof the certificate and you'd know. The hijacker might try and trick you in to accepting a bogus certificate, but you'd at least get some warning.

            Another way to spoof a site is if a DNS server is hijacked and you're being fed the wrong IP address. Again, httpS would help you determine that there is a problem.
            georgeou
          • That's not the linkI use to login to AMEX

            That's interesting, that's not the link I use to log in to AMEX--the link I use goes to a secured page and there are no problems with the certificate (I'm using IE 7 Beta 2 which is pretty good about pointing out problems with certificates). If you'd like to try it: https://www99.americanexpress.com/myca/logon/us/en/en_US/logon/LogLogon.jsp?DestPage=https%3A%2F%2Fwww99.americanexpress.com%2Fmyca%2Facctsumm%2Fus%2Faction%3Frequest_type%3Dauthreg_acctAccountSummary%26entry_point%3Dlnk_homepage%26aexp_nav%3Dsc_checkbill
            frank_s
          • He's right...this time

            [b]It's too easy to spoof a site without it and you'd be handing your username/password to them.[/b]

            There isn't much in the technical side of things George and I agree on, but he's right this time. If you're loading the form off port 80 and posting over ssl, it makes it that much easier for phishing attacks to spoof the login page.

            Is it really that much more overhead or that confusing to establish the session over SSL? That's got "marketing department" written all over it. Probably some comment like "Our customers get confused with the certificate information so why put them through that?"

            It's a small point but still valid. And one of those things that happens when the marketing tail is wagging the IT dog.
            Chad_z
          • Neither here nor there

            But slander and libel aren't the same, by definition, but you know that.
            D T Schmitz
          • I stand corrected, only your TITLE is pure FUD

            The title of your blog is pure FUD.

            That's what I get for jumping down instead of carefully reading it.

            Once again I fall victim to your sensationalistic titles. I have to learn to stop clicking on them.
            Erik Engbrecht
          • Title is correct

            The Banks are not proving themselves to you, that's priority number 1. They're failing to authenticate to you. All they're doing is SSL encryption which may or may not be on as far as the user is concerned unless they crack open to code.

            So banks are encrypting authentication material, but they're skipping the most important part which is to prove to you that they are who they say they are. As for the Akamai excuse, that?s their problem not mine. This is Online Banking we?re talking about.
            georgeou
          • Title is deceptive

            The SANs blog is short, factual, and to the point.

            Your blog entices people to jump the gun, which I did, so touche. I suppose I should stop critizing you for doing your job (getting hits for zdnet).
            Erik Engbrecht
          • Like I said, banks are NOT using SSL authentication

            They're only doing SSL on the backend server which isn't visible to the user. They're not doing it where it counts, on the main visible page itself.
            georgeou
          • George, you aren't too clear on this

            Here's the subject for your post:
            >Like I said, banks are NOT using SSL authentication<

            You even put the word NOT in caps. A casual reader who didn't know you, would think that you are stating that banks are NOT using SSL.

            Then in the body of the same post you state:
            >They're only doing SSL on the backend server which isn't visible to the user.<

            Which would lead the reader to believe that banks ARE in fact using SSL (but in a way invisible to the vistor), which contradicts the statement you made in the subject.

            I agree with you that banks should straighten this out just so that you and everyone else aren't so confused about what going on with their web sites.

            BTW, I purposely made the subject of this post ambiguous as an homage to you. Just keep us on our toes George.
            WiredGuy
          • Oh but I am clear

            They are using SSL for encryption, but they're failing to do it on the main page to Authenticate themselves to you.
            georgeou
          • George, your beating a dead horse.

            I just logged onto my bank and it is https and the lock on the lower info is closed. My bank is Washington Mutual. You source or you are missinforming ZDnet readers. Shame, shame, shame on you.

            Walt
            sykandtyed
          • No, shame on you

            I'm not misinforming anyone. I just checked again and they're prompting for username and password on an HTTP page. You have no way of knowing if you're on Washington Mutual or not.
            georgeou
          • url

            wouldnt the washington mutual site indicate whther you are at wamu or not???
            richvball44