Re: Bank Of America - sign on process - how is this secure?

From: Barry Margolin (barmar@genuity.net)
Date: 11/27/02

In article <3DE4C5C9.4020509@telia.com>,
Henrick Hellström <henrick@streamsec.se> wrote:
>Do you mean that the converse might be the case, i.e. that the login
>page is a https page displayed with a pad lock, while the user password
>is sent unencrypted to a http URL?

It's possible. As has been mentioned, most browsers warn about this by
default when you click on the submit button, but users often disable many
of the security warnings (they produce lots of false alarms, and most users
are not savvy enough to distinguish the real problems from the false ones).

>I don't think that is likely to be an issue when it comes to internet
>banking. What you describe would make the bank liable for any damages
>caused by stolen passwords and user identities. It's in the best
>interest of the bank not to publish such login pages at their site. The
>user might rely on the fact that the login form is authentic (because of
>the pad lock) and that the bank is responsible for whatever it does.

If your identity is stolen as a result of this, I expect you'd have a hard
time proving that it was done during a transaction with this bank. So even
if they were liable, they could probably avoid a significant judgement
against them.

BTW, I just read a message in RISKS that said that eBay's password-change
page sends the new password to the server over an unencrypted connection!
You'd think that a company like eBay would know better, wouldn't you?

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
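The failure mode discussed above (a login page served over https, showing the padlock, whose form posts the password to an http URL) can be audited mechanically rather than relying on the browser's submit-time warning. The following is an added example, not code from the original thread or from any bank; the page URL and HTML are constructed for the demonstration, and the regex-based form extraction is a simplification of real HTML parsing. It also covers the related cases of a relative action (which inherits the page's scheme and is therefore fine) and a plain-http form that carries no password field:

```javascript
// Added example (not from the original thread): audit an HTML page for login
// forms whose submission target is plain HTTP, the failure mode the post
// describes (padlock on the login page, password posted in the clear).
// Form extraction uses a regex, which is adequate for well-formed pages but
// is not a full HTML parser. The sample page URL and HTML are constructed.

function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const actionMatch = attrs.match(/\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    const action = actionMatch ? (actionMatch[1] ?? actionMatch[2] ?? actionMatch[3]) : "";
    const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password["']?/i.test(body);
    forms.push({ action, hasPassword });
  }
  return forms;
}

// Resolve a form's action against the page URL the way a browser does:
// an empty action submits back to the page itself, a relative action
// inherits the page's scheme, and an absolute http:// action downgrades.
function resolveAction(pageUrl, action) {
  return new URL(action || "", pageUrl);
}

// Return every form on an https page that contains a password field and
// would submit it over http.
function findInsecureForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const form of extractForms(html)) {
    const target = resolveAction(pageUrl, form.action);
    const downgrade = page.protocol === "https:" && target.protocol === "http:";
    if (downgrade && form.hasPassword) {
      findings.push({ action: form.action, target: target.href });
    }
  }
  return findings;
}

// Constructed sample: an https login page with three forms. Only the first
// is the dangerous case; the second stays on https and the third carries
// no password.
const SAMPLE_PAGE_URL = "https://www.example-bank.test/login";
const SAMPLE_HTML = `
<html><body>
<form method="post" action="http://www.example-bank.test/cgi-bin/signon">
  <input type="text" name="user">
  <input type="password" name="passcode">
</form>
<form method="post" action="/secure/signon">
  <input type="text" name="user">
  <input type="password" name="passcode">
</form>
<form method="get" action="http://search.example-bank.test/q">
  <input type="text" name="q">
</form>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findInsecureForms(SAMPLE_PAGE_URL, SAMPLE_HTML));
}
```

Run it against a saved copy of a login page with the page's real URL; an empty result means no password-bearing form downgrades to http. The check is deliberately limited to forms that actually carry a password field, since a plain-http search form on the same page is a different (and much smaller) problem.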
