[17414] in cryptography@c2.net mail archive


Re: AmEx unprotected login site

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Jun 8 21:28:35 2005

X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Jerrold Leichter <jerrold.leichter@smarts.com>,
	Amir Herzberg <herzbea@macs.biu.ac.il>, cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 08 Jun 2005 19:01:37 EDT."
             <8764woh2r2.fsf@snark.piermont.com> 
Date: Wed, 08 Jun 2005 19:28:16 -0400

In message <8764woh2r2.fsf@snark.piermont.com>, "Perry E. Metzger" writes:
>
>"Steven M. Bellovin" <smb@cs.columbia.edu> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly sent you an
>>>altered version of the page.
>>
>> They're doing the wrong thing, and probably feel they have no choice.  
>> Setting up an SSL session is expensive; most people who go to their 
>> home page do not log in, and hence do not (to Amex) require 
>> cryptographic protection.
>
>That's why Citibank and most well run bank sites have you click on a
>button on the front page to go to the login screen. There are ways to
>handle this correctly.

There's an attack there, too -- one can divert the link to the login 
screen.
>
>The other major offender are organizations (such as portions of
>Verizon) that subcontract payment systems to third parties. They are
>training their users to expect to be directed to a site they don't
>recognize to enter in their credit card information. "Really! This is
>your vendor's payment site! Pay no attention to the URL and
>certificate!"
>
>That one in particular takes amazing brains...
>
It's a tough problem: they want to outsource the payment processing, 
but don't have the infrastructure to do so properly.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
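The problem the thread describes, a login form served from a page that was not itself delivered over SSL, is something a site owner can audit for. Below is an added example, not part of the original message or any product mentioned in it: a small Python check that parses a page and flags any password form that was fetched over plain HTTP, posts over plain HTTP, or posts to a host other than the one that served the page. The example.com hostnames and the sample HTML are constructed for illustration.

```python
# Added example (not from the thread): audit password forms the way the
# discussion above suggests. A form is flagged if the page carrying it was
# fetched over plain HTTP (it could have been altered in transit), if it
# posts over plain HTTP, or if it posts to a host other than the page's own.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None  # each form: [action, has_password_field]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [a.get("action") or "", False]
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_login_forms(page_url, html):
    """Return a list of findings (strings) for password forms in html."""
    scanner = _FormScanner()
    scanner.feed(html)
    page, findings = urlsplit(page_url), []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urlsplit(urljoin(page_url, action))  # resolves relative actions
        if page.scheme != "https":
            findings.append("login form delivered over %s: page not authenticated" % page.scheme)
        if target.scheme != "https":
            findings.append("login form posts over %s to %s" % (target.scheme, target.netloc))
        if target.netloc.lower() != page.netloc.lower():
            findings.append("login form posts to another host: %s" % target.netloc)
    return findings

# Constructed sample: an HTTP home page whose login form posts to HTTPS.
SAMPLE_HTML = ('<form action="https://www.example.com/login" method="post">'
               '<input name="user"><input type="password" name="pass"></form>'
               '<form action="/search"><input name="q"></form>')

if __name__ == "__main__":
    print(audit_login_forms("http://www.example.com/", SAMPLE_HTML))
```

The same-host check also covers the outsourced-payment case raised above, where the form hands the user off to a host the user has no reason to recognise.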
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com