Online banking customers logging onto the HSBC website last week were confronted by potentially confusing warnings about a security certificate. Business banking customers logging onto ukbusiness.hsbc.com were greeted with a notice that the site couldn't be verified because its certificate had expired. HSBC said the problem …
Imagine a safety critical system...
Imagine a safety critical system with a firewall that checks the certificate. This is the scenario the sellers of firewalls are after to defend against 'terrorist' cyber attacks.
Now imagine that they forget to renew the certificate and bingo, they can no longer turn on the safety cooler on your nuclear reactor because the firewall rejects the commands to do it.
I think they should continue to do what they've always done and not connect critical control systems to public networks.... it's the best way to protect a system.
Hmm, "due care and attention"?
It strikes me that the business/security processes surrounding their website are, ahem, somewhat on the loose side of efficient. It's not exactly hard to predict when a cert expires, and there's no law against getting a new one early.
Having said that, HSBC engages in a few practices I would definitely warn customers about. It has started a "global logon" scheme where with one logon you get a consolidated view of all your accounts globally. It fails to mention that you can be compelled by UK tax authorities to give up your logon credentials, at which point you expose all your assets. Ditto if your details got hacked (all you need is a screen logger and that virtual keyboard is history, plus the session is prone to phishing/man-in-the-middle risks like virtually every other ebank setup).
I do not promote tax evasion (it's a dumb idea - move country instead), but there could be many reasons why a bit of segregation is an intelligent idea, but I notice a remarkable absence in the HSBC literature on the risks of this 'feature'.
Is this the price they agreed to pay for keeping Inland Revenue at bay? Customer entrapment?
Stupid, stupid banks.
"there were no security risks associated with the certificate expiring" - Apart from training their users that bad certificates are OK. Therefore there's really no point in having certificates at all.
This is the same line of thought that brings the "unexpected purchase on a credit card" call. If you make a purchase on a card that doesn't fit with the bank's idea of your profile, it's red-flagged. An automated call is made to your home telephone number, asking you to confirm the purchase.
That's all well and good, but there is *no* form of identification given by the bank. And the first thing in the call is to ask for address, postcode and mother's maiden name.
So, it's OK for the bank to train the users that giving out their personal information is a Good Idea, but when there is fraud caused by a revelation, It's The Customer's Fault.
"No functionality was effected"
I would not log on if the certificate warning appeared as it might be a phishing site. Therefore I would consider all functionality lost. I bet if it was the other way round and you gave your details to someone else as you ignored the warning the bank would blame you for any fraud.
A breakthrough in anti-phishing technology?
"despite the message that they could be logging into a website pretending to be something it was not, this was obviously not the case"
Smashing. Quite a few people have been waiting for this sort of breakthrough. Any sufficiently obvious algorithm can be automated, so in a month or so (*) the anti-phishing mechanisms in web browsers and email clients should be almost foolproof, thereby shutting off most of the financial backing for spam. The internet is saved!
(* That's a month or so from the time HSBC clarify how and why their certificate-less site was "obviously not" a fake.)
Got the same from Google last week
I got an expired cert from Google's ad server last week sometime. Anyone else see that one?
Re: Stupid Stupid Banks
I had one of those calls when someone attempted to buy a TV with my card details. They didn't ask for any address/maiden name etc (and if they had I would have refused). The only sensitive question they asked was whether I had made any purchases today and if so where.
The real security problem with this is that the bank is giving out the message that if you get a security warning visiting them then its okay to ignore it because it really is them.
So ask them the obvious question...
... and let us know what they say. Don't let them get away with ambiguous waffle. (You *are* journalists aren't you?)
"Should customers use the site even when there isn't a valid certificate?"
"Customers who have their browsers configured in a certain way"
Jesus - who DOESN'T have their web browser configured to warn about invalid certificates?
I must admit, I wouldn't have the first clue how to tell FF or IE to not warn, and I'm happy with that.
How many people used the site anyway, even with the invalid certificate?
Strikes me that people don't actually care about the identity on the certificate itself, just that the connection is secured with “military-grade encryption”: we'd all do well to dispense with CA-issued certificates and just work on the SSH model of “accept once, warn if signature changes” instead.
Still, I'm *sure* EV will change all of this. No, it will, really!
"despite the message that they could be logging into a website pretending to be something it was not, this was obviously not the case"
'Obviously' - I see. 'kin idiots!
Glad I don't bank with such a useless bunch of prats who attempt to waffle their way out of a serious security issue.
You can still see that it's a genuine certificate issued to the correct party, so the warning will tell you that the site is okay. It will also tell you that the problem is that the certificate has expired. If the certificate had been revoked then this would be a different story.
It would look suspicious that a major bank had let its certificate expire, but you would easily be able to confirm that the site itself was genuine.
I don't know where the technical people were when they reviewed this article, but "... they could be logging into a website pretending to be something it was not, this was obviously not the case" is not true.
A phishing site could easily have its own certificate or no certificate at all and the user would probably not notice. Having a certificate that is expired would be stupid for a phishing site as it attracts too much attention.
Re: Not Really
We are all looking at this from a tech savvy, technical point of view.
Your average Manager or whatever wouldn't know what a certificate was or how to check it.
They simply see the warning and freak. (Most people don't read messages; if they did it would make my life a lot easier, because I could get straight to fixing a problem rather than having to decipher the error their software has been producing when they just say "I got an error message".)
"there were no security risks associated with the certificate expiring" ... yet precisely that made us do a fast-track SSL cert renewal 'coz the cert would expire in 48 hours, *and the bank would've had to shut down the service until the cert was renewed*. Looks like not all banks take these precautions...
Anyway, it is true that you can check the "three validations" for plausibility. It would pass the "trusted signer", "FQDN match" tests but fail the "cert valid" one. Though this is a human-accessed site, and I know of some SSL apps that will automatically REFUSE connection if the certs don't match!
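The "three validations" named above, run separately so an expired-but-otherwise-valid certificate is reported differently from an untrusted issuer or a hostname mismatch (and, as the Firefox message on this thread hints, a "not yet valid" result points at the local clock). This is an added illustration, not code from the thread or from any browser; the issuer name, hostnames and dates are constructed stand-ins and the wildcard matcher is a simplified RFC 6125 rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TRUSTED_ISSUERS = {"Example Trusted CA"}  # constructed stand-in for the browser's root store


@dataclass
class CertInfo:
    issuer: str
    names: list                  # subject CN plus subjectAltName DNS entries
    not_before: datetime
    not_after: datetime


def name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 match: exact, or one wildcard as the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        rest = hostname.split(".", 1)[1:]      # labels after the host's first one
        return bool(rest) and rest[0] == pattern[2:] and "." in pattern[2:]
    return False


def check_cert(cert: CertInfo, hostname: str, now: datetime) -> dict:
    """Run the three validations separately and derive a verdict from them."""
    trusted = cert.issuer in TRUSTED_ISSUERS
    fqdn_ok = any(name_matches(n, hostname) for n in cert.names)
    in_period = cert.not_before <= now <= cert.not_after
    result = {"trusted_signer": trusted, "fqdn_match": fqdn_ok, "in_validity_period": in_period}
    if now < cert.not_before:
        result["hint"] = "not yet valid: check the local clock"   # the Firefox-style hint
    elif now > cert.not_after:
        result["hint"] = f"expired {(now - cert.not_after).days} day(s) ago"
    if not (trusted and fqdn_ok):
        result["verdict"] = "block"   # identity cannot be established at all
    elif not in_period:
        result["verdict"] = "warn"    # identity checks pass; only the paperwork lapsed
    else:
        result["verdict"] = "ok"
    return result


# Constructed samples: the thread's case (trusted issuer, name matches, expired
# 3 days ago) and a look-alike host holding a perfectly valid cert for the wrong name.
NOW = datetime(2008, 1, 10, tzinfo=timezone.utc)
EXPIRED_BANK_CERT = CertInfo("Example Trusted CA", ["ukbusiness.example.test"],
                             NOW - timedelta(days=368), NOW - timedelta(days=3))
LOOKALIKE_CERT = CertInfo("Example Trusted CA", ["ukbusiness-secure.example.test"],
                          NOW - timedelta(days=10), NOW + timedelta(days=355))
```

Calling `check_cert(EXPIRED_BANK_CERT, "ukbusiness.example.test", NOW)` yields a "warn" verdict with only the validity check failing, while the look-alike certificate checked against the bank's hostname is blocked on the name match.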
"this was obviously not the case"
Yes, obviously, because the use of English was good, and the site looked authentic, obviously it must be HSBC and not some geezer in his bedroom who's hijacked your bits & pieces.
Security is arcane enough to the end user without supposedly trustworthy institutions sending out mixed messages like this. You can bet that if a customer was defrauded after ignoring a browser warning like that, the bank would take a very dim view.
Domino's (pizza) - www.dominos.co.uk either definitely HAD or does have issues (although can't find the issue anymore)
so let's be fair, loads of sites fail to use their brains.
It is still encrypted
I must admit this is one of my pet peeves about SSL certs: the comms are still encrypted, they don't suddenly become breakable.
It is a collusion of browser makers and certificate organizations, in fact it makes for security or usability a bit less at the point of renewal.
Still they are a large organisation and they could/should have this under control.
Really the browsers should make a discreet warning that the cert is out of date, not a great big warning dialog. That warning dialog should be used for compromised certs and those where the domain does not match, not for a few days out; those should be a little toolbar warning.
pctechxp is right
I'm a geek, but not in the web/security area and I sure would not know how to check an expired certificate or how to fix it. Joe Sixpack has even less chance.
It is also not reasonable to expect everyone to learn all this mumbo-jumbo. The technology should just work. After n years we should expect that the technology can actually do the job without having to do a pre-log-in checklist and being licenced by Civil Internet to use a browser.
Look at cars. How many people know how the advance/retard timing works? How many people can check their carb settings? The correct answer is of course that the average person should not have to know how this works.
There is absolutely no reason why computer technology can't reach this level of simplicity.
"(* That's a month or so from the time HSBC clarify how and why their certificate-less site was "obviously not" a fake.)"
"The security certificate is from a trusted certifying authority
The security certificate has expired or is not yet valid
The security certificate has a valid name matching the name of the page you are trying to view.
Do you want to proceed?"
with green check marks against the first and 3rd point, and a yellow warning symbol on the 3rd.
Firefox 2 says
"<server name>" is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on <date time>.
You should check to make sure that your computer's time is correct.
Would you like to continue anyway?"
Both browsers make it fairly clear to anyone who bothers reading the error message that the site is "obviously not a fake". The Firefox message even hints that you can generate the message yourself for any site you want to, just by changing your own system clock to be a date outside the purely arbitrary "expiration" date for the certificate.
Stupid is as stupid does.........
To anyone that clicked through the error and used the site:
I have a Nigerian friend that would like to speak with you..............
I'm glad I don't bank with HSBC
And I'm going to tell everyone I know not to use their internet banking. I particularly love their subtle implication that it was only certain silly people who had configured their browser "in a certain way" who got the message. Just set your browser to "Trust Everyone (TM Microsoft)" and everything is fine and dandy.
Still, not as bad as the Royal Bank of Scotland, who said that you could only use Internet Exploder on their website "for security reasons"... yeah right.
Not just a foible
"Such slip-ups are generally best considered as minor foibles."
An expired or "untrusted" cert might very well preclude use of a web site. A browser or OS SSL stack can easily be configured to not accept such certificates. A Microsoft IE7 browser configured to US NIST FDCC settings is one example; an OLPC system is another.
"...it's only fair to expect them to provide positive confirmation of their identity online..."
It is not positive confirmation of identity; it is simply one's SSL stack not complaining about the certificate signatory.
What really happened?
Well I expect what really happened was that the technical guys thought that for a laugh they would let the certificate expire. Maybe no one would notice.
Unsurprisingly when I called their helpdesk I had trouble getting through and when I finally did the nice lady said yes there was a problem and they were working on it and all I had to do was click through it. I bet the call centre staff weren't laughing at the little joke played by the technical guys.
For the benefit of the unenlightened, the alert occurred well after I had logged on and been presented with some specific business information so it couldn't possibly have been a phishing site because they wouldn't have that kind of information. It occurred just before I got my balances.
Also their service doesn't use a virtual keyboard to access (well I have never seen one) and you get a security device which generates a different number every time you press the button so I guess it's hard for phishers to get through.
So you read the error messages your browser gives you about these things? That puts you in a group of about 1% of internet users. Maybe 2% on a good day. *You* might think that those messages are very clear and simple, but the vast majority of users just see a big scary message, and are too afraid to even try and understand what they say.
For a bank to say "don't worry about the message, just go ahead and click OK" is irresponsible in the extreme. There is a whole bunch of users who will now click OK on *any* invalid certificate message, because HSBC has told them they don't need to worry about it.
@The big blue one
I'm actually designing the next generation of ebanking in a country that cares about banking security (so it's not Liechtenstein, cough).
Here's some news: that gadget you use for your logon password (a cheap sort-of SecurID token) will protect your password, but you're still 100% open to Man-in-the-middle attacks (think a sort of bidirectional proxy which can alter your instructions on the fly, and the bank screen you see).
This means you authorise a transaction A of value B going to account C, and in reality your credentials have just authorised the whole contents of your account to go somewhere else. The only barrier to that is the bank checking against suspicious transactions (a dynamically changing list of conditions) - you wouldn't even notice it happened because with MITM I can make you see anything I want.
BTW, I have seen the virtual keyboard for HSBC offshore customers. It suffered for years from exceptionally bad randomisation (i.e. was predictable).
PH because she's quite exposed too..
you'd be surprised...
This is a lot more common than people think...
"Both browsers make it fairly clear to anyone who bothers reading the error message that the site is "obviously not a fake".
A fair point, if you are prepared to equate reading with understanding. There are just three problems.
Firstly, "security certificate", "trusted certifying authority" and "name" are jargon terms. Replace them with pitchfork, gardener and carrot. Now re-read the error messages and I think you'll find that it is no longer obvious that the expiry failure is less serious than the other two.
Secondly, whilst I have accepted certificates under these circumstances, my "advice to grandma" would always be "If there's a problem, don't accept it.". I *hope* that the vast majority of web users default to mis-trusting institutions who can't keep their paperwork in order. (I doubt it, but it is something to wish for.)
Thirdly, *I* wouldn't accept this certificate for online banking. If they can't even get this right, what else is wrong? This is my money we're talking about. I'll wait a couple of days. If they fix it, that's fine. If it is still broken several days later, I'm going to start looking for a new bank.
Why can't they...
use a keycode calculator where the bank issues a challenge based on the transaction(s) you have just done and want to authorize?
Then you type in that challenge into the calculator, get the response code which you punch into the browser window...
If the 'man in the middle' tries to change the transactions, the codes won't fit any more.
They don't even need a 'full' 0 - 9 keypad, just a few keys so that people don't mistype the code all the time...
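The transaction-bound code calculator proposed in this post, worked through as an added example that is not from the thread or from any bank's system: the customer keys the destination account and amount into a keypad token sharing a secret with the bank, the bank recomputes the code over the transaction it actually received, and a proxy that rewrites the payment in transit produces a mismatch. The shared secret, account numbers and amounts are constructed sample values; the second scenario shows the caveat that the protection only covers details the customer keys from their own knowledge rather than copying off a page the proxy controls.

```python
import hashlib
import hmac


def _code(secret: bytes, counter: int, account: str, amount_pence: int, digits: int = 8) -> str:
    """HMAC-SHA256 over counter|account|amount, truncated to a decimal code."""
    msg = f"{counter}|{account}|{amount_pence}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                     # HOTP-style (RFC 4226) truncation
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


class Token:
    """The customer's keypad device: holds the secret, never touches the network."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def sign(self, account: str, amount_pence: int) -> str:
        self.counter += 1
        return _code(self.secret, self.counter, account, amount_pence)


class Bank:
    """Server side: recomputes the code over the transaction it actually received.
    (A real deployment tolerates a counter look-ahead window; omitted here.)"""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def authorise(self, account: str, amount_pence: int, code: str) -> bool:
        self.counter += 1
        expected = _code(self.secret, self.counter, account, amount_pence)
        return hmac.compare_digest(expected, code)


SECRET = b"constructed-shared-secret"          # constructed; provisioned when the token is issued
INTENDED = ("12345678", 2500)                   # constructed: customer pays 25.00 to 12345678
REWRITTEN = ("87654321", 250000)                # constructed: what a rewriting proxy sends instead


def pay_keying_own_details(tamper: bool) -> bool:
    """Customer keys account and amount from their own intent into the token."""
    token, bank = Token(SECRET), Bank(SECRET)
    code = token.sign(*INTENDED)
    return bank.authorise(*(REWRITTEN if tamper else INTENDED), code)


def pay_keying_screen_challenge(tamper: bool) -> bool:
    """Caveat: if the customer copies whatever the (proxied) page shows as the
    challenge, the proxy chooses the input and the code binds the rewritten payment."""
    token, bank = Token(SECRET), Bank(SECRET)
    shown = REWRITTEN if tamper else INTENDED   # the page is under the proxy's control
    code = token.sign(*shown)
    return bank.authorise(*shown, code)
```

`pay_keying_own_details(True)` returns False because the bank's recomputation covers the rewritten account and amount, while `pay_keying_screen_challenge(True)` returns True, which is why the keyed details must come from the customer and be shown back on the token, not supplied by the page.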