Faked NatWest, Halifax bank sites score REAL security certs

UK Banks Halifax and NatWest are among organisations targeted by fake sites that have won SSL certificates from certification authorities (CAs). Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare's certification partner GlobalSign and GoDaddy – have handed out certs to sites like …

  1. ukgnome

    All fake sites can be found by visiting the search engine www.groogle.com

  2. Jon 37

    You're relying on a very out-of-date version of the "look for the padlock" advice.

    No padlock means it's definitely dodgy.

    A padlock just means that "the site you're visiting is really the URL you see in the URL bar, and it hasn't been tampered with" and "your data is being encrypted". It does not mean "they are the company they claim to be" or "they are not scammers" or "they can't be hacked".

    A green address bar with a company name shown in it provides assurance that "they are the company they claim to be". (That's an EV certificate). However, they may still be a scammy company that's going to run off with your money / go bankrupt / get hacked and expose all your personal information etc.

    The internet has a major security problem with pervasive government surveillance and insecure Wi-Fi hotspots. The best way to solve that is to move all traffic to HTTPS. To do that, normal HTTPS certificates have to be easy and cheap to obtain. So CAs can't do slow, complex and expensive validation of every request for a normal HTTPS certificate; they only do that for EV certificates.

    1. streaky

      The problem is people are expecting SSL certs to do too much - EV or otherwise. All of these scams are obvious if people are paying any attention at all and THAT is where the education needs to be.

      And yes on the other HTTPS thing - it's simply not possible for the issuers to go through every single request and decide if the domain is a scam, for one because of the number of languages on the planet and the number of banks somebody doing such a thing would have never heard of.

      They don't even apply tests like that to EV certs - you can set up a company which is remarkably easy in many countries including the UK, get an EV cert and scam away and nobody will know the difference. Only now we get OH IT'S GREEN SO IT'S SAFE.

    2. Sebby

      >>> A green address bar with a company name shown in it provides assurance that "they are the company they claim to be". (That's an EV certificate). However, they may still be a scammy company that's going to run off with your money / go bankrupt / get hacked and expose all your personal information etc.

      Of course, it could also just be a scammy CA—one who has got tired of all the losses incurred in the verification process and, spurred by the same perverse economic incentives as the original CA contract, fails to do their due diligence in issuing those EV certs correctly. Then the industry needs another, even more outrageous excuse to make large sums of money by doing absolutely nothing they should not already be doing, which they will pretend is providing truly legitimate security this time, honest guv, and it will be called “Extended Extended Validation” (E2V). The great thing about this scheme is that, any time the plebs rise up and demand security for lower cost, they can just increment the digit in the acronym again, and maintain the same prices. Awesome.

      The CA model is past its prime. Let us move to DNSSEC already. Meanwhile, CAs cannot legitimately be accused of providing “Domain Validation”; it is what the people want. These same people will simply have to learn what that padlock really means: security for the site indicated in the address bar.

      1. Destroy All Monsters Silver badge
        1. Jon 37

          > How is DNSSEC going to help if the CA model is past its prime?

          One theory is that we'll all move to DNSSEC, so browsers will check that the DNS response is signed with DNSSEC. At that point, you could put a self-signed TLS certificate in a special entry in DNS. Since the certificate comes from DNS and is protected by DNSSEC, you know that it's from the domain owner, so you don't need to have a CA sign it.

          This system is called DANE.

          DANE would kill the "normal" TLS certificate market and just leave CAs doing EV certificates.

          But, here's a good article about the problems with DANE, from a Google security boffin: https://www.imperialviolet.org/2015/01/17/notdane.html

          1. streaky

            None of this helps with the actual issue. And DNSSEC can be compromised by (specific) state actors - it actually makes the problem it's supposed to fix more exploitable. That's why we have CAs - in theory for massive liabilities and somebody to pay the insurance premiums.

            The whole system is set up so if (when) it goes wrong there's an underwriter to pay out for the damage.

            But again none of this fixes any actual real world problems.

  3. Julian 8 Silver badge

    Of course, to be safe just follow the link from the email that your bank sends you, especially the ones where you think to yourself "I didn't know I had a bank account with so and so"

    :)

  4. Anonymous Coward

    If they can do it with Comodo, Symantec, et al…

    … they'll have lots of fun with the "Let's Encrypt" project.

    This is one of the biggest hurdles to having https everywhere. Site validation.

  5. paulf

    The banks can help here

    It would be nice if the banks didn't use different URLs for their OLB sites thus making phishing sites sound that much more plausible. Having SSL on by default would also help!

    For example, the main Halifax website is the rather predictable (note, not secure by default):

    http://www.halifax.co.uk/

    Their Online banking site uses this innocent sounding URL (thankfully it does use SSL):

    https://www.halifax-online.co.uk/

    Nationwide used to be just as bad using this URL for their OLB until earlier this year:

    https://olb2.nationet.com/

    I'm sure there are plenty of other examples since the article notes Natwest uses www.nwolb.com

    1. DaLo

      Re: The banks can help here

      And also when you pay for a transaction that uses 3d secure you are often taken to a website (or an iframe pops up) from a company whose URL has nothing to do with the website you are on, Visa/Mastercard etc, your bank or any other bank.

      However you are expected to type your super secret stuff into it...

      1. Steve Graham

        Re: The banks can help here

        Something like securesite.co.uk, isn't it? In a pop-up. About as credible as haliflax.co.uk

        I couldn't believe the stupidity of that design when I first saw it.

      2. paulf

        @ DaLo (3d Secure) Re: The banks can help here

        When I get the 3D Secure box it used to show a short passphrase I entered when setting up 3D Secure for that card e.g. "Yes, you div, type your stuff" so I would know the frame was definitely connected to my card issuer. It could have been obtained (either by the payment processing site or a third party) using screen scraping stuff in the browser but I don't know how possible that would be.

        I don't know if they still do that since I haven't been asked for 3D secure credentials for what feels like years now - the box appears but the card issuer bounces back approval without asking any questions. I would optimistically put that down to my Bank realising the purchase is likely legit from my transaction history, but there's also a chance they can't be arsed...

      3. Fibbles

        Re: The banks can help here

        > However you are expected to type your super secret stuff into it...

        I've never seen the point of those annoying extra confirmation pages by the banks. I can never remember the damn password so I always end up going through the reset password procedure (probably also explains why I can never remember it). The reset procedure just asks me to type in details that are on the card. How is this supposed to stop fraud? If someone has stolen my card details this extra step provides no extra protection whatsoever. It does however cause a great deal of frustration as I have to enable a whole bunch of extra scripts in NoScript and disable some of the XSS protection.

        1. Pookietoo

          Re: those annoying extra confirmation pages

          Whenever I encounter a "Verified by Visa" pop-up it seems to fail to accept my input, but allows payment anyway.

    2. Anonymous Coward

      Re: The banks can help here

      > The banks can help here

      SSL Labs caps the Halifax URL at a C grade as it's been vulnerable to the poodle attack for almost exactly a year. Lloyds has the same problem.

      Note that Ebay gets an A grade; an online car-boot sale has better encryption than many major UK financial institutions...

      1. Rich 11

        Re: The banks can help here

        > Note that Ebay gets an A grade; an online car-boot sale has better encryption than many major UK financial institutions...

        A better credit rating too...

      2. Gene Cash Silver badge

        Re: The banks can help here

        > Ebay gets an A grade; an online car-boot sale has better encryption

        Sure, because if Ebay gets haxxorzed, they lose major bucks.

        If your bank gets hacked, they whine to the gov't for their money back, and don't give two shits about your money.

        It's like here in the US, all the companies getting their credit card info lifted have found business insurance to be incredibly costly, so they're ONLY NOW going "GASP! we must be secure!" instead of giving a big sigh and going "cheap credit checks for everybody"

        http://www.reuters.com/article/2015/10/12/us-cybersecurity-insurance-insight-idUSKCN0S609M20151012

    3. Anonymous Coward

      Re: The banks can help here

      Last I checked, my bank and their OLB both had low-grade non-EV certs... how nice.

      Not surprised that the registrars will sell domains and certs to anyone with the money. DNS/SSL is a shit system anyway. Banks should find a more reliable way for customers to authenticate their OLB servers.

      1. Tom 13

        Re: Banks should find a more reliable way for customers to authenticate

        Much as I'd like to agree with that, the Carlin Observation keeps getting in the way:

        Think about how stupid the average customer is. Now remember, half of them are stupider than that.

        Set aside for the moment the question of whether or not the NSA has a root for an RSA fob and just run with the concept for a moment. It meets the something you have and something you know test in a way that fingerprints and retinal scans really don't. It's fairly cheap and relatively simple. Now think about the amount of hassles your local servicedesk has training users to use them. In no time at all your customers are clamoring for a username and 24 character password. Sadly that's a problem without a good solution.

  6. Inventor of the Marmite Laser Silver badge

    www.nwolb.com

    "blown" backwards

  7. Barely registers

    Accountability?

    Before I trust someone to validate something on my behalf, I try to make sure that I've got comeback against them if they do a bad job.

    What's the comeback on Comodo et al for issuing a fake bank certificate? e.g. How many strikes before Google decides to blacklist a CA certificate in Chrome?

    1. Sir Alien

      Re: Accountability?

      Actually there is quite a bit of accountability. Technically Halifax or other financial systems could take legal action against Comodo. It is also a reason for the certificate insurance.

      I was informed that the insurance is not for site breaches but that the CA has done the needed checks and ensured that the certificate being made out is for the organisation it is meant for.

      It is just a case of even if the banks can hold them accountable, would they? All well and good being able to sue someone but would they actually do it or just pass the blame.

      - SA

  8. IPCurious

    The problem is made worse by third party payment sites. You're shopping with https://xyz.com, and you're sure that's the right place. Your credit card comes from Visa. You go to checkout and in the middle of that some 3rd-party credit-card processing site pops up, and you've never heard of the company name, let alone can verify the URL. And all this is "to improve your security" by keeping your credit card details out of the shop.

    1. Neil Barnes Silver badge

      And once you get to the checkout, you also find that you have to enable a number of suspicious-looking scripts just to enable the dodgy-looking card verification service to run. And if you don't you have no idea whether or how far the payment process has progressed.

      Even paypal worries me - how often do you get a paypal pop-up in the middle of a site? You (the average user) can't easily tell whether it's the real paypal or not... though even so, I'd generally rather risk my limited paypal account than a live bank account.

    2. David Harper 1

      This is why I have a pre-paid card

      When I buy stuff from small online retailers, I use a pre-paid card, because I have no idea who will actually be handling the credit card payment processing, and I don't want to give my real credit card details to a third-party payment site. Pre-paid cards are easy to get hold of, and many of them are free to use after a modest one-off account setup fee.

    3. Anonymous Coward

      I worked for an ecommerce provider once who offered a payment method where the end customer entered their card details and they were simply stored in the database and visible to the store owner.

      The PCI DSS lot busted them following a few complaints about dodgy shops, yet they continued to hold all of their customer details (including CVV) for monthly billing runs in an internal database so they could process them as "card holder present" transactions, much cheaper that way.

  9. Anonymous Coward

    This is nothing to do with certificates!

    This is a symptom of a far deeper problem. The trouble is that the word "halifax" does not belong only to the bank (and quite rightly so)

    A person who registers the domain halifaxonline-uk.com is able to use it to host a website. They are also able to get a certificate for it. This is perfectly correct, since all they have to do is to prove they own the domain.

    The problem is consumer confusion between domain halifaxonline-uk.com and the well-known bank, and this is much more intractable.

    Suppose I set up a company called "Halifax Industrial Grommets Ltd". It's reasonable that I should buy the domain "halifaxonline-uk.com". I could use this legitimately to sell grommets, or nefariously to steal banking logins.

    But I don't see how either the domain registrar *or* the certificate authority can decide whether I am going to be legitimate, since I will register the domain and get the certificate before putting up the content I want. Or if I am a miscreant, I might put up legitimate-looking material before getting my certificate, and then change it to the phishing page.

    This problem will only get worse with letsencrypt, which will give a free certificate to anyone who owns a domain. The ownership of a certificate then gives *no* indication of legitimacy at all.

    The implication is that we need an Internet police force which is constantly scanning all websites with "halifax" in their name, and deciding which are phishing sites. Then repeat this ad infinitum, replacing "halifax" with every large organisation out there. It ain't going to happen.

    I can see a few possible solutions.

    (1) User self-validation

    The certificate should have encoded in it the full name and mailing address of the organisation (which clearly *should* be verified by the CA, and not be a PO box), and this is displayed *prominently* by the browser on connection.

    In this case, at least the user will see:

    "Halifax Industrial Grommets Ltd, 1 Disk Drive, Halifax HA5 5LE, UK"

    and has a chance of deciding for themselves whether this is in fact the same organisation as their bank statements come from.

    (2) The certificate authority validates the *type* of organisation. For example, only organisations which have a UK banking licence get the "bank" flag.

    (1) and (2) are essentially what EV certificates were supposed to do, but they don't work in practice; and people are quite happy when a site is protected by a non-EV certificate.

    It would require a big shift in habits to say "don't use any bank website unless it carries the special bank symbol in the browser bar". And in any case, if the website displayed the bank symbol within the page, most people would be happy with this. (Consider that some fake websites carry a lock symbol as their favicon.ico !)

    (3) The owner of a trademark (e.g. "halifax") could subscribe to a service where they receive a feed of all new domain registrations containing their name (or indeed, a feed of all new domain registrations, period). They can then look at each one and determine if each site is legitimate or "passing off".

    This is the approach which will cause a ton of litigation. It enables the domain/trademark owner to proactively protect their name, but will almost certainly be prohibitively expensive as it will require checking each new site by hand.

    1. fearnothing

      Re: This is nothing to do with certificates!

      You already can subscribe to a service where you get a feed of domain names like your company's. If you're a big company with concerns about people spoofing your domains, you should be doing this already. If you aren't, start right the hell now.

      For example, DomainTools brand monitor.

      (I am not affiliated with DomainTools)

      1. Tom 13

        Re: concerns about people spoofing your domains

        It's not really possible for the average company to reasonably cover the cost of registering all fake and proximity domains to their primary site. Even at the small cost of site renewal, there are too many variations to cover. And that was before the explosion of top level domain names.
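The registration feed from option (3) of comment 9, and the brand-monitoring service fearnothing mentions, boil down to a triage step like the one below. This is an added example, not code from the thread or from any monitoring product; the feed contents are constructed, the brand names and legitimate domains are the ones quoted in the comments, and the two matching rules (brand substring, single-edit near miss) are assumptions chosen for illustration.

```python
import re

# Brand names and the banks' own domains as quoted in the thread.
BRANDS = ("halifax", "natwest")
OWN_DOMAINS = {"halifax.co.uk", "halifax-online.co.uk", "nwolb.com"}

# Constructed feed of "newly registered" names (not real registration data).
SAMPLE_FEED = [
    "halifaxonline-uk.com",          # example domain from comment 9
    "haliflax.co.uk",                # example typo from Steve Graham's comment
    "www.halifax-online.co.uk",      # the bank's own OLB host
    "grommets-direct.example",
    "natwest-secure-login.example",
    "nwolb.com",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) if the name needs human review, else None."""
    d = domain.strip().lower().rstrip(".")
    # Names at or under the organisation's own domains are never flagged.
    if any(d == own or d.endswith("." + own) for own in OWN_DOMAINS):
        return None
    # Rule 1: brand appears once dots and hyphens are squeezed out.
    compact = re.sub(r"[^a-z0-9]", "", d)
    for brand in BRANDS:
        if brand in compact:
            return (brand, "contains-brand")
    # Rule 2: a label or hyphen-separated token is one edit away from a brand.
    tokens = [t for t in re.split(r"[.-]", d) if t]
    for brand in BRANDS:
        for tok in tokens:
            if abs(len(tok) - len(brand)) <= 1 and edit_distance(tok, brand) == 1:
                return (brand, "near-miss")
    return None


def review_queue(feed):
    """Filter a feed down to the names a person has to look at."""
    queue = []
    for name in feed:
        hit = classify(name)
        if hit is not None:
            queue.append((name, hit[0], hit[1]))
    return queue


if __name__ == "__main__":
    for name, brand, reason in review_queue(SAMPLE_FEED):
        print(f"{name:32} {brand:8} {reason}")
```

The output is a review queue, not a verdict: a grommet maker in Halifax would land in it too, which is the manual-checking cost comment 9 points out.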

  10. Anonymous Coward

    I see a few people saying that these sorts of scams are easy to avoid if you pay attention but I would have to disagree. Getting a certificate even an EV isn't hard and that is going to make your site at first glance look valid. The problem is the user isn't necessarily going to know that their bank's online presence is at mybank-online.com or mybank-olb.com or olb.mybank.com or etc, etc. The only way to tell would be to find some printed media from your bank and check. Yes, that's safe but it's also a step too far for the vast majority of people.

    One solution might be for the government to register banks.gov.uk which contains links to all the registered banks and their online banking presence in the UK. I'm sure they would find some way to screw that up though!

    1. Anonymous Coward

      More government hand holding because people are unable to protect themselves? What's the next step, force all banks to authenticate via the banks.gov.uk website (maintenance at the expense of the tax payer) to ensure those few LAZY people don't get defrauded?

      The rules for this are simple and scams ARE easy to avoid. When you use internet banking you WILL know the correct address of the bank, you either have it written down or bookmarked in your browser. NEVER follow a link from an e-mail, there is simply no excuse, if the bank says there is a message for you, then proceed to your SAVED internet banking address and check the messages there. If it isn't an account you recognise or use enough to know the internet banking address, it's simply not important enough to worry about and is PROBABLY A SCAM. If you're not capable of following these simple instructions, then simply don't register for or use internet banking, go to the branch where you know it's really your bank!

    2. Tom 13

      RE: easy to avoid if you pay attention

      They are, but most people don't pay attention. Now, pay attention:

      NEVER follow a link about your bank account from an email*. Even following it from a trusted search engine is iffy. If it requires your immediate attention, pull the card out of your pocket and call the number listed on the card.

      If you don't have your bank account details saved in your favorites from the first time you hand-typed the url into the browser from the brochure included with your shiny new piece of plastic, you are BEGGING for trouble.

      *Just because your bank keeps trying to get you to switch to online statements doesn't mean it's a good idea.

  11. cantankerous swineherd

    the only reasonable working assumption is that the internet is a snake pit. it's insecure, cannot be made secure and anyone claiming to make it so is a knave or a fool. banking and medicine are absolute no nos, money transmission only ok if you're willing to take the loss.

  12. Anonymous Coward

    x509 broken by design, web security a house of cards

    see title.

    1. Destroy All Monsters Silver badge

      Re: x509 broken by design, web security a house of cards

      Clearly you don't even know what you are talking about.

      1. asdf

        Re: x509 broken by design, web security a house of cards

        https://lorddoig.svbtle.com/heartbleed-should-bleed-x509-to-death

        said better than I ever could. Yes much of the problem is implementation but there are plenty of design flaws as well.

        "If we tasked ourselves to build web security from scratch today, hell would freeze over and the NSA would willingly disband and incarcerate themselves before we came up with X.509 and said “That’s it! Centralised authority nobody can practically trust and business conditions that will cause everyone to spend a tonne more money than they have to. Fsck me we’ve cracked it! Good job boys, let’s go to the pub."

  13. Chris Cartledge

    Passing Off

    This is such an old problem that it is a breach of Common Law, which is called passing off. It has to be enforced by the trademark owner who should be pursuing the owners of the fake domain *and* the organisation that aided them by granting it. Given the amount organisations are willing to spend on advertising their services, protecting patent and the like, I fail to understand why they generally do little or nothing to protect their name on the internet.

    It should be easy to explain why the effort would be worthwhile, but I was incapable of getting our lawyers or PR people involved. I was however surprised at the success I had on a couple of occasions with a simple cease and desist email...

    1. Tom 13

      Re: I fail to understand why they generally do little or nothing

      That's because you've never tried to do it. I have. We won. It was painful and took the better part of a year to accomplish. And we were fortunate. The miscreants hadn't set up a fly-by-night shop with the intention of running away at the first sign of trouble. They were actually foolish enough to stay in one place and be in the same country we were in. As it was, they were in another state.

      First up, our legal counsel was general legal counsel, not IP legal counsel. So he had to recommend another (more expensive) lawyer who was an IP lawyer. At which point they drafted the first lawyerly letter to the defendant. Then the defendant had to hire a lawyer who responded back to our lawyer. It was a polite Fuck You! letter because they were in a different state and didn't think we'd think it was worth the hassle to file charges.

      So we filed charges in our state because that's how the process starts. Then comes the request to move it to the state where the defendant resides. At which point your lawyers are no longer licensed, so they have to find yet another set of lawyers to handle the charges in that state. Until everything was said and done I think we'd spent north of $35K defending our name. We never spent more than $35K on advertising. Never.

      Worldwide there were yet more instances. And in some instances because of arse-backwards laws even though our mark was chronologically first, because we didn't beat them to filing in their country, we'd be the ones infringing on their mark. If it was in our hemisphere with reasonable reciprocity laws, we'd defend the mark. Otherwise it wasn't worth the money, the time, or the hassle.

  14. Zog_but_not_the_first

    I was born honest...

    But I'm tempted to become a criminal. I think I could be a really good one. Everyone else is at it.

    Joking, of course.

    1. asdf

      Re: I was born honest...

      >But I'm tempted to become a criminal.

      Kidding or not it comes down to if you already have money and if you have powerful connections and where you live. If you don't and you get caught say in the US you might wind up in pound you in the butt prison where gang tattoos mean everything.

  15. Boothy

    Security Ratings

    Places like financial web sites ought to have some form of mandatory security rating.

    Something easy to understand for a regular (i.e. non techie) punter, i.e. something along the same lines as the food hygiene ratings you get in restaurants etc. Using a simple zero to 5 rating. That way it would be familiar to anyone who sees it.

    The rules would require that this rating was shown nice and large on all registration and logon screen.

    Clicking on it would take you to a break down, showing the details of the rating.

    Something like that 'should' shame the banks into updating their security.

    Add to that rules around dropping below a certain level depending on the services provided.

    e.g.

    Banks should always aim for a 5 rating.

    If a Bank drops to 4, they have x amount of time to get back to 5. (i.e. 1 month), before penalties apply.

    If a Bank drops to 3, they are no longer allowed to take on new customers, until they are back to 4+, and any losses incurred due to the lax security, are automatically the Bank's liability, and cannot be passed onto customers.

    and so on.

  16. Boris the Cockroach Silver badge

    And my

    bank wonders why I tell them to "go forth and multiply" whenever they want me to use their online banking sca... operation.

    Last time they demanded it since I needed it to register a new credit card... gave them a string of numbers I can't remember as the passphrase, then promptly called their "uk" call center, and asked for a balance inquiry and gave the wrong passphrase... which means the account is locked out of online banking and phone banking and I need to go to the branch and prove who I am to release the lock.

    And since my cards work fine... I'm not going to bother.

  17. toughluck

    At the same time, banks block password managers

    This is absolutely silly. Opera had a built-in password manager for years, and I've been using it for pretty much everything, including the banking site. I do remember my login and password, it's just that the password manager does not allow me to log in if the site details don't match what was provided initially -- field names must be the same, URL must be the same, certificate must be valid.

    If I ever followed a phish link by accident, the password manager would not work. When my PC clock drifted and invalidated the certificate (I can't remember the details), the password manager refused to work with the site.

    And yes, when the bank decided that password managers are banned, field names are dynamically altered, so the password manager fails to work.

    This beggars belief. A password manager is a simple but extremely powerful tool, and does wonders for security, to the point where it's much safer for the average user -- hey, if the password manager doesn't work here, something is off, probably phishy.

    Oh, and my mom's bank considers security to be in the form of a 12-character password that cannot be changed, and to log in, you type in five randomly chosen characters. Considering that the password is a mix of lowercase and uppercase letters, digits and special characters, it's effectively impossible to memorize, but unbelievably easy to hack if somebody got their hands on the password list.

    I don't know who does security at those banks, but it seems that they got all their knowledge from TV shows and week-long junkets with one 30-minute seminar on security.

  18. Anonymous Coward

    DANE

    Put your certificate hashes in DNS people! Not instead of CA validation - as well as CA validation.

    1. Anonymous Coward

      Re: DANE

      Doesn't DANE more or less require DNSSEC to be useful?

      Ever tried setting up DNSSEC? I have. Unless you run your own nameservers, you're at the mercy of what your DNS host supports, and I've found many do not offer the records needed for DNSSEC.

      (Found this out the hard way, submitting keys for DNSSEC, then found I couldn't remove them or add the records needed. So I had to get bind up and running in a hurry.)
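What "certificate hashes in DNS" means in practice, both for the self-signed case Jon 37 describes earlier in the thread and for the "as well as CA validation" case in comment 18: an added example, not code from the thread, that checks a server certificate against one TLSA record (RFC 6698). It assumes the TLSA answer has already been DNSSEC-validated by the resolver, handles only the end-entity usages 1 and 3, and uses a constructed DER skeleton in place of a real certificate.

```python
import hashlib
import hmac

# TLSA usages handled here: 1 = PKIX-EE (record pins the server cert AND the
# CA chain must still validate), 3 = DANE-EE (record alone is the trust source).
CA_VALIDATION_REQUIRED = {1: True, 3: False}


def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        start, length = off + 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        start = off + 2 + n
        length = int.from_bytes(buf[off + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length


def extract_spki(cert):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of a certificate."""
    tag, start, _ = read_tlv(cert, 0)               # Certificate
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, off, tbs_end = read_tlv(cert, start)       # tbsCertificate
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, _, end = read_tlv(cert, off)
    if tag == 0xA0:                                 # optional [0] version
        off = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, off = read_tlv(cert, off)
    if off >= tbs_end:
        raise ValueError("no SubjectPublicKeyInfo")
    tag, _, end = read_tlv(cert, off)
    if tag != 0x30:
        raise ValueError("no SubjectPublicKeyInfo")
    return cert[off:end]


def check_tlsa(record, cert):
    """Check cert against a TLSA record given as 'usage selector mtype hex'.

    Returns (matches, ca_validation_still_required).
    """
    usage, selector, mtype, hexdata = record.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in CA_VALIDATION_REQUIRED:
        raise ValueError("only end-entity usages 1 and 3 are handled here")
    if selector not in (0, 1):
        raise ValueError("unknown selector")
    selected = cert if selector == 0 else extract_spki(cert)
    if mtype == 0:
        computed = selected                         # exact match on raw bytes
    elif mtype == 1:
        computed = hashlib.sha256(selected).digest()
    elif mtype == 2:
        computed = hashlib.sha512(selected).digest()
    else:
        raise ValueError("unknown matching type")
    expected = bytes.fromhex("".join(hexdata.split()))
    return hmac.compare_digest(computed, expected), CA_VALIDATION_REQUIRED[usage]


def sample_cert(pubkey_bits):
    """Constructed DER skeleton with X.509 field order; not a usable certificate."""
    spki = der(0x30, der(0x30, b"\x06\x03\x2b\x65\x70") + der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki


SAMPLE_CERT, SAMPLE_SPKI = sample_cert(bytes(range(32)))
OTHER_CERT, _ = sample_cert(bytes(32))              # same shape, different key
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

A record with usage 3 that matches is the CA-free case; with usage 1 the second return value tells the caller that ordinary chain validation must still pass.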
