Online banking sites not secure

(MSPAlliance) – Tuesday, April 25, 2006 – Many popular online banking sites are not securing user log-in areas and are needlessly exposing customers to threats.  The SANS Institute reports that sites including Chase.com and Americanexpress.com allow users to enter user ID and password information on unsecured screens.

An easy fix would be to force users to log in on an HTTPS (HTTP Secure) page, protected by SSL, which encrypts information and uses digital certificates to establish site authenticity.  Non-HTTPS log-in areas are susceptible to DNS spoofing, in which attackers tamper with the lookup that converts the names of popular Web sites, such as BankofAmerica.com, to numerical IP addresses, and so trick Web browsers into visiting fake Web sites.  This kind of attack is technically challenging, however, and hackers are more likely to resort to traditional phishing attacks than DNS spoofing.

Banks that do require SSL authentication include Capital One Bank, Citigroup, Inc., and Wells Fargo & Co.  Bank of America allows users to enter an online ID on an unsecured page, but then redirects them to an HTTPS page before they enter a password.  Banks should take steps to ensure HTTPS log-in, while users should be wary of security concerns when transmitting user ID and password information even to trusted Web sites.
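A site owner can check log-in pages for the patterns described above with a short audit script. The following is an added example, not part of the original article: the function and class names, the field-name heuristic and the sample pages (on reserved `.test` hosts) are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ID_HINTS = ("user", "login", "id", "account")  # assumed field-name heuristic

class FormCollector(HTMLParser):
    """Collect every <form> with its action and its (type, name) inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            kind, name = (a.get("type") or "text").lower(), (a.get("name") or "").lower()
            self._cur["inputs"].append((kind, name))
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_login_page(page_url, html):
    """Return findings for credential forms on one already-fetched page."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        has_pw = any(t == "password" for t, _ in form["inputs"])
        has_id = any(t in ("text", "email") and any(h in n for h in ID_HINTS)
                     for t, n in form["inputs"])
        if not (has_pw or has_id):
            continue  # not a credential form, e.g. site search
        what = "password" if has_pw else "user ID"
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        for verb, url in (("served", page_url), ("submits", target)):
            if urlparse(url).scheme != "https":
                findings.append(f"{what} form {verb} over HTTP: {url}")
    return findings

# Constructed sample pages on reserved .test hosts, not real bank markup.
SAMPLES = {
    "http://bank.example.test/": '<form action="https://secure.example.test/login">'
        '<input name="userid"><input type="password" name="pw"></form>',
    "http://bank.example.test/home": '<form action="https://secure.example.test/step2">'
        '<input name="onlineid"></form><form action="/search"><input name="q"></form>',
    "https://bank.example.test/": '<form action="/auth"><input type="password" name="pw"></form>',
}
```

Calling `audit_login_page(url, html)` on each `SAMPLES` entry flags the first two pages even though their forms post to HTTPS, because a form delivered over HTTP can be altered before the user ever submits it; only the third page, served and submitted over HTTPS, returns no findings.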

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.