Online bank customers may want to pay a little more attention to their browsers the next time they log in. Johannes Ullrich, chief research officer of the prestigious SANS institute said that many of the most popular banking sites may be needlessly placing their customers at risk.
At issue are the user login areas that can be found on banking sites such as Chase.com and Americanexpress.com, which ask users to submit their user ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Ullrich.
A more secure approach would be to force users to log in on a HTTPS web page. HTTPS pages use the SSL (Secure Sockets Layer) security protocol, which not only encrypts the information on the page but also provides digital certificates to give assurance that the website in question is genuine.
"If the login form is not HTTPS, you don't know if it's the real thing," Ullrich said.
Web pages that do not use this type of secure connection are vulnerable to a type of attack known as DNS spoofing, where attackers attempt to trick browsers into visiting bogus sites.
This type of attack is technically challenging, however, and hackers generally find it far easier to trick users into giving up their user names and passwords using phishing techniques, Ullrich said.
Still, there's no good reason for banks to allow users to log in on pages that do not use SSL, Ullrich said. The SANS researcher has compiled a list of banks that includes information on their use of SSL authentication.
Often banks include SSL login pages as an option, but they can be hard to find, Ullrich said. One trick for finding these pages, which will prompt browsers to display a yellow lock icon on the bottom of the screen, is to submit a bad password on the home page. Often bank sites will redirect users to the SSL login page after this happens, he said.
Though he admits to logging in to pages that do not use SSL encryption himself, security consultant Richard Smith agreed that it would be safer for banks to direct their users to an HTTPS page for account logins. "It's only one extra step," he said. "The banks could do it, but I guess they feel that one extra step is too hard for people."
One of the banks that does not use SSL sign-in on its front page defended its practices. "It is more convenient for our customers and it is secure," said Bank of America spokeswoman Betty Riess.
Though Bank of America allows customers to enter their online IDs on the home page, they cannot submit passwords. The bank sends them to an HTTPS page and uses a technology called SiteKey to confirm to customers that they are at the legitimate Bank of America site before they enter their passwords.
"We're committed to safeguarding customer information online and we wouldn't do anything to compromise that security," Riess said.