Monday, April 24, 2006

How safe is your internet banking logon page?

Johannes Ullrich, chief research officer at the SANS Institute, believes many banks expose their customers' log-on data when they enter it. Many websites allow the bank customer to enter data to access internet banking. Two questions need to be asked: is the data encrypted, and is this webpage secured? These questions may have different answers, and the answer to the second is often "no." The webpage is not secured (a secured page is denoted by a URL prefix of "https" and a golden padlock in the lower right of the screen for most browsers), and the banks do not use authentication technology to prove they are genuine. Without a secure page to begin with, the customer's actions are more susceptible to DNS spoofing, in which the user's web browser is fooled into going to the wrong website. There, confidential data may be entered and stolen.

Banks should examine their log-on methods and look for not only convenience, but security. Yes, the secured pages may take longer to load, but the security is worth it. Perhaps the log-on should be on a separate, HTTPS page? Decide what works for your bank, and do it correctly with peace of mind for everyone.
