Should I use internet banking or SSL weaknesses

My family and friends are pushing me to get a online banking account.

Like most "security expert wannabes" I decided to go read about the security features in place. Like most banks it uses 128 bit encryption SSL.

I've read up on SSL and I see the concept is similar to PGP or a mixture of public and private key encryption (except that there is no client authethication beyond a password), so it should be quite secure. Still I have some querries.

The server side (bank) sends a public certificate (and key) to
certify it's public key. But how does the user / browser know if this is the correct public key?

I have seen users log on, and the process is compeltely transparent so am I right to guess, that IE itself has a list of trusted CAs (certifying authorthy) which are set by default under "content-->certificates" and it is those authorithies that allow us to trust the public certificates sent by the bank?

But I wonder isn't this a weakness? But what if an attacker or someone with access to my computer changed the settings to allow a bogus CA to certify bogus cerificates.

This way the attacker could carry out man in the middle attacks, and as a plus side sent public certificates that would not trigger warnings because the bogus CA installed on your computer would trust the fake certificates.

Is there someway to check if the default CAs installed on your browser, are those that are supposed to be there?I see a long list and I have no idea if they are supposed to be there. Is there a verified list (or three) somewhere? Or someway to lock it so no one else can change it?

Last year a hacker broken into several accounts of the bank in question and left the country with hundreds of thosundands of dollars. Unfortunately no details were released except that bank security was not breeched, which implied the fault was on the user side.

It could be something as simple as a keylogger. The sad thing is unlike many banks where the password varies depending on some unknown algothrim, here the password is static, so once the attacker managed to log your password, he could reuse it as often as needed.

Of course, confidence was hit after this attack, the banks solution? Hook up with some antivirus and made a discounted offer for it's customers to sell those antivirus (with firewalls attached) .

Bah. You really think that helps? What we need is more information and education, not quick fixes like antiviruses and firewalls.Based on Ancedotal experience , I know most users have duitifully bought the antivirus/firewall package (it's a bargain) , but after a short while decided that it was too much a hassle to use the firewall, figuring the antivirus was sufficent.

Sigh...

 

Yes, that's exactly right.

If someone else has access to your computer at all, you have already lost. Never mind CAs - keyloggers and local connection-sniffers would be just as much of a threat.

Any executable code you run locally can completely compromise anything you do. When you run any program, you are implicitly trusting it not to steal your money. If you can't trust it not to do that, don't run it.

Only by going to a known-good setup, making a list of all CAs and their certificate fingerprints, and then comparing that with your current set.

I don't know of a site which lists this information. There should be one really.

No, I don't. An AV tool can only catch malicious code its makers have seen before. Against a custom trojan they would be no help at all.

The only proper solution would be an operating system that by default ran programs in a sandbox with no rights at all. To read or write to a file, make a network connection, or hook into other programs, the software would have to ask for permission. A bit like the way a personal firewall works, but protecting all parts of the OS, not just the network.

I doubt this'll ever happen in a mainstream OS though.

Still... people complain about Internet security, but the fact of the matter is that non-Internet security is hopeless too. The credit card-based, phone-based and signature-based payment systems we all rely on are fundamentally insecure by design. The Internet does not change that.

--
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/

 

How about a mainstream firewall?


I've played around with such things (tiny trojan trap is one) , it's kind of like a firewall but multipy the confusion x10, as this time instead of just deciding which applications to connect to the net, you got to decide which processes are even allowed to run and if so what type of rights they have...

Very scary...Beyond me In the end I ended up putting everything in the unrestricted category. By comparison firewalls are easy..(well not really but you know what I mean)

Thanks for your thoughts.

- Removed an extra closing "quote" tag, which was causing format errors below - LWM

 

Something else you should be aware of when using online banking is that at least Bank of America uses web bugs from doubleclick on it's online banking pages. On pages when you are logged into your account with all of your personal info being displayed. Other banks may use bugs as well.

Read more here .

 

I hardly pay my bills offline. Trust no 1. Be secure.

^Ari^

 

While I agree there are dangers. No more so than banking with a teller, using the US Postal Service - maybe less.

Last I heard not one targeted bank account....not one single account has ever been compromised through hacking.

Interception of data that includes credit card numbers, that kind of thing happens. But, again, that happens at WalMart too.

As for the trust issue raised, if you have a bank account at all Krusty, you have placed your trust in a LOT of people. Making transactions online with SSL does not take any more trust than traditional banking methods. Not with the current record, which is as good as it can get.

Also, remember, even if you DON'T bank online -- if you have a bank account -- you're no less secure from a hacker getting into bank accounts if that were to ever happen. The fact you bank online would be of no consequence.

Just a thought.

John
Luv2BSecure