Hacked Bank of India Site Labeled Trustworthy 54

Posted by kdawson
from the punching-a-hole-in-the-web-of-trust dept.
SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors. The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."
This discussion has been archived. No new comments can be posted.

  • by mordors9 (665662) on Saturday September 01, 2007 @12:39PM (#20434655)
    That's the problem, how many consumers are sophisticated enough to even ask the right questions. They simply trust that their financial organization or any major web retailer has a secured site. Obviously there should be strict standards, but who is going to enforce it? What authority would the agency actually have? As I have said before, there is still a lot to be said for walking into your local bank and being helped by a clerk that you see every week that you can shoot the shit with as they handle your transaction.
    • by Ash Vince (602485) on Saturday September 01, 2007 @01:47PM (#20435001) Journal

      That's the problem, how many consumers are sophisticated enough to even ask the right questions.
      On a similar note I just went to the Site Advisor page for Bank of India. (http://www.siteadvisor.com/sites/bankofindia.com)

      Especially amusing is the comment some moron has posted complaining about when Bank of India was getting a red rating. Basically he is saying how he used the site for three years and it must be a site advisor problem not a problem with the Bank of India website.

      How on earth do you come up with a technological solution that copes with people who, even when they get a warning saying that the site they are about to visit is dangerous, carry on and visit the site anyway? I know that he should now have learnt his lesson (assuming he visited the site and got all that crap installed on his PC) but there must be a lot more morons out there just like him.
      • by allanw (842185)
        Check the posting date of that comment:

        Posted at 12/23/2006-02:16:06 PM by Mehli B Mulla, Reviewer , View profile [ Reputation score: 1 / 9 ]
    • It is true that you can do your part to lessen the risk by going into your local branch to complete transactions; however, once you have completed your transaction the bank stores that information electronically and it then becomes subject to attack.
  • by Gopal.V (532678) on Saturday September 01, 2007 @12:46PM (#20434693) Homepage Journal
    There are very few instances when I actually need to rdesktop in and use a Windows machine.

    One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work. For someone who uses FF, noscript and occasional peeks at firebug, it really pisses me off when I have to disable all my own security checks to enable a site to "secure" itself.

    This is just another instance where I'd have been hit if I had been a user of the said bank (and had to use IE to browse it).
    • by Anonymous Coward on Saturday September 01, 2007 @01:10PM (#20434821)
      The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products. So each year they produce many thousands of students who know of nothing but Windows, VB.NET, SQL Server, and ActiveX. When you only really know about one particular set of technologies, and virtually nothing about the alternatives, you'll usually make poor choices regarding which technologies to use. In the case of ActiveX, its use can easily lead to compromised systems and data.

      • Re: (Score:3, Interesting)

        by Shados (741919)
        Ironically, I went to a very Windows-heavy college (it did show unix, linux, intel assembly, and other non-MS centric stuff, but overall it was more than 50% windows), and they didn't show us ActiveX especially because of all its issues (and that was before .NET, too, back when ActiveX were sort of relevant).

        So not only those institutes may be Windows-only, but they're behind the time and pretty bad too. At least from what I read, not -all- of em are like that...
      • by b1ufox (987621)
        You can't teach ability to choose a different solution. That said, nobody taught me kernel programming, rather discouraged me, but still I work as a kernel developer full time. That said, teaching is not the problem, mindset is.
      • Re: (Score:1, Troll)

        by ScrewMaster (602015)
        The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products.

        Good.
        • by Mathinker (909784)
          Sorry, didn't quite understand that reply, especially considering your other posts....

          You're just happy that the use of ActiveX isn't dogma of major Indian religions?
          You're glad you won't have to compete in the job market against outsourcing to Indian Linux/BSD gurus?
          • I perceive Indian tech workers as competing in the same job market that I do, and if they deliberately choose to use second-rate development tools that's fine by me. Not picking on Indians per se: it's just that I'm always happy to see my competition make potentially poor decisions.
    • by ScrewMaster (602015) on Saturday September 01, 2007 @01:42PM (#20434981)
      For someone who uses FF, noscript and occasional peeks at firebug,

      Don't forget Privoxy.

      But yeah, the only thing I deliberately use Internet Exploiter for is Windowsupdate. Requiring an ActiveX control (ActiveX!) on a financial site is unacceptable, as is forcing visitors to use Explorer. Personally, I have the same setup you do, and the occasional site that requires Explorer doesn't get visited again. I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site.

      One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work.

      That's insane. I mean, the bank is assuming that their own security is perfect and will never be cracked, which is not realistic. When you get right down to it, you'd think that banks (of all organizations) would require the use of a more secure medium. Nothing would please me more than to navigate to my bank's Web site in Explorer and see a message "We're sorry, but due to ongoing security issues with Microsoft Internet Explorer, this site requires the use of a more capable browser" and see links to Firefox, Opera and others. When I first signed up at my current bank, it was the exact opposite, but fortunately I could just change the browser ID and it worked fine, no ActiveX crap.
      • I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site

        I can personally vouch that the following financial institutions support Firefox, and I did not have to chew anyone's ears or fiddle with agent strings. Vanguard, Schwab, Dollar Bank, Citizens Bank, Smith Barney, Fidelity, MFS, Ameritrade, NDB (might be defunct now). And if a financial institution does not support FireFox, it does not get my busi

      • Here in Korea (I'm no longer in_philly), most of the financial sites and numerous government sites such as Korea Post [koreapost.co.kr], use "obscure 'security' extension" ActiveX controls. But in Korea it has to do with Korea's adoption of the SEED cipher back in the 90s [kanai.net], and the inability to get 128-bit encryption from the Americans until 1999. Needless to say, it is a significant concern for me (an expat) as well as for regular Koreans. For my own part, I try to avoid such sites and do as much banking as possible in the U
        • Yes, I remember reading a couple of articles about that here on Slashdot. I hadn't realized that Koreans are sufficiently upset about it that they're taking on their own government. Hopefully that will result in some positive changes.
  • ... seem to be nothing but trouble. Does anyone know of a legitimate use for them (especially cross-server) that could not be done with a bit of easy server-side including? On a related note, does anyone know of a firefox addon that can warn you if any page you visit contains an iframe tag?
    • Re:iframes... (Score:4, Informative)

      by ubernostrum (219442) on Saturday September 01, 2007 @01:30PM (#20434911) Homepage

      They're useful for doing in-place file uploads without refreshing the page (e.g., in a web app like Gmail where you'd want to add an attachment to a message), because that's the only way to do that.

    • by vux984 (928602)
      Does anyone know of a legitimate use for them (especially cross-server) that could not be done with a bit of easy server-side including?

      They are efficient; they let you change the content of part of your page without reloading the whole thing. I use them frequently with venture capital company websites to display slightly delayed stock charts and share price information for example. They can update themselves every couple minutes without reloading the whole page.

      Additionally, because the chart and share info
    • by Ant P. (974313)
      You could try sticking something in the user CSS to make iframes stand out. Not too hard to force them all to have a big red border.
      • Would it then require some hack to make sure that the inline style doesn't override any stylesheets you've created? The iframe used on bankofindia.com had "style='visibility:hidden;'". Unless I'm mistaken, even if you had custom stylesheets applied to every page you visit the inline CSS would still rule... right?
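The hidden-iframe case discussed in this thread, as an added example that is not part of any comment or of the original page: a Python audit that a site owner or scanner could run over fetched HTML to flag iframes hidden by inline style, sized to nothing, or loaded from another host. The host names and sample markup are constructed, and `audit_iframes` is a hypothetical helper name.

```python
# Added example: flag iframes a visitor would never see. Sample markup is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_CSS = re.compile(
    r"(visibility\s*:\s*hidden|display\s*:\s*none"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$))",
    re.IGNORECASE,
)

class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for every iframe that looks hidden or off-site."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("hidden-by-inline-style")
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Assumption: page_host is the site's own domain; subdomains count as same-site.
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("cross-site-src")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def audit_iframes(html, page_host):
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings

SAMPLE = """
<iframe src="/rates/chart.html" width="400" height="300"></iframe>
<iframe src='http://injected.example.net/x' style='visibility:hidden;'></iframe>
<IFRAME SRC="http://cdn.bank.example/widget" WIDTH=0 HEIGHT=0></IFRAME>
"""

if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE, "bank.example"):
        print(src, reasons)
```

For the user-stylesheet approach, the CSS cascade ranks user declarations marked `!important` above author declarations, inline ones included.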
  • by Anonymous Coward
    hacked site labels YOU trustworthy.
  • by Glowing Fish (155236) on Saturday September 01, 2007 @01:38PM (#20434957) Homepage
    Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
    These tools might have picked up thousands of shoddily done, fly by night phishing scams. It doesn't reflect badly on them if one well done, sophisticated cracked server can fool them. There are still going to be errors. These tools allow people to discount the most obvious hacks, and use their time on the 1% of most dangerous hacks.
  • ..like it only affects Windows users.
    • Re: (Score:3, Interesting)

      by jimicus (737525)
      Maybe the malware it dishes out only affects Windows users. But if that part of the site has been compromised, what's to say there isn't also some surreptitious logging of user credentials going on?
  • now if it were me... (Score:2, Interesting)

    by oblonski (1077335)
    ... I would implement the one-time password sent to mobile phone which is the method my internet banking site uses: you log in with card number, customer selected pin and password

    the login page also has BIG warnings: do not click on any links (relating to your banking or purporting to be) or give your banking details to anyone on the internet or in an e-mail since the bank or its employees will never ask for it

    then when you are on your profile page, before you can do any transaction at all, the s
    • by mlts (1038732) * on Saturday September 01, 2007 @02:26PM (#20435183)
      Banks, especially in the US, need a system like above for authentication, where it's not just a single username and password protecting someone's accounts from total destruction. Some banks now use a system where you type in your username, it asks one of several personal questions, then your password, but that doesn't protect much against a keylogger, as an attacker can keep trying the questions until he/she finds the one that gets presented with an answer in the keysniffer's output.

      PayPal, eBay, and Verisign offer a rebranded Vasco keyfob that one can use. Enter in username, tab to the password field, enter in your password, then append the six digit number from the Digipass Go 3 (the OEM name), and you are in. Though this is not as well engineered as a SecurID system, it still forces a would-be thief to have physical custody of the keyfob and the password to the account.

      Some European banks use a system similar to the age-old one time password system found in BSD (S/Key or OPIE). You obtain a list of one time passwords on a piece of paper that you scratch off in the mail, and every time you log in, you scratch off the next one on the list. This can be attacked (there are some targeted phishing attacks to try to get users to type in multiple lines off the OTP paper), but it keeps a compromised user PC from becoming an entry point for an attacker.

      Lastly, there are always Aladdin eTokens that store a private client certificate. This is one of the more secure ways, because there are zero passwords used. The server asks the client (any web browser pretty much) for a certificate similar to how a SSL enabled web browser asks the web server for its cert, the web browser passes the signing request to the eToken, the eToken signs it on the physical card (the private key never leaves the eToken), and the server checks the validated cert against the user list and lets the user in. For academic places (universities), this is one of the absolute best ways to do things.

      All and all, probably the best solution would likely be a hybrid system, similar to an eToken NG-OTP keyfob, that allows a user to plug the token in and use it online with client certificates, or offline, typing the six digit number off the LCD screen.

      Disclaimer: I don't work for Aladdin, RSA, or Vasco, but like their products.
      • Interestingly enough, when I created an HSBC direct savings account a couple months ago, it asked for two passwords. One I would type in after my user name. The other I had to click in using my mouse on a virtual keyboard on their website.

        I have to do this every single time I want to access my account online. The second password sounds like it should be resistant to the average keylogger.
        • by mlts (1038732) *
          I thought a virtual keyboard would be the thing too, until I read on the anti-malware lists that almost all modern keyloggers also take compressed screenshots of when and where you click your mouse. Maybe a virtual keyboard that would work with mouseovers (hover the mouse for a couple seconds above each key) would be the ticket, as that would require FRAPS-like video monitoring by spyware (which would be a noticeable bandwidth hit), and did not generate keypresses, but sent the mouseovers directly to the se
  • How aggressive should systems be about downgrading ratings for web sites? We've been struggling with this for SiteTruth. [sitetruth.com] In addition to SiteTruth's main function, checking business identity, we have some basic phishing checks. We download the PhishTank database every few hours. PhishTank has lists of bad URLs, but now that the smarter phishing sites change URL and even subdomain in each spam e-mail, blocking by URL is no longer effective. So we now flag the entire base domain.

    This can have broad effe

  • Siteadvisor says the site has been fixed and it is giving a green tag for it now.
  • Could someone please tell me about this bank? I had not heard of it until now. Is it really a bank? What would be the estimated customer base?
