Security The Internet

Hacked Bank of India Site Labeled Trustworthy

SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors. The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."

  • by mordors9 ( 665662 ) on Saturday September 01, 2007 @01:39PM (#20434655)
    That's the problem, how many consumers are sophisticated enough to even ask the right questions? They simply trust that their financial organization or any major web retailer has a secured site. Obviously there should be strict standards, but who is going to enforce it? What authority would the agency actually have? As I have said before, there is still a lot to be said for walking into your local bank and being helped by a clerk that you see every week that you can shoot the shit with as they handle your transaction.
  • by Gopal.V ( 532678 ) on Saturday September 01, 2007 @01:46PM (#20434693) Homepage Journal
    There are very few instances when I actually need to rdesktop in and use a Windows machine.

    One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work. For someone who uses FF, noscript and occasional peeks at firebug, it really pisses me off when I have to disable all my own security checks to enable a site to "secure" itself.

    This is just another instance where I'd have been hit if I had been a user of the said bank (and had to use IE to browse it).
  • Re:Whoopdeedoo (Score:5, Insightful)

    by garcia ( 6573 ) on Saturday September 01, 2007 @02:04PM (#20434793)
    As stated, when someone like Doubleclick, Akamai or some other cache serving company gets compromised, then I will worry about things more.

    For some unknown reason, I hoped that financial institutions would have more online security than Doubleclick or Akamai.
  • by ScrewMaster ( 602015 ) on Saturday September 01, 2007 @02:42PM (#20434981)
    "For someone who uses FF, noscript and occasional peeks at firebug,"

    Don't forget Privoxy.

    But yeah, the only thing I deliberately use Internet Exploiter for is Windowsupdate. Requiring an ActiveX control (ActiveX!) on a financial site is unacceptable, as is forcing visitors to use Explorer. Personally, I have the same setup you do, and the occasional site that requires Explorer doesn't get visited again. I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site.

    "One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work."

    That's insane. I mean, the bank is assuming that their own security is perfect and will never be cracked, which is not realistic. When you get right down to it, you'd think that banks (of all organizations) would require the use of a more secure medium. Nothing would please me more than to navigate to my bank's Web site in Explorer and see a message "We're sorry, but due to ongoing security issues with Microsoft Internet Explorer, this site requires the use of a more capable browser" and see links to Firefox, Opera and others. When I first signed up at my current bank, it was the exact opposite, but fortunately I could just change the browser ID and it worked fine, no ActiveX crap.
  • by Ash Vince ( 602485 ) on Saturday September 01, 2007 @02:47PM (#20435001) Journal

    "That's the problem, how many consumers are sophisticated enough to even ask the right questions."

    On a similar note, I just went to the Site Advisor page for Bank of India. (http://www.siteadvisor.com/sites/bankofindia.com)

    Especially amusing is the comment some moron has posted complaining about when Bank of India was getting a red rating. Basically he is saying how he used the site for three years and it must be a site advisor problem not a problem with the Bank of India website.

    How on earth do you come up with a technological solution that copes with people who, even when they get a warning saying that the site they are about to visit is dangerous, carry on and visit the site anyway? I know that he should now have learnt his lesson (assuming he visited the site and got all that crap installed on his PC) but there must be a lot more morons out there just like him.
