Hacked Bank of India Site Labeled Trustworthy 54
SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."
Re:Banks: Please Stop Using ActiveX ! (Score:5, Interesting)
Anti-phishing tools shouldn't be used to determine (Score:5, Interesting)
These tools might have picked up thousands of shoddily done, fly by night phishing scams. It doesn't reflect badly on them if one well done, sophisticated cracked server can fool them. There is still going to be errors. These tools allow people to discount the most obvious hacks, and use their time on the 1% of most dangerous hacks.
Re:Banks: Please Stop Using ActiveX ! (Score:3, Interesting)
So not only those institutes may be Windows-only, but they're behind the time and pretty bad too. At least from what I read, not -all- of em are like that...
now if it were me... (Score:2, Interesting)
the login page also has BIG warnings: do not click on any links (relating to your banking or purporting to be) or give your banking details to anyone on the internet or in an e-mail since the bank or it's employees will never ask for it
then when you are on your profile page, before you can do any transaction at all, the site sends an SMS to your mobile with a one-time password only after entering this password are you allowed into your main account and can start banking i.e verifying your physical presence as well as being good security measure for online banking sessions
of course you need to set all this up with your bank beforehand, but with new financial regulations in south africa you go through a long process of verifying your identity and proof of address in person in a bank each year, so from the beginning this type of scheme has robust security
this has worked very well and i need to hear of an instance of it being circumvented other than criminals holding a gun to your head while you do your banking, which puts the whole thing in another category altogether
people who get scammed by clicking on links and falling for Nigerian type fund relocation schemes only has their own stupidity and greed to blame
only my 0.02
Re:Looks to me..... (Score:3, Interesting)