Hacked Bank of India Site Labeled Trustworthy

SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."

Re:Banks: Please Stop Using ActiveX !

[Anonymous Coward]

The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products. So each year they produce many thousands of students who know of nothing but Windows, VB.NET, SQL Server, and ActiveX. When you only really know about one particular set of technologies, and virtually nothing about the alternatives, you'll usually make poor choices regarding which technologies to use. In the case of ActiveX, its use can easily lead to compromised systems and data.

Anti-phishing tools shouldn't be used to determine

[Glowing Fish]

Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
These tools might have picked up thousands of shoddily done, fly by night phishing scams. It doesn't reflect badly on them if one well done, sophisticated cracked server can fool them. There is still going to be errors. These tools allow people to discount the most obvious hacks, and use their time on the 1% of most dangerous hacks.

Re:Banks: Please Stop Using ActiveX !

[Shados]

Ironicaly, I went to a very Windows-heavy college (it did show unix, linux, intel assembly, and other non-MS centric stuff, but overall it was more than 50% windows), and they didn't show us ActiveX especially becuase of all its issues (and that was before .NET, too, back when ActiveX were sortoff relevent).

So not only those institutes may be Windows-only, but they're behind the time and pretty bad too. At least from what I read, not -all- of em are like that...

now if it were me...

[oblonski]

... I would implement the one-time password sent to mobile phone which is the method my internet banking site uses: you log in with card number, customer selcted pin and password

the login page also has BIG warnings: do not click on any links (relating to your banking or purporting to be) or give your banking details to anyone on the internet or in an e-mail since the bank or it's employees will never ask for it

then when you are on your profile page, before you can do any transaction at all, the site sends an SMS to your mobile with a one-time password only after entering this password are you allowed into your main account and can start banking i.e verifying your physical presence as well as being good security measure for online banking sessions

of course you need to set all this up with your bank beforehand, but with new financial regulations in south africa you go through a long process of verifying your identity and proof of address in person in a bank each year, so from the beginning this type of scheme has robust security

this has worked very well and i need to hear of an instance of it being circumvented other than criminals holding a gun to your head while you do your banking, which puts the whole thing in another category altogether

people who get scammed by clicking on links and falling for Nigerian type fund relocation schemes only has their own stupidity and greed to blame

only my 0.02

Re:Looks to me.....

[jimicus]

Maybe the malware it dishes out only affects Windows users. But if that part of the site has been compromised, what's to say there isn't also some surreptitious logging of user credentials going on?