In my last entry, I said that some of the biggest names in banking were guilty of teaching their customers that it was not necessary to check for the lock icon in the browser before they typed in their account names and passwords. Let's look at some specifics.
As of this writing, Washington Mutual, Bank of America, Bank of the West, and Chase Bank all accept name/password login from their home page, a page which is not protected by SSL. (I just picked those at random; the problem is more pervasive: see http://www.cs.biu.ac.il/~herzbea/Shame.html for more information.) So does AOL. Yahoo does use SSL, but only at the moment you click the submit button; the page holding the form is not itself served over SSL. Submitting over SSL from a page that arrived in the clear gives the user nothing to check before typing, and a tampered copy of that cleartext page could just as easily point the form somewhere else. MSN sends passwords in the clear unless you click on the link titled "Sign in using enhanced security". And when I did that, I got certificate errors because they botched the SSL configuration.
Beyond the bad security practices, Washington Mutual's help page says
Non-secure Web pages. Clever thieves can build a fake Web site that looks nearly identical to an authentic one. They can even alter the URL (the Web address) that appears in your browser window. Watch out for non-secure Web pages that ask for sensitive information (secure sites will typically display a lock in the status bar at the bottom of your browser window).
And yet their site does exactly the reverse. It asks for customer names and passwords without a lock! This is a great example of a real web site acting like a phishing site.
Speaking of locks, many of these financial institutions work hard to break the user's mental model of security. They actually put an icon of a padlock in the HTML next to the login fields! But since anyone can put a lock icon into HTML, it adds nothing but the illusion of security.
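The checks described above (is the page itself served over SSL, does each password form post over SSL, and is a padlock drawn in the HTML standing in for a real one) can be run mechanically against a page's HTML. The following is an added example written for this post, not code from the original entry or from any of the banks named; the URLs and the HTML pages it inspects are constructed for illustration and do not come from any real site.

```python
"""Audit a login page for the conditions discussed above: is the page
served over SSL, does each form containing a password field post over
SSL, and does the HTML carry a decorative padlock image that proves
nothing? Added example, not code from the original post. No network
access is needed: the page HTML is passed in directly."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> with its resolved action URL and whether it
    holds an <input type="password">; also note <img> tags whose src or
    alt text mentions a lock."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # dicts: {"action": url, "has_password": bool}
        self.lock_images = []    # src of images that look like a padlock
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "post back to this page".
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current["has_password"] = True
        elif tag == "img":
            blob = ((a.get("src") or "") + " " + (a.get("alt") or "")).lower()
            if "lock" in blob:
                self.lock_images.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (strings). An empty list means the page
    and every password form on it use https."""
    findings = []
    page_https = urlsplit(page_url).scheme == "https"
    if not page_https:
        findings.append("page served without SSL: %s" % page_url)

    scanner = _FormScanner(page_url)
    scanner.feed(html)

    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_https = urlsplit(form["action"]).scheme == "https"
        if not action_https:
            findings.append("password form posts in the clear to %s"
                            % form["action"])
        elif not page_https:
            # The browser will encrypt the POST, but the user saw no lock
            # before typing, and a modified copy of this cleartext page
            # could point the form anywhere.
            findings.append("password form posts over SSL to %s, but from a "
                            "cleartext page (not user-verifiable)"
                            % form["action"])

    if scanner.lock_images and not page_https:
        findings.append("padlock image in HTML (%s) on a page without SSL: "
                        "decorative only" % ", ".join(scanner.lock_images))
    return findings


# Constructed sample pages for illustration; not any real site's HTML.
CLEARTEXT_LOGIN = """<html><body>
<img src="/images/padlock.gif" alt="Secure login">
<form action="/auth/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

SSL_POST_FROM_CLEARTEXT = """<html><body>
<form action="https://login.example.com/submit" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

ALL_SSL = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in [("http://www.example.com/", CLEARTEXT_LOGIN),
                      ("http://www.example.com/", SSL_POST_FROM_CLEARTEXT),
                      ("https://www.example.com/", ALL_SSL)]:
        print(url, audit_login_page(url, page) or ["ok"])
```

The middle case is the one that fools people: the form does post over SSL, so a packet capture shows an encrypted login, yet nothing the user can see before typing distinguishes the real page from a copy. Only the third case, where the page itself arrives over SSL, gives the user something to verify.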
I'm not the first to notice that banks have undone the user education that we promoted so heavily. From http://www.antiphishing.org/Phishing-dhs-report.pdf
Financial institutions have widely deviated from the guidelines they have disseminated for distinguishing phishing messages from legitimate communications, undermining the educational messages they have distributed. In particular, many financial institutions use unexpected domain names similar to the names a phisher would use, do not use SSL in a user-verifiable way on a login page, include clickable links in email communications, and so on.
Not all of the major sites do it wrong. Wells Fargo does it better than any other site I could find. Their entire site is protected by SSL. That's exactly the right approach to reduce the chances that people are fooled by phishing scams. There are no edge cases. Even their pages which offer generic information, like the ATM locator pages, are protected with SSL. The rule is simple: if you don't see the lock icon on every page, you are not on the Wells Fargo web site. Bravo!
Other sites that serve their login page over SSL include the Gap and eBay. So there are sites that understand the issue, but I'm starting to conclude that they are in the minority.
Next time: Poor excuses for not using SSL.