[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87brk745ss.fsf@snark.piermont.com>
From: perry at piermont.com (Perry E. Metzger)
Subject: http://www.chase.com/ vulnerability
"James Patterson Wicks" <pwicks@...gen.com> writes:
> The Chase home page has been like this for over a year. I was a bit
> worried after the change, so I just bypassed it. If you feel more
> secure logging in on an SSL page, just do the following:
You can also just go to https://chaseonline.chase.com/ -- that's not
the point. The point is that at the very least, they're training their
users to follow a very dangerous behavior -- entering passwords into
forms downloaded via untrusted paths. They're even telling their users
this is absolutely riskless by putting a lock icon right on the front
page and having a FAQ that explains that your password is totally
protected so you have nothing to worry about -- which is, of course,
untrue since there is no guarantee that their front page has not been
tampered with.
> Since Chase changed this page over a year ago, I'm sure we would have
> heard something if the Chase site was being exploited.
First, I doubt we would have heard anything. Chase might not even
know, for one thing -- I doubt they investigate cases of password
theft very deeply. Second of all, even if it hasn't been exploited
yet, it is inviting trouble.
For years people scoffed when I'd say "the idea of .exe
archive/installer files is terrifying. Microsoft is training its users
to run programs sent in email, and some day they're going to reap the
whirlwind." Well, eventually, someone decided to exploit that
stupidity.
Some day, some gang is going to start ripping of customers of Chase,
American Express, Wells Fargo, and other companies that are
perpetuating this foolishness, and then everyone is going to be
absolutely shocked that it is happening. Of course, the trivial thing
to do would be to simply follow the example of other banks, like
Citibank, that force you to enter your password in only on an https:
protected page.
--
Perry E. Metzger perry@...rmont.com
Powered by blists - more mailing lists