Comments: Threatwatch: MITB spotted: MITM over SSL from within the browser

Yes, this is a hot topic in Holland now.

The bank claims that there were only 200 people who reacted to the email and only 10 victims (10K euro or more).

Posted by Teus at April 2, 2007 05:20 PM

My whole financial life I've maintained my accounts running at ABN-AMRO and I've never, never, never received any e-mail from them. To put it even stronger, I believe (?) no Dutch bank will communicate with its customer by e-mail. But I do receive a lot of information, advertising, invitations etc by (snail) mail.

Forever I've advised everybody in my family to never, ever open an e-mail coming from a Dutch bank, however serious it looks.

If you do internet banking with a Dutch bank, and for the ABN-AMRO I know this from my own experience, all electronic communication is done by a message "area" visible when you access your account on-line.

What puzzles me is that I can't recall that any Dutch bank communicates that they will not use e-mail ...

Posted by TTTT at April 3, 2007 08:47 AM

I would add: as far as I have seen I did not see a message that the attack was a middle man attack and essentially the way the ABN-AMRO bank is using their security measurement (token and chip card usage) has a problem...

Thing is that the explanation of the problem is easy and understandable by most persons.

Posted by Teus at April 3, 2007 08:47 AM

I'm confused - is the browser being affected or some network element like the hosts file?

And is the SSL cert for the bank shown, or is it a valid SSL cert for a fake site?

I have looked at viruslist, etc, but can't find too many details.

Posted by Nick at April 3, 2007 05:24 PM

> Further, nobody has any hope that EV changes anything. Firstly, it is
> very confusing, too small, rare, and ultimately spoofable. So people
> are looking to Mozilla to see whether it will break away and start
> working on the far stronger user-bank relationship, directly, a.k.a
> Petnames and Zooko's Triangle and all that.
>
> Maybe. As Gervase does not tire of pointing out, users won't do that.

There has been at least one study showing that users won't use some kinds of "anti-phishing toolbar".

http://www.emergentchaos.com/archives/2007/02/why_johnny_cant_bank_safe.html

I still hold out hope that they will use Ping Yee's and Tyler Close's inventions, since those are designed from the start to be easier to use than the current browser is.

Regards,

Zooko

Posted by Zooko at April 4, 2007 06:02 PM

Boarding Pass Hacker Targets Bank of America
http://it.slashdot.org/it/07/04/12/1444204.shtml

slight paranoia: A Deceit-Augmented Man In The Middle
Attack Against Bank of America's SiteKey Service
http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html

from above:

Whereas a normal man-in-the-middle attack identically replicates the attacked site, a deceit-augmented man-in-the-middle attack may present the user with a slightly different user interface than the regular interface. Man in the middle (MiTM) attacks are not a new threat - they have been known about for a number of years, and phishers have already used them to target Citibank and other online banks.

... snip ...

and past reference:
http://www.garlic.com/~lynn/2007d.html#26 Securing financial transactions a high priority for 2007

Posted by Lynn Wheeler at April 12, 2007 12:17 PM