Thread: "Free WiFi" man-in-the-middle scam seen in the wild.

"Free WiFi" man-in-the-middle scam seen in the wild.
2007-01-23 08:24:30
For years, I've complained about banks, such as Chase, which let
people type in the password to their bank account into a page that has
been downloaded via http: instead of https:.
The banks always say "oh, that's no problem, because the password is
posted via https:", and I say "but that's only if the page comes from
*you*, and it might come from a bad guy."
"How would someone possibly send the user a faked up web page?" they
then ask. I reply like this: "the two obvious ways are DNS cache
contamination and doing a man-in-the-middle in the network, and the
latter is really easy now that people trust WiFi base stations in
strange places that they've never used before. You could just put a
tiny box near a cafe or airport lounge and siphon off passwords day
and night."
The bank people then tell me that I'm crazy. (They're usually more
polite than that, but that's the import of what they say.) I have a
great letter from a manager at Chase informing me that they've been
assured by fabulous security people that their system is safe.
Adding insult to injury, the banks put a little padlock GIF on their
insecure form, probably to reduce the number of phone calls they get
about it.
Well, guess what. It turns out that people are now deploying
man-in-the-middle WiFi devices in places like airports and siphoning
passwords for bank accounts.
Who would have thought of such a nefarious thing? Certainly this is a
new problem and one no one would have thought of before now...:
January 19, 2007 (Computerworld) -- The next time you're at an airport
looking for a wireless hot spot, and you see one called "Free Wi-Fi"
or a similar name, beware -- you may end up being victimized by the
latest hot-spot scam hitting airports across the country.
You could end up being the target of a "man in the middle" attack, in
which a hacker is able to steal the information you send over the
Internet, including usernames and passwords. And you could also have
your files and identity stolen,[...]
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008399&source=NLT_NET&nlid=27
(Incidentally, the article gets a few things wrong. It somewhat implies
that you are safe if you pick a WiFi network you have a previous
relationship with, which isn't true.)
Just to pick on my favorite exemplar of how not to do things for a
moment, go over to:
http://www.chase.com/
and ponder how it could be that a giant multinational financial
institution could set its customers up this way.
If you go over to, say, www.fidelity.com, you will find that you can't
even get to the http: version of the page any more -- you are always
redirected to the https: version. For the record, Fidelity has gotten
this right for as long as I've been watching them.
Now you might wonder, why do I keep picking on Chase?
A certain other security person and I had an extended argument with
the folks at another company I won't name other than to say that it was
American Express. At the time, they more or less said, "yah, this is a
problem, but fixing it is going to be a pain." However, I'll note that
now, as with Fidelity, you pretty much can't go onto their web site
without using https: -- kudos to Amex.
Indeed, though this was all a major problem a couple of years ago with
many banks, many have now fixed it. However, for a select few, like,
say, Chase, the message simply isn't getting through even though these
organizations have been repeatedly informed that they are leaving
their customers vulnerable. One wonders what level of trouble they're
going to have to get into before they actually do the right thing.
Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

Re: "Free WiFi" man-in-the-middle scam seen in the wild.
2007-01-23 08:44:27
Quoting "Perry E. Metzger":
> Now you might wonder, why do I keep picking on Chase?
>
> A certain other security person and I had an extended argument with
> the folks at another company I won't name other than to say that it was
> American Express. At the time, they more or less said, "yah, this is a
> problem, but fixing it is going to be a pain." However, I'll note that
> now, as with Fidelity, you pretty much can't go onto their web site
> without using https: -- kudos to Amex.
>
> Indeed, though this was all a major problem a couple of years ago with
> many banks, many have now fixed it. However, for a select few, like,
> say, Chase, the message simply isn't getting through even though these
> organizations have been repeatedly informed that they are leaving
> their customers vulnerable. One wonders what level of trouble they're
> going to have to get into before they actually do the right thing.
I'll just point out that you CAN go to:
https://chaseonline.chase.com/
And that works, and should be secure. No, it's not the same as
typing "chase" into your browser and having the right thing happen,
but honestly this is what browser caches are for. (When I type "chase"
into my browser bar it autocompletes to the above URL).
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available

Re: "Free WiFi" man-in-the-middle scam seen in the wild.
2007-01-23 09:06:12
On Tue, January 23, 2007 09:24, Perry E. Metzger wrote:
> (Incidently, the article gets a few things wrong. It somewhat implies
> that you are safe if you pick a WiFi network you have a previous
> relationship with, which isn't true.)
It also is only warning against ad-hoc connections with misleading names.
While I see a bunch of these around (not necessarily in airports,
either... several show up from my cube at work), it doesn't take much to
put up a perfectly normal-looking access point. See
http://www.ethicalhacker.net/content/view/66/24/ for examples.
--
Roy M. Silvernail is roy@rant-central.com, and you're not
"Antelope Freeway, one sixty-fourth of a mile." - TFT
http://www.rant-central.com

Re: "Free WiFi" man-in-the-middle scam seen in the wild.
2007-01-23 09:34:57
Derek Atkins writes:
> I'll just point out that you CAN go to:
>
> https://chaseonline.chase.com/
>
> And that works, and should be secure.
And for the six people that know to do that, it works great.
It used to be that Verizon (my local phone company, sadly) had this
general problem but you could click on "log in" and it would direct
you to a secure page with a little error message and you could then
enter your username and password. They've since "fixed" that so it is
no longer possible to log in safely to their web site at all.
Perry

Re: "Free WiFi" man-in-the-middle scam seen in the wild.
2007-01-23 09:00:11
Hi,
Perry E. Metzger wrote:
> For years, I've complained about banks, such as Chase, which let
> people type in the password to their bank account into a page that has
> been downloaded via http: instead of https:.
>
> The banks always say "oh, that's no problem, because the password is
> posted via https:", and I say "but that's only if the page comes from
> *you*, and it might come from a bad guy."
A German bank had the same problem. After some discussions without
positive results I wrote an article about SSL problems for a large
German IT magazine and described their situation. A short time after
they changed the login page to https.
Matthias
--
Matthias Bruestle, Managing Director
Phone +49 (0) 91 19 55 14 91, Fax +49 (0) 91 19 55 14 97
MaskTech GmbH, Nordostpark 16, 90411 Nuernberg, Germany

Re: "Free WiFi" man-in-the-middle scam seen in the wild.
2007-01-27 06:27:59
* Perry E. Metzger:
> If you go over to, say, www.fidelity.com, you will find that you can't
> even get to the http: version of the page any more -- you are always
> redirected to the https: version.
Of course, this only helps if users visit the site using bookmarks
that were created after the switch. If they enter "fidelity.com" (or
even just "fidelity") into their browsers to access it, the switch to
HTTPS won't help at all. Perhaps this explains why someone might
think that serving the login page over HTTPS is just security theater.
In the same "we use HTTPS and are still vulnerable to MITM
attacks" department, there's the really old issue of authenticating
cookies which are not restricted to HTTPS, but will be happily sent
over HTTP as well. *sigh*
Apart from that, the article you linked to does not even mention
actual attacks with an identity theft motive. What's worse, the
suggested countermeasures don't protect you at all. Ad-hoc networks
are insecure, and those with an access point are secure?
Yeah, right.
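As an added example (not code from the thread or from any of the posters), here is a small Python check for the two weaknesses raised in Perry's opening post and in the reply above: a login form delivered over http: no matter where it posts, and a session cookie set without the Secure attribute, which the browser will also send on plain http: requests. The sample responses and the host example.test are constructed.

```python
# Added example (not from the thread); example.test and all responses are constructed.
import re

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def audit_login_response(scheme, raw):
    """Return a list of findings for a response fetched over `scheme`; [] means clean."""
    status, headers, body = parse_response(raw)
    findings = []
    has_password = re.search(r'<input[^>]*type=["\']?password', body, re.I)
    if scheme == "http":
        if status in (301, 302, 303, 307, 308):
            location = next((v for n, v in headers if n == "location"), "")
            if not location.lower().startswith("https://"):
                findings.append("http request not redirected to https")
        elif has_password:
            # The page itself travelled in the clear, so anyone on the path can rewrite
            # the form; whether it posts to http: or https: makes no difference.
            findings.append("login form delivered over plain http")
    for v in (val for n, val in headers if n == "set-cookie"):
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to http: requests.
            findings.append(f"cookie {name} lacks the Secure attribute")
    return findings

# Constructed responses for a hypothetical bank host.
WEAK_LOGIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              '<form action="https://example.test/login" method="post">'
              '<input type="password" name="pw"></form>')
GOOD_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
WEAK_COOKIE = "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/\r\n\r\n"
GOOD_COOKIE = "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n"

if __name__ == "__main__":
    for scheme, raw in [("http", WEAK_LOGIN), ("http", GOOD_REDIRECT),
                        ("https", WEAK_COOKIE), ("https", GOOD_COOKIE)]:
        print(scheme, audit_login_response(scheme, raw) or ["ok"])
```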