Results 1 to 6 of 6

Thread: Is my bank login going out encrypted?

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    3

    Is my bank login going out encrypted?

    Hi Folks,

    I'm responsible for Emergency Management in our organization. I used to be in the computer industry so am familiar with lots of "stuff" but in internet security I'm pretty new. Unfortunately, I know more about it than any of my co-workers and they're asking questions about traveling overseas, wireless access and security.

    I've begun reading all the newbies items here and can tell this is going to be a great resource but I have an immediate need I'm hoping someone will have a suggestion or two for.

    The immediate problem is some of our guys want to do online banking while they're traveling and use free wireless access points when they can. I went to the login page on our bank site (which is the splash page), looked in the address bar and noticed it said http: instead of https:. To me, this means the login name and password is going out unencrypted.

    I called the bank and the person I spoke to said that the login part of the page was encrypted though the rest of the page wasn't. Actually, she said the name wasn't but the password was encrypted. If what I read is correct, this is possible but I'm a little suspicious and would like to prove it to myself because a lot of guys are overseas using whatever access points for their banking with little or no knowledge of the dangers (cringe).

    So, my questions are:
    -Can I test this on my home computer by doing something like "sniffing" what goes to my wireless router when I hit enter on the login page? What software would I use for that?
    -Maybe I'm on the wrong track and should try to determine this a different way like looking at the source code on the page?

    Sorry for such newb questions, but I'm not to proud to ask those who have been there, done that and got the t-shirt. Thanks in advance for your wisdom. This just evolved into my lap and I've got folks in 28 countries and I'm all 'a sudden pretty worried.

    PapaDerf

  2. #2
    Better yet, could you link us to the login page in question?

    Before even looking into that, I'd be concerned with another area of security -- namely the laptops themselves. How confident are you in the laptop's level of security and the user's competence to not do something to negate the security? Your laptop might be a sitting duck on an unsecured network if it's not properly secured. And if your users have made any mistakes that have resulted in spyware (especially keyloggers) being installed, you're screwed regardless of any encryption a login page might have.

    So I'd say that'd be your first concern...If that's all checked off, then definitely look into the encryption question.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    What about the simple things like loosing or getting it stolen?
    You don't want to end up on the next head line, "company looses a few thousand customers' details".

    -Can I test this on my home computer by doing something like "sniffing" what goes to my wireless router when I hit enter on the login page? What software would I use for that?
    Wired or wireless doesn't matter, if you want to see what your machine is sending/receiving check out wireshark.
    That's the best "sniffer" money can buy (it's free )

    -Maybe I'm on the wrong track and should try to determine this a different way like looking at the source code on the page?
    You could. The login/password are usually input using <form .. > tags. Look for input elements. Things like firebug are quite helpful too.
    In the form tag you'll usually find the url where it will get posted too.
    http://www.w3.org/TR/html4/interact/forms.html

    By doing both, sniffing and looking at the source, you'll probably be able to make out how and where this info gets send to.


    Edit: WTF? Damn forum software is replacing www(dot)get into ******** the url is www(dot)getfirebug.com
    Last edited by SirDice; December 18th, 2007 at 08:38 PM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    3
    AngelicKnight and SirDice, what you are both saying first off is very true, I don't think most of them are aware of the basic things they need to do to secure their computer. I'd be willing to bet half of them don't use firewalls or antivirus. In fact SirDice, one of our people just had a laptop stolen from beside his foot in South America. In the briefcase was his laptop, PDA, cell phone passport - everything in one place Etc... Needless to say, some basics need to be discussed with everyone pretty soon.

    AngelicKnight: yes some are sitting ducks. I'm already working up a workshop for securing and maintaining personal computers for the first of the year. I'm pretty comfortable with my knowledge to do this, but I'll read over the forums here to make sure i have my bases covered.

    The Bank site in question is www.wachovia.com . You'll see the login on the top left and the address will begin with http: For comparison, check out www.capitalone.com . At the top right there is a link to take you to a login page. When you get there you'll notice the address starts with https: unlike Wachovia.

    SirDice: thanks for the advice on the software. I'll try these out and see what happens. I'll post the results when I'm done for whoever reads this later. I never thought of this before, but when I have to go somewhere and do a risk assessment I should really hit all the computers hard and see what the practices are. If nothing else, I have a feeling that something like wireshark should impress folks enough on how vulnerable they are to get them to change a few things.

    Many Thanks,
    PapaDerf

  5. #5
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    Being that you know a lot of "stuff" then im sure we can jump past the whole making sure laptops are locked down with AV, a firewall, and disk encryption where applicable.

    The person at the bank was probably right. The login page is just a form on an unencrypted page but the form action is likely set to an address over HTTPS, so once you hit that submit button your computer is talking to the bank site over SSL which will encrypt your traffic. So, even if someone is keeping an eagle eye on the traffic being passed over the open access point, you've got strong end-to-end encryption from your browser all the way to the bank.

    You can be pretty confident that your people will be OK doing online banking over open wifi. One thing you'd have to worry about is making sure it's free PUBLIC wifi, as accessing someone's personal connection is a tad bit illegal. Also, as AK mentioned, you're biggest security threat comes from malware silently installed through the swiss cheese IE browser (among others). There are many different types, most of which intentionally bog down or altogether break your computer's functionality until you purchase their "virus/malware/spyware cleaner" products, but a good number also harvest login information for websites and send 'em back to be logged somewhere. Another threat to worry about is phishing. As a network security officer I drilled phishing awareness into the heads of my entire network and mass-mailed e-mail phishing examples constantly. Most banks even have a visible link on their main page to the latest phishing and email scams that are plaguing their specific organization.

    Hopefully the above puts you somewhat at ease and gives you some extra things to think about in regards to your users overseas.

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    3
    Thanks for your reply X. I was actually able to verify what you suggested using a plugin for Firefox called Web Developer. Someone suggested it to me to help diagnose a CSS (new to that too) problem on a Joomla extranet I'm working on.

    It has a lot of tools and I tried to use its form tools to look and see that in fact the login part of the form is going to an https: site. If anyone is interested in trying it, the bank site is www.wachovia.com as mentioned above.

    Another item we're trying is a third party VPN product from Jwire.com called Hotspot Helper . A coworker has subscribed to it and at 24.00/yr seems very reasonable. He's suppose to let me know if it pops a Vista gasket or anything - but so far, so good. If it works well it could make up for some sloppy housekeeping on an individual's box. The reality is that a few of us are tech challenged and will probably never get the whole picture.

    http://www.jiwire.com/hotspot-helper.htm

    What all of you have mentioned however is probably the biggest issue by far and that is whether or not each individual knows how to lock down his computer (physically and electronically) and is doing it. I'm finding out they don't, and don't know how. No doubt we've been lucky.

    Thanks again everyone for all of the advice and tool suggestions. This forum is certainly a "cut above".

    PapaDerf

Similar Threads

  1. encrypted file system
    By 212121 in forum Newbie Security Questions
    Replies: 9
    Last Post: August 28th, 2005, 05:34 PM
  2. China executes four accused of bank fraud
    By OverdueSpy in forum Cosmos
    Replies: 4
    Last Post: September 16th, 2004, 09:41 PM
  3. Bank of America next SCO Target
    By SDK in forum AntiOnline's General Chit Chat
    Replies: 1
    Last Post: March 4th, 2004, 11:31 PM
  4. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 08:01 AM
  5. Chapter 6 - Newbie Questions Answered
    By uraloony in forum The Security Tutorials Forum
    Replies: 2
    Last Post: January 2nd, 2002, 03:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •