Enhanced Podcast [39:42m]

Many banks encourage phishing through their use of inconsistent user interfaces and the improper use of SSL, both putting their customers’ credentials at risk. Financial institutions invent their own email security schemes that are readily copied by hackers and provide no real security. Bill and Bob describe several examples of how bad web and email security practices confuse their customers and weaken the total online security experience. They also provide some suggestions based on solid security practices.

Think SSL is too expensive to deploy? That’s 20th century thinking! Bob’s team has lab test statistics to refute that old myth: http://boblord.livejournal.com/1538.html

Links referenced in this email:

  1. ETrade “Secure” Email, which dilutes the security lock icon’s value
  2. NetCraft Phishing Link
  3. NetCraft Surveys
  4. Yahoo! endangers and confuses users instead of using SSL to begin with
  5. SSL security warnings don’t stop users from getting hacked
  6. Google’s SSL warnings don’t stop users either
  7. Fake Chase phishing email #1
  8. Fake Chase phishing email #2

Thank you for listening! Please send your comments, suggestions, and feedback to comments@SecurityHype.com.

One Response to “Security Hype 7.2-How banks encourage fraud, ways to reduce getting phished, first S/MIME discussion”

  1. Markus says:

    Yep. I can fully identify with Bob here. I am a citi customer too. It’s totally confusing to the uninitiated. I’ve helped my wife create a bookmark to their login page when we signed up for the online banking account and I’ve told her to only use that when logging in. Otherwise the multiple domain names (citi.com, citibank.com, citicards.com), the different styles of login screens and the login screens on basically unencrypted pages make verification very difficult for not so technical people. Yes, there is a lock icon on the main page next to the login screen and it links to some security information, but there is absolutely nothing that I couldn’t replicate on my personal homepage. Moreover even the verisign domain verification logo isn’t on all their sites.

    This is just one example that was poking in my eye too ;)
    I wish companies would treasure their domain names more and treat them with more care. Maybe that’s the marketing departments having too much influence?
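As an added illustration (example code written for this page, not part of the episode notes or of Markus's comment), the two problems described above, a sign-on form sitting on an unencrypted page and credentials going to a domain other than the one the customer is looking at, can be flagged mechanically from a page's URL and HTML. The page URL and HTML below are constructed, with a hypothetical bank domain, and the domain comparison uses a naive last-two-labels rule.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample (hypothetical bank, not a real site): a splash page served
# over plain HTTP whose sign-on form posts to a differently named domain.
SAMPLE_PAGE_URL = "http://www.examplebank.test/"
SAMPLE_HTML = """<html><body>
<form action="https://online.examplebank-cards.test/login" method="post">
  <input name="user"> <input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

class FormCollector(HTMLParser):
    """Record each <form> action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._cur and (a.get("type") or "text").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._cur:
            self.forms.append(self._cur)
            self._cur = None

def registrable_domain(host):
    # Naive last-two-labels rule: fine for .com-style names, wrong for co.uk etc.
    return ".".join((host or "").lower().split(".")[-2:])

def audit_login_forms(page_url, html):
    """For every password form: the resolved action URL and a list of issues."""
    parser = FormCollector()
    parser.feed(html)
    page = urlparse(page_url)
    findings = []
    for form in (f for f in parser.forms if f["password"]):
        target = urlparse(urljoin(page_url, form["action"]))
        issues = []
        if page.scheme != "https":
            issues.append("login form served over plain HTTP: page can be altered in transit")
        if target.scheme != "https":
            issues.append("credentials posted over plain HTTP")
        if registrable_domain(target.hostname) != registrable_domain(page.hostname):
            issues.append(f"credentials posted to a different domain: {target.hostname}")
        findings.append({"action": target.geturl(), "issues": issues})
    return findings
```

Run against the constructed sample, the search form is ignored and the sign-on form is reported twice: once for living on an HTTP page, once for posting to a domain the customer never typed.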

