Banks don’t help fight phishing

March 10th, 2006 at 20:23 UTC by Saar Drimer

I recently got an email from Bank of America offering me a pretty good credit card deal. Usually, I chuck those offers away as spam (both electronic and physical) but this time I decided to bite.

The “apply now” button pointed to http://links.em.bankofamerica.com:8083/…, fair enough. I click. But wait… IE6 says…

[Image: Certificate warning IE]

Firefox provides more info without layers of abstraction…

[Image: Certificate warning FF]

I clicked “OK” and got to… https://www.mynewcard.com/! (you’ll notice that going there directly redirects to https://mynewcard.bankofamerica.com/, so only when you click “apply” do you get to see mynewcard.com.)

I consequently emailed BofA with my concerns and got this (surprisingly expedient) reply:

“We recognize that any unsolicited e-mail, legitimate or otherwise, is reason for concern. I can assure you that www.mynewcard.com is a legitimate website of Bank of America.”

Well, not much assurance there since I replied to the original email (cardservices@replies.em.bankofamerica.com), but a whois query confirms that mynewcard.com indeed belongs to BofA. What percentage of the population would go beyond clicking that “OK” on the IE warning as just another annoyance? You know the answer.

So, BofA got three things wrong. Firstly, they had links in the body of the email; the argument has been beaten to the ground… don’t educate people to click them. If the bank has great offers, they should have them available when people log into their accounts. Secondly, they messed up on the certificate… it’s for mynewcard.bankofamerica.com, not what appears in the address bar, mynewcard.com. And finally, they used an unfamiliar domain to process the application. Why? I think the answer lies somewhere in the marketing department where they decided that mynewcard.com is cooler sounding than sound security measures and long term good customer training.

Update: Richard mentioned that the rapid response meant that BofA have heard this concern once before. I found this thread [dansanderson.com] discussing mynewcard.com in August 2003! Which adds a fourth thing BofA did wrong: they didn’t fix it!

Entry filed under: Banking security, Privacy technology

6 comments

  • 1. Markus Kuhn  |  March 10th, 2006 at 23:12 UTC

    Surely all due to some marketing-obsessed boss deciding at the last minute that the new web page absolutely must have a level-two DNS entry of its own, rather than using the existing, well-established, well-known namespace of the organization …

  • 2. Richard Clayton  |  March 11th, 2006 at 23:40 UTC

    Regrettably, this isn’t at all new.

    As Kuchinskas pointed out back in 2003, it is not uncommon for organisations to use “cutesy” domain names for marketing reasons. The example she cites is particularly interesting. She found that online marketing for Citibank’s credit cards directed you to citicards.com. This, she says, displays a page from the http://www.citibank.com website.

    However, it is STILL (in 2006) even more complex than she portrays. citicards still sends you to citibank. But, because Citibank is regularly subjected to phishing attacks, if you go to the main page for Citibank and follow the link to “contact us”, then click on the link about “suspicious emails”, you get a pop-up page from http://www.citi.com that recommends sending email to emailspoof@citigroup.com!

    In fact CitiBank provide a list of the 18 domain names they are currently operating for banking services… it doesn’t include citigroup.com because of course that’s just corporate.

    Anyway, I’m sure providing the list will fix their problem :(

  • 3. Nick Towner  |  March 13th, 2006 at 13:43 UTC

    Wildcards in certificates will probably soon become popular (if the price is right, of course). It will be interesting to see if this helps or makes the problem worse.

    RFC2595 (IMAP/POP3/ACAP over TLS, proposed standard) allows only names beginning with “*.” while RFC2818 (HTTP over TLS, informational) allows more. This discrepancy and implementation differences will give their own problems.

    How long before someone manages to forge a certificate for http://www.*.com ?
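As an added example (not code from the post, from any browser, or from the bank), here is the host-name check a browser runs at the point where IE6 and Firefox warned above, written under both rule sets Nick contrasts: the RFC 2818 matching, where “*” may stand for any label or fragment of one, and the RFC 2595 rule that allows only a leading “*.”. The function names are assumptions; the host names are the ones quoted on the page plus small constructed variants.

```python
def _match_label(pattern: str, label: str) -> bool:
    """Match one DNS label against a pattern label that may hold a '*'.
    RFC 2818 lets '*' stand for a whole label or a fragment of one, so
    'f*' matches 'foo' but not 'bar'; a literal label must match exactly."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    return (label.startswith(head) and label.endswith(tail)
            and len(label) >= len(head) + len(tail))


def _labels(name: str) -> list:
    # Case-insensitive, ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def matches_rfc2818(cert_name: str, url_host: str) -> bool:
    """Liberal HTTPS rule (RFC 2818 s.3.1): '*' may appear in any label and
    label counts must agree, so '*.a.com' covers 'foo.a.com' but not
    'bar.foo.a.com', and a name like 'www.*.com' is accepted as written."""
    p, h = _labels(cert_name), _labels(url_host)
    return len(p) == len(h) and all(_match_label(a, b) for a, b in zip(p, h))


def matches_rfc2595(cert_name: str, url_host: str) -> bool:
    """Strict rule (RFC 2595 s.2.4): a wildcard is only a leading '*.' and
    covers exactly one label, so '*.example.com' matches 'a.example.com'
    but not 'example.com' or 'a.b.example.com'; any other '*' is rejected."""
    cert_name, url_host = cert_name.lower().rstrip("."), url_host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == url_host
    if not cert_name.startswith("*.") or "*" in cert_name[2:]:
        return False
    suffix = cert_name[1:]                 # e.g. '.bankofamerica.com'
    if not url_host.endswith(suffix):
        return False
    first = url_host[:-len(suffix)]        # what the '*' would stand for
    return first != "" and "." not in first


def verdicts(cert_name: str, url_host: str) -> dict:
    """Both rules side by side; a browser warns when its rule returns False."""
    return {"rfc2818": matches_rfc2818(cert_name, url_host),
            "rfc2595": matches_rfc2595(cert_name, url_host)}


if __name__ == "__main__":
    # The page's own case: certificate for mynewcard.bankofamerica.com, address bar mynewcard.com.
    print(verdicts("mynewcard.bankofamerica.com", "mynewcard.com"))   # both False: warning
    print(verdicts("www.*.com", "www.bankofamerica.com"))             # rfc2818 True, rfc2595 False
```

The last call shows the discrepancy the comment predicts: a validator written literally to RFC 2818 accepts a “www.*.com” name that an RFC 2595 validator refuses, so the same certificate can be silent in one client and a warning in another.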

  • 4. .$author.  |  March 30th, 2006 at 13:02 UTC

    [...] A second example is how the waters in which internet phishermen angle for account details regularly become muddied by the marketing departments of enterprising banks. Every once in a while, these chaps manage to send out genuine emails entreating the user to click on the link in the email, or to navigate to a site not clearly part of the bank’s site, then provide their personal details. [...]

  • 5. Francis  |  April 9th, 2006 at 09:40 UTC

    About a week ago (Mar 30) I noted on my work blog another way that insecure banking sites help phishers.

    It seems that JP Morgan Chase makes absolutely no check for the referer field when serving up images via HTTPS. As a result phishing sites can quite simply paste genuine JPM pages with genuine images and scripts on their own pages.
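An added example, not from the comment or from any bank’s code, of the Referer-origin check Francis says was absent: an asset is refused when the request announces a page from a host outside the bank’s own names, and an absent header is treated as a policy choice because browsers and privacy settings often drop it. The host names are constructed and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample of the bank's own host names (not any real bank's hosts).
OWN_HOSTS = {"www.example-bank.test", "online.example-bank.test"}


def referer_allows(headers: dict, own_hosts=OWN_HOSTS, allow_missing: bool = True) -> bool:
    """Decide whether a request for an image or script should be served.

    - No Referer at all: browsers omit it for bookmarks, typed URLs, some
      privacy settings and HTTP->HTTPS navigations, so refusing it would
      break the bank's own pages; the default is therefore to allow it.
    - Referer present: serve only if its host is exactly one of the bank's
      own names (no prefix or suffix matching). This is what stops a
      third-party page from embedding the bank's genuine images and scripts
      in the plain hotlinking case the comment describes.
    Referer is client-supplied and can be omitted deliberately, so this is a
    deterrent against casual reuse, not an authentication boundary.
    """
    # Header names are case-insensitive; take the first Referer we find.
    value = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not value:
        return allow_missing
    try:
        host = urlsplit(value).hostname
    except ValueError:          # malformed URL in the header, e.g. bad IPv6 brackets
        return False
    if not host:
        return False
    return host.lower().rstrip(".") in own_hosts


def classify_requests(requests, **policy):
    """Verdict per (path, headers) pair, for a batch of asset requests."""
    return [(path, "serve" if referer_allows(h, **policy) else "refuse")
            for path, h in requests]


if __name__ == "__main__":
    # Constructed requests: own page, third-party page, look-alike host, no header.
    sample = [
        ("/img/logo.gif", {"Referer": "https://www.example-bank.test/login"}),
        ("/img/logo.gif", {"Referer": "https://unrelated.example/copy-of-login"}),
        ("/js/login.js", {"Referer": "https://www.example-bank.test.unrelated.example/"}),
        ("/img/logo.gif", {}),
    ]
    for path, verdict in classify_requests(sample):
        print(path, verdict)
```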

  • 6. hater  |  December 8th, 2007 at 19:24 UTC

    All marketing people should be summarily executed. They are a waste of oxygen on the planet and contribute to global warming every time they open their mouths to speak. They contribute to the downfall of civilization through subterfuge, obfuscation and deceit. They dilute the human spirit by pouring trite, token-filled lies en masse into the ether. They are the molesters of childhood’s mind. The only lower form of life than marketing people are bankers and and the rats (lawyers) that support their rapacious ways. Dump them into the Horse Latitudes.
