Banks don’t help fight phishing

I recently got an email from Bank of America offering me a pretty good credit card deal. Usually, I chuck those offers away as spam (both electronic and physical) but this time I decided to bite.

The “apply now” button pointed to http://links.em.bankofamerica.com:8083/…, fair enough. I click. But wait… IE6 says…

[Screenshot: IE6 certificate warning dialog]

Firefox provides more info without layers of abstraction…

[Screenshot: Firefox certificate warning dialog]

I clicked “OK” and got to… https://www.mynewcard.com/! (you’ll notice that going there directly redirects to https://mynewcard.bankofamerica.com/, so only when you click “apply” do you get to see mynewcard.com.)

I consequently emailed BofA with my concerns and got this (surprisingly expedient) reply:

“We recognize that any unsolicited e-mail, legitimate or otherwise, is reason for concern. I can assure you that www.mynewcard.com is a legitimate website of Bank of America.”

Well, not much assurance there since I replied to the original email (cardservices@replies.em.bankofamerica.com), but a whois query confirms that mynewcard.com indeed belongs to BofA. What percentage of the population would go beyond clicking that “OK” on the IE warning as just another annoyance? You know the answer.

So, BofA got three things wrong. Firstly, they put links in the body of the email; that argument has been made to death: don’t train people to click links in email. If the bank has great offers, they should be available once people log into their accounts. Secondly, they messed up the certificate: it is issued for mynewcard.bankofamerica.com, not for the name that appears in the address bar, mynewcard.com, so a legitimate offer produces exactly the warning a user should be refusing to click through. And finally, they used an unfamiliar domain to process the application. Why? I think the answer lies somewhere in the marketing department, where someone decided that mynewcard.com sounds cooler than sound security practice and long-term customer training.

Update: Richard mentioned that the rapid response meant that BofA have heard this concern once before. I found this thread [dansanderson.com] discussing mynewcard.com in August 2003! Which adds a fourth thing BofA did wrong: they didn’t fix it!

6 thoughts on “Banks don’t help fight phishing”

  1. Surely all due to some marketing-obsessed boss deciding at the last minute that the new web page absolutely must have a level-two DNS entry of its own, rather than using the existing, well-established, well-known namespace of the organization …

  2. Regrettably, this isn’t at all new.

    As Kuchinskas pointed out back in 2003, it is not uncommon for organisations to use “cutesy” domain names for marketing reasons. The example she cites is particularly interesting. She found that online marketing for Citibank’s credit cards directed you to citicards.com. This, she says, displays a page from the http://www.citibank.com website.

    However, it is STILL (in 2006) even more complex than she portrays. citicards still sends you to citibank. But, because Citibank is regularly subjected to phishing attacks, if you go to the main page for Citibank and follow the link to “contact us”, then click on the link about “suspicious emails”, you get a pop-up page from http://www.citi.com that recommends sending email to emailspoof@citigroup.com!

    In fact CitiBank provide a list of the 18 domain names they are currently operating for banking services… it doesn’t include citigroup.com because of course that’s just corporate.

    Anyway, I’m sure providing the list will fix their problem 🙁

  3. Wildcards in certificates will probably soon become popular (if the price is right, of course). It will be interesting to see if this helps or makes the problem worse.

    RFC2595 (IMAP/POP3/ACAP over TLS, proposed standard) allows only names beginning with “*.” while RFC2818 (HTTP over TLS, informational) allows more. This discrepancy and implementation differences will give their own problems.

    How long before someone manages to forge a certificate for www.*.com ?
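Two points on this page come down to the same check: the post’s mismatch between the certificate name (mynewcard.bankofamerica.com) and the address bar (mynewcard.com), and this comment’s RFC 2595 versus RFC 2818 difference in how a wildcard name is read. The matcher below is an added example written for this page, not code from Bank of America, any browser, or the commenters; the certificate name and hosts are the ones the post reports, and the “at least two labels to the right of a wildcard” rule is a browser-style restriction assumed here, which neither RFC states. It goes a little beyond the text by also checking whether a landing host sits inside the organisation’s established namespace, the complaint in comment 1.

```python
"""Hostname matching as a TLS client applies it when comparing a server
certificate against the host in the address bar.  Added example for this
page; names below are taken from the post, not from a live connection."""

import re


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def match_hostname(cert_name, host, strict=True):
    """Return True if cert_name (a CN or dNSName SAN entry) covers host.

    strict=True follows the RFC 2595 rule quoted in the comment: a wildcard
    is recognised only as a whole leftmost label ("*.example.com").
    strict=False follows the looser RFC 2818 reading, where "*" may stand for
    part of a label ("f*.example.com" matches "foo.example.com").
    In both modes a wildcard matches exactly one label and is accepted only in
    the leftmost position, so "www.*.com" is rejected outright.
    """
    cert_labels = _labels(cert_name)
    host_labels = _labels(host)
    if len(cert_labels) != len(host_labels):
        return False
    # A wildcard anywhere but the leftmost label is not a valid name.
    if any("*" in label for label in cert_labels[1:]):
        return False
    first, rest = cert_labels[0], cert_labels[1:]
    if rest != host_labels[1:]:
        return False
    if "*" not in first:
        return first == host_labels[0]
    # Assumed browser-style restriction (not in either RFC): a wildcard needs
    # at least two labels to its right, so "*.com" covers nothing.
    if len(cert_labels) < 3:
        return False
    if strict:
        return first == "*"
    # Lenient mode: turn the glob into a regex confined to a single label.
    pattern = re.escape(first).replace(r"\*", "[^.]*")
    return re.fullmatch(pattern, host_labels[0]) is not None


def cert_covers_host(cert_names, host, strict=True):
    """True if any name on the certificate matches the requested host."""
    return any(match_hostname(n, host, strict) for n in cert_names)


def in_org_namespace(host, org_domain):
    """True if host is org_domain itself or a subdomain of it."""
    h, o = _labels(host), _labels(org_domain)
    return len(h) >= len(o) and h[-len(o):] == o


# Constructed from the post: the certificate carried the bankofamerica.com
# name, while the address bar showed mynewcard.com.
CERT_NAMES = ["mynewcard.bankofamerica.com"]


def page_scenario():
    """Reproduce the browser's verdict for the two hosts the post mentions."""
    return {
        host: cert_covers_host(CERT_NAMES, host)
        for host in ("mynewcard.com", "mynewcard.bankofamerica.com")
    }


if __name__ == "__main__":
    for host, ok in page_scenario().items():
        print(f"{host}: {'certificate matches' if ok else 'WARNING: name mismatch'}")
    print("mynewcard.com inside bankofamerica.com namespace:",
          in_org_namespace("mynewcard.com", "bankofamerica.com"))
```

The two modes differ only for partial-label wildcards such as “f*.bankofamerica.com”; a client following RFC 2595 rejects such a certificate while one following RFC 2818 accepts it, which is the implementation discrepancy the comment anticipates. The namespace check is what the post’s complaint about mynewcard.com amounts to: a host that is not under bankofamerica.com cannot be distinguished from a phishing domain by name alone, whatever whois says.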

  4. About a week ago (Mar 30) I noted on my work blog another way that insecure banking sites help phishers.

    It seems that JP Morgan Chase makes absolutely no check of the Referer field when serving up images via HTTPS. As a result, phishing sites can quite simply paste genuine JPM pages with genuine images and scripts onto their own pages.

  5. All marketing people should be summarily executed. They are a waste of oxygen on the planet and contribute to global warming every time they open their mouths to speak. They contribute to the downfall of civilization through subterfuge, obfuscation and deceit. They dilute the human spirit by pouring trite, token-filled lies en masse into the ether. They are the molesters of childhood’s mind. The only lower form of life than marketing people are bankers and the rats (lawyers) that support their rapacious ways. Dump them into the Horse Latitudes.
