Fri Jan 31 06:23:24 EST 2014


To: general at lists.humbug.org.au
Subject: Re: [H-GEN] Internet Banking - hidden url's > potential security breaches.
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 5.0.8  June 18, 2001
Message-ID: <OFCA4896A1.FFEAC611-ON4A256AD1.000C2D0B at westsig.com.au>
From: ben.carlyle at invensys.com
Date: Mon, 24 Sep 2001 12:21:37 +1000
Content-Type: text/plain; charset="us-ascii"
Sender: owner-general at lists.humbug.org.au
Precedence: bulk
Reply-To: general at lists.humbug.org.au
X-Loop: general at lists.humbug.org.au
List-Help: <mailto:majordomo at lists.humbug.org.au?subject=help>
List-Post: <mailto:general at lists.humbug.org.au>
List-Subscribe: <mailto: general-request at lists.humbug.org.au?subject=subscribe>
List-Id: semi-serious discussions about Humbug and Unix-related topics <general at lists.humbug.org.au>
List-Unsubscribe: <mailto: general-request at lists.humbug.org.au?subject=unsubscribe>
List-Archive: <http://archive.humbug.org.au/humbug-general/>

[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

Howdy,

In answer to why javascript is often used to explicitly control which 
window the banking session is used in: I noticed on the mymail.com.au site 
a warning that failure to close the window after reading mail may allow 
other users to use the "back" button to read your confidential messages. 
It's likely that the banks are making an effort to prevent unwanted 
disclosure of your financial details to the "next" user of the system.

I don't think the hiding of the URL is a particularly nasty security risk, 
in that control of a DNS server that provides the bank's IP address should 
be enough to fake the displayed URL for the entire session. It's likely 
that both the lookup and reverse lookups would be tampered with should 
this kind of fraud be attempted. Your suspicions about hiding information 
as to whether or not a session is encrypted might be a nastier risk, 
particularly if you think you're dealing with someone who has an 
appropriate certificate but in reality does not; however, I suspect that 
the general user population would make the assumptions of security without 
checking the usual display indicators even when they aren't hidden. 
They're dealing with a bank after all, and the bank would make sure that 
no such thing could happen, wouldn't they? ;)

Benjamin.





"bmatthewtaylor at yahoo.co.uk" <bmatthewtaylor
Sent by: owner-general at lists.humbug.org.au
23/09/01 12:01
Please respond to general

        To:     general at lists.humbug.org.au
        cc:
        Subject:        [H-GEN] Internet Banking - hidden url's > potential security breaches.

Extending this topic, my Suncorp netbanking has shown a disturbing trend 
that I have noticed with other internet sites > hiding URLs by using 
javascript popup windows, i.e.:

javascript:OpenWindowFullScreen('page_name.ext','label');

I suspect they do this to maximize the screen area, but it hides the URL, 
and unless users have set their browser preferences appropriately most 
users will not be able to confirm they are on https or http.
I have noticed a number of other banks doing similar things, though ANZ, 
St George and Colonial First State stick with displaying the URL and 
padlock icons.

So what I'm wondering is, would this result in a potential for security 
exploitation?

i.e.: say a small ISP, internet cafe etc. has a 'modified' DNS table, 
redirecting calls to www.mybank.com to their own server, running a clone 
of the real bank's homepage.
The user goes to the logon screen (which is a 
javascript:OpenWindowFullScreen(blah), thus hiding the URL) and is taken to 
some fake site made up by the hackers (say www.mypiratebank.com). This 
could even have an authenticated https certificate that does not flag any 
warnings in the client's browser. The pirate site then collects user names / 
passwords, maybe even does some screen stripping on www.mybank.com to 
verify the password, and then redirects the client to the real banking 
site (or just gives the user a message 'service temporarily unavailable, 
please call 1800-fake-number').

I don't know enough about DNS servers to know whether this type of breach 
could be achieved via the weakness pointed out for www.anz.com on this 
list last week.

hrm... I'm pretty sure I'm not being paranoid [1], but also pretty sure my 
bank will put the spin doctors onto denying any security risk before they 
actually address the technical issue.


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
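The point both posters circle around is that a tampered DNS answer can send the browser to an impostor, and that an impostor can even hold a perfectly valid certificate, just not one for the bank's name. What saves the user in that case is hostname verification: the name typed (or linked) must appear in the presented certificate, and a hidden address bar or padlock only matters if that check is absent. The following is an added example, not code from either poster, the list, or any bank: it implements browser-style dNSName matching (case-insensitive, leftmost-label wildcards only) in the shape of Python's ssl.getpeercert() output and runs it over constructed DNS tables and certificates for www.mybank.com and www.mypiratebank.com. All IP addresses, names and certificate contents are constructed for the example and nothing touches the network.

```python
"""Hostname verification against a certificate's subjectAltName entries.

Added example (not from either poster): models the thread's scenario in which
a 'modified DNS table' sends the browser to an impostor that holds a valid
certificate for a different name.  DNS answers, IPs and certificates below
are constructed for the example; no network access is used.
"""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname.

    Rules mirror what browsers enforce: comparison is case-insensitive, a
    wildcard must be the entire leftmost label, it matches exactly one label,
    and a wildcard pattern needs at least two further labels (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard handling: reject 'w*.example.com', '*.*.example.com', '*.com'.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """cert is shaped like ssl.getpeercert(): {'subjectAltName': ((kind, value), ...)}.

    DNS names are matched only against DNS-style hostnames; IP literals are
    matched only against 'IP Address' entries, never against dNSName entries.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


# Constructed resolver tables: the honest answer and the 'modified DNS table'.
HONEST_DNS = {"www.mybank.com": "203.0.113.10"}
TAMPERED_DNS = {"www.mybank.com": "198.51.100.7"}   # points at the impostor

# Constructed certificates presented by each server (ssl.getpeercert() shape).
# The impostor's certificate is 'authenticated' (chain-valid) but for its own name.
SERVERS = {
    "203.0.113.10": {"subjectAltName": (("DNS", "www.mybank.com"), ("DNS", "mybank.com"))},
    "198.51.100.7": {"subjectAltName": (("DNS", "www.mypiratebank.com"),)},
}


def connect(resolver: dict, servers: dict, hostname: str, check_hostname: bool = True):
    """Simulate a TLS connection; return (ip_reached, session_accepted).

    check_hostname=False stands for the situation the thread worries about:
    any chain-valid certificate is accepted because nobody compares the name.
    With it on, the name the user asked for must be present in the certificate.
    """
    ip = resolver[hostname]
    cert = servers[ip]
    if not check_hostname:
        return ip, True
    return ip, cert_matches_host(cert, hostname)


if __name__ == "__main__":
    for label, table in (("honest DNS", HONEST_DNS), ("tampered DNS", TAMPERED_DNS)):
        ip, ok = connect(table, SERVERS, "www.mybank.com")
        print(f"{label}: reached {ip}, hostname check {'passed' if ok else 'FAILED'}")
```

The honest resolver reaches 203.0.113.10 and the check passes; the tampered one reaches 198.51.100.7 and the check fails even though that server's certificate would pass chain validation on its own, which is exactly the case where a hidden URL and padlock would otherwise leave the user with nothing to notice.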


