32

I was reading the security advice given by the Swedish Bankers' Association. They included these two pieces of advice (my translation), which I assume are meant to teach the user to check for SSL/TLS and to protect against SSL-strip:

  • Check that it is the address of your bank in the address bar of your browser before you log on to your internet bank.
  • The web address on the log on page should start with https:// and a padlock symbol should be visible in the browser.

This is a fairly important topic, since some Swedish banks serve their main page (where the link to the internet bank is) over HTTP, and none of them have implemented HSTS. However, I see a number of problems with the advice given:

  1. How do I check that it is the address of my bank? An ordinary user would probably go scanning the URL for the name of the bank, and be satisfied when they find it. So armed only with this advice you would easily fall for mybank.com.evil.com/mybank.com. (Unfortunately the URLs for logon pages are often not very clean, so customers would expect a messy URL.)
  2. "So I remember there was something with an h and a couple of p or t or something I should look for. http://? Yeah, that was probably it. Must be safe."
  3. Look for the padlock in the browser? Seriously? You can just include it in the page, don't even need to use the old favicon trick to fool someone reading this advice.

Naturally I started to think about what some actual good advice would be to give on this subject, but I found it surprisingly hard. The advice should be (A) short, (B) easy to remember and understand even for a user with little technical knowledge, and (C) apply to all fairly modern browsers. Imagine you have 30 seconds to explain this to a not very tech-savvy relative.

Any suggestions?

Steve Dodier-Lazaro
Anders
  • I'd recommend using a bookmark. That way you can only be tricked on the first access. – CodesInChaos Feb 01 '16 at 16:06
  • Tell them that the "s" in "https" stands for "secure." That might help with issue number 2. – Brian McCutchon Feb 01 '16 at 17:05
  • My advice would be take the advice of the two previous comments, and also tell the users that the server they are talking with is the one named between the two `/` characters. (Some browsers will highlight this part of the URL to make it easier to spot.) – kasperd Feb 01 '16 at 18:43

7 Answers

40

Why security indicators fail vs. phishing

There is no action that can be taken that is economically viable. Put another way, it's too effortful to defend against phishing attacks. See 'So long and no thanks for the externalities' for an example on the US economy and information workers.

You are correct that checking for URL correctness is error-prone, and HTTPS passive security indicators are a big joke. They go unnoticed, they have for years been meaningless (what does it mean if the keypad is blue or green or grey!?), and were they to be more prominent / active, people would get habituated to seeing them and attackers could simply buy a certificate for a rogue URL so that the name checks out.

The solution to this issue must be architectural, rather than rely on wasting the time of humans and on said humans to not make mistakes. Why is it that Web browsers don't have a centralised, trusted repository from which to verify the URLs of banks and reputable payment/transfer websites, so that unique security indicators can be used for such sites?

Solution: make users rely on a secure interaction rather than make them deal with the limitations of indicators

I would tell people to go onto the website once, make sure the URL is correct once (you can help them), and save it in their favourites. And use exclusively the favourites button so they know they are on the right website. I would tell them (without details) that you never know where you'll land when clicking a link or searching for a website but the favourites button always takes you to the right place. How? Doesn't matter.

At this stage, users are guaranteed to land on the correct URL. If an active MITM attack is occurring, they will get the scary certificate warning, which they normally don't have for their banking website. Warning habituation is a very real thing, and figures are missing to determine whether users would pay attention to it in the context of a previously trusted banking website. Improving on this warning (e.g. making it scarier for bank sites) would also require knowledge of what is and isn't a bank's website.

Steve Dodier-Lazaro
  • The favorites solution is a really good one. That quickly teaching a human to check for this is near impossible is depressing, but possibly true. – Anders Feb 01 '16 at 10:34
  • `Why is it that Web browsers don't have a centralised, trusted repository from which to verify the URLs of banks and reputable payment/transfer websites, so that unique security indicators can be used for such sites?` I thought that system is called the EV certificate? – Lie Ryan Feb 01 '16 at 12:43
  • @LieRyan they're not proper to financial institutions. You also buy EV certificates to have your app put on app stores. They do improve on the quality of validations, and their added cost creates a deterrent for adversaries to go through the validation process, but (a) they don't change the inherent issue of passive indicators without proper design in each browser and (b) they don't address the question of how you navigate from potentially untrusted sites to your trusted bank's site without being redirected elsewhere instead (i.e. how you avoid phishing). – Steve Dodier-Lazaro Feb 01 '16 at 12:46
  • I'm not saying EV certs are bad by the way. They are an extremely good feature. What I'm saying is that we need further design and further evidence before assuming how much added security they provide to end users in a variety of contexts. – Steve Dodier-Lazaro Feb 01 '16 at 12:48
  • Even at OV level, you need to get your business registered in a qualified business database (a government business registry and/or a qualified independent information source), which must show the physical address in the certificate and the phone number. And EV CAs are required to visually compare the domain name against "known high risk" domain names, although I don't think there is any formal standard of what is considered "high risk". – Lie Ryan Feb 01 '16 at 13:30
  • EV CAs also have to check that the business is an active business in good standing according to the business database (e.g. registered for more than three years, pays taxes). The CA does a face-to-face verification of the primary contact of the organization, or verifies that the qualified business database had done face-to-face verification when entering the information into their database. You can't just register a company last week and then apply for an EV certificate now. – Lie Ryan Feb 01 '16 at 13:32
  • RE: your specific point let's see in 5 years' time what Indian or Chinese issued EVs look like. But this is not quite what I wanted to discuss anyway. You might be able to perfectly identify a business, you still need to transform this feature into an interaction and interface design that stands out in helping users *know* effortlessly they're on their bank's site when they mean to. And you have to cover (a) indicating that the current site is the bank site and (b) ensuring that users, when they mean to go to their bank site, understand the indicator *and* notice its absence. – Steve Dodier-Lazaro Feb 01 '16 at 13:39
  • @SteveDL Don't you think "Always check that it says 'My Bank [GB]' in a green box in the address bar." would be good advice that would live up to the requirements in the question? – Anders Feb 01 '16 at 16:27
  • @Anders I've got mixed feelings on that. It's been demonstrated passive SSL padlocks are not very useful because people forget to check for them, and that they're economically detrimental. There's also the issue of simply satisficing presence rather than checking content, making attacks with fake EV certs not unlikely. Without an updated study on EV certs in banking contexts I *suspect* but cannot assert that they're mildly beneficial to check for. – Steve Dodier-Lazaro Feb 01 '16 at 17:05
  • @SteveDL I appreciate your answer, as well as your epistemic humility. – Anders Feb 01 '16 at 17:07
  • @Anders humility is the last word I'd use to describe me ;-) I'm actually very critical of how usability research is conducted on security UIs and interactions so I rely on general interaction design principles more than specific findings that advocate one thing or another. – Steve Dodier-Lazaro Feb 01 '16 at 17:10
  • @SteveDL: the true strength of EV certificate should be considered when you combine it with the other related technologies. In particular, strong transport security and key pinning. EV certificate gives you strong identity validation, and when combined with strict transport security and key pinning means you only need to fully check the certificate identity the first time you load a site. – Lie Ryan Feb 02 '16 at 00:47
  • @LieRyan I get that. EV certificates are really really cool. But this isn't a question of whether a piece of tech is nice or not. It's a question of whether an interaction can be made to be systematically secure, regardless of threats. When you have something like EVs you shouldn't discuss what goes well when they're here, but what fails to go wrong when they're not. And without data I won't speculate on the topic :-) – Steve Dodier-Lazaro Feb 02 '16 at 01:00
  • @SteveDL: EV and OV tie a domain name to a real-life business identity. For most people, telling them to look for their bank's name in the EV bar should be sufficient to assure them that they're really connecting to who they think they're connecting to. For better assurance, users can also check that the physical address and company registration number match what they expect and check for usage of HSTS and HPKP. Beyond that, yes, they should bookmark the site and access it only through the bookmark. – Lie Ryan Feb 02 '16 at 01:25
  • One thing I've not seen mentioned in any answer is that relying on a bookmark is NOT 100% foolproof -- it still relies on the HOSTS file not having been compromised. – Rayanth Feb 02 '16 at 07:41
  • @R.Daughtry Correct me if I'm wrong, but if the hosts file has been compromised then my computer has been compromised, and then it's game over anyway? – Anders Feb 02 '16 at 08:14
  • OK, I'll give you that. I think I was focused on finding flaws in other answers as a method of providing a better one, and lost sight of the situation. – Rayanth Feb 02 '16 at 08:43
  • The bookmarks solution covers ensuring that the right URL is being used for the desired site ("bank"), which is the responsibility of the user. If an attack occurs on that (DNS spoofing), there will be a certificate warning displayed. One could assume that people will pay attention to such errors for banking / payment sites (I've read/heard that somewhere but can't find a link to a paper where it's been observed). – Steve Dodier-Lazaro Feb 02 '16 at 09:38
28

Update 09/2018:

While I previously stated that this might be a good option, the world has changed, and the use of EV is no longer a particularly reliable indicator, even given the drawbacks mentioned below. There are articles such as this one from Troy Hunt which explain the full issue, but, in short, browsers are no longer treating EV certificates as something particularly special, and are hiding or reducing the indicators of EV status.

Taking the first of the sites shown previously, for instance, gives the following display in, respectively, Chrome 69, Edge, Firefox 62 and Internet Explorer 10. Safari on mobile shows a green padlock and "Barclays PLC", Chrome on mobile shows a green padlock, "https" in green, then the rest of the URL in black.

EV display in current browsers (09/2018)

In other words, even if the site does use an EV certificate, there isn't a single indicator that can be easily communicated to a non-technical person anymore. It was always at the mercy of browsers, and it's no longer treated as anything special.

So, what's the alternative? Nothing springs to mind: the URLs below are from a range of subdomains of the bank sites, which makes looking for the bank name harder, and it doesn't work on some mobile devices, which don't show the full URL. The padlock symbol is easy to work around, given the availability of free SSL certificates for domains you control. Browsers mostly currently show "https://" but not "http://", but relying on that remaining the case has most of the same issues as relying on the green address bar.

That leaves typing the bank address into the address bar each time, and being absolutely sure it's not got typos in, which is not a reliable method either. Searching isn't reliable: most search providers are pretty good at weeding out fake links in adverts on terms like "online banking login", but it only takes one missed link. Following links from the main bank site just moves the verification issue up one level.

I suppose it's down to just being careful: use a single device to access the banking site, using a bookmark which has been checked carefully on creation, and don't allow anyone else to access that device, so they can't be modified. It probably makes sense for some people, but I could see that being too high a burden on the average user, where devices are shared with family members or could be accessed by co-workers.

Original 02/2016:

I was going to suggest that ensuring that the login screen for the online banking system showed the name of the bank in green, in the address bar might work. But then I started wondering if any of the local banks I know about did that properly.

URL bars of UK banks

It's less encouraging than I'd hoped. For these nine fairly large banks, 6 provide the name of the bank in the EV cert bar. 2 provide the name of the parent group (which might not always be obvious), and one doesn't even have an EV certificate.

The EV certificate is designed to make this easy, if it's used properly: you can't fake it easily, and it's outside the page area, so it can't be inserted by a malicious actor. However, it seems that banks aren't doing so well at using it.

Matthew
  • Very good point. Though, what if someone registered "HSBC Holbings plc" or "HSBC Holdings ltd"? They'd get me fooled for sure :-) I agree with you that those new security indicators make it easier to read/process the URL but they inherently have the same issue as URLs, just on a lesser scale. – Steve Dodier-Lazaro Feb 01 '16 at 10:48
  • This is true - in theory, the hoops to jump through should make getting the green EV bar harder than just registering a new domain and going to a low end SSL vendor though. However, it would require all legitimate banking and payment providers to consistently use them properly, which seems a bit optimistic. – Matthew Feb 01 '16 at 11:15
  • I see the cost of an attack as more important since EV certificates are expensive. Though, I would expect that attackers already run campaigns in short, concentrated time frames as phishing sites on large client bases would be reported and shut down quickly. Better than nothing still :-) – Steve Dodier-Lazaro Feb 01 '16 at 11:17
  • I guess checking that the certificate is from the right jurisdiction is also important (the `[GB]` part). I have a feeling that phishers will prefer to get their certificates from somewhere where law enforcement is a bit more lax. – Anders Feb 01 '16 at 11:56
  • @Anders That might be why Santander doesn't have one, actually - Spanish banking group, running British banks. Not sure which country code should be there. – Matthew Feb 01 '16 at 11:57
  • It's worth noting that asking for an SSL cert with the words "Bank", "Banking", "Holdings" etc, will trigger a secondary verification process by the SSL vendor, which will prevent any certificate forgery like that. Even on more lax sites like GoDaddy. – Ohnana Feb 01 '16 at 16:29
  • @SteveDL ... Not sure it entirely works in practice, but in order to obtain an EV cert, you still need to have a corporation properly registered in that name, which means you had to provide a real person's identity to the government where that corporation was registered... so it should be easier to prosecute you for fraud or sue you for trademark infringement, even before you apply for a certificate or domain. – david Feb 01 '16 at 17:49
  • @Ohnana Then just use something more generic. "HSBC Group plc" still sounds legitimate. Plus, "Holbings" wouldn't trigger any automated check for the word "Holdings". – user253751 Feb 01 '16 at 21:20
  • @immibis very true. As part of a sanctioned phishing exercise, we just registered a domain without the word "bank", but used the company name with great success! However, it's just another thing to look for. – Ohnana Feb 01 '16 at 21:45
3

"I am asking how to explain to an ordinary user how to check that the browser is using HTTPS and that you are on the right site..."

I agree with what others have said here about looking for the lock as well as the "s" in https and verifying that the url after the // is correct. That is what I remind my clients to do. All financial institutions will have these things as a minimum.

Other approaches like the "green name" in EV certs are helpful but not all banks use them because they are much more expensive and take more paperwork to implement (to prove who you are) than a standard SSL cert.

Two things I'd add to the discussion are to maybe focus on how people get to the banking site.

If they're getting there via a bookmark (ok as long as you always use the same computer and browser), or via the bank's mobile app, or by typing in the (hopefully short and spelled correctly) url of their bank each time, then they're much less likely to encounter phishing or MITM attacks.

However if they're responding to a link in an email claiming to be from the bank (always dubious), or off a search engine's results, then they should be extra cautious or avoid these avenues altogether.

The other thing I do with my clients is to warn them of the consequences if they get careless... like discovering transactions they didn't make and/or money gone from their account, transferred to countries where recovery might well be impossible (such as Russia or China). Basically, a little fear/paranoia can go a long way toward keeping folks vigilant and their accounts safe. Hope this helps!

  • Thanks for the answer! I think focusing on how you reach the site is a good idea. To your advice of typing the address yourself, I would like to add that you should type the address *including the `https://`*. – Anders Feb 01 '16 at 20:24
  • About the URL. I think it needs to be from the `//` to the `/`. And here it starts being a bit complicated if the URL looks messy... – Anders Feb 01 '16 at 20:27
2

Essentially your question is one of authentication. In this case, it's users authenticating the bank website is actually the bank.

I think you're right, and the user is going to have difficulty in authenticating the bank through the URL (many banks have multiple URLs for instance). You're also correct that users aren't terribly sophisticated about URLs, and don't (and can't be trained to) understand it properly.

One approach I've seen at some banks is the bank always displaying a shared secret before the user authenticates. It works something like this:

The user does a pre-authentication by entering in a username, and an answer to a security question.

The website displays an image, word, or both that the user has selected. This provides assurance that the bank is actually the bank, since only the bank knows the image or phrase that the user has chosen.

The user then enters the password.

Steve Sether
  • Thanks for the answer! That is an interesting system, but it is of little help for the person I am trying to advise if the bank hasn't implemented a system like that. Also, isn't it sensitive to MITM attacks? The middle man takes the username and sends it to the bank, getting the image. It then presents the image to the user. So I still need to check that TLS is used to safeguard against MITM. – Anders Feb 01 '16 at 16:22
  • Oh it still relies on a TLS connection. That's still true of course. But it still forces the attacker to perform an active attack, contacting the bank to retrieve the image. You might stand a chance of actually detecting a mass attack like this through analyzing geo-locations of where users typically login from. Realistically, banks should be using 2-factor authentication. Only one of my banks does this. – Steve Sether Feb 01 '16 at 16:31
  • Would you say using an image like that would be enough to not also have to check that you are on the right site and using TLS? – Anders Feb 01 '16 at 16:58
  • @Anders Probably not. But that's not the real question. You're thinking for an individual user. I'm thinking of preventing massive spoofing attacks. Remember, security is also often about just not being the LEAST secure. Attackers necessarily pick the easiest target. It's like the old story about not having to run faster than the lion. You just have to run faster than the slowest person in your group :). – Steve Sether Feb 01 '16 at 17:02
  • @SteveSether I know the system you're referring to and even though its name has eluded me, I am ~80-90% confident there is a paper out there explaining how it has successfully been defeated. It turns out that when you tell people on the Internet that a server is under maintenance and images cannot be loaded, a fair share of them will believe you :-) – Steve Dodier-Lazaro Feb 02 '16 at 00:55
  • It's also entirely vulnerable to active phishing attacks, sadly. I've considered recycling the concept for offline app auth though. – Steve Dodier-Lazaro Feb 02 '16 at 00:57
  • @SteveDL That doesn't surprise me... I'm not sure if there's a better way to do it, but the concept of authenticating the bank website is more the important part. – Steve Sether Feb 02 '16 at 14:30
1

I like to rely on the auto-fill feature of my password manager for this check.

The rationale is that I will not be clever enough to match the site URL in the browser to the expected one, while a password manager will.

So when I see that it has filled in the entry for the site - the site is genuine, otherwise I should start to worry.

The password manager must of course be "good", but that is another problem.

WoJ
  • That is indeed an elegant solution to see that you are on the right page. However I guess it does not help you check that you are using HTTPS. Thanks for the answer! – Anders Feb 05 '16 at 16:39
  • @Anders: checking for HTTPS does not really matter in that case. You will be matched with the correct URL, which hopefully is HTTPS. You do not need to check anything beyond the fact whether your credentials are filled in or not. If they are then you are on the right page (HTTPS or not, though it will be HTTPS). If you have a site which has both HTTP (on the front page for instance) and HTTPS (on the login page) then your match will be against `https://the.bank.address/login` and `http://the.bank.address/login` or anything else will fail to match and credentials will not be filled in. – WoJ Feb 05 '16 at 16:45
  • Oh, right! Smart! – Anders Feb 05 '16 at 17:04
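The two URL checks that run through this thread, written out as an added example (it is not code from the question or from any of the answers): point 1 of the question, where a bank name appearing somewhere in the URL tells the user nothing, with kasperd's comment that the server is the part between the slashes; and WoJ's point that a password manager matches the full origin, so the plain-HTTP login page of the right host is refused along with every lookalike host. The bank domain `mybank.example`, the saved origin and the sample URLs are constructed placeholders.

```python
"""URL checks behind the advice in this thread.

Added example for this discussion; not code from the question or any answer.
All bank names, hosts and URLs below are constructed placeholders.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed: the bank's registrable domain, and the exact login-page origin a
# password manager would have saved on the user's first, carefully checked visit.
BANK_DOMAIN = "mybank.example"
SAVED_ORIGIN = "https://secure.mybank.example"

# Constructed URLs a user might land on. The bank's name appears in every one,
# so a "scan the URL for the bank's name" check passes all of them.
SAMPLES = {
    "legit":     "https://secure.mybank.example/login",
    "subdomain": "https://secure.mybank.example.evil.example/login",  # point 1 in the question
    "path":      "https://evil.example/secure.mybank.example/login",
    "userinfo":  "https://secure.mybank.example@evil.example/login",  # user@host syntax
    "sslstrip":  "http://secure.mybank.example/login",                # right host, plain HTTP
}


def name_scan_check(url: str, bank_name: str) -> bool:
    """The heuristic the question worries about: 'is my bank's name in there somewhere?'"""
    return bank_name.lower() in url.lower()


def hostname_of(url: str) -> Optional[str]:
    """The server actually contacted: the part between '//' and the next '/',
    as kasperd's comment puts it, with any port or user@ prefix removed."""
    return urlsplit(url).hostname


def is_bank_host(url: str, bank_domain: str = BANK_DOMAIN) -> bool:
    """True only for the bank's domain itself or a subdomain of it. Matching the
    suffix with a leading dot is what keeps 'secure.mybank.example.evil.example' out."""
    host = hostname_of(url)
    if host is None:
        return False
    return host == bank_domain or host.endswith("." + bank_domain)


def origin_of(url: str) -> str:
    """scheme://host[:port], with the scheme's default port dropped."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def autofill_would_match(url: str, saved_origin: str = SAVED_ORIGIN) -> bool:
    """The rule WoJ's comment relies on: the saved entry matches only when scheme,
    host and port are all identical, so an http:// page of the right host is refused."""
    return origin_of(url) == saved_origin


def evaluate(url: str, bank_name: str = "mybank") -> Dict[str, bool]:
    """Run the three checks on one URL so their outcomes can be compared side by side."""
    return {
        "name_scan": name_scan_check(url, bank_name),
        "bank_host": is_bank_host(url),
        "autofill": autofill_would_match(url),
    }


if __name__ == "__main__":
    print(f"{'case':10} {'name_scan':>9} {'bank_host':>9} {'autofill':>8}  url")
    for label, url in SAMPLES.items():
        r = evaluate(url)
        print(f"{label:10} {str(r['name_scan']):>9} {str(r['bank_host']):>9} "
              f"{str(r['autofill']):>8}  {url}")
```

Running it prints one row per sample: the name scan accepts every URL, the host check rejects the three lookalike hosts but still accepts the plain-HTTP page, and only the origin match rejects that one too, which is why the password-manager approach covers the HTTPS question that the bookmark alone does not.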
0

Steve DM's answer (checking and bookmarking the page) is better from an absolute security standpoint, but another viable (and possibly more user friendly) option is to tell them to Google the bank every time instead of clicking on a link.

This way, you rely on Google taking you to the right place rather than some shady link and your observational skills.

It's easy, and something your friend already does on a regular basis.

NOTE: This is still susceptible to MITM attacks, but it will prevent basic phishing attacks. I'd just tell a non-tech savvy person to always Google their bank (and other sensitive sites) and to not log on to sensitive websites at public places.

Dominic A.
  • Then they would have to check that their connection to Google is safe. – Benoit Esnard Feb 01 '16 at 16:59
  • But if Google takes me to `http://mybank.com` where there is a link to `https://secure.mybank.com` I would still be vulnerable to MITM with SSL-strip. – Anders Feb 01 '16 at 17:00
  • I'd never want to trust Google search results to bring up the right site. It's easy enough to manipulate Google searches that it's become a sport. http://www.screamingfrog.co.uk/google-bombs/ Just ask Rick Santorum what he thinks about the accuracy of typing in something into Google and getting what you're searching for. Even 13 years later this jackass is better known for the disgusting definition of his name rather than him. – Steve Sether Feb 01 '16 at 17:19
-3

Yes. Use an app that is definitely connecting to the site.

Or. Check the https. Verify the url. Make sure the url is short enough to visually see tampering. Also, maybe some examples of homographic attacks.

m2kin2
  • ...unless the app has been tampered with. – Trang Oul Feb 01 '16 at 13:39
  • And given apps can hide what kind of connection they are using, it may not even be secure in the first place. – Petah Feb 02 '16 at 01:00
  • Relying on a dedicated app these days is often less safe. Using a major browser it is much more likely that you'll be using something that has gotten needed security patches. Quite often dedicated software turns out to be vulnerable to man-in-the middle style attacks and the user is none the wiser. With all the scrutiny, browsers are more likely to be up on their game. – Caleb Nov 25 '16 at 17:34