Is accessing bank account on the internet really secure?

Question

Before I ask my question, I would like to make sure that I understand the settings correctly.

So, the given:

A client, using some web browser (firefox, for instance) - the Client
The bank server - the Server
The Client establishes HTTPS connection with the Server
An SSL certificate signed by a well known CA is used
The Client's bank account access password is good and well protected.

Now, I am asking myself what makes it invulnerable to the MITM attack? Imagine that:

Someone gets a legitimate SSL certficate signed by any well known CA and issued to a certain machine.
Next, we need to make the HTTP traffic go through this machine. It is possible if the machine is configured to be a router and is located somewhere close to the endpoints - the corporate network or the respective ISP are the ones that come to mind.
The machine acts as an MITM proxy. Now, the browser should still warn the Client, because the presented certificate is issued to a host different from that in the URL, but examining the certificate would reveal that it is absolutely valid and is issued by a trustworthy CA - it may fool the human into accepting it.

So, my question is this - is it true that the security of online accounting depends on:

The strictness of the process of signing SSL certificates by well known CAs.
The security of the corporate and ISP IT labs.

Which is in addition to the power of the math behind the encryption, of course.

Thanks.

The power of the math behind the encryption is not something the average user needs to worry about. In my opinion. Encryption-only and Decryption only keys are used in the certificate, and the key length is periodically getting longer (128bit, 256bit for primary certificates, CA certificates are making it to 1024bit), meaning that brute-force is very expensive. Most of the risk is from using the wrong certificate, like what is primarily being discussed with incorrect CAs, fraudulent certificates. Not from cracking the math. And of course many other ways to fool the user. — 700 Software, Dec 19 '11 at 17:53
Question, are there actually any online banking out there that haven't started using two-factor authorization with one-time-passwords yet? I imagined that would be one of the assumptions here. — efr4k, Dec 20 '11 at 10:02
@ephrack first of all you mean two-factor authentication (or possibly two-step authorization, but I doubt that, as it is rare). But to your question, simple answer is that *most* online banks do **not** require 2-factor authentication. Sadly. Although some think they do, even though they don't.... — AviD, Feb 21 '12 at 23:30
@AviD just a typo, I meant authentication of course. But in Norway where I'm from I have not heard of any bank that don't use two-factor authentication. I actually thought that was a requirement for PCI compliance, but of course it might just be an "extra service" our banks provide. — efr4k, Feb 22 '12 at 08:34
In the UK most banks now offer two-factor to all their customers, but it's only business, corporate and high-net-worth individuals who seem to be near the 100% uptake. — Rory Alsop, Feb 22 '12 at 09:28
@RoryAlsop but are all of those *actually* two-factor, or arent some of them the snake-oil pseudo-multi-factor (which is actually two seperate pieces of single-factor what-you-know)? — AviD, Feb 22 '12 at 10:43
Two factor - RSA tokens (yeah, I know), smart cards and readers, fingerprint scanners etc — Rory Alsop, Feb 22 '12 at 11:12

rook · Answer 1 · 2011-12-19T18:22:32.880

Security is relative, for instance is accessing a bank in real life very secure? You might get robbed at gun point. Your ATM could have a Skimmer to steal the data off your card.

enter image description here

Sure SSL has its problems, the PKI also has its problems, and people are working on it. The EFF is promoting "Sovereign Keys", which basically prevents countries like Iran from forging a valid certificate for Gmail. Moxie Marlinspike's proposed solution to rogue CAs is Convergence.

Very few people can full off an attack on SSL, but when it breaks its really bad. However, a MITM attack won't get you shot. So online banking is a lot more secure than any alternative we currently have.

score 8 · Answer 2 · answered Dec 19 '11 at 17:31

As you've found out, yes it depends on the SSL system being compromised (either a certificate issued to a party whom does not own the real site, or injection of a false CA cert into the client) and for the browser to attempt to connect via the MITM site (as a proxy, or via DNS poisoning, or routing injection).

Either on its own (AFAIK) will not allow the connection to be compromised in a way which is not detectable to the client. Note that this means that any organisation supplying both the routing and the initial CA list can compromise the service (ISPs used to bundle MSIE 4/ Netscape 4 along with an installation CD for dial-up services, often you still get software to install to access a USB or even network conencted ADSL router, presenting the opportunity to tinker with the CA list).

"Now, the browser should still warn the Client, because the presented certificate is issued to a host different from that in the URL" - but you said the issued was "legitimate"? If the certificate does not match the host name it is not, therefore legitimate.

But there's still lots of other ways to undermine the security of a website without going to these lengths.

I said legitimate, because the CA could not know that the machine would be used as an MITM proxy. It could be declared as a legitimate server machine. — mark, Dec 19 '11 at 19:30

score 5 · Answer 3 · answered Feb 22 '12 at 02:41

Your understanding is correct. An even bigger risk (in many situations) is malware on the client machine you are using to do online banking from. Malware can completely defeat all security defenses: SSL, anti-virus, you name it. We have already seen such malware used widely in the wild, typically to steal money from small businesses. So, online banking is pretty scary stuff.

That said, as an individual, I gladly use online banking all the time. You know why? Because my bank promises that, in the event of unauthorized access, they will make me whole. As long as I use reasonable practices (choose a good password, don't tell it to anyone, log out after I'm done banking), in the event of unauthorized charges on my account, the bank is responsible for any losses, not me. This means I'm safe and I don't have to worry about the risks.

For example, here is Bank of America's policy:

With our Online Banking service, you can be confident that your Bank of America accounts will be secure and protected. Our safe online banking service includes $0 liability protection for any fraudulent activity originating from Online Banking, including Bill Payment. [...]

Bank of America promises you will not be responsible for any fraudulent activity originating from your Online Banking relationship. We will credit you for funds transferred from your accounts up to the amount of your loss when you notify the bank within 60 days of the transaction first appearing on your statement.

See also their service agreement for more details. As far as I know, this is broadly representative of the kinds of protections that many banks offer to individual accounts, though not all banks offer such concrete, explicit, protective language in their agreements.

However, there is a significant catch. This protection is only offered to individuals. It is not available to business accounts. With business accounts, if there is any fraud or security breach, the bank disclaims all liability and leaves their customer on the hook. This makes online banking safe for individuals, but highly dangerous for businesses -- especially small businesses, who may not have the expertise to adequately defend against these threats. Unfortunately, many small businesses are unaware of the risks of online banking, and some of them have been hammered by online criminals. See Brian Krebs' blog for extensive documentation of the number of small businesses who have been devastated by this problem. For this reason, I would recommend small businesses considering online banking to tread very carefully.

+1: The most important factor in the security of online banking is a bank that is willing to accept the risks of security issues for you. — Cort Ammon, Nov 27 '15 at 19:40

Bill K · Answer 4 · 2012-02-21T23:08:46.427

I don't really worry much about the system between me and the bank, I figure that gets a lot of scrutiny and is fairly tough to attack.

I don't worry about the bank's security because there is nothing I can do about it and I'm fairly certain that they are mostly liable if people steal money from their databases directly.

I'm TERRIFIED to access a bank from a Windows PC. Keyloggers in rootkits are virtually impossible to detect, the virus detection software is generally a year or so behind the curve on rootkits (When they can detect them at all) and nothing you do can prevent them. You can be really careful but eventually something is likely to get in. Every so-often you will even find browser pages where just viewing them compromises your PC.

IF you reboot into a separate tool that scans the hard drive and IF your rootkit's signature or pattern is contained in that tool's database then you are pretty good, but I don't know enough about the industry to know how big those IFs actually are.

I feel slightly more safe on OSX/Linux/iOS not because it's impossible to hack them or anything but it is somewhat harder and also I know that paranoid as I am I HAVE eventually found rootkits on my windows PCs but I've yet to find one on the other platforms (I run 4 including Android, but that doesn't feel as safe as I'd like) so lots of it is just personal experience. Windows 7 may also be safer, not enough data to know for sure yet.

Colonel Panic · Answer 5 · 2015-11-27T13:15:24.743

1

It's concerning how slow banks are to update their SSL configuration when their sites are vulnerable to attacks such as Heartbleed and Poodle. In the SSL Labs server tests, banking sites score typically score worse than social networks (Twitter and Gmail take security very seriously).

I made this page tabling the SSL Labs scores of British banks http://www.bank-grade-security.uk/

edited Nov 27 '15 at 13:15

answered May 17 '15 at 21:47

Colonel Panic

2,134
2
22
24

score -2 · Answer 6 · answered Nov 27 '15 at 21:50

While-as SSL&TSL are designed to be secure it depends on the security of your computer and the network around you. If you computer is infected with malware then it could steal your login information. If your network is monitored then it's possible that someone could copy your traffic and access it that way (if they have full access to intercept it then they can intercept the SSL Keys and destroy your security). It depends on your computer and network security. Your bank is designed to be secure but the security relies on you.

Is accessing bank account on the internet really secure?

6 Answers6

Linked