Online banking security
Posted by bordalix Thu, 22 Jan 2009 14:47:00 GMT
Update 1 day later: First, just to let you know that the comments on this post are richer than the post itself. Second, that Mit has found a contact form.
You know something is wrong with your online banking security when you access cgd.pt (instead of www.cgd.pt) and you get an external page:
Note: before posting this article, I tried to find a contact form on CGD's site to warn them about this issue. I didn't find any. I even tried the site map.

I don't get it. Aren't you accessing it using the OpenDNS nameservers?
cgd.pt has no A record, so OpenDNS redirects you to that ad page.
Do you use OpenDNS name servers? :)
Stop using OpenDNS ;)
telepac.pt and sonae.pt also give an error…
There are a lot of sites out there that only “open” with the www before the domain name.
You know there is something wrong with your DNS resolvers security when they hijack your NXDOMAIN responses and send you to a “helpful page” with adsense ads.
Really, when InterNIC pulled the same stunt some years ago, everybody bitched about it and it was received as an invasion of privacy and an abuse of the DNS protocol, but when OpenDNS does the same, then it's your bank's problem?
Sure, the bank should have the A record for cgd.pt, redirecting to www.cgd.pt; that's something that is helpful to their customers, but it is not a security failure of the bank.
Pedro, they hijack more than the NXDOMAIN response to their IP. In this case you don't have a NXDOMAIN status response because there is a glue record for it. I guess they hacked the nameserver's daemon to hijack every query with answers equal to zero. OpenDNS doesn't respect the RFC; this is an old issue, not a CGD problem, as said before.
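The distinction made in this comment (a true NXDOMAIN versus a NOERROR reply with zero answers, which a “helpful” resolver may turn into a synthesized A record) can be checked from the wire format. The following is an added example, not code from the post or from any commenter: a stdlib-only parser for DNS responses and a comparison that flags a candidate resolver when it returns A records for a name that a reference resolver reports as empty. The two response messages and the 192.0.2.10 address are constructed samples, not real OpenDNS or CGD data.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN"}

def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def classify(msg):
    """Return (rcode name, list of A-record IPs) for a DNS response message."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    rcode = RCODE_NAMES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, ips

def looks_synthesized(candidate, reference):
    """True when the candidate resolver hands out A records for a name the
    reference resolver says has none (NXDOMAIN or NOERROR with zero answers)."""
    return bool(classify(candidate)[1]) and not classify(reference)[1]

# Constructed samples: a query for cgd.pt / A answered two ways.
QNAME = b"\x03cgd\x02pt\x00" + b"\x00\x01\x00\x01"   # name, QTYPE=A, QCLASS=IN
HDR_NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)   # NOERROR, 0 answers
HDR_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # NOERROR, 1 answer
REFERENCE = HDR_NODATA + QNAME
CANDIDATE = HDR_ANSWER + QNAME + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
```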
Let me get things straight: pretend I'm a regular customer, so I don't know shit about what you are talking about. When I write cgd.pt I get a strange website. But when I write www.cgd.pt I get the right one. I feel insecure about my bank. And that's a CGD problem.
Forget tech, think about people.
João Bordalo: It’s your problem, because you (or someone you know) configured the OpenDNS servers on your machine.
If I open ‘cgd.pt’ on my browser, I get the bank’s homepage because Firefox redirects me there.
If using a browser that doesn’t have this feature, I would get an error page.
It’s not a security problem. It’s a problem caused by something you did.
If you wish, you may go to the OpenDNS page (www.opendns.com) and disable this behavior. Or stop using OpenDNS and use your ISP DNS servers.
JSR
http://www.opendns.com/support/article/132
“João Bordalo said about 4 hours later: Let me get things straight: pretend I'm a regular customer, so I don't know shit about what you are talking about.”
If you are a regular customer, you don’t screw your computer by configuring it with a broken DNS server, correct?
“Bruno Rodrigues said about 8 hours later:
“João Bordalo said about 4 hours later: Let me get things straight: pretend I'm a regular customer, so I don't know shit about what you are talking about.”
If you are a regular customer, you don't screw your computer by configuring it with a broken DNS server, correct?”
Exactly. Nobody is forcing you to use OpenDNS. Before blaming someone for your own mistakes, it's good to know what you're talking about…
I get João's point. Is it too much to ask for a bank to get cgd.pt redirected to www.cgd.pt? There are even companies that buy the domains that are close to theirs to avoid losing traffic. I think the point was about customer care more than the DNS situation. By the way, what do you all think about a bank website without a contact form? Is it João's poor search ability or again a situation of poor customer care?
João,
“When I write cgd.pt I get a strange website. But when I write www.cgd.pt I get the right one.”
When I write cgd.pt I get the correct site.
Fix your OpenDNS server configuration, or stop using DNS resolvers that are trying to make a buck by “helping” the customer when no help was needed in the first place.
Could CGD solve the “problem” for OpenDNS users? Sure!
Are “real people” using OpenDNS servers? Thank god, no…
Best regards,
I found the form!
https://ws.cgd.pt/Espaco-Cliente/GestaoReclamacoes/Formulario.aspx
CGD’s face is now safe again. Be well.
João,
you’re putting a lot of faith and trust on a free service, when accessing a bank using those DNS servers.
If the “catchall” page on OpenDNS has an XSS vulnerability, and an attacker gets to access your cookies, is it also the legitimate site owner's responsibility?
Those catchall (like verisign’s a few years back) pages are just a disaster waiting to happen.
Just use your provider’s DNS servers. I don’t see any reason not to. “Real people” do :)
Since Bruno spoke about security issues related to this situation, I also wrote a little about it some time ago here:
http://paradigma.pt/gngs/view.php?pid=756
(in portuguese, if you don’t understand just follow the links on it)
Or just use one of those browsers made by Sapo that redirect you to a different page…
Or use my DNS servers, I’ll be happy to serve you a CGD site lookalike on cgd.pt, with a self generated cert for which you can click ignore on the security warning of your browser…
Or… just bookmark https://www.cgd.pt/ (making sure you got it right) and never use anything else (if you're typing cgd.pt to access your homebanking, you're not free from typo-jacking (TM) and happily inputting your credentials somewhere…)
In a nutshell: get smart.