Just noticed this today, although it's been like this for a while... Users of National City online banking - at least the personal banking users - might be interested to know that they've actually made their site less secure, while claiming to make it more secure...
It used to be a standard login over SSL security - you entered your username and password into a form, and logged in. But now they've broken that into two steps. First you enter your username, and hit enter. Then you enter your password into a specially customized form that I guess is supposed to protect against phishing attacks, because it has a unique background and phrase on it.
I guess the theory is that you'd notice if you were trying to login to a fake National City, because the personal background/phrase wouldn't be there, or would be wrong.
But here's the problem - an impostor trying to brute-force an account would actually receive feedback from the site if they guessed a correct username! Because if you enter a username that doesn't exist then you don't get a personalized password form - and if you guess one that does exist, you get their personal password form! So now an attacker would know that they have a valid username, and need only work on the password.
I don't remember, but I believe before this "security upgrade" if you entered a bad username/password combo, you merely got a generic error message - and no feedback on which item (the password or username, or both) was incorrect.
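To make the problem concrete, here is an added illustration (my own sketch, not National City's code) of the two-step flow described above beside a variant that answers every username with a personalization form, deriving a stable decoy phrase and background for unknown names so the response shape no longer reveals whether the account exists. The user store, secret key and phrase/background lists are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample user store: username -> personalization shown on the password form
USERS = {
    "alice": {"phrase": "blue heron", "background": "img/heron.png"},
}
PHRASES = ["blue heron", "still lake", "old oak"]
BACKGROUNDS = ["img/heron.png", "img/lake.png", "img/oak.png"]

# Server-side secret for deriving decoys (assumption: in practice kept outside the code)
DECOY_KEY = b"constructed-server-secret"


def step_one_leaky(username):
    """The two-step flow as the post describes it: an unknown username gets a
    different response than a known one, so the first step confirms valid usernames."""
    user = USERS.get(username)
    if user is None:
        return {"status": "unknown_user"}
    return {"status": "ok", "phrase": user["phrase"], "background": user["background"]}


def step_one_hardened(username):
    """Always returns a personalization form. For unknown usernames the phrase and
    background are derived with an HMAC over the username, so repeated lookups of
    the same bogus name see the same (meaningless) form and real and fake users
    produce identically shaped responses. The password step must still answer with
    one generic error for every failure, otherwise the leak just moves there."""
    user = USERS.get(username)
    if user is not None:
        return {"status": "ok", "phrase": user["phrase"], "background": user["background"]}
    digest = hmac.new(DECOY_KEY, username.encode("utf-8"), hashlib.sha256).digest()
    return {
        "status": "ok",
        "phrase": PHRASES[digest[0] % len(PHRASES)],
        "background": BACKGROUNDS[digest[1] % len(BACKGROUNDS)],
    }


def leaks_existence(step_one):
    """Defender's check: does the response for a real user differ in shape or status
    from the response for an invented one?"""
    real = step_one("alice")
    fake = step_one("no-such-user-constructed")
    return set(real) != set(fake) or real["status"] != fake["status"]
```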
Way to go National City.