Skip to main content

Security Mis-step on Nationalcity Online Banking

Just noticed this today, although it's been like this for a while... Users of National City online banking - at least the personal banking users - might be interested to know that they've actually made their site less secure, while claiming to make it more secure...

It used to be a standard login over SSL security - you entered your username and password into a form, and logged in. But now they've broken that into two steps. First you enter your username, and hit enter. Then you enter your password into a specially customized form that I guess is supposed to protect against phishing attacks, because it has a unique background and phrase on it.

I guess the theory is that you'd notice if you were trying to login to a fake National City, because the personal background/phrase wouldn't be there, or would be wrong.

But here's the problem - an impostor trying to brute-force an account would actually receive feedback from the site if they guessed a correct username! Because if you enter a username that doesn't exist then you don't get a personalized password form - and if you guess one that does exist, you get their personal password form! So now an attacker would know that they have a valid password, and need only work on the password.

I don't remember, but I believe before this "security upgrade" if you entered a bad username/password combo, you merely got a a generic error message - and no feedback on which item (the password or username, or both) was incorrect.

Way to go National City.

Comments

Popular posts from this blog

Another VI tip - using macros, an example

God I love VI. Well, actually, vim but whatever. Here's another reason why. Suppose you need to perform some repetitive task over and over, such as updating the copyright date in the footer of a static website. (Yes, yes I know you could do a javascript thing or whatever, just bear with me.) Of course you could just search and replace in some text editor, changing "2007" to "2008" (if you're stupid) - and you'll end up with a bunch of incorrect dates being changed, most likely. What you need to do is only change that date at the bottom. And suppose that because of the formatting, you can't use the "Copy" part of the string in a search replace - perhaps some of the pages use "©", some spell out "Copyright" etc. This is where vi macros come in handy. A macro in vi is exactly what you expect, it records your actions and allows you to play them back. To start recording, press q followed by a character to use to "stor...

Using FIle FIlters in FileZilla

Here's a handy tip for situations when you want to download a large number of files - but only of a certain type. For example, perhaps you want to download all the PHP files from a largish website, scattered through many subdirectories. Perhaps you're making a backup and don't want any image files, etc. FileZilla (still the best FTP in my opinion) has a handy feature called filename filters - located under the Edit menu. Here you can set various filters that filter out files based on their filename. Took me a minute to figure that out - you're saying show only PHP files, rather you're saying filter out files that do not have ".php" as their suffix. For some reason, that seems a little backwards to me, but whatever. It works quite well. You can also check whether the filter applies only to files, only to directories - or both. In this example, you'd want to check only files, as otherwise you won't see any directories unless they happen to end in...

Great google article

Over on Maximum PC - there were a few things I didn't know you could do with the various Google apps. One is uploading files to google docs - any file. Which ties in well with my previous post about storing passwords - I uploaded a copy of my password safe file to google docs as a backup. Can't hurt, right? Also, I wasn't aware that you could set up forms in google docs that act as surveys, and then store the results in a google docs spreadsheet. This is a little alarming, as a decent amount of my work involves coding up custom surveys similar to this...