[Wylug-discuss] A Business Bank that works because Alliance and
Leicester doesn't.
Louis Brook
l.brook at gmail.com
Thu Oct 11 22:44:22 BST 2007
Chris,
On 11/10/2007, Chris Davies <chris at roaima.co.uk> wrote:
> Anne Wilson wrote:
> > :-) They'll need a bit more info than that to get anywhere :-) Actually, one
> > of the things I like about A & L is that phishing is harder than on many
> > other banking sites. During the login you are presented with a screen that
> > contains a picture chosen by them and a phrase chosen by you. It would be
> > impossible for phishers to guess those. Of course, if idiots ignore safety
> > procedures there's not much you can do to safeguard them.
>
>
> That doesn't stop machine-in-the-middle attacks, though, does it. (I always
> figured that was the way to go, and was quite surprised to see that it took
> until last year for Citibank accounts to be broken that way.)
>
> How many people /really/ check for the "padlock" on their banking website AND
> that they haven't mistyped the URL (hsbc vs hbsc for example)? Especially as
> some of these banks force users to access their accounts via a separate window
> that hides the address bar (and hence one can't see the httpS prefix). Hello
> HSBC if you're listening.
It is my understanding that the popup/frames combination was
originally implemented to prevent would-be 'phishers' from having
(easy) access to the HTML code for mimicry purposes. Sure, anyone with
an ounce of browser knowledge could bypass this, but it was mild
prevention nonetheless and as a result HSBC had very few forgeries.
Since then, the Personal Internet Banking service has seemingly
improved a great deal (aesthetically at least) and I wouldn't be
surprised if the popup goes now that they've integrated the login
system with the rest of the site.
>
> Chris
>
I'm keen to know what moral issues you have with HSBC though?
Louis