Tyromaniac : Truth will triumph in the end... after everybody has left
Updated: 10/19/05; 5:41:13 PM.

Monday, August 29, 2005



Banks Shifting Logins to Non-SSL Pages. After years of training customers to trust only SSL-enabled sites, banks are shifting their online banking logins to the unencrypted home pages of their websites. [Netcraft]

This is an interesting article. I have done this! I noticed that the data is still encrypted. The main criticism is that this move opens the bank to a man-in-the-middle attack, but this is less than clear. First of all, phishing attacks show that encrypting just isn't enough. By phishing you can fool a person into entering his/her codes in a page where you control the encryption. Second, the man-in-the-middle attack is just unreal. The attacker gets your encrypted info and then has to use some kind of brute-force attack to uncover it... Meanwhile, you are redirected to your bank's site, and your intention all along may have been to change the password, making that attack a waste of time. A person choosing this attack instead of phishing either has something against you personally or is kind of dumb. Also, despite the noise they create, attacks of this type are unlikely. Most banks do have some protection against a massive attack on one account. The beauty of phishing is that you could get a small amount, say $50, from 10,000 accounts (even then, your intention must be to flee the country and get protection from Cuba or some place like that). Deciphering the password of 10,000 accounts one by one is just not worth it. As usual, the Microsoft guy got it wrong on security.

Netcraft, on the other hand, has a point. For years we have told people to look for the lock before entering the password and pressing go. That information was presented that way because it was easier to explain, not because it was more secure. So the real topic here is real security versus perceived security. I call the latter marketing security, and banks should not overlook it. The reality of being secure is important, but it is also important to be perceived as secure by your clients. Banks should decide on their own whether moving the login/password to the main page will be frowned upon by clients. In most cases I doubt it, and the increased (marketing) benefit of having only one link should outweigh the small loss of real security.

I have similar feelings about another new "feature" of some banks: providing an "on-screen" keyboard to tap the password instead of using the computer keyboard. Is that more secure? Well, perhaps you could argue that you are scrambling the letters/numbers and sending a code instead (so even deciphering the SSL wouldn't get you the password without the code and the scrambled keyboard). But this attack is again unreal. The most common attack is looking over the shoulder, or better yet, filming a person entering his/her password, and both of these are made easier by the on-screen keyboard, since mouse movement is slow compared to finger typing. Still, since an attack on one person is not worth it, the perceived security of an "on-screen" keyboard is probably worth the extra effort it involves, even though it decreases security and pisses me off!
3:59:34 PM


© Copyleft 2005 Alfredo Octavio.

