Online Banking - Making Phishing Better or Worse

It’s Christmas. I know it’s Christmas because I have a shiny Xbox 360 Elite waiting to be installed, along with my Microsoft Home Server and other cool gadgets for the family and me.

I also know this because I have to go outside and stack a pile of fire logs in the cold, so you’ll forgive me for finding a perfect excuse to write a blog post in the warm.

This morning the kids decided they wanted to go see a Christmas movie this afternoon and chose Enchanted. I got my wife’s credit card (yes, I am Scrooge) and went online to book the tickets. The card went off to be authorized and, to my horror, I was presented with a phishing attack; or was it?

[Screenshot: RBS password prompt]

The dialog asks for 3 characters of my nine-character password, or 1/3 of it in old money. It displays the bank logo and uses a URL of “secureSuite.co.uk”. Being somewhat phishing aware (given my job, you would obviously hope so anyway), I stop and, for no other reason than curiosity, view the certificate. It too is issued to “securesuite.co.uk”.

[Screenshot: certificate issued to securesuite.co.uk]

As far as I am concerned, as an average user, “securesuite.co.uk” has no relationship to the Royal Bank of Scotland whatsoever, and this is another scam. The certificate being valid changes nothing: it only proves I am talking to whoever controls securesuite.co.uk, not that securesuite.co.uk has anything to do with my bank. If they get me three times (and since whoever runs the page chooses which three positions to ask for, it is easy to cycle through the thirds) they have my full password.

I am shocked to learn this is the official scheme from the Royal Bank of Scotland (who, incidentally, are one of the world’s largest retail banks, owning many foreign subsidiaries such as Citizens).

This is madness! It is already hard enough to educate the average user to be “click aware”; now a bank has decided to intentionally train its own customers to follow exactly the logic scam artists use to trick innocent members of the public: a third-party domain, dressed up with the bank’s logo, asking for bank credentials in the middle of a retailer’s checkout. In an attempt to offer two-factor authentication they have, IMHO, opened all their users up to more phishing hell. This is not hard to get right. Redirect the shopper to a valid HTTPS site on the bank’s own domain, have them log in there (which proves the user is the account holder and not just someone holding the card), hand them back a token bound to this transaction that they pass on to the retailer, and log them out. That said, the potential for this type of scheme to be combined with XSS attacks, where the user has a valid session open to their bank, makes me shiver.

Bah, humbug!

Categories: Identity, Phishing, Security Bullshit, Security Industry, Web Security, information security
