Navy Federal Credit Union Web Site Operating with Security Issue
Online
banking users are hopefully aware of the need to login to their banks
web-based system using secure means, such as via a web site protected
using SSL encryption. (Editor's Note: "Yeah Right!" SSL encryption is flawed...as is the more supposedly advanced "EV SSL" encryption. (see my posts on the subject below)
Zusman and Sotirov have also demonstrated that the same flaw can be leveraged to launch browser cache poisoning attacks against EV SSL protected web sites. Both attacks can cause significant exposure and silently expose "encrypted" ...
They say it is, heck there was the https, then the SSL and after those were all breach they came up with EV SSL.
Well, what's next? How about just realizing that hackers will get past
any security you can come up with...unless it's done ...
Jul 08, 2009
Extended Validation (EV) SSL is considered by all to be more secure than SSL: Calls for widespread EV SSL implementation are on the rise as SSLExtended Validation Secure ... threats increase. Two years after its rollout, the "more secure"
Every legitimate bank offers such
protection, normally disallowing customers the ability to login via
unsecure means. But not every bank appears to be conscious of the
myriad of potential security risks associated with their site. Navy Federal Credit Union
is plagued by a huge security vulnerability on their web site and is
possibly the easiest bank on which to perform a phishing expedition
.
Updated – August 12, 2009: Added correspondence
from the RSA Anti Fraud Command Centre and SliceHost Support regarding
a take-down notice and trademark infringement claim. This little
article has apparently generated some interest and visibility by an
NFCU “security” contractor.
Updated – August 15, 2009: The saga
appears to have come to an end as the RSA AFCC responds to SliceHost
after TechMiso stipulates the content was not infringing. The attack
dogs are ostensibly caged for now.
Read the full story …