• On ZDNet: Why I Will never buy a Mac
July 5, 2008 2:23 PM PDT

Verifying legitimate bank websites

by Michael Horowitz

Recently I wrote about Flagfox, a simple Firefox extension that puts a flag in the corner of the browser window indicating the country where the website being viewed resides. Hovering the mouse over the flag displays the IP address (explanation below) of the website and clicking the flag brings up more details, including the city where the site is located.

This can be important because there are many ways to be tricked into thinking you are at, for example, a bank website, when you are really viewing a well-crafted, scam copy designed to steal personal information. Flagfox can go a long way toward verifying that you are really looking at the website you expect. Anyone doing financial transactions online would be well served to use it.

When banks explain why their websites are safe and secure, they focus on the SSL encryption used to transmit data over the Internet. That's only part of the puzzle however. We can encrypt data and send it to the bad guys too. That's where Flagfox can help.

The problem is verifying the physical location of legitimate websites.

For example, on my computer, Flagfox reports that the login page for Capital One credit cards is in McLean, Virginia. Is this the real site, or, has my computer been compromised such that I'm looking at a phony copy?

The only way to verify the location is to ask the bank. So that's what I've been doing.

On July 3rd, I contacted eight banks asking where their websites were physically located. In some cases I emailed, in other cases I filled in a form on their website. In each case I pointed to my previous blog posting and asked for a comment. The banks I contacted were: Citibank, Chase, Washington Mutual, Bank of America, Wells Fargo, Wachovia, HSBC and Capital One.

About IP Addresses

Flagfox determines the country based on the IP address of the website. Every computer on the Internet is reachable by a unique number called an IP address (a single IP address often front-ends multiple computers, but that's another topic).

It is impossible for the computer(s) running a website to hide their IP address. Just as the Flagfox extension displays it, so too can any Internet-aware software that cares to do so. And, just like you can learn the IP address of a website, the website also knows your IP address. To see this in action, go to ipchicken.com.

Thus, one way to detect scam websites would be for financial companies to publicize the IP address(es) of their website. Customers could put a yellow sticky on their monitor with the IP address and verify it with Flagfox before logging in to the website.

The Bank of America did just that. They wrote back that their website uses these three IP addresses:
  171.161.161.173
  171.159.193.173
  171.159.65.173

But, IP addresses are for computers not for people. Humans are better off dealing with countries, states and cities. Capital One credit card customers would, I'm sure, prefer to remember McLean, Virginia rather than the IP address 208.80.48.53.

It has been two days since I contacted the eight banks (yes, it's a holiday in the U.S., but bank websites don't do holidays). Three haven't responded at all. Four responded with canned messages that failed to address the topic. Only Bank of America seems to have read the question.

If I learn anything from these companies, I'll pass it on. If you do financial transactions online, try asking your financial institution. Can't hurt.

Update July 7, 2008: Attacking the registrar for a domain is one way to redirect people to phony websites. See this July 7th ComputerWorld article for a recent example: ICANN blames June site hijack on registrar

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Topics:

Phishing

Tags:

Firefox,

Flagfox

Share:
Digg
Del.icio.us
Reddit
Recent posts from Defensive Computing
Fixing bugs in the Flash Player yet again
Getting more battery power for your computer
Get an MSI Wind Netbook for only $349
Not interested in a Netbook computer? Consider the Honda Fit
Beware emails linking to blogspot.com
When Word documents break
More about printer ink rip-offs
Some computers are too important to be networked
Related
Add a Comment (Log in or register) (3 Comments)
  • prev
  • 1
  • next
by blabtech July 5, 2008 8:36 PM PDT
It's always good to be careful these days.

Reply to this comment
by BassaBabe July 7, 2008 5:38 AM PDT
can a webpage spoof it's ip address like a user on a computer can?
Reply to this comment
by jshapiro July 17, 2008 6:29 PM PDT
Sadly, Man in the Middle (MITM) attacks can happen because you can not verify what you see online. Worse, any content delivered through the Internet can be manipulated by fraudsters as that is the very nature of the content distribution capability of the Internet. MITM attacks exploit this very vulnerability boldly because they believe they can.

The good news there are technologies that use digital certificates to bind content to specific URL?s which consumers can then verify with a simple reader/ mouse rollover. Importantly, this verification is NOT browser based but generated by your PC reading the digital certificate so no bad guys can manipulate the verification process.

There are banks and companies using this technology today as part of a mutual authentication solution. And beyond banks, end users can today verify the identity of many large corporate home logos with this free reader (its called VerificationEngine) that verifies content.

Key to staying safe online is about authentication ? of digital identities, of digital transactions, of digital content. This ?authentication layer? is being built by technology companies across the internet ecosystem.

It?s about time.

Judy Shapiro, Comodo.
Reply to this comment
(3 Comments)
  • prev
  • 1
  • next
advertisement
Click Here

Making sense of Windows 7 upgrades

faq The basics and the fine print on Microsoft's options for those eyeing the next operating system from Redmond.
• Full Windows 7 coverage

Road Trip 2009: Big Sky Country

CNET News reporter Daniel Terdiman takes his car full of gadgets to the Rockies and the Great Plains in search of tech, science, nature, and more.
• America's Fortress: Cheyenne Mountain

About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.

Disclosure.

Add this feed to your online news reader

Defensive Computing topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET