Let’s say I know the correct address of my bank and I log in the
first time I use my account. Once logged in, I click on a random link
within the bank’s web site, and make sure that the next page is an
https page and the security lock is present. If I bookmark this page,
and use only the bookmark as my means of accessing the web site, is
there any possibility I can be phished?
“Any possibility” is kind of a strong statement, but in general the
approach you describe is sound and something I’d feel safe doing
myself. In fact, by virtue of using a password safe such as Roboform, it’s
pretty much exactly what I am doing.
There are still ways you can be compromised, though, so we need to
look at just what a phishing attack is, and how you can prevent
phishing, and more.
In the broad sense, phishing is an attempt to trick you into handing your credentials to a site that impersonates one you trust, most commonly by getting you to click on a link in email that claims to go one place but in fact goes somewhere else. If you do click through a phishing link, the destination site may well look exactly like what you expected, but if you look closely at the domain in the address bar you’ll typically see that it’s not what you intended at all. Enter your user name and password there, and you’ve just given them to a phisher.
The conventional advice is to never click on links in email for sensitive sites, but rather always type them in by hand.
Using a bookmark is an acceptable approach as well: you’re going to a site/page/URL that you know is correct, because you saved it earlier during a known safe visit to that site. Use it, and it’s pretty much the same as having typed the address in by hand.
In either case, you’ve sidestepped the phishing attempt simply by not clicking on a link in email or on some other questionable site, and instead supplying the address yourself.
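The mismatch described above (link text that says one place, a link target that goes to another) is something you can check mechanically before clicking. The following is an added example, not code from the original article or from any product it mentions: it pulls the anchors out of a constructed sample of a phishing-style HTML email and flags any link whose destination host does not belong to the domain the visible text shows, or to the domain you actually expect. The sample message and the hostnames in it are made up for illustration.

```python
"""Flag links in an HTML email whose destination does not match where they claim to go."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing-style message (not a real email; hostnames are invented).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<p>Or visit <a href="https://www.paypal.com/">www.paypal.com</a></p>
<p>Special offer: <a href="https://notpaypal.example/">click here</a></p>
"""


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    A plain endswith() check is not enough: 'notpaypal.com' ends with
    'paypal.com', and 'paypal.com.evil.example' starts with it. Both must fail.
    """
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside the current anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_host(text):
    """If the visible link text looks like a URL or hostname, return its host, else None."""
    if not text or any(c.isspace() for c in text):
        return None  # 'click here' and friends carry no host claim
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def check_links(html, expected_domain):
    """Return (href, reason) for every link that should not be clicked."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = urlparse(href).hostname or ""
        shown = text_host(text)
        if shown and not host_belongs_to(actual, shown):
            findings.append((href, f"text shows {shown} but link goes to {actual}"))
        elif not host_belongs_to(actual, expected_domain):
            findings.append((href, f"link goes to {actual}, not {expected_domain}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL_HTML, "paypal.com"):
        print(f"SUSPICIOUS: {href}\n    {reason}")
```

Run as-is it reports the first and third links and accepts the second. The `host_belongs_to` comparison is the part worth copying: the lookalike domains phishers favor are built precisely to pass a sloppy "does it contain paypal.com" test.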
However, in theory, things could still be compromised in other ways.
As one example: a virus infecting your machine could alter your bookmarks. Use the bookmark you thought was for your bank, and you might get taken to a phishing site. For the record, I’ve not heard of any virus that actually does this, probably because once you’ve been infected there are simpler approaches to redirecting you to a phishing site.
That simpler approach is to modify your “hosts” file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux and macOS). This is actually a fairly common approach some viruses take. The hosts file is consulted before DNS and can contain “overrides”, if you will, that let the attacker redirect the actual domains of banks, anti-virus vendors, and more to servers of their own choosing. When this happens, “paypal.com” may not actually take you to Paypal, but to a malicious web site posing as Paypal.
Using a bookmark in this case doesn’t save you, but then neither does typing in a URL by hand: if the malware has hijacked the very meaning of “paypal.com” on your machine, both take you to the attacker’s server. The one thing still working in your favor is the https part of that bookmark. The attacker’s server cannot present a valid certificate for paypal.com, so the browser will show a certificate warning instead of the lock, unless the malware has also installed its own root certificate (something malware that can edit your hosts file is certainly able to do). Treat a certificate warning on a banking site as a stop sign, never as a nuisance to click past.
The good news is that because this is a common malware technique, most good anti-malware software will detect and block it.
It also illustrates once again why prevention, not just through anti-malware software but through good internet safety habits, is so important.
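If you want to see for yourself what a hosts-file hijack looks like, and check your own file for one, the following added example (mine, not the article’s or any anti-malware vendor’s) parses a constructed sample hosts file and flags every name that is mapped to something other than a loopback or unspecified address. Those two kinds of target are the legitimate uses of the file (localhost, and the 0.0.0.0 entries ad-blocking lists use); anything else sends a name to a real server somewhere, which is exactly the redirection described above. The watchlist of bank domains, the intranet entry and the 203.0.113.7 address (a documentation-only range) are all invented for the sample.

```python
"""Audit a hosts file for overrides that redirect public hostnames to other servers."""
import ipaddress

# Constructed sample hosts file for the demo (not taken from any real machine).
SAMPLE_HOSTS = """
# Constructed sample hosts file
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.tracker.example            # ad blocking: harmless
10.0.0.5    fileserver.corp                # legitimate intranet entry: worth a look
203.0.113.7 paypal.com www.paypal.com      # attacker override: bank name -> attacker IP
"""

# Assumed watchlist of domains you care most about; edit to taste.
WATCHLIST = ("paypal.com", "bank.example")


def parse_hosts(text):
    """Yield (address, name) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            yield addr, name


def is_harmless_target(addr):
    """Loopback and unspecified targets only block or localise a name.

    They cannot deliver you to an attacker's server, so 127.0.0.1, ::1 and
    0.0.0.0 entries are ignored. Anything unparsable is treated as suspicious.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings for every name mapped to a real (non-local) address.

    Names on the watchlist are 'high'; other overrides are 'medium' because
    intranet hosts are a legitimate reason for such an entry to exist.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if is_harmless_target(addr):
            continue
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append({"name": name, "addr": addr,
                         "severity": "high" if watched else "medium"})
    return findings


if __name__ == "__main__":
    import os
    import sys
    if "--real" in sys.argv:  # audit this machine's own hosts file
        path = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
                else "/etc/hosts")
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"[{f['severity']}] {f['name']} -> {f['addr']}")
```

Run without arguments it reports the intranet entry as medium and both paypal.com names as high; run with `--real` it reads the hosts file on the machine it is on. A clean home machine normally has nothing but localhost entries, so any medium or high finding deserves an explanation.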
So absolutely, use the bookmark – I do. But remember that you must also continue to rely on the rest of your internet safety strategies as well.
7 comments on “Can I prevent phishing attacks by using a bookmark?”
The described procedure has a major weak point: for security reasons most banks log you out of your account when you leave their site; so, when you connect again to a page you previously reached after logging in, you would (at best) get bumped to a generic (non-secure) page or, usually, you get an error.
The safest way is to type the site’s URL yourself, ideally in a Live-CD OS – no chance of infection so no chance of hijacking. Otherwise bookmark the site before login.
I don’t understand the basis of the question for this tip. Any bank that allows you to bookmark ANYthing other than their ‘front page’ or login screen is NO bank I’d want to do business with. What gigi said is true. TRY to bookmark anything ‘inside’ the bank site. If you CAN bookmark that page… change your bank.
I’m with all of you. Any bank that keeps you logged in to a secure site is NOT a bank I want to deal with. My bank has a 10 minute interval until you must sign in again. I like it.
Back to the phishing problem… Another circumventing possibility? You can right-click on any link within an email, copy the shortcut and paste it to your browser address bar, see whether it is, indeed, the correct address before actually going to the site.
I should have mentioned in my initial question that when one finishes a banking session, one should always log out and then close the browser window/tab. But this is not always possible (if the browser crashes, for example, in which case I restart the browser, log in and log out again). I also use Sandboxie and have separate sandboxes dedicated to each bank I use, plus No-Script and various web analysis tools to alert me to bad web sites.
One of the reasons for using an https bookmark is that as I understand it, a request to visit a web site goes through a Domain Name Server (DNS). Some are secure and some are not. By using the https bookmark, the request to visit a web site goes to a secure DNS and is redirected to the log-in page. Typing in an IP number will go to a non-secure DNS, and if it has been compromised (called DNS poisoning) it will make no difference if you use the normal URL or the IP number. But when using a bookmarked https address, the site visit request will go through a secure DNS, and I have not heard of any of those being compromised to date. Leo, correct me if I am wrong on this.
Using bookmarks does not have any effect on the banking session length, and because using https bookmarks is more secure, why in the world would a bank want to prevent bookmarking them?
I am curious as to how typing the correct IP number makes any difference in security. The request still has to go to an unsecure DNS. If you type the name of the site correctly, the DNS translates it to an IP number anyway, so while there might be a tiny increase in speed, it is no more secure than typing in the CORRECT name. And one can make a typo in an IP number just as one can mistype a word. Using a password manager is always a good idea, though, as long as you are sure you are on the genuine web site.
Thanks for the effort you took to expand upon this post so thoroughly. I look forward to future posts.
After opening my cable computer account I noticed in my address book there was a Q=14454451545541445………………….., and “Bookmark My Account” was also shown as the contact. I have asked a couple of IP guys that I know and they do not seem to know what this is. Leo, please help!