https://ssrn.com/abstract=2407968
Phishing in Smooth Waters: The State of Banking Certificates in the US


Zheng Dong


Indiana University

Kevin Kane


Microsoft Corporation - Microsoft Research - Redmond

L. Jean Camp


Indiana University Bloomington - School of Informatics and Computing

March 12, 2014

2014 TPRC Conference Paper

Abstract:
A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs).

Banks are the most common target of phishing attacks, so we conducted an empirical study of certificates for depository institutions insured by the Federal Depository Insurance Corporation (FDIC) and compared them to general-purpose, non-banking certificates. Our study of the websites of FDIC-insured banks found that the current configuration fails to support website authentication. The most common failure is the absence of a certificate, meaning that a false certificate would be the only valid-named certificate for that institution. Certificates with incorrect names, incorrectly structured certificates, and shared certificates all plague online banking. The vast majority of banks, especially smaller banks, apparently lack the expertise, support, or incentive to implement certificates correctly.
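The failure categories named in the abstract (no certificate, a certificate naming the wrong host, a certificate shared across unrelated organisations) all come down to whether any name the certificate carries matches the hostname the customer typed. The following is an added illustration, not code from the paper or its authors: it implements the RFC 6125-style hostname comparison that browsers apply (case-insensitive exact match; a wildcard only as the whole left-most label, covering exactly one label) and runs it over four constructed, fictitious bank sites. The `Cert` class, the `audit` categories and the "last two labels" approximation used to guess a registrable domain are assumptions made for the example, not the paper's methodology.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate's name fields (constructed, not parsed)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)

    def dns_names(self) -> list:
        # Modern clients use subjectAltName when present and ignore the CN;
        # older practice relied on the CN alone, so fall back to it when no SAN exists.
        return [n.lower().rstrip(".") for n in (self.san_dns or [self.subject_cn])]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a requested hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard must be the entire left-most label, must not appear elsewhere,
    # and needs at least two fixed labels behind it ("*.com" is refused).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # "*" matches exactly one label: "*.bank.example" covers www.bank.example, not bank.example
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def registrable_domain(name: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption for this example: no public-suffix list is consulted."""
    return ".".join(name.lstrip("*.").split(".")[-2:])


def audit(host: str, cert: Optional[Cert]) -> str:
    """Classify what a client connecting to `host` would see, in the abstract's categories."""
    if cert is None:
        return "no_certificate"
    names = cert.dns_names()
    if any(name_matches(n, host) for n in names):
        return "ok"
    # A certificate naming only other organisations' domains cannot authenticate this bank.
    # Heuristic (assumption): names spanning several registrable domains suggest a hosting
    # provider's shared certificate rather than a single mis-issued name.
    domains = {registrable_domain(n) for n in names}
    return "shared_certificate" if len(domains) > 1 else "name_mismatch"


# Constructed sample: four fictitious bank sites, one per outcome the abstract describes.
SAMPLE_SITES = {
    "www.firstbank.example": Cert("www.firstbank.example",
                                  ["www.firstbank.example", "firstbank.example"]),
    "online.secondbank.example": None,                            # no certificate at all
    "www.thirdbank.example": Cert("thirdbank-internal.local"),    # wrong name in the CN
    "www.fourthbank.example": Cert("*.hostingco.example",         # hosting provider's shared cert
                                   ["*.hostingco.example", "www.othercreditunion.example"]),
}


def audit_all(sites=SAMPLE_SITES) -> dict:
    """Run the audit over every site and return {hostname: verdict}."""
    return {host: audit(host, cert) for host, cert in sites.items()}


if __name__ == "__main__":
    for host, verdict in audit_all().items():
        print(f"{host:32} {verdict}")
```

The matching rules are the part worth keeping: a certificate for `*.hostingco.example` that a small bank inherits from its web host never satisfies `name_matches` for the bank's own domain, which is exactly why a shared certificate gives the customer no assurance about who they are talking to.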

We document the current state of bank certificates. We compare these with general-purpose certificates (e.g., the top one million websites). We survey the various proposals for the certificate market writ large, including pinning and notaries. We identify how those fit and fail to fit the unique problem of banking certificates. We close with policy and technical recommendations to alter the use of certificates so that these can be a valid basis for consumer trust.

Number of Pages in PDF File: 16

Keywords: security, policy, consumer protection

JEL Classification: D81, L86, C88


Date posted: February 10, 2017

Suggested Citation

Dong, Zheng and Kane, Kevin and Camp, L. Jean, Phishing in Smooth Waters: The State of Banking Certificates in the US (March 12, 2014). 2014 TPRC Conference Paper. Available at SSRN: https://ssrn.com/abstract=2407968

Contact Information

Zheng Dong
Indiana University
150 S Woodlawn Ave
Bloomington, IN 47405
United States
HOME PAGE: http://www.zhdong.net

Kevin Kane
Microsoft Corporation - Microsoft Research - Redmond
Building 99
Redmond, WA
United States

L. Jean Camp (Contact Author)
Indiana University Bloomington - School of Informatics and Computing
901 E 10th St
Bloomington, IN 47401
United States


Paper statistics
Abstract Views: 748
Downloads: 86
Download Rank: 234,122