Phishing in Smooth Waters: The State of Banking Certificates in the US

16 Pages. Posted: 10 Feb 2017

Zheng Dong

Indiana University

Kevin Kane

Microsoft Corporation - Microsoft Research - Redmond

L. Jean Camp

Indiana University Bloomington - School of Informatics and Computing

Date Written: March 12, 2014

Abstract

A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs).

Banks are the most common target of phishing attacks, so we implemented an empirical study of certificates for depository institutions insured by the Federal Depository Insurance Corporation (FDIC) and compared them to general purpose, non-banking certificates. Our study of websites of FDIC-insured banks found that the current configuration fails to support website authentication. The most common failure is an absence of certificates, meaning that a false certificate would be the only valid-named certificate for that institution. Certificates with incorrect names, incorrectly structured certificates, and shared certificates all plague online banking. The vast majority of banks, especially smaller banks, apparently lack the expertise, support, or incentive to implement certificates correctly.

We document the current state of bank certificates. We compare these with general-purpose certificates (e.g., the top one million websites). We survey the various proposals for the certificate market writ large, including pinning and notaries. We identify how those fit and fail to fit the unique problem of banking certificates. We close with policy and technical recommendations to alter the use of certificates so that these can be a valid basis for consumer trust.
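The abstract lists the failure classes the survey found on bank sites: no certificate at all, a certificate whose names do not cover the bank's hostname, a badly structured chain, and one certificate shared across institutions. The following is an added example, not code from the paper or its authors, showing how an audit of collected certificate observations could classify each site into those categories; the `CertObservation` record, the RFC 6125 style hostname matcher, and the `.test` sample institutions are all constructed for illustration (it generalises the paper's point slightly by also handling wildcard names).

```python
"""Classify TLS certificate observations into the failure classes named in
the abstract. Added example: the records below are constructed stand-ins for
what a crawler would collect per institution, not data from the paper."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class CertObservation:
    """One crawl result for one institution's online-banking hostname."""
    institution: str           # constructed institution label
    hostname: str              # hostname the customer is expected to visit
    present: bool = False      # did the host serve a certificate at all?
    san_names: list = field(default_factory=list)  # names in the certificate
    chain_ok: bool = False     # did the chain build to a trusted root?
    fingerprint: str = ""      # hash of the leaf; equal hashes => same cert


def name_matches(hostname: str, pattern: str) -> bool:
    """Hostname matching in the spirit of RFC 6125: a wildcard may only be the
    entire leftmost label, must match exactly one label, and needs at least
    two labels after it (so '*.test' never matches anything)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def classify(observations: list) -> dict:
    """Map each hostname to its list of problems (or ['ok'])."""
    # A certificate is 'shared' when the same leaf fingerprint is served by
    # more than one distinct institution, not merely by several of one bank's hosts.
    institutions_by_fp = defaultdict(set)
    for o in observations:
        if o.present and o.fingerprint:
            institutions_by_fp[o.fingerprint].add(o.institution)

    result = {}
    for o in observations:
        problems = []
        if not o.present:
            problems.append("absent")          # most common failure in the survey
        else:
            if not any(name_matches(o.hostname, n) for n in o.san_names):
                problems.append("name_mismatch")
            if not o.chain_ok:
                problems.append("bad_chain")
            if len(institutions_by_fp[o.fingerprint]) > 1:
                problems.append("shared")
        result[o.hostname] = problems or ["ok"]
    return result


def summarize(classified: dict) -> dict:
    """Count how many hostnames exhibit each problem class."""
    counts = Counter()
    for problems in classified.values():
        counts.update(problems)
    return dict(counts)


# Constructed sample crawl: five fictional institutions in the reserved .test TLD.
SAMPLE_OBSERVATIONS = [
    CertObservation("First Example Bank", "www.firstexample-bank.test", True,
                    ["www.firstexample-bank.test"], True, "aa11"),
    CertObservation("Second Example Bank", "www.secondexample-bank.test"),
    CertObservation("Third Example Bank", "online.thirdexample-bank.test", True,
                    ["www.thirdexample-bank.test"], True, "cc33"),
    # Fourth and Fifth sit behind one hosting provider and serve its certificate.
    CertObservation("Fourth Example Bank", "www.fourthexample-bank.test", True,
                    ["*.corebankinghost.test"], False, "dd44"),
    CertObservation("Fifth Example Bank", "www.fifthexample-bank.test", True,
                    ["*.corebankinghost.test"], True, "dd44"),
]

if __name__ == "__main__":
    report = classify(SAMPLE_OBSERVATIONS)
    for host, problems in report.items():
        print(f"{host:35s} {', '.join(problems)}")
    print(summarize(report))
```

Keying the "shared" check on institution rather than hostname matters: a bank that serves one certificate on both its marketing and its login hosts is not the problem the abstract describes, whereas two banks presenting the same certificate means neither customer can tell which institution the certificate vouches for.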

Keywords: security, policy, consumer protection

JEL Classification: D81, L86, C88

Suggested Citation

Dong, Zheng and Kane, Kevin and Camp, L. Jean, Phishing in Smooth Waters: The State of Banking Certificates in the US (March 12, 2014). 2014 TPRC Conference Paper. Available at SSRN: https://ssrn.com/abstract=2407968

Zheng Dong

Indiana University

150 S Woodlawn Ave
Bloomington, IN 47405
United States

HOME PAGE: http://www.zhdong.net

Kevin Kane

Microsoft Corporation - Microsoft Research - Redmond

Building 99
Redmond, WA
United States

L. Jean Camp (Contact Author)

Indiana University Bloomington - School of Informatics and Computing

901 E 10th St
Bloomington, IN 47401
United States

Paper statistics

Downloads: 91
Rank: 232,778
Abstract Views: 801