Phishing in Smooth Waters: The State of Banking Certificates in the US

Abstract

A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs).Banks are the most common target of phishing attacks, so we implemented an empirical study of certificates for depository institutions insured by the Federal Depository Insurance Corporation (FDIC) and compared them to general purpose, non-banking certificates. Our study of websites of FDIC-insured banks found that the current configuration fails to support website authentication. The most common failure is an absence of certificates, meaning that a false certificate would be the only valid-named certificate for that institution. Certificates with incorrect names, incorrectly structured certificates, and shared certificates all plague online banking. The vast majority of banks, especially smaller banks, apparently lack the expertise, support, or incentive to implement certificates correctly.We document the current state of bank certificates. We compare these with general-purpose certificates (e.g., the top one million websites). We survey the various proposals for the certificate market writ large, including pinning and notaries. We identify how those fit and fail to fit the unique problem of banking certificates. We close with policy and technical recommendations to alter the use of certificates so that these can be a valid basis for consumer trust.