
Making Sense of Mismatched Certificates?

timothy posted more than 4 years ago | from the continue-anyway dept.

Security 322

Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.

Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is supposed to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported? I know nothing about certificates.

I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.

So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"


322 comments


Not nothing. (5, Informative)

mnslinky (1105103) | more than 4 years ago | (#27260633)

This is a misconfiguration on their end. EV certificates, the ones that turn your address bar green and coax turtles into doing happy dances, are really expensive. It's my guess that they've either reused a certificate on another system, or one of their developers made a mistake in how the site and server cluster is configured. It's certainly something to complain about.

If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT! This goes for standing at an ATM in a shady neighborhood or doing business online.

Re:Not nothing. (5, Funny)

Anonymous Coward | more than 4 years ago | (#27260697)

Dude, post your login details and I'll check it out for you.

Re:Not nothing. (3, Insightful)

Anonymous Coward | more than 4 years ago | (#27260805)

I don't know why anyone has their money in large banks anymore. Move it to a local credit union and let those large bank fuckers die out. "Too big to fail" my ass. They haven't been paying FDIC for the last 10 years since "it wasn't necessary".

Re:Not nothing. (0, Funny)

Anonymous Coward | more than 4 years ago | (#27260839)

Here they are:

IP: 127.0.0.1
User: Trollfag
Pass: ILikeBigDicksAndILikeEmHard

Re:Not nothing. (3, Funny)

s0abas (792033) | more than 4 years ago | (#27261237)

Wait, did you just call _yourself_ a Trollfag?

Re:Not nothing. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#27261471)

login: babygotback
password: c0ck$uk3r

Please do the needful, really appreciate that.

Re:Not nothing. (4, Funny)

tkw954 (709413) | more than 4 years ago | (#27261481)

Dude, post your login details and I'll check it out for you.

My login details are username:tkw954 password:*********

Hey that's weird. Slashdot must automatically replace your pw with stars.

Re:Not nothing. (5, Funny)

Daimanta (1140543) | more than 4 years ago | (#27261525)

You can hunter2 my hunter2ing hunter2. You can't see hunter2!

Re:Not nothing. (5, Insightful)

badasscat (563442) | more than 4 years ago | (#27260721)

Well, but both certificates were for capitalone.com subdomains. In this case, I wouldn't worry too much about it. I'd complain, but it's more of an annoyance than a security risk.

I'd worry a lot more if one certificate was for capitalone.com and the other for capone.com or capitolone.com or capital1.com or something like that. Then you've got a problem.

Re:Not nothing. (4, Insightful)

Chyeld (713439) | more than 4 years ago | (#27260827)

Bitch, don't excuse. The whole point of this exercise was to allow the customer to use the site without putting their info in danger and in a manner that doesn't require having a degree in "teh internets" to get through.

It should never be the customer's responsibility to bring a magnifying glass to the certificate and manually verify that these were just subdomain mismatches and not some clever capitalone.com vs capitlone.com spelling that is meant to look correct to someone just scanning the screen. That is a security risk, whether or not it is currently exposing your info; it's training you to expect that sort of problem and to ignore it the same way people ignore the dialog boxes XP and VISTA pop up on errors.

Re:Not nothing. (5, Insightful)

SatanicPuppy (611928) | more than 4 years ago | (#27260835)

Yep yep. Buying a new cert for every subdomain is wildly expensive, so these sorts of errors happen reasonably often.

In a lot of cases the subdomain may be separated from the main domain only for possible load balancing issues, so it's doubly not worth getting a specific cert for a subdomain which may never take off.

In the end it's a problem because the consumer gets used to accepting bad certs as a matter of course, and that leads to people accepting "capitolone.com" instead of "capitalone.com". Basically the registrars need to be pimp slapped a bit: certificate registration shouldn't cost anywhere near what it does, certificates should be purchasable for whole domains, etc.

Re:Not nothing. (2, Funny)

alta (1263) | more than 4 years ago | (#27260901)

No no no, at godaddy they're only 29.95!!!! Only the highest quality stuff for the bank!

Subdomain certs (2, Insightful)

ravenspear (756059) | more than 4 years ago | (#27261187)

certificates should be purchasable for whole domains

They are. You don't have to buy a new cert for every subdomain. If you have a lot of subdomains to secure the best solution is to get a wildcard certificate.

Re:Subdomain certs (4, Informative)

kyouteki (835576) | more than 4 years ago | (#27261375)

Due to security concerns (just like the OP is expressing,) you can't get a Wildcard EV certificate.

Re:Subdomain certs (1)

ravenspear (756059) | more than 4 years ago | (#27261605)

Ah, ok. wasn't aware of that.

Re:Subdomain certs (1)

mhall119 (1035984) | more than 4 years ago | (#27261645)

Better to get a signing certificate, so you can create and sign your own subdomain certificates. Those are expensive, but Capital One should be able to afford one.

Better yet, screw VeriSign, they should self-sign and give the user a print out of the certificate fingerprint when they open an account, and have the website walk them through downloading, verifying, and installing their certificate when they register for online banking.

Re:Subdomain certs (1)

canuck08 (1421409) | more than 4 years ago | (#27261395)

But they are wildly expensive for no discernable reason.

Re:Not nothing. (1)

Razalhague (1497249) | more than 4 years ago | (#27261247)

Buying a new cert for every subdomain is wildly expensive, so these sorts of errors happen reasonably often.

I think that should be "unreasonably often".

Re:Not nothing. (1)

JediTrainer (314273) | more than 4 years ago | (#27261541)

Basically the registrars need to be pimp slapped a bit: certificate registration shouldn't cost anywhere near what it does, certificates should be purchasable for whole domains, etc.

Wildcard certificates do exist [digicert.com] and aren't that expensive. We use them and they seem to work fine for most things (with 1 or two non-HTTP-server exceptions)

Re:Not nothing. (0)

Anonymous Coward | more than 4 years ago | (#27261667)

Not for a bank.

An EV cert from Verisign is, what, $1,500?

How many subdomains does CapitalOne have that need to be secured at the EV level? 500 at a ridiculously absolute maximum? That's less than $650,000/yr with Verisign's volume discounts. If you can't justify spending $650k on certificates per year on $13 billion in revenue when you do a significant amount of your business online then you need new management.

Note: I don't work for CapitalOne and have no idea how many subdomains they need to secure at the EV level, but my guess is it's significantly less than 500. I'd also be willing to bet heavily that if you go to Verisign and agree to purchase in excess of 50 EV certificates they'd be willing to give you a much more significant discount than what they publish online.

Re:Not nothing. (1)

nivina (955352) | more than 4 years ago | (#27260849)

I've had this happen with capital one myself, along with toyota financial services. I am a web developer and it's amusing when this stuff happens. I also ignore it and continue with my business. security is a state of mind.

Re:Not nothing. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#27260937)

security is a state of mind.

And ignorance is bliss

Re:Not nothing. (5, Insightful)

postbigbang (761081) | more than 4 years ago | (#27261221)

You find it amusing. I find it reason to sack your sorry ass.

Security is a chain of referential components designed (and hacked at constantly) in the attempt to ensure safety. Civilians don't know a bad certificate from a live hand grenade, and both can blow up in their face. Security is a state of mind-- if you have one. Lotsa people don't and rely on cogent web developers for their safety.

Re:Not nothing. (5, Informative)

Anonymous Coward | more than 4 years ago | (#27260865)

Well, it's good to worry any time there is a mismatch. It can be easy to fake legitimate-looking URLs using UNICODE characters and such.

Consider something that looks like:
https://onlinebanking.capitalone.com/login/.tsdk.cn?login

The whole first part could be the host name: "onlinebanking.capitalone.com/login/" and the domain is actually "tsdk.cn". This would be using the UNICODE symbol for mathematical division that looks like a forward slash. It looks like a capitalone.com domain even though you're going through some scammer site. Marlinspike talked about this exact attack at Blackhat 09.

Re:Not nothing. (5, Interesting)

Anonymous Coward | more than 4 years ago | (#27261477)

Also, let's not forget that a while back some children hacked into Comcast's DNS registrar with nothing more than an unsophisticated Social Engineering ploy.

If the capitalone domain registration ever became compromised, 'hijackeddomain.capitalone.com' would have the same 'root' domain as capitalone.com, but could be pointed at a hackers server in timbuktu.

Just because the domain is 'capitalone.com' does not necessarily mean that everything set up with a vanity off of it is hosted, owned, or operated by capitalone (or more importantly; that they're not owned and operated by someone who possesses malicious intent, be it a disgruntled capitalone employee or otherwise).

Last, the aforementioned domain registration social engineering end-around could theoretically be pulled to obtain a legitimate SSL Certificate. Maybe not specifically by targeting Verisign (at least, not as easily as other companies, I'd venture a guess), but any number of the other more generic and less valuable companies like GeoTrust are all plausible to target with this sort of ploy.

Re:Not nothing. (2, Interesting)

Erioll (229536) | more than 4 years ago | (#27260883)

This will become a greater issue as unicode domain names come into prominence. I believe that right now while Firefox "decodes" any unicode so that the characters look like the underlying hex (or something) so that a non-english character can NOT be confused for a real one.

For instance in certain fonts lowercase "L" (l) looks EXACTLY like an uppercase "i" (I). In others it doesn't. Now in your example that can't happen, but what about www.travelocity.com or www.traveIocity.com? (I used a capital "i" in the second) You can see how this can be an issue. It gets worse with other character sets that ARE different characters, but again look identical, thus bypassing any automatic "lowercase" that a browser probably does.

If you see a mismatch, unless the banking needs to be done in less time than it takes you to get to an actual local branch, do NOT do it.
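The two posts above (the division-slash URL and the capital-I "traveIocity" example) describe addresses built to read like a bank's host name. The following Python is an added example, not part of either post: it extracts the host a browser would actually connect to, reports any non-ASCII characters by their Unicode name, and compares the result with the host the user expected. The sample URLs and the attacker.example domain are constructed for the demonstration; the "registrable domain" helper is a deliberate last-two-labels simplification.

```python
import unicodedata


def host_of(url: str) -> str:
    """Host the browser will actually connect to.

    Generic URL syntax: the authority runs from '//' to the first real '/',
    '?' or '#'. Lookalike characters such as U+2215 DIVISION SLASH are not
    delimiters, so they simply become part of the host name.
    """
    _, sep, rest = url.partition("//")
    if not sep:
        raise ValueError("URL has no authority component")
    end = len(rest)
    for delim in "/?#":
        i = rest.find(delim)
        if i != -1:
            end = min(end, i)
    authority = rest[:end]
    authority = authority.rpartition("@")[2]   # drop any userinfo
    host = authority.split(":", 1)[0]          # drop any port (names/IPv4 only)
    return host.lower()                        # case-folding, as browsers do


def non_ascii_chars(host: str) -> list:
    """Every non-ASCII character in the host, paired with its Unicode name."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 0x7F]


def registrable_domain(host: str) -> str:
    """Last two labels (simplification; real code should use the Public Suffix List)."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def check_url(url: str, expected_host: str) -> dict:
    """Summarise what a user should look at before trusting the page."""
    host = host_of(url)
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "non_ascii": non_ascii_chars(host),
        "matches_expected": host == expected_host.lower(),
    }


# Constructed sample URLs (not real sites): the division-slash trick from the
# thread pointed at a placeholder attacker.example domain, the capital-I
# homoglyph example, and a genuine-looking address for comparison.
DIVISION_SLASH = "\u2215"
LOOKALIKE_URL = ("https://onlinebanking.capitalone.com" + DIVISION_SLASH + "login"
                 + DIVISION_SLASH + ".attacker.example?login")
HOMOGLYPH_URL = "https://www.traveIocity.com/"
GENUINE_URL = "https://onlinebanking.capitalone.com/login"

if __name__ == "__main__":
    for url, expected in [(LOOKALIKE_URL, "onlinebanking.capitalone.com"),
                          (HOMOGLYPH_URL, "www.travelocity.com"),
                          (GENUINE_URL, "onlinebanking.capitalone.com")]:
        print(check_url(url, expected))
```

For the division-slash URL the registrable domain comes out as attacker.example and two DIVISION SLASH characters are reported; for the capital-I URL lower-casing turns it into www.traveiocity.com, which still fails the comparison with the expected host, so the check does not depend on the user spotting the glyph.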

Complaining is kind of pointless. (3, Insightful)

klubar (591384) | more than 4 years ago | (#27261027)

You'll end up in some call center and the agent will have no clue what you're talking about -- they will recommend clearing cookies, restarting the browser (and maybe switching to IE). The message will never get up the food chain. The only real way to get the message across is to close your account and switch to a bank that takes security seriously.

Re:Complaining is kind of pointless. (5, Interesting)

irotsoma (899537) | more than 4 years ago | (#27261593)

WARNING: RANT...

I hate to say it, but I agree that you'll never get anything fixed by a call center. I've worked in call centers and the people who work there generally have no way to speak to anyone who can fix a problem, even in a "tech support" call center. Also, since they either get paid per call, or at least get docked pay if they aren't actively answering incoming calls, then they have no incentive to fix anything. In fact, they have a big disincentive against fixing anything since it will take away from their pay check and they likely hate the company too much to do it on their own time.

Also, I've been on the other side doing development and it's a similar problem there. It's very easy to make a simple typo or other mistake and never know the difference. No one in the call center ever tells you that the customer is having a problem, so you don't know that something needs to be fixed. So even though it might be a 1 minute fix for you, you'll never know that it needs to be done. There was a bug in this one software that had been there for 3 years, and the workarounds were even in the documentation to train new call center employees. Once a developer finally got it, it took seconds to fix. The customers suffered for 3 years for a few seconds of someone's time. Now I realize you can't fix every bug, all the time, but if the right people don't know about it, then it will never get fixed.

The real problem, IMHO, is that large companies treat their support/customer service departments like they are a drain on the company rather than a way to increase your reputation, thus outsourcing, low pay, strict rules, etc.

Because of this I prefer to do business with smaller companies or, even better, in person. If you're a "real person" standing in line at a bank, the teller is more likely to fix a problem than if you're just a number on a screen and a squeaky voice on a phone. But in-person is so inconvenient in this world of constant multitasking.

Re:Not nothing. (0)

Anonymous Coward | more than 4 years ago | (#27261335)

Ok, so if I go to McDonalds and order a sausage biscuit and get a sausage mcgriddle, I'm supposed to deal with the 'inconvenience' of getting an improper result from my attempt to purchase a sausage biscuit?

Sorry, I don't buy it. Just the same way that we use the word "Secure" when we mean "Secure" -- as opposed just saying "Oh someone in California says they were paid money to say this site is secur.." oh I see what I did there.

Re:Not nothing. (1)

91degrees (207121) | more than 4 years ago | (#27261483)

But a secure certificate isn't the service he's after. He just wants to transfer some money or check his balance or something. This would be closer to getting the sausage biscuit you wanted but in a sausage McGriddle wrapper.

Re:Not nothing. (0)

Anonymous Coward | more than 4 years ago | (#27261741)

wildcard certificates work fine if the bank took the effort and the $200/yr for a wildcard cert.

Re:Not nothing. (1, Informative)

Anonymous Coward | more than 4 years ago | (#27260767)

I find that I often type domain.com in instead of www.domain.com. SSL certs are often registered to https://www.domain.com and I'm at https://domain.com which gives a mismatch. Going to https://www.domain.com fixes it.

Re:Not nothing. (2, Insightful)

Firehed (942385) | more than 4 years ago | (#27261045)

That also takes about six seconds of the company's time to fix by adding two lines to an .htaccess file. A problem that simple should never require the customer to wonder if their financial data is in harm's way.

Re:Not nothing. (2)

bobmorning (316459) | more than 4 years ago | (#27261299)

Amen. DISA is famous for not setting up their apache files correctly. And this is the organization which is supposed to show and deliver best practices to the military services. The overall lack of knowledge is appalling and anyone who knows anything works for a contractor. Disclaimer: I used to work for DISA, remember you can't spell DISAster without DISA, same goes for DISAppointment!!

Re:Not nothing. (1)

Cramer (69040) | more than 4 years ago | (#27261609)

... fix by adding two lines to an .htaccess file.

No. It. Isn't. If you use "domain.com" instead of "www.domain.com", the certificate will be checked against "domain.com" before any requests are sent/processed and an error will fly up. There is no way to send a redirect without completing the SSL handshake, which requires a proper certificate::url domain match.
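The thread keeps coming back to the same mechanism: the browser compares the name it typed against the names in the certificate before any HTTP request (and therefore before any redirect) is sent, and a wildcard certificate only covers one level of labels. The following Python is an added example, not code from any post or from Capital One; it implements that comparison in the common browser form of the RFC 6125 rules. The certificates are constructed stand-ins holding only the identity fields, so the sibling-subdomain, wildcard, and bare-domain cases discussed above can be checked offline.

```python
from dataclasses import dataclass, field


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot is just the root label."""
    return name.rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate DNS name (plain or wildcard) cover hostname?

    Wildcard rules in their common browser form: the '*' must be the entire
    leftmost label, it matches exactly one label, and the remainder must
    contain at least one dot (so '*.com' is rejected).
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    first, sep, rest = pattern.partition(".")
    if first != "*" or not sep or "*" in rest or "." not in rest:
        return False
    host_first, host_sep, host_rest = hostname.partition(".")
    # One label only: the bare domain and deeper names are both rejected.
    return bool(host_first) and bool(host_sep) and host_rest == rest


@dataclass
class Certificate:
    """Only the identity fields that matter for hostname checking (constructed)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def identities(cert: Certificate) -> list:
    """Names a client may match against: SAN dNSNames, or the CN only as a fallback."""
    return list(cert.san_dns) if cert.san_dns else [cert.subject_cn]


def certificate_matches(cert: Certificate, hostname: str) -> bool:
    return any(dns_name_matches(n, hostname) for n in identities(cert))


def connection_verdict(cert: Certificate, hostname: str) -> str:
    """What the browser decides before a single HTTP byte, so before any redirect."""
    if certificate_matches(cert, hostname):
        return "ok"
    return "MISMATCH: %s is not covered by %s" % (hostname, ", ".join(identities(cert)))


# Constructed certificates modelling the cases discussed in the thread.
ONLINEBANKING_CERT = Certificate("onlinebanking.capitalone.com",
                                 ["onlinebanking.capitalone.com"])
WILDCARD_CERT = Certificate("*.capitalone.com", ["*.capitalone.com"])
WWW_ONLY_CERT = Certificate("www.domain.com", ["www.domain.com"])
WWW_AND_BARE_CERT = Certificate("www.domain.com", ["www.domain.com", "domain.com"])

if __name__ == "__main__":
    for cert, host in [(ONLINEBANKING_CERT, "servicing.capitalone.com"),
                       (WILDCARD_CERT, "servicing.capitalone.com"),
                       (WILDCARD_CERT, "capitalone.com"),
                       (WILDCARD_CERT, "a.b.capitalone.com"),
                       (WWW_ONLY_CERT, "domain.com"),
                       (WWW_AND_BARE_CERT, "domain.com")]:
        print(host, "->", connection_verdict(cert, host))
```

Two things fall out of running it. A certificate issued only for www.domain.com fails for domain.com, which is why an .htaccess redirect cannot rescue the bare-domain case: the redirect would be sent over a connection the browser has already refused to set up; the fix is a certificate whose SAN lists both names. And *.capitalone.com covers servicing.capitalone.com but neither capitalone.com itself nor any fourth-level name, so a wildcard removes the sibling-subdomain mismatch from this story without covering everything.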

Re:Not nothing. (0)

girlintraining (1395911) | more than 4 years ago | (#27260823)

It's certainly something to complain about.

And in the interim, I'd add that as a CONVENIENCE feature only, if there's any doubt complain to them and then wait for the fix. I'm certain CapitalOne has a 1-800 number or similar to conduct the same inquiries with a human being, and the telephone system doesn't have a multitude of hackers in it; Just a bunch of government spooks. I'm not allowed to say which government though. :)

Re:Not nothing. (4, Insightful)

argiedot (1035754) | more than 4 years ago | (#27260831)

If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT!

Can't agree more. See this example of a MITM attack. [mozilla.org]

Re:Not nothing. (5, Insightful)

Lord Ender (156273) | more than 4 years ago | (#27260847)

Exactly. When you proceed despite an SSL error, you most likely are falling victim to a screw-up on the bank's end, but you are possibly falling victim to a MITM attack. There is no way for you to know conclusively.

That's really the end of the discussion.

Re:Not nothing. (1)

Yvanhoe (564877) | more than 4 years ago | (#27261455)

Well, technically the discussion can continue but it must continue at the bank and usually involves torches and pitchforks

But it happens a lot (1)

RoverDaddy (869116) | more than 4 years ago | (#27260909)

A corporation will get the certificate issued for their shiny professional 'main' URL, like www.ReallyGreatBank.com, and then their online account management system ends up being a redirect to wherever the hell they felt like putting it. For example, while I don't know if they have certificate issues, Citibank's many 'main' sites for themselves and their acquisitions, take you to www.accountonline.com/yada-yada.

I guess if we all complained until we were blue in the face, businesses -might- make more of an effort to keep the certificates in line with the actual sites. However, the answer received in this case: 'Sorry I can't escalate that' shows that the corporations know we'll suck it up and deal.

Personally I consider a DNS poisoning sufficiently unlikely compared to simpler scams (like redirecting to a similarly named domain) that I don't sweat it too much.

Re:But it happens a lot (1)

Mr. Firewall (578517) | more than 4 years ago | (#27261271)

I guess if we all complained until we were blue in the face, businesses -might- make more of an effort to keep the certificates in line with the actual sites. However, the answer received in this case: 'Sorry I can't escalate that' shows that the corporations know we'll suck it up and deal.

Amen.

Which is why I refuse to do online banking: too many of them just don't "get it". I use the phone, even though Capital One charges me ten bucks for certain transactions done over the phone.

Bastards.

Browser issue (3, Interesting)

gr8_phk (621180) | more than 4 years ago | (#27261059)

Web browsers should not allow access to sites with messed up security. If all browsers errored out, sites like this would be unusable and would get fixed. Putting up a warning that the user learns to ignore is just crying wolf. People learn to ignore such things - so why implement them at all?

Re:Not nothing. (1)

JoshuaDFranklin (147726) | more than 4 years ago | (#27261351)

In the case of a large bank they really should have things configured properly. However, I've also seen this in the case of certs for things like www.some-small-online-business.com and I really wish Firefox would offer to redirect you to the proper domain for the cert.

Looks fine to me (1)

Taimat (944976) | more than 4 years ago | (#27260637)

The cert is for servicing.capitalone.com and not for onlinebanking.capitalone.com. The only thing that seems wrong is the verisign link.

Re:Looks fine to me (5, Informative)

canuck08 (1421409) | more than 4 years ago | (#27260773)

Seconded. The certificate is correct.
I don't know what that verisign link is all about but it is useless.
You certainly cannot trust information within a web page to verify the identity of the server.

Click on the the little 'lock' icon on the bottom right corner of your browser to inspect the certificate.

Re:Looks fine to me (4, Interesting)

JWSmythe (446288) | more than 4 years ago | (#27260783)

Exactly. They were stupid. They gave a server an alias, and didn't realize that it will throw an error to the clients. It probably worked fine in their dev environment though, where they probably accepted the wrong cert and saved the exception because they got tired of clicking the link. :)

Being that he ignored the error, didn't view the cert to see what it was really assigned for (and continued on to give his login information), it proves that most users don't really care, and will provide their security credentials regardless if they've been warned that there is a problem or not. The cert could have been for bad_haxor_inc.ru, but since he didn't look, he doesn't know.

We have to assume that it's a mixup with the servicing.capitalone.com and onlinebanking.capitalone.com hosts, but we don't know.

Why didn't they just buy a wildcard cert? They're so much easier to work with. :)

Simple solution (0)

Anonymous Coward | more than 4 years ago | (#27260651)

Don't bank online anymore.
Problem solved, that will be $10,000, Just send it in the mail :D

No (4, Funny)

Romancer (19668) | more than 4 years ago | (#27260653)

It's all a scam and we're all laughing at you. While spending your money. Thanks for the good times.

Doh! (1, Insightful)

Anonymous Coward | more than 4 years ago | (#27260683)

I am still curious how much I have exposed my banking assets

Seeing you logged in correctly, everything.

Multiple domains (0)

Anonymous Coward | more than 4 years ago | (#27260701)

Most institutions use multiple domains. The URLs often refer or get deferred to them.

Answers (4, Informative)

girlintraining (1395911) | more than 4 years ago | (#27260731)

Hello, IT, have you tried turning it off and back on again?
Ah... another tech support call. Sure, what's the problem?

Are the certificates a mismatch or is my browser bellyaching for nothing?

Yes. And maybe yes too.

Is the certificate mismatch a security hazard?

Common sense would suggest it wouldn't be in a big popup dialog labeled "WARNING" if it wasn't.

If someone poisoned my local DNS routers would it be obvious in the URL?

No.

How would I prevent such a thing?

Stop clicking "Okay" or "Yes" to every security warning you don't understand.

If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?

If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser.

Re:Answers (1)

gr8_phk (621180) | more than 4 years ago | (#27261109)

Good answers except this one:

If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser.

IMO the browser should just block access to the site. Then they have to fix it. Why implement security features that throw up warnings the user is expected to ignore? That's a rhetorical question, please don't try to justify this behaviour.

Re:Answers (1)

AK Marc (707885) | more than 4 years ago | (#27261389)

IMO the browser should just block access to the site.

The problem is that things that are self-signed get dumped into the same buckets as bad ones. So any gear I have that I want to get to with a self-signed certificate, I have to click through all sorts of warnings to get to an HTTPS session, and in your scheme, they'd just lock me out of my networking gear. And you think that makes sense?

Re:Answers (2, Insightful)

owlstead (636356) | more than 4 years ago | (#27261127)

"If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser."

*Nothing* from a web site should throw a dialog in a web browser. Dialogs are annoying things that block your entire application. They make it all too easy to create denial of service attacks (just keep throwing dialog boxes). They are also easy to click away by mistake (just hitting enter in an entirely different application seems to do it).

I love the way FF3 shows you that something is wrong with the certificate. The page is very clear and the user only gets a dialog box after clicking on a button himself. The same with remembering passwords, the bar on the top is much better than a dialog.

It would be great if FF3 became entirely dialog free. I don't think it is already the case, but they are definitely working on it. The one for extensions is still there, but at least you cannot just click it away since it waits 3 seconds for the Install button to become available.

IMHO, dialog boxes (especially "modal" ones, the ones you /have/ to click away) are a useful tool, but they are used in way too many occasions.

Re:Answers (1)

91degrees (207121) | more than 4 years ago | (#27261283)

Common sense would suggest it wouldn't be in a big popup dialog labeled "WARNING" if it wasn't.

But we've been trained out of this thought process. "WARNING! Could not connect to server", "WARNING! deleting files will delete files", "WARNING, incomprehensible error that goes away when you click 'Ignore'".

Warning dialogs are so overused that they've become an irritation, and rarely seem to be a problem. Really, certificate failures should probably make the warning a lot more scary.

Eh ? (1)

THEbwana (42694) | more than 4 years ago | (#27260733)

My browser has no problem with their cert. And I'm using a particularly picky browser (firefox 3.07).
A non-story?

Re:Eh ? (1)

owlstead (636356) | more than 4 years ago | (#27260961)

It seems to have been fixed already.

I would not worry about the problem when 1) onlinebanking.capitalone.com is working as it should be and 2) when the certificates of onlinebanking.capitalone.com and the misconfigured servicing.capitalone.com match.

Also, the top level domain is the same, so it seems far fetched that the DNS is configured incorrectly. That is, IF you are using internet from a relatively safe location, otherwise your routing and DNS may be attacked quite easily.

It's fixed, but that does not make it a non-story. And although this seems to have been fixed quite quickly, the response of the person at the bank makes me wonder if everything is all right down there.

Anyway, US banks are trying to do things way too cheaply: they should use 2 factor authentication (for transactions as well), as lot of EU banks do. Much, much safer than having only username + password. That kind of authentication would probably be considered criminal neglect over here in the Netherlands.

Re:Eh ? (0)

Anonymous Coward | more than 4 years ago | (#27261117)

Anyway, US banks are trying to do things way too cheaply: they should use 2 factor authentication (for transactions as well), as lot of EU banks do. Much, much safer than having only username + password. That kind of authentication would probably be considered criminal neglect over here in the Netherlands.

Yeah, but you're money's actually worth something. :D

It's not like they're the only bank, you know (4, Insightful)

RobertB-DC (622190) | more than 4 years ago | (#27260755)

Seriously, there's a bank on every corner. Unless you have some compelling reason to stay with Capital One, open an account elsewhere. You don't even have to close your Capital One account -- save it as a backup.

That's what I did when Bank of Texas (aka Bank of Oklahoma) added so-called "security questions". The first time I failed at answering "What was your first pet's favorite food?" (or something similarly stupid), I changed my direct deposit to put $1 a paycheck there, and move the rest to an account at a financial institution with a better understanding of Internet security.

Speaking of financial institutions, why are you still banking at a for-profit (ha!) institution, anyway? I've got one credit union that doesn't charge an overlimit fee on my credit card, and another that's paying over 4% interest on my checking account. Why can they do that? Because they didn't take stupid risks 10 years ago. I should know -- they wouldn't give me a home loan. The bank that did was first in line for a taxpayer bailout [cbsnews.com] .

Re:It's not like they're the only bank, you know (1)

mnslinky (1105103) | more than 4 years ago | (#27260807)

Why can they do that? Because they didn't take stupid risks 10 years ago. I should know -- they wouldn't give me a home loan. The bank that did was first in line for a taxpayer bailout.

It's nice seeing blatant honesty! Very funny. I see you've not had a problem paying your internet and slashdot subscription fees. ;)

Re:It's not like they're the only bank, you know (1)

RobertB-DC (622190) | more than 4 years ago | (#27261549)

It's nice seeing blatant honesty! Very funny. I see you've not had a problem paying your internet and slashdot subscription fees. ;)

Like I tell the kids... the big rocks [appleseeds.org] go in the bucket first.

Re:It's not like they're the only bank, you know (1)

Hatta (162192) | more than 4 years ago | (#27261227)

That's what I did when Bank of Texas (aka Bank of Oklahoma) added so-called "security questions". The first time I failed at answering "What was your first pet's favorite food?" (or something similarly stupid), I changed my direct deposit to put $1 a paycheck there, and move the rest to an account at a financial institution with a better understanding of Internet security.

My Credit Union does this too. I just treat it like a second password. I actually sat down with the manager and talked to him about it. Told him that a security question is just like a password, but not as good since you have a pretty good chance of guessing an answer from the question. Of course, he was totally clueless and claimed they had to do it this way because of regulations. I asked him to send me a copy of the relevant regulations, of course he never did since they don't exist.

But these security questions don't harm security. They are just ineffective and slightly annoying. I answer all of mine with the same passphrase, so I never have to worry about how I answered which question. The financial services I get from this credit union are pretty good, so it's really not worth changing IMO.

Misconfiguration (0)

Anonymous Coward | more than 4 years ago | (#27260761)

My telco/ISP allows you to log in and check your bills online and I run into a similar problem. They've configured their website to work whether or not you type in www, but the certificate is actually only valid for the www site.

Probably not a problem, but... (1)

Carnildo (712617) | more than 4 years ago | (#27260771)

A mismatch at the third level of the domain name is probably a configuration screw-up on Capital One's part. It shouldn't be possible for a third party to get a certificate for a capitalone.com subdomain.

If, however, somebody did get a certificate for onlinebanking.capitalone.com, then Capital One's only defense is to change the subdomain they use and hope that people who've been hit by a DNS poisoning or other man-in-the-middle attack pay attention to the certificate mismatch.

A few things about SSL (5, Interesting)

einhverfr (238914) | more than 4 years ago | (#27260777)

The first thing to note is that SSL covers the host-to-host connection and is ignorant of higher-level protocols. There are a couple of things which can cause SSL mismatches:

1) SSL cert is set up to one hostname that the machine services, but site is on another. The SSL negotiation happens prior to the host headers being processed. This could be solved by browser controls (i.e. do a rDNS lookup on the cert's host and make sure it matches the IP you are connecting to), but this ends up causing other, more serious issues, because different sites on the same server could be controlled by different parties. Hence if you have a shopping cart, I could re-use your cert on my shared site on the same box, spoof your page, and steal credit card numbers. So the browser behavior is correct.

2) The SSL cert could have been accidentally re-used (unlikely).

My general rule is that if the hostname's TLD matches with the cert (capitalone.com), but the most host-specific portion does not (servicing vs online banking), this is reasonably (though not completely) safe to ignore. Revoked certs should ALWAYS be treated with suspicion because you don't know why it was revoked. Expired certs.... Well, it depends. There are other things that can cause certs to be improperly shown as expired so that demands more careful consideration.

Re:A few things about SSL (2, Informative)

BigBuckHunter (722855) | more than 4 years ago | (#27261103)

SSL cert is set up to one hostname

The parent is for all intensive purposes is correct. Class 3 SSL certificates are assigned to a common name (foo.com). Unless the certificate contains a wild-card, it will not work for bar.foo.com. It will however work for foo.com/bar.

It sounds like the bank in question has a Class 3 for CN=bank.com and their webapp is located at online.bank.com. The browser caught the mismatch and throws a warning.

Please alert the webmaster of the institution with a full description of the error. It's easy to resolve on their end (they have to gen a new csr and order a new certificate).

BBH
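The two posts above describe what the browser is actually checking when it raises the mismatch. The following is an added example, not code from any poster in this thread: a minimal, self-contained version of the hostname-matching and validity-window checks, run against a constructed certificate record that uses the names from the thread (onlinebanking vs. servicing) and the validity dates one poster reported. It also covers the wildcard rule (`*.foo.com` covers `bar.foo.com` but not `foo.com`) and the wrong-system-clock case mentioned further down.

```python
"""Added example: the checks behind a browser's "certificate mismatch" warning.

The certificate is modelled as a plain dict with constructed values; nothing
here is read from a real Capital One certificate.
"""
from __future__ import annotations
from datetime import datetime, timezone


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a hostname.

    RFC 6125-style rules: matching is case-insensitive, a wildcard is only
    honoured as the entire left-most label, it covers exactly one label, and
    it must leave at least two fixed labels ('*.com' is never accepted).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def cert_names(cert: dict) -> list[str]:
    """Names the cert is valid for: SAN entries if present, else the CN."""
    return cert.get("san") or [cert["cn"]]


def check_certificate(cert: dict, hostname: str, now: datetime) -> list[str]:
    """Return the reasons a browser would warn; an empty list means accepted."""
    problems = []
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        problems.append(f"hostname {hostname} not in {cert_names(cert)}")
    if now < cert["not_before"]:
        problems.append("certificate not yet valid (check the system clock)")
    if now > cert["not_after"]:
        problems.append("certificate expired (or the system clock is wrong)")
    return problems


def check_at(cert: dict, hostname: str, iso_date: str) -> list[str]:
    """Convenience wrapper: run the checks as of a given YYYY-MM-DD (UTC)."""
    when = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return check_certificate(cert, hostname, when)


# Constructed sample: a certificate issued for the "onlinebanking" host, as the
# Verisign seal reportedly showed, with the validity window a poster quoted.
SAMPLE_CERT = {
    "cn": "onlinebanking.capitalone.com",
    "san": [],
    "not_before": datetime(2008, 10, 2, tzinfo=timezone.utc),
    "not_after": datetime(2009, 10, 15, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    # The situation from the story: right domain, wrong third-level label.
    print(check_at(SAMPLE_CERT, "servicing.capitalone.com", "2009-03-20"))
    # A PC whose clock says 2006 fails even against the correct hostname.
    print(check_at(SAMPLE_CERT, "onlinebanking.capitalone.com", "2006-03-20"))
```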

Re:A few things about SSL (1, Informative)

Anonymous Coward | more than 4 years ago | (#27261325)

The parent is for all intensive purposes is correct.

The phrase is intents and purposes. What the hell would an "intensive purpose" be?

Re:A few things about SSL (0)

Anonymous Coward | more than 4 years ago | (#27261403)

Intents and purposes.

Re:A few things about SSL (1)

Skapare (16644) | more than 4 years ago | (#27261177)

The cert I got was good. Maybe they repurposed some servers around in the pool of servers behind load balancers, and one or more didn't get their certs updated for the new purpose (e.g. changed from "onlinebanking" to "servicing"). Or maybe the OP really did have a MitM attack.

Pure genius! Say the quiet part loud! (5, Funny)

synthesizerpatel (1210598) | more than 4 years ago | (#27260795)

This reminds me of a story. A friend and I were moving a heavy couch and at an inopportune time he got flustered and said 'Hold on, we need to put this down and take a break'. We did, finished moving it later and that was that.

About 6 months later out of the blue he explained to me that he had to put the couch down because he apparently strained a bit too hard and pooped his pants.

I have no idea why he told me, much less told me 6 months later. He was kind of a weird guy.

The moral of this story is:

If you do something embarrassing or stupid and privately get away with it, don't tell anyone.

Re:Pure genius! Say the quiet part loud! (0)

Anonymous Coward | more than 4 years ago | (#27260851)

And just what does this have to do with the price of frog hair in china?

my company's secure login for employees (1)

circletimessquare (444983) | more than 4 years ago | (#27260803)

has a mismatched certificate. something like www.ourdomain.com not matching subdomain.ourdomain.com

i don't know enough about SSL and certs to tell you that subdomain, as opposed to domain, mismatches are exploitable. but i know in my particular instance, it's just laziness on my company's part, and it smells like someone just dropped the ball on a configuration at capitalone

i know in my company's case i complain about it, but nothing ever gets done about it (until we get exploited i bet)

Capital One fucked up (1)

headqtrs (467875) | more than 4 years ago | (#27260815)

That's the most probable reason. The other reason is a man-in-the-middle attack. There is no way to discern the difference from your side.

Anyway, it's time to change your bank. This is a grave error and it's probably not the only one. Clearly, Capital One is a disaster waiting to happen. Don't be a victim in that case!

significant spaces (3, Funny)

poot_rootbeer (188613) | more than 4 years ago | (#27260837)

What is "Cap It Alone"?

Doesn't sound like a website I'd entrust my financial information to...

What's in your wallet? (0)

Anonymous Coward | more than 4 years ago | (#27261083)

They look like bullet fragments.

Banks never go public about security breaches (0)

PolygamousRanchKid (1290638) | more than 4 years ago | (#27260843)

Would you take your business to a bank that announced that they had recently caught an embezzler? That's why banks rarely press charges against embezzlers.

Same deal with Internet security. If someone catches them with their pants down, they are not likely to wave and scream, "Hey, everyone! Look over here at me!"

Re:Banks never go public about security breaches (0)

Anonymous Coward | more than 4 years ago | (#27260977)

There are actually laws in many states that require them to if customer info is disclosed.

Just a thought......... (1)

unimatrixzer0 (1111335) | more than 4 years ago | (#27260893)

but I have worked on several computers where the user's PC date/time somehow was changed to the year 2006 (and yet another where the year was changed to 2013). Because the date of the computer was out of the range of the dates on the certificate etc. it would come up with an error and prevent logon capabilities. Very rare instance that this would happen as the certificate was valid but due to dates being wrong it wouldn't display the page nor allow the user to log into the banking website. But there is the possibility that Capital One in all their infinite knowledge and awesomesauce screwed something up. Just my 2 cents.

Incompital One.... (0)

Anonymous Coward | more than 4 years ago | (#27260915)

What's in your wal...er...browser?

Now you know... (1)

jskline (301574) | more than 4 years ago | (#27260949)

Now you know why I no longer bank with Capital One. They not only are really not concerned at all with their security, but they really could care less about you; their customer. I had nothing but issues with them and just closed everything up and moved on.

Doesn't surprise me... (5, Informative)

Jason Levine (196982) | more than 4 years ago | (#27261009)

An ID Thief opened a Capital One account in my name. They had my name, address, SSN, and DOB, but got my mother's maiden name wrong. Capital One approved the card anyway. Then, when the thief immediately changed the address (from mine to another address), before even activating the card, it didn't raise any red flags in their systems. Then, when the thief tried to get a $5,000 cash advance on the card (still not activated), it didn't raise any red flags in their systems (though they denied the advance). Then, when I called them, they refused to give me any information on the theory that I could "go and shoot the guy and they would be liable." Instead, I had to have a police officer call a special "cops number." The police officer called that number and got a recording which apparently no one ever returned phone calls from. At every step of the way, Capital One seemed to be going out of its way to protect itself *from* me and my ID Theft investigation instead of caring about the fact that it was an accessory to ID theft. Needless to say, I won't ever do business with Capital One again.

Re:Doesn't surprise me... (1)

icydog (923695) | more than 4 years ago | (#27261243)

They had my name, address, SSN, and DOB, but got my mother's maiden name wrong. Capital One approved the card anyway.

What did you expect Capital One to do? Reject the seemingly valid app because they got your mother's maiden name wrong? That question is there for verification purposes after the account's already open and you call customer service. How would Capital One know your mother's maiden name to verify that for account opening purposes?

I do agree that trying to change the address before card activation and getting a cash advance so early should raise red flags, however.

Re:Doesn't surprise me... (1)

SydShamino (547793) | more than 4 years ago | (#27261355)

Needless to say, I won't ever do business with Capital One again.

Maybe, but someone with your name, address, SSN, and DOB will likely be banking with them again in the near future.

Knowing personal data != identification (0)

Anonymous Coward | more than 4 years ago | (#27261665)

Exactly. That is what's wrong here. The bank opened the credit card without verifying the customer's identity. All those "personal" pieces of information are available in various public records, so knowing them does not mean anything.

Re:Doesn't surprise me... (1)

Jah-Wren Ryel (80510) | more than 4 years ago | (#27261407)

At every step of the way, Capital One seemed to be going out of its way to protect itself *from* me and my ID Theft investigation instead of caring about the fact that it was an accessory to ID theft.

That's really no surprise - the entire reason the term "identity theft" was created was to redirect responsibility from the banks for being accessories to fraud. Nobody steals an identity, they steal money from the bank by exploiting weaknesses in the bank's system. But call it identity theft and the fact that it was the bank's failure to protect itself adequately against fraud is not so immediately obvious and that since your identity was involved it is at least partially your fault.

Re:Doesn't surprise me... (4, Informative)

RobertB-DC (622190) | more than 4 years ago | (#27261465)

I was going to reply with my own tales of Capital One woe, the $500 credit line with the $50 overlimit fees, the annual fee they charged after I cancelled, the continuing flood of "offers" (with worse and worse fine print). But I can't, because I'm laughing too hard at the banner ad at the top of the page.

Capital One® Credit Cards
Competitive Rates. More Rewards. Apply Now for No Hassle Cards.
www.CapitalOne.com

I've run-not-walked from Capital One ever since my one and only experience with them, and if this situation (and their bannermania) is any indication, everyone else should too.

All your dollars are belong to us! (0)

Anonymous Coward | more than 4 years ago | (#27261029)

All your dollars are belong to us! Sincerely, Capita10ne

No SSL mismatch... (0)

Anonymous Coward | more than 4 years ago | (#27261043)

Works fine on IE6, IE7, and firefox.

Maybe if you reported more thoroughly what the mismatch was...

It worked for me (1)

Skapare (16644) | more than 4 years ago | (#27261087)

It worked for me. The server certificate I got was valid (issued 2008-10-02, expires 2009-10-15, for "servicing.capitalone.com"). There could be many problems causing this.

http://skapare.ipal.org/servicing.capitalone.com.cert.general.png [ipal.org]

One is that the actual server (of many servers they are running through load balancing port redirectors) you connected to doesn't have the right certificate (e.g. they didn't install the new one on all servers ... maybe new servers coming online and the update of renewed certificate crossed paths).

Another is that you really are subjected to a man-in-the-middle attack that passed everything through, actually updating your real account. In the meantime your username, password, and financial information are all recorded (if you have a big enough balance now, you might not have it next week).

Re:It worked for me (2, Informative)

icydog (923695) | more than 4 years ago | (#27261387)

It also works for me. I bank with Capital One, and in fact the link in the summary is the exact link I have stored in my bookmarks. I have never had certificate trouble with that link. I'd watch that account closely if I were you, and perhaps change your passwords if you use the same password elsewhere.

Re:It worked for me (0)

Anonymous Coward | more than 4 years ago | (#27261457)

Click the "Verisign Secured" link at the bottom of https://servicing.capitalone.com/c1/login.aspx

You'll see there is a mismatch THERE, not via the browser.

Banks? Seriously? (5, Interesting)

NineNine (235196) | more than 4 years ago | (#27261111)

I don't really understand why any individual with regular "banking" needs would use a bank today. Credit unions are non-profit, and generally, because of their structure, are run much better than banks are. My credit union has been impacted 0% by this banking mess stuff. I'm earning 4% on my PERSONAL CHECKING account, and not paying any fees. I also have all of my business accounts, and my mortgage with my local credit union.

Credit Unions: Like banks, but cheaper, non-profit, less corrupt, no over-paid executives, and not out to screw you over.

Ropati writes "I bank with capitalone.com... (1)

circletimessquare (444983) | more than 4 years ago | (#27261217)

well, there's your problem right there

was it the retro arcade game commercial that suckered you in?

admittedly, they nailed the music on that one perfectly

The obvious solution... (2, Insightful)

pak9rabid (1011935) | more than 4 years ago | (#27261245)

DO NOT continue banking online, and call them to let them know of the problem. Continue banking over the phone or in person (I know..it's a pain in the ass compared to doing it online, but it's nothing compared to having to deal with identity theft).

Right conclusion, wrong procedure (2, Informative)

Slipped_Disk (532132) | more than 4 years ago | (#27261249)

OK, your bank screwed the pooch and you should complain - LOUDLY - until it's fixed. You should also look for a bank that understands basic internet/web concepts like "SSL cert's CN must match DNS hostname" -- I fear for the rest of their infrastructure.

That said, you were logging into your bank, which presumably holds a large percentage of your cash assets, you received a SSL error and you continued the transaction?
You deserve to have your account cleaned out for reckless disregard for the security of your financial information. Go to a brick-and-mortar bank, or call them on the telephone (*gasp*) if your banking is so urgent.

Verisign? (1)

smoker2 (750216) | more than 4 years ago | (#27261333)

Didn't we have a story recently where it was possible to sign new certs in an existing domain without authorisation? That would make the "don't worry too much, it's a sub-domain" answers a bit weak.

Out of interest, is this all that insecure? (1)

91degrees (207121) | more than 4 years ago | (#27261361)

Certainly, if this was a multi-billion dollar organisation, it would be worth setting up all sorts of hacks, but this can only be used against people with standard credit card limits. How would you exploit a flaw such as this? You'd presumably need some sort of automation because you'd be stealing small amounts from thousands of people but my knowledge of certificates and the nature of the security they provide is sparse.

Easy way to make call centre droid take notice! (0)

Anonymous Coward | more than 4 years ago | (#27261563)

I had the same scenario with eTrade Australia once - they had a bad SSL cert (mismatched domain) on some doubleclick adverts embedded in the login page, causing the browser warning to popup. This went on for days.

As I'm in IT security, I quickly found the cause, but I was worried about it training other users to 'just click OK' on the security warning, so I called the helpdesk.

I got fobbed off with 'someone is working on it', and (expected, but still alarmingly) 'just click OK and log in'. They didn't want my explanation of the cause or want to escalate it.

As the call was being recorded (they all are), I then asked if that meant they were going on the official record as accepting liability for any fraudulent trades made on my account, in the event that the website I was connected to was a fake and my details got stolen, either now or any time I saw the popup in future.

The guy was suddenly rather less sure I should 'click OK', and called the supervisor, who called their supervisor, who called the technical department.

I explained the domain mismatch on the doubleclick ads, warned them not to tell users to just 'click OK' any more, and the issue was fixed about an hour later....

The real problem is with the customer service (1)

zermous (1196831) | more than 4 years ago | (#27261647)

The real problem here, I think, is the customer service. A company is too big for its britches when it is no longer possible to get ahold of someone there to take action on a technical issue. I realize that they have to ignore people without hotlines to their technical department or else spend enormous time filtering out feedback from morons.. but when they do this, they lose the asset of feedback from experts like us.

I wish there was a way to get certified as a Smart Guy so that you got a secret login to a hotline website where subscriber companies could get in contact with you in order to receive your feedback about their systems.

More proof (1)

geekoid (135745) | more than 4 years ago | (#27261735)

that real massive online and electronic banking will fail.

There are more and more ways to compromise systems technically and socially due to the nature of computers.
