DEV Community

Discussion on: A Bank Should Authenticate With You - And Vice Versa

Antonin J. (they/them) Author

I thought I saw something about this! That's fascinating.

It looks like there aren't really any solutions to this problem then, are there?

Lawrence

Well, unless your computer has been hacked or your primary DNS has been hacked, all you really need to do is make sure the URL address matches the bank's URL. Let's look at a couple potential issues and how they are addressed in today's technology.

Click Jacking
This was the most common form of abuse for a number of years. Essentially, an email goes out with a link that looks like it's from your bank, you click it and what you see is your bank's website. But, if you look at the URL, you'll notice it's different. This is an attack form where malicious users used to essentially iframe your bank's website within their page that had JavaScript that could monitor all of your keypresses. This doesn't really work anymore, at least not with modern web browsers, because banks (should) be using an HTTP Response Header called X-Frame-Options which explicitly tells the browser that the website is not allowed to be pulled into another website (with option DENY or SAMEORIGIN).

Host Entry or Domain Hijacking
If, let's say, your computer has been compromised, a malicious user can put an entry in your hosts file (\windows\system32\drivers\etc\hosts or /etc/hosts depending on your OS) that points the bank's domain to a different web server. In this case, you'd have no way of telling by the URL bar, but you'd likely see something that doesn't quite look like your bank because these hackers are usually either too lazy or too incompetent to make a decent replica. There's really not much you can do here if you don't take notice of the visual cues. Keeping your computer's defense up-to-date and making sure portable devices are not easily accessible would minimize this. I don't think it really happens anymore, but DoS attacks on DNS servers that would mimic this used to happen quite a bit 10 years ago or so.

Bank Website Compromised
There is always the possibility that the bank's website has also been compromised, but I'd say that the likelihood of this happening without the website going down is incredibly low. Maybe if you're using something like a small community bank that might not have the resources of the big banks, you might be at higher risk, but I'd still say it's pretty unlikely that a bank would forego the security needed to prevent this.

If there's one thing I would recommend, it's simply to never click links to your bank. If you get an email or text that asks for some action on your bank account, open your browser and manually enter the URL to get there.
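Added example, not part of the thread above: a small checker for the X-Frame-Options header that Lawrence's comment describes, taking a response's headers and reporting whether they actually block framing with DENY or SAMEORIGIN. The sample responses at the bottom are constructed for the demo, not captured from any real bank site.

```python
from collections.abc import Iterable, Mapping
from typing import Tuple, Union

Headers = Union[Mapping[str, str], Iterable[Tuple[str, str]]]

# The only two directives modern browsers honour; the old ALLOW-FROM form is
# obsolete and ignored, so it offers no protection at all.
VALID_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def frame_policy(headers: Headers) -> str:
    """Classify a response's X-Frame-Options as 'deny', 'sameorigin',
    'invalid' or 'missing'.

    Header names are matched case-insensitively and the value is compared
    after trimming and upper-casing. Because browsers do not all agree on how
    to treat duplicated, comma-joined or unknown values, this checker flags
    anything other than exactly one valid directive as 'invalid' so that it
    gets fixed rather than relied upon.
    """
    pairs = headers.items() if isinstance(headers, Mapping) else headers
    raw = [v for k, v in pairs if k.strip().lower() == "x-frame-options"]
    if not raw:
        return "missing"
    # A server may emit the header twice or join several values with commas.
    directives = {part.strip().upper() for v in raw for part in v.split(",")}
    if len(directives) != 1:
        return "invalid"
    directive = directives.pop()
    return directive.lower() if directive in VALID_DIRECTIVES else "invalid"


def framing_blocked(headers: Headers) -> bool:
    """True only when the header reliably stops the page from being framed."""
    return frame_policy(headers) in ("deny", "sameorigin")


# Constructed sample responses for the demo (not real captures).
SAMPLES = {
    "hardened": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "same_origin": [("x-frame-options", " sameorigin ")],
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "duplicated": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "absent": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12} policy={frame_policy(hdrs):10} blocked={framing_blocked(hdrs)}")
```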