
Banking and payment protection discussion



On the subject of B&PP mode enhancements, I would also like to see the ability to enter a web site certificate SHA-1 thumbprint in Protected web site entries. This is the only way to ensure you haven't been subjected to a man-in-the-middle attack. Gibson Research has an excellent article on this here: https://www.grc.com/fingerprints.htm.

Of note is that browser fingerprinting is not without its issues that one should be aware of. The main issue is that banks regularly change their certificates, which in turn causes a new thumbprint to be created. Worse, major banks often use a unique certificate on each web site sub-section entered. As such, each thumbprint entered should only apply to the bank's public home URL, and entry to the web site is always done to the home web page.

Also the biggest offender when it comes to man-in-the-middle activity is Eset itself via SSL/TLS protocol scanning. As such, it should be disabled on any URL where a thumbprint has been entered. Most bank web sites use EV issued certificates which usually disables SSL/TLS protocol scanning but not always.

-EDIT- I guess I should add that the Gibson Research fingerprinting method won't prevent in-transit network man-in-the-middle activities. The only tool that did so was the now defunct and non-supported Microsoft EMET tool that was the predecessor of the exploit protection built into Win 10/11. Also, the tool only supported Internet Explorer. What EMET provided for was the entry and validation of the thumbprint of the web site's issuing root CA certificate; i.e. the cert. at the top of the certificate chain.

Edited by itman

Hi All, I just realized when entering my bank website that I don't get a separate browser pop-up. Also, what bothers me is I don't see a green border around the Firefox browser indicating a safe browser webpage. I am worried about this, so I went into the Banking & Payment protection section and noticed the "Protect websites" was greyed out. I then unchecked "Secure all browsers" and I was able to put my bank url in the list. After restarting, it still does not put a green border around my Firefox browser when I click on the bank url. Reading most of the posts in this thread, I see people are not liking the change ESET made. I would like help as to how I can be sure I have a secure bank website. How do I get the green border?

 


Forget my post please. After attempting to open the bank web site several times and closing it, it just finally opened in a secure browser. I will watch this closely, and if the separate browser decides not to open in future I will return to try for help here.

Thanks


Continuing my certificate thumbprint validation discussion, here's how Eset can implement this in secured browser B&PP mode.

Prior to Eset opening a new secured browser instance in B&PP mode; i.e. no extensions allowed, a connection to Eset servers is made and the bank web site accessed. The web site certificate chain is accessed with web site cert. and its associated issuing root cert. thumbprints stored for further reference.

Next, the secured browser instance in B&PP mode is initiated and bank web site access is made. The web site certificate chain is accessed to obtain web site cert. and its associated issuing root cert. thumbprints. The browser accessed thumbprints are compared to the prior stored Eset server accessed ones. If the thumbprint set values don't match, Eset issues a man-in-the-middle detection alert and terminates the secured browser instance in B&PP mode.

Now we have indeed a secure B&PP app that no other security vendor has.
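
The comparison step of the scheme proposed in the post above, as an added example that is not part of the original thread and is not ESET code. The chain byte strings are constructed stand-ins for DER-encoded certificates, and the function names and verdict labels are assumptions; reporting a leaf-only mismatch separately from a root mismatch is this example's addition, reflecting the earlier caveat that banks renew certificates and use different ones per site section.

```python
import hashlib

def thumbprint(der_cert, algo="sha1"):
    """Hash of the DER-encoded certificate, colon-separated as certificate viewers show it."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def chain_thumbprints(chain_der, algo="sha1"):
    """Return (leaf, root) thumbprints for a chain ordered leaf first, root last."""
    if not chain_der:
        raise ValueError("empty certificate chain")
    return thumbprint(chain_der[0], algo), thumbprint(chain_der[-1], algo)

def compare_chains(reference, observed, algo="sha1"):
    """Compare the chain the browser received with the separately fetched reference chain."""
    ref_leaf, ref_root = chain_thumbprints(reference, algo)
    obs_leaf, obs_root = chain_thumbprints(observed, algo)
    if obs_root != ref_root:
        # Chain ends at a different CA, e.g. a locally installed TLS-scanning root.
        return "ROOT_MISMATCH"
    if obs_leaf != ref_leaf:
        # Same root, different site certificate: possibly a renewal or per-section cert.
        return "LEAF_MISMATCH"
    return "MATCH"

def should_terminate(verdict):
    """The post's rule: any mismatch raises the alert and closes the secured browser."""
    return verdict != "MATCH"

# Constructed stand-ins for DER certificate bytes (not real certificates).
ROOT = b"constructed DER: public root CA"
INTERMEDIATE = b"constructed DER: issuing intermediate CA"
LEAF = b"constructed DER: bank.example site certificate"
RENEWED_LEAF = b"constructed DER: bank.example renewed site certificate"
LOCAL_ROOT = b"constructed DER: locally installed interception root"
RESIGNED_LEAF = b"constructed DER: bank.example certificate re-signed locally"

REFERENCE = [LEAF, INTERMEDIATE, ROOT]          # what the vendor server saw
RENEWED = [RENEWED_LEAF, INTERMEDIATE, ROOT]    # what a browser might see after renewal
INTERCEPTED = [RESIGNED_LEAF, LOCAL_ROOT]       # what a browser sees behind TLS interception

if __name__ == "__main__":
    for name, chain in (("same", REFERENCE), ("renewed", RENEWED), ("intercepted", INTERCEPTED)):
        verdict = compare_chains(REFERENCE, chain)
        print(name, verdict, "terminate" if should_terminate(verdict) else "continue")
```
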


This topic is now closed to further replies.