
Banks Sites Remain Woefully Vulnerable  - markbao
http://securitywatch.eweek.com/vulnerability_research/banks_sites_remain_woefully_vulnerable.html
======
underscore
The actual report is here:
<http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf>

I wonder what sort of attack they had in mind to exploit the fact that contact
information and security advice was on an insecure page? A man-in-the-middle
attack is what came to my mind, but it is early, and I may be missing
something obvious. I skimmed the paper, but didn't see any specifics.

I'd think BofA were a lot cooler if they gave me the option to upload a PGP
key, and then used it to encrypt any emails that they send my way. It'd solve
the snooping email server admin problem, and, assuming that they signed their
messages and kept their private key safe, would make it a lot easier to spot
phishing. I guess there's not enough demand for that, though.
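The scheme underscore sketches above (the customer uploads a public key, the bank encrypts every message to it and signs with its own key) carried through in working Go, as an added example that is not part of the thread and not anything Bank of America offers. It uses Ed25519 signatures and X25519 plus AES-GCM as a stand-in for OpenPGP so that it runs on the Go standard library alone; the function names, the two sample mail bodies and the assumption that the customer already holds the bank's genuine verifying key are all mine, not the page's. Three messages go through the customer's Receive: the bank's own mail, which is accepted; a phisher's mail encrypted to the same (public) customer key, which decrypts but fails the signature check; and the bank's mail with one bit flipped by a relay, which fails authentication before any signature is looked at.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const BankBody, PhishBody = "Your statement is ready.", "Please confirm your password on our new login page." // constructed sample bodies

// Envelope is what crosses the untrusted mail path: a one-time X25519 public
// key, a nonce, and AES-GCM ciphertext over (signature || body).
type Envelope struct{ EphPub, Nonce, Ciphertext []byte }

// sessionGCM derives AES-256-GCM from the X25519 agreement between priv and
// peer. SHA-256 over (secret || ephPub || rcptPub) stands in for a real KDF.
func sessionGCM(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, rcptPub []byte) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{secret, ephPub, rcptPub}, nil))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is never rejected
	return cipher.NewGCM(block)
}

// Send is the sender's side (bank or phisher): sign body, then encrypt signature||body
// to the customer's uploaded key rcpt under a fresh ephemeral X25519 key.
func Send(signPriv ed25519.PrivateKey, rcpt *ecdh.PublicKey, body []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := sessionGCM(eph, rcpt, ephPub, rcpt.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signPriv, body)
	ct := gcm.Seal(nil, nonce, append(sig, body...), ephPub)
	return &Envelope{EphPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Receive is the customer's side: decrypt with encPriv, then verify the signature
// under bankPub, the bank's key pinned out of band (assumption: phishing is caught
// only if that pinned key is the genuine one). Altered mail fails GCM first.
func Receive(encPriv *ecdh.PrivateKey, bankPub ed25519.PublicKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphPub)
	if err != nil {
		return nil, err
	}
	gcm, err := sessionGCM(encPriv, ephPub, env.EphPub, encPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphPub)
	if err != nil {
		return nil, errors.New("decryption failed: altered in transit or not for this key")
	}
	const n = ed25519.SignatureSize
	if len(pt) < n || !ed25519.Verify(bankPub, pt[n:], pt[:n]) {
		return nil, errors.New("not signed by the bank's key: treat as phishing")
	}
	return pt[n:], nil
}

// RunScenario sends genuine bank mail, a phisher's mail to the same uploaded key,
// and bank mail with one flipped bit; setupErr reports failures of the demo itself.
func RunScenario() (fromBank string, phishErr, tamperErr, setupErr error) {
	bankPub, bankPriv, e1 := ed25519.GenerateKey(rand.Reader)
	_, phishPriv, e2 := ed25519.GenerateKey(rand.Reader)   // the phisher's own key
	custPriv, e3 := ecdh.X25519().GenerateKey(rand.Reader) // public half is "uploaded"
	if err := errors.Join(e1, e2, e3); err != nil {
		return "", nil, nil, err
	}
	genuine, e4 := Send(bankPriv, custPriv.PublicKey(), []byte(BankBody))
	phish, e5 := Send(phishPriv, custPriv.PublicKey(), []byte(PhishBody))
	if err := errors.Join(e4, e5); err != nil {
		return "", nil, nil, err
	}
	body, err := Receive(custPriv, bankPub, genuine)
	if err != nil {
		return "", nil, nil, err
	}
	tampered := &Envelope{genuine.EphPub, genuine.Nonce, bytes.Clone(genuine.Ciphertext)}
	tampered.Ciphertext[0] ^= 0x01 // one bit flipped by a relay in transit
	_, phishErr = Receive(custPriv, bankPub, phish)
	_, tamperErr = Receive(custPriv, bankPub, tampered)
	return string(body), phishErr, tamperErr, nil
}
```

The phishing detection in this design rests entirely on the customer having pinned the right bank key, which is where the comment's "kept their private key safe" comes in: a bank that hands out its verifying key only on a page served over plain HTTP has reintroduced the man-in-the-middle exposure the thread opened with.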

