• PadlockIconMisuse

This node was originally added in response to Action-9

GeorgeStaikos (KDE), BobLord (Red Hat), and AmirHerzberg have all written about the problem described here. The contents of this node are mostly just a collation of examples they've collected and/or already written about.

Problem Description

Content providers (typically bank sites) have login pages which lack SSL/TLS security and for which browsers do thus not display a padlock icon in the taskbar. Lacking that padlock indicator in the browser chrome, many of these same sites instead display a padlock icon somewhere in the actual login page content (near the login form). That represents a misappropriation of the convention of the padlock as a trust/security indicator -- a misuse designed to give the user a greater sense of security but that actually only gives users a false sense of security.

This problem devalues attempts of browser vendors and security experts to educate users to "check for the padlock". Users begin to trust any page that displays a padlock icon somewhere on the page -- even if the browser address bar displays no padlock (because that's that these bank sites are teaching them to do).

That in turn makes it much easier for fraudsters to construct phishing sites that have login pages with the same level of apparent trust value as the actual bank login pages (that is, pages for which no lock icon is displayed in the browser address bar but that have a lock icon on the phishing page in exactly the same place the real bank-site login page has its padlock).

Examples from Bob Lord

• http://www.smithbarney.com Not secured through SSL/TLS, but note the padlock on the login form. Click on that padlock to get a misleading "just trust us" explanation to users -- which any phishing site can mimic just as easily as they can the site's misuse of the lock icon.

• http://www.chase.com/ No SSL/TLS, padlock icon right next to words "Log On".

Bob's comment

"Even pros cannot tell the difference between real sites and phishing sites as long as the real sites behave like phishing sites."

Example from George Staikos

Login page for Air Canada site. No SSL/TLS, but note the padlock icon and statement, "Your personal information is encrypted..."

Examples from Amir Herzberg

• http://www.bankofamerica.com/index.cfm No SSL/TLS, padlock icon above login form, click on padlock icon to see misleading "just trust us" explanation similar to Chase site.

• http://tdwaterhouse.com/ Page only partially secured with SSL/TLS, padlock on login form. (Note that KDE Konqueror does recognize this page a partially secure and shows a padlock icon in the normal browser-chrome address bar area; click that and Konqueror indicates "Some of this document is secured with SSL, but the main part is not.")

See also AmirHerzberg, Phishing and Spoofing FAQ. Especially see the Is Padlock OK section, which asks the question, "My bank's site says 'protected by SSL' and/or displays padlock sign; is it protected?" and for which Amir's answer is:

• Unfortunately, several sites - including some major bank sites, e.g. Chase - present a padlock and/or otherwise claim to use SSL and cryptography to protect the login process, while actually only encrypting the password in transit using a script in the login page... if the user received a spoofed login page, this will not be visible; of course, the spoofed page will send the password to the attacker.

And find more good writing on this topic by Bob Lord in the phishing tag on his blog, especially these entries:

• Banks are a Phisher's Best Friend

• Phishing and SSL

See Also

BobLord also quotes from a related paper by Aaron Emigh that's worth reading, Online Identity Theft: Phishing Technology, Chokepoints, and Countermeasures