Shostack + Friends Blog Archive


How Not To Train Users

To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them.

Read Peter Gutmann’s “US Banks: Training the next generation of phishing victims” on the Cryptography mailing list.

In translation: “To save a buck, we’re going to make it even harder to tell if you’re at a real Bank of America site, or a fake. We care about your privacy.”