Verifying legitimate bank websites

Recently I wrote about Flagfox, a simple Firefox extension that puts a flag in the corner of the browser window indicating the country where the website being viewed resides. Hovering the mouse over the flag displays the IP address (explanation below) of the website and clicking the flag brings up more details, including the city where the site is located.

This can be important because there are many ways to be tricked into thinking you are at, for example, a bank website, when you are really viewing a well-crafted, scam copy designed to steal personal information. Flagfox can go a long way toward verifying that you are really looking at the website you expect. Anyone doing financial transactions online would be well served to use it.

When banks explain why their websites are safe and secure, they focus on the SSL encryption used to transmit data over the Internet. That's only part of the puzzle however. We can encrypt data and send it to the bad guys too. That's where Flagfox can help.

The problem is verifying the physical location of legitimate websites.

For example, on my computer, Flagfox reports that the login page for Capital One credit cards is in McLean, Virginia. Is this the real site, or, has my computer been compromised such that I'm looking at a phony copy?

The only way to verify the location is to ask the bank. So that's what I've been doing.

On July 3rd, I contacted eight banks asking where their websites were physically located. In some cases I emailed, in other cases I filled in a form on their website. In each case I pointed to my previous blog posting and asked for a comment. The banks I contacted were: Citibank, Chase, Washington Mutual, Bank of America, Wells Fargo, Wachovia, HSBC and Capital One.

About IP Addresses

Flagfox determines the country based on the IP address of the website. Every computer on the Internet is reachable by a unique number called an IP address (a single IP address often front-ends multiple computers, but that's another topic).

It is impossible for the computer(s) running a website to hide their IP address. Just as the Flagfox extension displays it, so too can any Internet-aware software that cares to do so. And, just like you can learn the IP address of a website, the website also knows your IP address. To see this in action, go to ipchicken.com.

Thus, one way to detect scam websites would be for financial companies to publicize the IP address(es) of their website. Customers could put a yellow sticky on their monitor with the IP address and verify it with Flagfox before logging in to the website.

The Bank of America did just that. They wrote back that their website uses these three IP addresses:
  171.161.161.173
  171.159.193.173
  171.159.65.173

But, IP addresses are for computers not for people. Humans are better off dealing with countries, states and cities. Capital One credit card customers would, I'm sure, prefer to remember McLean, Virginia rather than the IP address 208.80.48.53.

It has been two days since I contacted the eight banks (yes, it's a holiday in the U.S., but bank websites don't do holidays). Three haven't responded at all. Four responded with canned messages that failed to address the topic. Only Bank of America seems to have read the question.

If I learn anything from these companies, I'll pass it on. If you do financial transactions online, try asking your financial institution. Can't hurt.

Update July 7, 2008: Attacking the registrar for a domain is one way to redirect people to phony websites. See this July 7th ComputerWorld article for a recent example: ICANN blames June site hijack on registrar

See a summary of all my Defensive Computing postings.