False sense of security in https

Like most Internet users, I use https a lot. Whenever I login to a, say, my bank, Firefox shows a nice picture of the bank and a message the communication is secured and authorized. Should for any reason the communication between my computer and the bank being intercepted, I should get a security warning. That way I should be assured, I am communication with the bank and not with a phishing site.

Few people realize even when you make certain you don’t ignore any security warnings there’s still a chance the communication is compromised: when the computer you’re using is itself compromised by, for example, a sophisticated virus.

A sophisticated computer virus or hacker could install software on the computer that changes both the DNS settings of the computer and changes the root-certificates of the browser.
DNS is used by your own computer to ‘know’ what particular ip-address and server it should communicate to.  The computer asks the DNS-server of your provider (like XS4all, AOL) to translate www.myexample.com to an address like A popular metaphor for DNS is the ‘yellow pages’ or ‘telephone directory’.
The address of the DNS server itself are usually set by you’re provider, but a virus or hacker could change them. That way, you could be redirected to a physing site, even if webbrowsers should www.myexample.com.

Far fetched? A few months ago there was a virus that would change dns-settings on the computer that it infected. The virus was infecting the computers in the students-flat I lived a few year ago. Microsoft has a page on the same subject too and I found a few forum postings.

If the DNS settings are changed only, you would still get a https warning when you login to site that’s secured using https. However, what if a hacker of virus would also take over your browser and change the root-certicates? A bit harde, but certainly not impossible. That way, the webrowser will display no security warning, eventhough you’re communicating with a con site.

Fortunately, all banks in the Netherlands still require an extern device while doing any money transfers, payments or other sensitive operations. Rabobank uses requires a Random Reader that generates a number you have to enter manually, ING (formerly postbank) requires you to enter a number you receive at your mobile phone.
The random reader doesn’t have any external interface (you have to enter the data manually) so hacking that device is virtually impossible. The only way would be breaking into someone’s house and replacing it with your own random reader.
As said ING requires you to enter a number you receive via you’re cell-phone. A modern cell-phone or mobile-phone is connected to the internet, and installing software is possible on many modern phones. That way, a mobile phone could be compromised. Using a sophisticated combination of a hacked computer and a hacked mobile phone, a hacker could get someone to transfer money to his own bank account. Hard, but not entirely impossible.

Final word, I mention two banks in the above example. My article however, is not limited to banking sites, but to any site that uses https or https in combination with sms-verification using a cell-phone.