SPLIT POST DUE TO NEW USER BEING UNABLE TO TAG MORE THAN TWO USERS AT A TIME.
@mark_m I occasionally treat Westpac as not-as-big-a-bank and this can throw people off occasionally. In fairness to you, I probably should just go with the common consensus on that one.
@syncretic is right in asking that I support my claim with some evidence.
Last I checked, Westpac was using a digital feudalist… Amazon if my memory serves. Thankfully, checking whether a domain is being reverse-proxied through a CDN (Content Delivery Network) is quite easy. Unfortunately the problem gets a bit more difficult to check for when a site is just using a server owned by Amazon, Google, Microsoft etc and in those cases one must look at the IP addresses they use and often you need to run a ‘whois’ request on them which is not made easy in browsers.
To check a site for evidence of the most concerning issue, the MitM attack, one can simply:
- Bring up the Developer Tools > Network Tab in your web browser (in a Firefox-based browser like Tor Browser or LibreWolf simply hit Ctrl+Shift+E. Alternatively right-click on a page and select ‘Inspect’, then tap the Network Tab)
- Visit the site. You’ll see a bunch of resources appear in the Network tab list,
- Find a resource that has finished downloading and check the HTTP Response that was sent back to the browser. If it says:
  - server: cloudflare or cf-ray: <HEXADECIMAL_NUMBERS>, or
  - server: AmazonS3 or via: <HEXADECIMAL_NUMBERS>.cloudfront.net (CloudFront), or
  - server: AkamaiGhost or something to that effect,
Then that site is being reverse proxied by Cloudflare, Amazon or Akamai. It’s man-in-the-middled by what I call a techno-feudalist. This doesn’t mean the site is bad, or the developers are bad. But treat it with great caution. I personally minimise my access to those sites, opting for archived copies of the page, if at all. Many website developers are ignorant of the internet takeover, or they believe that CAPTCHAs are bad and people will leave their site if it has a bot CAPTCHA. Or they think load-balancing is too expensive or difficult etc.
Anyway I challenge anyone to find an independent bank that is not being MitM’d. (HINT: There is one I know of, out of approximately forty. Some I was unable to check because of the types of road-blocks some sites put up so I would love to be proven wrong here)
It bears repeating that Medibank (specifically members.medibank.com.au) was and is reverse proxied by Amazon Cloudfront. MitM’d from a server in the US if it makes any real difference… it doesn’t. Namely the server is server-13-225-34-42.cdg3.r.cloudfront.net
This is not “paranoia”; this is what Europe have invested a lot of time and energy to stop, and here in Australia we roll over and consign ourselves to being taken over. As an example, Google Analytics was made illegal in Europe, moving data offshore is illegal, and a gentleman in Europe won a court case to be able to buy a computer without Microsoft Windows. The latter might be a good thread of discussion in itself at Choice, in fact.
So to bring this back to the topic at hand, what good is a password at all if everything on the pages you access and in your communications is being man-in-the-middled and could possibly be spied on and collected by servers in the location of the hegemon. Or maybe that is why the humble password is not so important, maybe mass surveillance, combined with assessing your mouse movements or button taps, or your biometrics like your fingerprint (someone mentioned above which is creepy as all hell) as you browse is how they ensure you are you. Microsoft have a patent on using brainwaves so maybe they plan to use that too, if they are not using it already.
This is not to discourage; I’m just laying out some of the challenges I think we must face moving forward. I agree that passwords should be solid; if they get hacked then they should probably bear some responsibility, but we cannot really talk about password security before addressing the elephant in the room, which to my understanding is the MitM Attack happening in silence.
The 2FA RSA token is good against fraudulent transfers, but in terms of privacy, we have close to none, with the exception of one bank. Again prove me wrong, please. Show me that another bank is not MitM’d - I would love to have a ‘CHOICE’.
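The header check described in the post above, written up as a small Python script. This is an added example and not the poster's own code: it looks for the same indicators the post lists (server: cloudflare / cf-ray, server: AmazonS3 / via ...cloudfront.net, server: AkamaiGHost) and adds one extra CloudFront header, x-amz-cf-id, as an assumption of mine. The sample responses are constructed, not captured from any real bank site; the fetch_headers function only runs when you pass a URL on the command line.

```python
import urllib.error
import urllib.request
from typing import Mapping, Optional

# Constructed sample responses (not captured from any real site) that mirror the
# header patterns described in the post, plus one self-hosted control case.
SAMPLE_RESPONSES = {
    "cloudflare-fronted": {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-SYD"},
    "cloudfront-fronted": {
        "Server": "AmazonS3",
        "Via": "1.1 0123456789abcdef.cloudfront.net (CloudFront)",
    },
    "akamai-fronted": {"Server": "AkamaiGHost"},
    "self-hosted": {"Server": "nginx/1.24.0"},
}


def classify_cdn(headers: Mapping[str, str]) -> Optional[str]:
    """Name the reverse-proxy CDN suggested by a response's headers, or None.

    Header names and values are compared case-insensitively because browsers
    and servers differ in how they present them (cf-ray vs CF-RAY, etc.).
    """
    lowered = {name.lower(): value.lower() for name, value in headers.items()}
    server = lowered.get("server", "")
    via = lowered.get("via", "")

    if "cf-ray" in lowered or server.startswith("cloudflare"):
        return "Cloudflare"
    # x-amz-cf-id is a CloudFront response header not mentioned in the post;
    # it is assumed here as an additional indicator.
    if "cloudfront.net" in via or "x-amz-cf-id" in lowered or server == "amazons3":
        return "Amazon (CloudFront/S3)"
    if "akamaighost" in server:
        return "Akamai"
    return None


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """Fetch the response headers for a URL with a plain GET.

    urllib follows redirects by default, so the headers belong to the final
    response. A 4xx/5xx answer still carries the headers we care about, so an
    HTTPError is caught and its headers returned instead of being raised.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "cdn-header-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def classify_samples(samples: Mapping[str, Mapping[str, str]]) -> dict:
    """Classify every sample response, returning {label: cdn_name_or_None}."""
    return {label: classify_cdn(hdrs) for label, hdrs in samples.items()}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Live check of URLs supplied on the command line, e.g. https://example.com/
        for url in sys.argv[1:]:
            print(url, "->", classify_cdn(fetch_headers(url)) or "no CDN indicator")
    else:
        for label, cdn in classify_samples(SAMPLE_RESPONSES).items():
            print(f"{label}: {cdn or 'no CDN indicator'}")
```

Run it with no arguments to see the constructed samples classified, or pass one or more URLs to inspect live responses. A result of "no CDN indicator" only means none of these particular headers appeared; as the post notes, a site hosted directly on a cloud provider's own servers shows nothing in the headers and needs an IP address lookup instead.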