Checking certificates

Digital certificates are used to encrypt connections and provide users with the certainty that they are connected to the correct website. However, they are also used by fraudulent websites, so it is important to check they are actually genuine, especially when e-banking.

Protect yourself by...

  • always entering your financial institution’s web address manually into your browser.
  • paying proper attention to any warning messages and error alerts appearing when establishing a connection, and cancelling the process if need be.
  • making sure that the address line (URL) is marked with a lock symbol.
  • checking whether the certificate was explicitly issued for the financial institution’s name (this is either displayed next to the lock, or after you click the lock, under “Issued for”).
  • verifying that the address contains the correct domain name of your financial institution.
  • only entering your personal access data once the certificate has successfully been checked.

Protection provided and risks inherent in certificates

Every browser automatically checks SSL certificates for authenticity and validity when establishing a connection, and only displays the target website once this check has succeeded, i.e. once the website has been verified as correct and no error notifications are shown.

However, since an ever increasing number of fake financial institution websites used for phishing are also fitted with a valid SSL certificate, the browser's certificate check alone is not sufficient to make absolutely sure you are on the correct website.

You should therefore always enter your financial institution’s web address manually into your browser, and check the certificate before starting any e-banking session!

Checking certificates in your browser

Generally, your browser must not display any error messages when changing over to a protected connection. Otherwise, there is something wrong with the certificate or the connection, and you should immediately terminate the connection.

You should therefore never manually continue to establish a connection if any warning notices or error messages are displayed!

An SSL connection which has been correctly established with the proper website and which is based on an authentic and valid certificate - i.e. a secure connection - can be recognised by the following three clear browser characteristics:

  1. A lock symbol in the address line
    This connection was encrypted using a valid SSL certificate.
  2. The correct financial institution’s name (this is either displayed next to the lock or after clicking the lock, under “Issued for”)
    The identity of the certificate owner (the bank) has been confirmed.
  3. Correct domain name in the address line
    You are actually on the financial institution’s website.

[Browser screenshots: Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari]

The specific display of these characteristics differs slightly from one browser to the next. You can read up on it under our instructions for the most common browsers.

Checking certificates using fingerprints

Manually checking the authenticity of a certificate provides even more security, even if it is a bit more laborious. In this case, the “fingerprint” displayed in the browser has to agree with the fingerprint published by the financial institution.

If the fingerprint cannot be verified, you must immediately terminate the connection!

The fingerprints of the e-banking log-in pages of our partners plus detailed instructions on how to check these fingerprints with the help of various browsers can be found on our “eBanking – but secure!” website.

E-banking facilities use digital certificates to ensure that the web server accessed is actually genuine, and to encrypt the communication channels connecting to their servers. They employ the TLS/SSL protocol to do so, which is why these are also called “SSL certificates” and “SSL connections” for short.

It only takes a few steps to check whether a connection is protected as it should be.

Further information for those interested

SSL connection operating principle

In general, the TLS/SSL protocol is the one most frequently used to establish a secure connection to a web server. This communications technology encrypts the information to be transmitted so that it cannot be captured. At the same time, it guarantees the authenticity of the web server to which you are connecting, i.e. that the web server is genuine.

The basis of the protection provided is a so-called digital certificate issued by a trustworthy body - a certification body - for a web server.

Since it can only be guaranteed that the web server is genuine and cannot be eavesdropped on for as long as the certificate underlying the SSL connection is authentic and valid, certificate checking plays a central role here.

Checking certificates with browser support

When browsers establish an SSL connection, they verify the following certificate properties:

  • Trustworthiness of the certificate issuer: The certificate was issued by a trustworthy certification body (i.e. it was digitally signed by this body). This check safeguards that the certificate is genuine.
  • Certificate validity: The certificate has not expired and has not been declared invalid (revoked) before its expiry date.
  • Web server address: The web server address provided in the certificate agrees with the address used in the browser's address field.

Only once these three checks have been successfully concluded will the browser display no error messages when establishing an SSL connection.

Verification of the above certificate properties by browsers offers a great degree of security, but it can never identify certificates which a certification body issued to a fraudster because of insufficient applicant checks. A few fraud cases of this kind have emerged.

Since fraudsters are highly likely to choose an address for their certificates which differs from the one of the actual target (financial institution), such improperly issued certificates can be identified by checking the address displayed in the browser.

To this end, users will have to identify whether the so-called domain section of the address actually belongs to the organisation they want to contact (e.g. a financial institution). Current browsers graphically highlight this part of the address to make verification easier (for instance in bold or deep black letters).

Checking certificates by comparing fingerprints

Every SSL connection user can check the authenticity of the certificate underlying a connection manually. To this end, they will have to verify the certificate fingerprint.

A fingerprint is usually displayed as a hexadecimal character string consisting of the letters A-F (no differentiation is made between uppercase and lowercase letters) and the numbers 0-9.

Fingerprints can be verified by manually comparing this character string with a reference string which users will have received from their financial institution. If the character sequence read from the certificate and the reference sequence received from the financial institution are identical, this is a genuine certificate.

Provided that the character string received from the financial institution is genuine, manually checking a fingerprint is therefore the most secure method of checking certificates.

There is then no need to additionally check the address line as described for certificate checking with browser support.
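The two manual checks described on this page, the domain check from "Checking certificates with browser support" and the fingerprint comparison above, as an added Python example that is not part of the original page. The URL, domain name and certificate bytes are constructed for illustration and do not belong to any real institution.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """The address check: the URL must use https and its host must be
    expected_domain itself or a name below it (e.g. www.<domain>)."""
    parts = urlsplit(url)
    # urlsplit discards anything before '@', so "https://bank@evil.test/"
    # yields hostname evil.test and correctly fails this check.
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    domain = expected_domain.lower().rstrip(".")
    # "example-bank.test.evil.test" ends in "evil.test", not in ".example-bank.test"
    return host == domain or host.endswith("." + domain)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint as browsers display it: hash of the DER-encoded certificate,
    upper-case hex, two characters per colon-separated group."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Keep only the hex digits, upper-cased: 'ab:cd', 'AB CD' and 'abcd'
    are the same fingerprint written differently."""
    return re.sub(r"[^0-9a-fA-F]", "", text).upper()


def fingerprint_matches(der: bytes, reference: str, algorithm: str = "sha256") -> bool:
    """The manual check: the fingerprint read from the certificate must equal
    the reference published by the institution in full; no partial matches."""
    ref = normalize_fingerprint(reference)
    if len(ref) != hashlib.new(algorithm).digest_size * 2:
        return False  # truncated copy, or a reference for a different hash algorithm
    return hmac.compare_digest(normalize_fingerprint(fingerprint(der, algorithm)), ref)


# Constructed sample input: not a real certificate and not a real institution.
SAMPLE_DER = b"constructed-der-bytes-standing-in-for-a-certificate"
PUBLISHED_REFERENCE = fingerprint(SAMPLE_DER).lower()  # as it might appear in a leaflet

if __name__ == "__main__":
    print(host_belongs_to("https://www.example-bank.test/login", "example-bank.test"))  # True
    print(host_belongs_to("https://example-bank.test.evil.test/", "example-bank.test"))  # False
    print(fingerprint_matches(SAMPLE_DER, PUBLISHED_REFERENCE))                           # True
    print(fingerprint_matches(SAMPLE_DER, PUBLISHED_REFERENCE[:20]))                      # False
```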
