PrepAway - Latest Free Exam Questions & Answers

How did the hacker obtain John’s bank account user ID and password?

Given: John Smith uses a coffee shop’s Internet hotspot to transfer funds between his checking and savings accounts at his bank’s website. The bank’s website uses the HTTPS protocol to protect sensitive account information. A hacker was able to obtain John’s bank account user ID and password and transfer all of John’s money to another account. How did the hacker obtain John’s bank account user ID and password?

A. John’s bank is using an expired X.509 certificate on their web server. The certificate is on John’s Certificate Revocation List (CRL), causing the user ID and password to be sent unencrypted.

B. John uses the same username and password for banking that he does for email. John used a POP3 email client at the wireless hotspot to check his email, and the user ID and password were not encrypted.

C. John accessed his corporate network with his IPSec VPN software at the wireless hotspot. An IPSec VPN only encrypts data. The user ID and password are sent in clear text. John uses the same username and password for banking that he does for his IPSec VPN software.

D. The bank’s web server is using an X.509 certificate that is not signed by a root CA and is also using an expired public key, causing the user ID and password to be sent unencrypted.

