Disappointing trend for online banking sites



Given how easy it is for people to be fooled by phishing sites, you would think banks would try to keep as many “easy ways to identify a legitimate bank site” as possible, wouldn’t you? I mean, user-friendliness is certainly a big selling point in software and web sites alike, so you would think banks would make it easier for visitors to tell whether they can trust that the site they’re visiting REALLY is a bank site.



Unfortunately, that’s not the case according to the Security Fix. According to his post…

However, Web sites for Bank of America, Wachovia, American Express and Chase no longer cause a user’s browser to display the little padlock as they did in years past,

Apparently, in an effort to make sure their pages load as quickly as possible, banks are forgoing the typical https:// login page for a page which merely CALLS to the secure login. Technically your login information is still encrypted, but there are a lot of reasons why this isn’t as good.

First, yes, https:// pages load more slowly than http:// pages. Tough. I can survive an extra five seconds without seeing the login. I’d gladly PAY that 5 seconds if it meant I could VERIFY that I really am looking at a page served from my bank’s website.

I’ve spent literally years telling people that one way they can be sure that information is encrypted between them and a website they’re banking with or ordering from is the https:// prefix or the lock icon. Now in reality, yes, it’s possible to spoof that (at least in Internet Explorer) and it is worth checking the certificate, but for most of the people I deal with the attitude is either a) I’m never entering a credit card number onto a website or b) lock? I’ll have to look for that next time I order something. I mean, there’s not that much in my account anyone would be interested in anyway…

I’ve specifically refused to log in to an unsecured portal for a bank previously, instead finding the same login served up through an https:// connection.

The Microsoft blog chimes in with a good point that if the initial connection isn’t https, then you can’t be REALLY sure that it’s REALLY coming from the correct source anyway and hasn’t been hijacked or rewritten along the way. The little secure login box that’s supposed to securely (https) submit your login info could have been rewritten to take you to Joe’s phishing log….

All of this was prompted by a Netcraft report on the trend.

Let’s hope the IT departments at the banks falling for this idea wake up and smell the toast burning. It might be worth writing letters to voice opinions. We need every tool we can get to fight spoofing and to help people learn to tell legitimate sites from fraudulent ones. Today most fraud sites are advertised by links in email, but what if they were DNS hijacked instead? SSL logins (and original page delivery by SSL) are the best way to be able to verify.

Update – 8/24 Sunbelt blog has a reference to the trend.
