Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2008-Aug-18 11:07 pm
Chase Bank responds to Website Security Design FlawsFinally, Chase Manhattan Bank is again using SSL for its main webpage and login from that page. Evidently, this results from a very interesting study on banking website security design flaws presented at SOUPS'08 July 23-25, 2008. Chase was one of 214 financial institutions whose websites were studied for security design flaws. While Chase now uses a secure login on their main webpage Chase still presents security and contact information on INSECURE pages which can lead to phishing attacks. Plus, Chase still has work to do on login as it is still possible to login on an insecure Chase page but not easy like it was for several years. I protested to Chase, and in several threads on this forum, when Chase switched to insecure login on its main webpage back in 2006 and got nowhere with Chase. When they switched to insecure login, the chaseonline site login page was hidden and it took me 30 minutes to find it. When I called Chase online, the tech said they had been looking for the secure login page and asked me how I found it. Later, Chase made the chaseonline page easier to find but continued with an insecure login on the main page until this study, and the various Quicktime videos, I guess embarrassed them enough that they finally changed it. Not only does Chase still provide contact information on insecure pages, but as far as I know they still do not require difficult passwords and difficult user ID. As this study points out Chase and other banks need to do exactly what my home bank, Bank of Hawaii (boh.com) has done for some time now: encrypt the entire site. With Chase I was going back and forth from secure to insecure pages a few minutes ago after trying the new secure login on Chase's main page (instead of going directly to chaseonline login page and avoiding login on chase.com) which redirects to chaseonline. I ended up not being able to logout properly because, by going back and forth between secure and insecure pages, I lost the tab where I was logged into my credit card account. It appears that losing the tab automatically closed the connection as I had to login again but still that is a little disturbing. As the paper's authors state, if the entire banking site was encrypted then no problems regarding insecure pages for FAQ, contact information, etc would happen. I actually installed Quicktime (old version on a not much used virtual machine) so I could watch the videos on Chase problems. The link below has links to the videos and to the pdf version of the research paper. » www.eecs.umich.edu/%7Eap ··· ich.edu/ |
|
|
said by Mele20:Finally, Chase Manhattan Bank is again using SSL for its main webpage and login from that page. I'm guessing that the recent problems with DNS cache poisoning might have been one of the motivations. Repeated the above link, since it was not clickable in Mele20 's post (site software was confused by the embedded ":"). |
|
|
no_one to Mele20
Anon
2008-Aug-19 12:19 am
to Mele20
The login itself was still secure. Plus for phishing purposes putting a little lock on the bottom would not be that hard. At least good enough to fool most people. Just copy the website. Put a little fake lock and phish away. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI 1 edit |
Mele20
Premium Member
2008-Aug-19 2:07 am
Obviously, you didn't read the authors' paper nor did you watch the videos or you would not claim that the login was still secure.
As for a fake lock, obviously you don't use Fx3. |
|
SnowyLock him up!!! Premium Member join:2003-04-05 Kailua, HI |
to Mele20
said by Mele20:While Chase now uses a secure login on their main webpage Chase still presents security and contact information on INSECURE pages which can lead to phishing attacks. Plus, Chase still has work to do on login as it is still possible to login on an insecure Chase page but not easy like it was for several years. The amount of "http" pages where a login is possible are considerable. One area where they may have missed the boat is on their security pages. It would make sense to encrypt those pages if for the only reason to illustrate what an "https" page looks like. » www.chase.com/ccp/index. ··· ity_home |
|
therube join:2004-11-11 Randallstown, MD 1 edit |
to Mele20
Well looky here, an insecure page that purports to have a secure login. A little gold lock & all: http://www.dslreports.com/login/L3ByaXZhY3k=?secure=1So I'm confused - kind of. Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured? And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password. There is a difference. And the wording used to describe it can skew ones judgments on the matter. Anyhow, in other forums, I have been known to use this tagline: BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE And it is so. They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horses posterior. I have to assume they do this to totally piss of their customers - at least this one (or perhaps in the name of "security"). When this DNS issue came up, I was glad that BoA had that "sitekey" authentication tool, as I believe that by virtue of seeing your key, it lessened fears that you were ending up at a spoofed page. EDIT: Revised dslreports link, http://www.dslreports.com/login?secure=1 |
|
|
Chase was allowing a secured login from an insecure page. The dslreports link you gave does the same, but at least it isn't a bank. |
|
|
SnowyLock him up!!! Premium Member join:2003-04-05 Kailua, HI |
to therube
said by therube:Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured? And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password. The login data was transmitted via SSL regardless of whether the page it was entered into was encrypted or not. A short sighted view would be that when entering your data in a legit Chase login page, it doesn't matter that the page isn't SSL, because the data won't be transmitted until it's encrypted & that's true. The problem with this is one of education & appearances of a website asking for sensitive data. It should be a common practice that if a page isn't encrypted, don't trust it with your stuff. Maybe now that Chase is coming onboard more will follow. |
|
sivranVive Vivaldi Premium Member join:2003-09-15 Irving, TX |
to therube
said by therube:Anyhow, in other forums, I have been known to use this tagline: BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE And it is so. They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horses posterior. I have to assume they do this to totally piss of their customers - at least this one (or perhaps in the name of "security"). How so? The basic layout and information provided on bofa online has not changed in years. They've added a few bells and whistles, true, but it's still the same number of clicks, the same layout, the same information to pay your bills or look over your accounts as it's been for years. Heck, they even encrypted their main page finally. Personally I find it much better than WaMu's online banking. Though admittedly, WaMu's is cleaner. |
|