<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Chase Bank responds to Website Security Design Flaws in Security</title>
<link>http://www.dslreports.com/forum/r20972147</link>
<description></description>
<language>en</language>
<pubDate>Tue, 01 Dec 2009 13:32:35 EDT</pubDate>
<lastBuildDate>Tue, 01 Dec 2009 13:32:35 EDT</lastBuildDate>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20981114</link>
<description><![CDATA[<A HREF="/useremail/u/874811"><b>sivran</b></A> : <div class="bquote"><small>said by  therube <A HREF="/useremail/u/1107429"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Anyhow, in other forums, I have been known to use this tagline:<br><br>BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE<br><br>And it is so.  They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horse's posterior.  I have to assume they do this to totally piss off their customers - at least this one (or perhaps in the name of "security").<br></div>How so? The basic layout and information provided on bofa online has not changed in years. They've added a few bells and whistles, true, but it's still the same number of clicks, the same layout, the same information to pay your bills or look over your accounts as it's been for years.<br><br>Heck, they even encrypted their main page finally. <br><br>Personally I find it much better than WaMu's online banking. Though admittedly, WaMu's is cleaner.<br><small>--<br>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon pro<b>fit</b>able cause...</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20981114</guid>
<pubDate>Wed, 20 Aug 2008 17:38:41 EDT</pubDate>
</item>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20977401</link>
<description><![CDATA[<A HREF="/useremail/u/795407"><b>SnowyOne</b></A> : <div class="bquote"><small>said by  therube <A HREF="/useremail/u/1107429"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured?  And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password.<br></div>The login data was transmitted via SSL regardless of whether the page it was entered into was encrypted or not.<br>A short-sighted view would be that when entering your data in a legit Chase login page, it doesn't matter that the page isn't SSL, because the data won't be transmitted until it's encrypted & that's true.<br>The problem with this is one of education & the appearance of a website asking for sensitive data.<br>It should be common practice that if a page isn't encrypted, you don't trust it with your stuff.<br>Maybe now that Chase is coming onboard more will follow.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20977401</guid>
<pubDate>Wed, 20 Aug 2008 00:09:03 EDT</pubDate>
</item>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20977392</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : Chase was allowing a secured login from an insecure page.  The dslreports link you gave does the same, but at least it isn't a bank.<br><small>--<br>AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20977392</guid>
<pubDate>Wed, 20 Aug 2008 00:07:36 EDT</pubDate>
</item>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20977331</link>
<description><![CDATA[<A HREF="/useremail/u/1107429"><b>therube</b></A> : Well looky here, an insecure page that purports to have a secure login.  A little gold lock & all:<br><br><A HREF="http://www.dslreports.com/login/L3ByaXZhY3k=?secure=1">http://www.dslreports.com/login/L3ByaXZhY3k=?secure=1</a><br><br>So I'm confused - kind of.<br><br>Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured?  And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password.<br><br>There is a difference.  And the wording used to describe it can skew one's judgments on the matter.<br><br>Anyhow, in other forums, I have been known to use this tagline:<br><br>BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE<br><br>And it is so.  They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horse's posterior.  I have to assume they do this to totally piss off their customers - at least this one (or perhaps in the name of "security").<br><br>When this DNS issue came up, I was glad that BoA had that "sitekey" authentication tool, as I <i>believe</i> that by virtue of seeing your key, it lessened fears that you were ending up at a spoofed page.<br><br>EDIT:<br><br>Revised dslreports link, <A HREF="http://www.dslreports.com/login?secure=1">http://www.dslreports.com/login?secure=1</a>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20977331</guid>
<pubDate>Tue, 19 Aug 2008 23:51:18 EDT</pubDate>
</item>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20972569</link>
<description><![CDATA[<A HREF="/useremail/u/795407"><b>SnowyOne</b></A> : <div class="bquote"><small>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>While Chase now uses a secure login on their main webpage Chase still presents security and contact information on INSECURE pages which can lead to phishing attacks.  Plus, Chase still has work to do on login as it is still possible to login on an insecure Chase page but not easy like it was for several years.<br> </div>The number of "http" pages where a login is possible is considerable. One area where they may have missed the boat is on their security pages. It would make sense to encrypt those pages, if for no other reason than to illustrate what an "https" page looks like.<br>&raquo;<A HREF="http://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/privacy_security/protection/page/security_home" >www.chase.com/ccp/index.jsp?pg_n&middot;&middot;&middot;ity_home</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20972569</guid>
<pubDate>Tue, 19 Aug 2008 03:10:44 EDT</pubDate>
</item>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20972441</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : Obviously, you didn't read the authors' paper nor did you watch the videos or you would not claim that the login was still secure. <br><br>As for a fake lock, obviously you don't use Fx3.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20972441</guid>
<pubDate>Tue, 19 Aug 2008 02:07:29 EDT</pubDate>
</item>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20972170</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : The login itself was still secure. Plus for phishing purposes putting a little lock on the bottom would not be that hard. At least good enough to fool most people. Just copy the website. Put a little fake lock and phish away. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20972170</guid>
<pubDate>Tue, 19 Aug 2008 00:19:54 EDT</pubDate>
</item>

<item>
<title>Re: Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20972147</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : <div class="bquote"><small>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Finally, Chase Manhattan Bank is again using SSL for its main webpage and login from that page.</div>I'm guessing that the recent problems with DNS cache poisoning might have been one of the motivations.<br><br><div class="bquote">The link below has links to the videos and to the pdf version of the research paper.<br><br><A HREF="http://www.eecs.umich.edu/%7Eaprakash/?prxsniff%3Ahtml&prx-ref%3Ahttp%3A//www.eecs.umich.edu/">aprakash page at eecs.umich.edu</a> </div>Repeated the above link, since it was not clickable in Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>'s post (site software was confused by the embedded ":").<br><small>--<br>AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20972147</guid>
<pubDate>Tue, 19 Aug 2008 00:13:37 EDT</pubDate>
</item>

<item>
<title>Chase Bank responds to Website Security Design Flaws</title>
<link>http://www.dslreports.com/forum/remark,20971933</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : Finally, Chase Manhattan Bank is again using SSL for its main webpage and login from that page.  Evidently, this results from a very interesting study on banking website security design flaws presented at SOUPS'08 July 23-25, 2008. Chase was one of 214 financial institutions whose websites were studied for security design flaws.  While Chase now uses a secure login on their main webpage, Chase still presents security and contact information on INSECURE pages which can lead to phishing attacks.  Plus, Chase still has work to do on login as it is still possible to login on an insecure Chase page but not easy like it was for several years.  I protested to Chase, and in several threads on this forum, when Chase switched to insecure login on its main webpage back in 2006 and got nowhere with Chase. When they switched to insecure login, the chaseonline site login page was hidden and it took me 30 minutes to find it. When I called Chase online, the tech said they had been looking for the secure login page and asked me how I found it. Later, Chase made the chaseonline page easier to find but continued with an insecure login on the main page until this study, and the various Quicktime videos, I guess embarrassed them enough that they finally changed it.  Not only does Chase still provide contact information on insecure pages, but as far as I know they still do not require difficult passwords and difficult user IDs. <br><br>As this study points out, Chase and other banks need to do exactly what my home bank, Bank of Hawaii (boh.com), has done for some time now: encrypt the entire site. With Chase I was going back and forth from secure to insecure pages a few minutes ago after trying the new secure login on Chase's main page (instead of going directly to the chaseonline login page and avoiding login on chase.com) which redirects to chaseonline. 
I ended up not being able to logout properly because, by going back and forth between secure and insecure pages, I lost the tab where I was logged into my credit card account. It appears that losing the tab automatically closed the connection as I had to login again, but still that is a little disturbing. As the paper's authors state, if the entire banking site was encrypted then no problems regarding insecure pages for FAQ, contact information, etc. would happen. <br><br>I actually installed Quicktime (old version on a not much used virtual machine) so I could watch the videos on Chase problems.  The link below has links to the videos and to the pdf version of the research paper.<br><br>&raquo;<A HREF="http://www.eecs.umich.edu/%7Eaprakash/?prxsniff%3Ahtml&prx-ref%3Ahttp%3A//www.eecs.umich.edu/">www.eecs.umich.edu/%7Eaprakash/?&middot;&middot;&middot;ich.edu/</A><br><small>--<br>"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20971933</guid>
<pubDate>Mon, 18 Aug 2008 23:07:34 EDT</pubDate>
</item>

</channel>
</rss>
