

therube

join:2004-11-11
Randallstown, MD


1 edit
reply to Mele20
Re: Chase Bank responds to Website Security Design Flaws

Well looky here, an insecure page that purports to have a secure login. A little gold lock & all:

http://www.dslreports.com/login/L3ByaXZhY3k=?secure=1

So I'm confused - kind of.

Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured? And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password.

There is a difference. And the wording used to describe it can skew one's judgments on the matter.

Anyhow, in other forums, I have been known to use this tagline:

BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE

And it is so. They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horse's posterior. I have to assume they do this to totally piss off their customers - at least this one (or perhaps in the name of "security").

When this DNS issue came up, I was glad that BoA had that "sitekey" authentication tool, as I believe that by virtue of seeing your key, it lessened fears that you were ending up at a spoofed page.

EDIT:

Revised dslreports link, http://www.dslreports.com/login?secure=1


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
Chase was allowing a secured login from an insecure page. The dslreports link you gave does the same, but at least it isn't a bank.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

reply to therube
said by therube:

Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured? And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password.
The login data was transmitted via SSL regardless of whether the page it was entered into was encrypted or not.
A short-sighted view would be that when entering your data in a legit Chase login page, it doesn't matter that the page isn't SSL, because the data won't be transmitted until it's encrypted & that's true.
The problem with this is one of education & appearances of a website asking for sensitive data.
It should be a common practice that if a page isn't encrypted, don't trust it with your stuff.
Maybe now that Chase is coming onboard more will follow.


sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
·RoadRunner Cable

reply to therube
said by therube:

Anyhow, in other forums, I have been known to use this tagline:

BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE

And it is so. They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horse's posterior. I have to assume they do this to totally piss off their customers - at least this one (or perhaps in the name of "security").
How so? The basic layout and information provided on bofa online has not changed in years. They've added a few bells and whistles, true, but it's still the same number of clicks, the same layout, the same information to pay your bills or look over your accounts as it's been for years.

Heck, they even encrypted their main page finally.

Personally I find it much better than WaMu's online banking. Though admittedly, WaMu's is cleaner.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...