Search:  

 
theme to white backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security » Chase Bank responds to Website Security Design Flaws
Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
(topic move) Contacting Comcast Security »
« Spyware terminator  

therube

join:2004-11-11
Randallstown, MD

1 edit

Re: Chase Bank responds to Website Security Design Flaws

Well looky here, an insecure page that purports to have a secure login. A little gold lock & all:

http://www.dslreports.com/login/L3ByaXZhY3k=?secure=1

So I'm confused - kind of.

Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured? And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password.

There is a difference. And the wording used to describe it can skew ones judgments on the matter.

Anyhow, in other forums, I have been known to use this tagline:

BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE

And it is so. They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horses posterior. I have to assume they do this to totally piss of their customers - at least this one (or perhaps in the name of "security").

When this DNS issue came up, I was glad that BoA had that "sitekey" authentication tool, as I believe that by virtue of seeing your key, it lessened fears that you were ending up at a spoofed page.

EDIT:

Revised dslreports link, http://www.dslreports.com/login?secure=1
permalink · 2008-08-19 23:51:18 · Print · Reply to this

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

Re: Chase Bank responds to Website Security Design Flaws

Chase was allowing a secured login from an insecure page. The dslreports link you gave does the same, but at least it isn't a bank.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1
permalink · 2008-08-20 00:07:36 · Reply to this

SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless
said by therube See Profile :

Chase was allowing unsecured logins, or they were allowing secured logins from a page which itself was unsecured? And by virtue of that leaves them more vulnerable to various types of attacks that may have resulted in giving up your username/password.
The login data was transmitted via SSL regardless of whether the page it was entered into was encrypted or not.
A short sighted view would be that when entering your data in a legit Chase login page, it doesn't matter that the page isn't SSL, because the data won't be transmitted until it's encrypted & that's true.
The problem with this is one of education & appearances of a website asking for sensitive data.
It should be a common practice that if a page isn't encrypted, don't trust it with your stuff.
Maybe now that Chase is coming onboard more will follow.
permalink · 2008-08-20 00:09:03 · Print · Reply to this

sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable
said by therube See Profile :

Anyhow, in other forums, I have been known to use this tagline:

BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE

And it is so. They took what was once a very useful, meaningful web site & turned it into a morass of what might come out of a horses posterior. I have to assume they do this to totally piss of their customers - at least this one (or perhaps in the name of "security").
How so? The basic layout and information provided on bofa online has not changed in years. They've added a few bells and whistles, true, but it's still the same number of clicks, the same layout, the same information to pay your bills or look over your accounts as it's been for years.

Heck, they even encrypted their main page finally.

Personally I find it much better than WaMu's online banking. Though admittedly, WaMu's is cleaner.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...
permalink · 2008-08-20 17:38:41 · Print · Reply to this
Forums » Up and Running » Security » Security(topic move) Contacting Comcast Security »
« Spyware terminator  

Thursday, 03-Dec 16:11:06 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.
page compression OFF
Most commented news this week
· [162] Comcast Releasing Promised Usage Meter
· [130] Avast Antivirus Has Gone Mad
· [103] Graduate Student Unveils Sprint's GPS Sharing With Feds
· [81] Latest Consumer Reports Survey Not Kind To AT&T
· [81] Comcast Makes NBC Universal Acquisition Official
· [70] Baltimore To Ban Lazy Cable Installs
· [64] Broadband Killed The Game Console
· [56] Sprint Defuses GPS Privacy Media Bomb
· [55] Rogers Unveils The ISP Dream Model
· [47] ACTA: Global Three Strikes
Most people now reading
· False positive in Avast! or is it real? [Security]
· Warrior tank seem underpowered these days [World of Warcraft]
· [TWC] Audio/Video outage in Brooklyn [Time Warner Cable TV/Voice]
· [Rant] Disrespect of PTO [Rants, Raves, and Praise]
· 1.7 and caller id in delaware [Verizon FIOS TV]
· Linux is terrorist - according to MS... [All Things Unix]
· Windows 7 boot manager editing questions [Microsoft Help]
· [Equipment] Ubiquiti third party firmware for the M series Bulle [Wireless Service Providers]
· PVP in wow today [World of Warcraft]
· [Scam] Cruise line mail? [Spam, Scam and Phishbusters]