Bank's defense of bad security: Everyone else does it

Summary: When I wrote "Many Banks failing to use SSL authentication", I was surprised to see how many people didn't get it and actually got angry with me for pointing out a serious security issue with online banking even though all the security experts agree that this is a real serious problem. But even more of a surprise, one of my more astute readers "CitizenW" pointed out to me that Navy Federal has this explanation for their bad security. Now I can understand if some people misunderstood me, but this is an official ignorance from the Bank!

When I wrote "Many Banks failing to use SSL authentication", I was surprised to see how many people didn't get it and actually got angry with me for pointing out a serious security issue with online banking even though all the security experts agree that this is a real serious problem.  But even more of a surprise, one of my more astute readers "CitizenW" pointed out to me that Navy Federal has this explanation for their bad security.  Now I can understand if some people misunderstood me, but this is an official ignorance from the Bank!  If this security hole isn't fixed immediately, I'm going to keep escalating the situation until they do.  Here is my official response to Navy Federal and the people who run their online systems and I am going to send a copy of this letter to their management.

Navy Federal:
In fact, the home page itself is informational and not encrypted.  Therefore it does not display the familiar "Lock" symbol in the bottom right-hand corner, nor does the address line begin with https.  However, it is "safe" to enter your sign-on information from the home page.  Your Access Number, User ID and Password are not transmitted until you click the "Sign On" button.

My response:
Safe?  Whoever told you this is "safe" needs to be fired!  If your home page is NOT using HTTPS and it DOESN'T have the SSL security "lock" icon, how do I know I'm on the Navy Federal Website?  Oh, because DNS tells me it is?  What happens if someone poisons a DNS server cache or performs a man-in-the-middle attack and hijacks DNS?  Such an attack is trivial from a hotspot or any home that's running no encryption or WEP encryption.  Are you telling me that this isn't your problem?  If you were using HTTPS with the SSL security "lock" icon, it wouldn't matter if the DNS is hijacked or if there is a man in the middle because the user would know it's not Navy Federal.  The fact that you perform encryption on the username and password is useless if the user doesn't know whether they're on the real Navy Federal website or not.  Once they've entered the Access Number, User ID, and Password, what good is SSL if the user has already fed that information to the attacker?

Navy Federal:
Signing on to secure sites from an unsecure page is a common industry practice, and not unique to Navy Federal. You may see this same functionality at other Web sites.

My response:
No you're not unique; you're just among the batch of ignorant American Banks that don't understand basic SSL server side authentication.  As a proud American I'm embarrassed to say only American Banks are so ignorant.  None of the Canadian and European Banks are this ignorant of basic online security.  But do me a favor and run this portion of your answer past your legal department and ask them if "but your Honor, everyone else does it" will ever fly in a class-action lawsuit.

Navy Federal:
Please note: Navy Federal can only take steps to establish a secure, encrypted connection after you click on the "Sign On" button. To help protect the information that you enter into your computer's browser before the secure connection is established (such as your Access Number, User ID and Password), we highly recommend that you install the following security software on your personal computer (PC): anti-virus software, a firewall and spyware detection software.

My response:
Yes, you're not at fault if the user is careless with their own computer security, but you are responsible for using basic SSL security and you're failing that miserably.  Banking fraud is everyone's problem because we the consumers end up paying for it one way or another.  You and every other Bank that doesn't use an HTTPS login page need to fix this immediately.
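The check the response above argues for, as an added example that is not part of the original post: a small Python audit that flags a password form whenever the page carrying it is plain HTTP, even if the form's action is HTTPS (the Navy Federal arrangement), since that page can be swapped by DNS hijacking or a man in the middle before any TLS handshake happens. The bank.example host and the sample HTML are constructed.

```python
# Added example (not from the post): audit whether a login form is protected by
# the page that CARRIES it, not only by its form action. Host and HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_login_page(page_url, html):
    """One (action, verdict) per password form; 'ok' only if page AND action are https."""
    p = _FormFinder()
    p.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    out = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        action = urljoin(page_url, f["action"]) if f["action"] else page_url
        if page_https and urlsplit(action).scheme == "https":
            verdict = "ok"
        elif urlsplit(action).scheme == "https":
            # Encrypted POST but unauthenticated page: the user cannot tell a
            # spoofed copy of this page from the real one before submitting.
            verdict = "insecure-page"
        else:
            verdict = "cleartext"
        out.append((action, verdict))
    return out


# Constructed sample: an http home page carrying a form that posts to https.
SAMPLE_HTML = ('<form action="https://bank.example/signon" method="post">'
               '<input name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    print(audit_login_page("http://bank.example/", SAMPLE_HTML))
```

The same function applied to a page fetched over HTTPS with an HTTPS (or relative) action returns "ok", which is the arrangement the post asks the banks to adopt.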

Talkback

61 comments
  • You've been writing to the TalkBack audience too long...

    There are polite ways to tell people that they are making a mistake.
    Flaming on your introductory communication is probably not the
    most effective way to generate behavior modification.
    palmwarrior
    • Yes, I tried that the first time

      This is the second time around, and I'm just getting really annoyed at the lackadaisical behavior of "everyone else is doing it". Yes I was very blunt (perhaps too rough), but I'm trying to voice the frustrations of the consumer against Banks that don't seem to care about basic security. Remember it's your money and my money they're playing with. In any case, I'm sorry if the message offends you or anyone else.
      georgeou
      • But that would require work

        Typical American Response. Why should we do something if it works as is, who cares if it is secure or not.

    Sounds like what I would do when running networks. Who would expect to find a wireless network in the middle of nowhere anyway, right? Whoops, caught me with my pants down and now I have to either set up some hardcore encryption or start running cable to everything.
        nucrash
        • Of course that's past tense

          I learned my lesson and fortunately someone educated me without creating a mess of things.
          nucrash
    • cough cough

      George wrote;

      If this security hole isn't fixed immediately, I'm going to keep escalating the situation until they do. Here is my official response to Navy Federal and the people who run their online systems and I am going to send a copy of this letter to their management.

      Just out of curiosity, where would you start with your complaint??? A low level teller at a bank, or would you actually start with the
      Administrative Contact or Technical Contact listed on, oh let's say, easywhois.com?? Or perhaps call one of the numbers listed there? Now to be honest I don't know if those contacts are still there or not, but wouldn't one start there?

      Also, I understand the point of not "knowing" if a user is really at navyfederal.com, but when you do click sign on it does show it is an https link. And since from my reading of stats the majority of internet users are still on dial up, they will see that link at the bottom of the screen for quite a while.

      Also, you go on rants occasionally about security, which is fine because it does educate the readers. However, would it not be more beneficial to actually educate readers on how security works???

      just my 4cents worth
      richvball44
      • cough cough

        The point is that once you click on the "sign in" button it is too late, regardless of where it looks like it takes you. If the page you are on (the enter login information page) is SSL, then the site certificate is valid (unless you get the warnings) and you can be confident that you are actually on the site that you think you are.
        wthomson
  • A better defense.

    Since you're most likely running some version of Windows, you've probably been Pwned anyway. So why bother?
    Letophoro
    • Oh that's ideal

      We are all going to die eventually, so let's take our cyanide pill now and forget the rest.

      Or, why not post your ATM number with your PIN on Myspace. You figure with Windows, it will happen eventually, just give me your money now and save me the trouble of having to rob you.
      nucrash
      • he-he

        Good response.
        georgeou
      • Sarcasm is wasted on you, isn't it?

        In a strange twist of fate, I actually agree with George on the issue of banking security. I am a member of Navy Federal, and I've written to them in the past about their lack of security. Their responses (when I've gotten one) have been pro forma at best. I was simply throwing out something unrelated to the topic at hand - much like George turns a discussion of MS's latest patch into a diatribe against Linux or FireFox.
        Letophoro
        • Yes it is

          Am generally pretty bad with web sarcasm. For Research I go to uncylopedia.com to educate myself better.
          nucrash
  • Very Nice

    I would agree that you are talking to these guys as a bunch of incompetent fools, but they pretty much asked for it. Their defense is highly lacking, much like their security.

    Send them some Paypal Spam and see how many login/passwords you get back from these guys.
    nucrash
  • Try this one

    Citibank has a random, one-time-use credit card number generator for online purchases. I think it's a great idea! Now for the gotcha - you can ONLY use it with IE! Not something that I would recommend.
    Roger Ramjet
    • I've used it with Firefox and Safari...

      It's a nice idea. Citibank complains when I run Firefox on SuSE but it gives me access to the credit card number generator anyway. Citibank supports Firefox and Safari on the Mac.
      palmwarrior
    • Not True, Roger

      No, you can utilize Citi VAN one-time-use credit card numbers on a Linux system with Konqueror or Firefox; I do it regularly. What you can't do is run the local desktop implementation.
      ebrke
      • Citibank

        Also, Citi does present a secure page from which to login without your having to search for it, as with Bank of America.
        ebrke
      • SURE it does . . .

        [Confirmation

        Congratulations! You have successfully launched Virtual Account Numbers.

        To get started now...

        step 1
        with your Cardmember User ID and Password.

        step 2

        step 3
        at your favorite online store. Next time you're ready to shop, just click on one of the icons shown below from your desktop to quickly launch your Virtual Account Numbers software.

        NOTE: For your protection, you will be automatically logged out of citicards.com when you login to Virtual Account Numbers ]

        No pop up (blocker wasn't active), no nothing. Just a success page - with no links. Is this thing Java? I thought I had java loaded . . .
        Roger Ramjet
    • Other banks can do that as well

      As an American living in Sweden, my bank allows a one-time card number with a limit, or even limit its usage to one site. It works well in Firefox, though the only gripe I've had is its ability to autocopy into the form I'm using. Bank is fsb.se (in Swedish)
      Free_Thinker
  • Federal Mandates?

    Do Federal mandates exist and, if so, do U.S. Banks have the obligation to follow them?

    [url=http://www.zdnet.com/5208-10533-0.html?forumID=1&threadID=20401&messageID=391545&start=1]Tombalablomba's Banking system[/url] 'has it right'!

    I should think this issue would potentially expose Banks to 'class action' suits!
    D T Schmitz
    • Whoopsie. Wrong link

      Sorry. Wrong link. (I hate it when that happens.)

      Here's what [url=http://www.zdnet.com/5208-10533-0.html?forumID=1&threadID=20401&messageID=391545&start=1]Tombalablomba had to say[/url]
      D T Schmitz