Bank Sites Still Driven by Marketers

For years, banks, e-commerce companies and other operators of Web sites that deal in personal financial information have trained customers to look for the little "padlock icon" in the corner of their Web browser window. That padlock indicates that users are connected via a secure server, and it has become a trusted seal for Internet transactions.

Increasingly, however, many of the nation's largest financial institutions are doing away with the padlock on their home pages, a development that some experts say could lead more consumers to fall prey to phishing scams.

The padlock is a visual indication that a Web site uses what's known as "secure sockets layer," or SSL, technology. SSL allows Web site visitors both to verify (with a fair degree of accuracy) the identity of the company they're about to do business with and to ensure that the information transmitted -- usually usernames and passwords -- cannot be easily read by anyone who might intercept it along the way. The Web addresses of sites that use SSL begin with "https://".

If you visit a big bank that still does it the old way, Suntrust.com for example, you will see upon landing at the home page a yellow padlock icon in the bottom right corner of the browser. Click on it and the browser lists the site's certificate details -- the company the certificate was issued to and the third party that verified it -- which allow you to be reasonably certain that you are in fact at Suntrust bank's official site.

However, Web sites for Bank of America, Wachovia, American Express and Chase no longer cause a user's browser to display the little padlock as they did in years past, according to a blog entry from the folks over at Netcraft, a Web security firm based in Bath, England.

The Bank of America site, for example, does have a tiny padlock to the right of the username and password box, but clicking on it only brings up a Web page explaining what SSL is all about, and doesn't offer any of the details that would allow visitors to make an informed decision about whether to trust the site.

Until recently, these institutions required customers who wanted to access their information via the site to click on a link on the homepage that took them to the account login page. Now, all of the above-mentioned institutions (and probably many others) include the customer login form on their homepages.

The home page itself is not protected with SSL, so it arrives with no padlock icon and no "https://" address. The login form on it is written to submit the "username" and "password" boxes to an SSL-protected address, so the credentials are encrypted in transit, but the padlock and "https://" show up only after the information has been submitted. The catch is that the address the form submits to is set by the unencrypted page, so a visitor has no way to check, before typing in a password, that the form really goes to the bank.
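Whether a page follows this pattern can be checked mechanically from its markup. The following is an added example, not code from the post or from any of the banks it names; the hostnames and the two sample pages are constructed for illustration. It resolves each password form's submit target the way a browser would and separates three cases: an https page posting to https, an http page posting to https (the pattern described above, where the credentials are encrypted but the visitor cannot verify the form's destination before submitting), and anything posting to plain http.

```python
"""Audit a page's login forms for the pattern the post describes: a page
served over plain http:// whose username/password form posts to https://.

Added example; not code from the post or from any bank it names. The URLs
and HTML below are constructed for illustration.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


VERDICT_OK = "page and submit target both https"
VERDICT_UNVERIFIABLE = ("http page posts to https: encrypted in transit, but the "
                        "visitor cannot verify the form before submitting")
VERDICT_CLEARTEXT = "credentials submitted over plain http"


@dataclass
class LoginForm:
    """One <form> that contains a password field."""
    action: str   # raw action attribute; may be relative or empty
    target: str   # action resolved against the page URL, as a browser would
    verdict: str  # one of the VERDICT_* strings above


class _FormFinder(HTMLParser):
    """Collect [action, has_password] for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attrs come back as None
        if tag == "form":
            self._open = [a.get("action", ""), False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            # Browsers treat a missing type attribute as type="text".
            if a.get("type", "text").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_forms(page_url, html):
    """Return a LoginForm for each form on the page that collects a password."""
    finder = _FormFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for action, has_password in finder.forms:
        if not has_password:
            continue
        # An empty or relative action submits back to the page's own origin.
        target = urljoin(page_url, action)
        target_scheme = urlsplit(target).scheme.lower()
        if target_scheme != "https":
            verdict = VERDICT_CLEARTEXT
        elif page_scheme == "https":
            verdict = VERDICT_OK
        else:
            verdict = VERDICT_UNVERIFIABLE
        results.append(LoginForm(action=action, target=target, verdict=verdict))
    return results


# Constructed sample pages; the hostnames are placeholders, not real banks.
HTTP_HOME_PAGE = """
<html><body>
<form action="https://login.example-bank.test/signin" method="post">
  Online ID <input name="id" type="text">
  Passcode <input name="passcode" type="password">
  <input type="submit" value="Sign In">
</form>
<form action="/search"><input name="q" type="text"></form>
</body></html>
"""

HTTPS_LOGIN_PAGE = """
<html><body>
<form action="/signin" method="post">
  <input name="id"><input name="passcode" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, page in [("http://www.example-bank.test/", HTTP_HOME_PAGE),
                      ("https://login.example-bank.test/", HTTPS_LOGIN_PAGE)]:
        for form in audit_login_forms(url, page):
            print(f"{url} -> {form.target}: {form.verdict}")
```

Run as a script, it reports the constructed home page's login form as encrypted-but-unverifiable and the https login page as fine. The middle verdict is exactly what the padlock cannot show a visitor: the form and its action attribute were delivered without authentication, so anyone who can alter the page in transit can point the form elsewhere before the encrypted leg ever begins.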

Bank of America said it made the change as a matter of convenience for its customers: "To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Please be assured that your ID and passcode are secure and that only Bank of America has access to them."

This strikes me as an unfortunate development, for a number of reasons. For one, the banks themselves have spent the better part of the past decade training customers to look for the padlock icon. What's more, the major financial institutions -- including American Express -- have required online merchants to display the padlocks as a condition of allowing them to process credit card transactions.

In addition, the Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock and https:// when accepting user credentials.

Granted, encrypted pages generally take a fraction of a second longer to load than non-encrypted ones, and undoubtedly many people visiting the bank sites are there for information other than logging into their account. Plus, banks have enormous customer bases and can't reliably predict how many traditional customers will suddenly want to start banking online or accessing their accounts over the Web site, said Chuck Wade, principal at Hopkinton, Mass.-based Interisle Consulting, a company that works with banks on security issues.

"The major banks have giant scale issues ... they have such huge populations of customers that they are now starting to approach problems previously only seen by federal government Web sites," Wade said.

And it's not as if phishers and other bad guys haven't figured out ways to spoof or fake the little padlock icon at counterfeit bank sites.

Still, Wade said, moving away from displaying SSL on homepages risks unraveling years of consumer education.

"The same institutions that have been actively involved in educating consumers about what to expect in a safe site are suddenly shifting their policies. Unfortunately, this is yet another case of the marketing folks [at the banks] driving what happens on their site rather than the security people," Wade said.

By Brian Krebs  |  August 23, 2005; 5:40 PM ET
Categories:  From the Bunker  

Comments

"...we have made signing in to Online Banking secure without making the entire page secure..."

What?

I've worked in the financial industry...and know that there are many, many banks and credit card companies that have old, out-of-date processes, and they move at a glacial pace when it comes to change or updating.

The thing is, I'd be willing to update my browser software for the sake of security. If the banks decided to downgrade their security in order to meet the needs of their customer (and at the same time, make things less secure) then maybe it's an issue for the customer, not the bank.

Of course, it's also the end users themselves that are being targeted...home systems are getting compromised because it's easier to do that than break into a bank. Remember the guy in Manhattan a couple of years ago who loaded keyloggers on Kinko's PCs? He collected 450 online banking account username/password pairs.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted by: H. Carvey | August 24, 2005 7:33 AM

This is a huge step backward for secure banking. Haven't these banks ever heard of phishing?

What they are doing is creating a less secure and less trusted environment. If these banks can't afford to deploy the technology necessary to support the use of real security on the home page, then they should simply move the user login off the home page to a page that can support SSL.

Who are the security "experts" that are advising these banks. Yikes!

Posted by: say_what | August 24, 2005 1:56 PM

Hi,

This is just one of a large number of technical issues associated with online banking web sites.

I discuss it, and a number of others, in a talk I was invited to give May 5th, 2005 for the Quad State [Bank] Security Officers' Conference:

"Phishing: Some Technical Suggestions for Banks and Other Financial Institutions,"
http://www.uoregon.edu/~joe/quadstate/quadstate.pdf (or .ppt)

There are MANY steps that banks could take today to improve and harden their online operations if they wanted to do so, or if they were required to do so as a matter of industry-wide regulatory mandates. Some banks are doing so today; others, obviously, aren't (yet).

Regards,

Joe St Sauver, Ph.D.

Posted by: joe st sauver | August 26, 2005 2:21 PM

Unbelievable.

Posted by: R Gariazzo | October 20, 2005 1:25 PM

The comments to this entry are closed.


© 2010 The Washington Post Company