Peter Gutmann wrote:

> (hmm, their admins must have gone to the same security night school as the BoA
> ones :-).
I don't understand how big companies can be willing to send their customers through multilayer telephone menu hell just to be put on hold for 20 minutes, but think that it is unacceptable to have to click a "Secure Online Banking" button on the home page before entering their id and password. As you have pointed out, the latter seems to be the standard for banks outside the US, and I'm sure it works for them. It looks like they are all getting their web sites from the same Hack-In-A-Box.

I just checked out my credit union in the US that used to be an example of doing things right so I could say something nice about them here, but it appears that their online management have also been replaced by the same pod people since I last had a reason to do online transactions with them. When I entered the http://www.bayfed.org URL that I'm familiar with, the first thing that happened was an immediate and invisible redirect to http://www.bayfed.com. Ok, maybe they finally bought that domain and decided to standardize on it. The behavior I remember it having a couple of years ago was an immediate redirect to https://www.bayfed.org.

There on the home page is a form to enter my member number and password and a login button. Next to it is a turquoise padlock icon labeled "security advisory". The word "advisory" led me to think, "Aha, they've succumbed to the dark side under management pressure, but at least they are going to warn me that this is not really secure and if I want to prevent any phishing attack I should do something like click on the login button without entering my information, then actually enter on the secured site". Nope. Hovering the mouse over the icon tells me that they secure their transactions using 128-bit SSL and I can get more information by clicking on the icon. Clicking it brings up a page saying...

Yes, the same pod people wrote their web site:

"Online Security Policy

You may notice when you are on our public web site that some familiar indicators do not appear in your browser to confirm the entire page is secure. These indicators include the small "padlock" icon in your browser's status area and the "https" prefix in the Address bar. To provide all of our users with the fastest and most responsive possible access to our web site, we have chosen to make the process of signing in to Online Banking secure without unnecessarily securing any additional pages on the public web site. Again, please be assured that your member number, password and other information are secure, and that Bay Federal alone has access to them: only public, non-sensitive web pages will remain unsecured, while any page that collects or reveals your sensitive personal information will continue to be handled with the strictest available security measures."

Hmm, one difference from the BoA and Wachovia examples is that this is under the heading "Security Policy". It can be argued that their unsecured home page, which collects a member number and password, violates the portion of the policy that says "only public, non-sensitive web pages will remain unsecured, while any page that collects or reveals your sensitive personal information will continue to be handled with the strictest available security measures".

By the way, it does get worse. https://www.bayfed.org gives me a warning about a certificate that expired over a year ago, then when I accept it redirects me to the unsecured http://www.bayfed.com. Clicking on the login button on the home page without entering my ID and password does not take me to a secured page that gives me a chance to log in securely -- just a page that says that the ID and/or password are not valid, with no exit other than the browser back button. So there appears to be no way to get to an SSL secured login page even if I wanted to. Well, there is a way. If I notice the URL of the invalid user error page I can guess that https://ebanking.bayfed.com/ might work, and indeed it does present a login page.

Thanks, BayFed.

--
Sidney Markowitz
http://www.sidney.com
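The pattern the post complains about, a password form on a plain-HTTP page whose action happens to point at an HTTPS host, can be checked mechanically. The following is an added example (not from the post or from any bank's site) that parses a page's HTML and reports, for each form containing a password field, whether the page itself and the form's action are served over HTTPS; the hostnames, paths and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []  # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return (action_url, page_is_https, action_is_https) for each password form.
    A False page_is_https is the post's complaint: anyone who can alter the plain-HTTP
    page can change where the credentials go, so an HTTPS action alone proves nothing."""
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if form["has_password"]:
            action = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
            findings.append((action, page_https, urlsplit(action).scheme == "https"))
    return findings

def login_forms_are_safe(page_url, html):
    """True only if every password form is on an HTTPS page and posts to HTTPS."""
    return all(p and a for _, p, a in audit_login_forms(page_url, html))

# Constructed sample, modelled on the home page described in the post: served over
# plain HTTP, with a login form posting to an HTTPS host plus a harmless search form.
SAMPLE_URL = "http://www.example.org/"
SAMPLE_HTML = ('<form action="https://ebanking.example.org/login" method="post">'
               '<input name="member" type="text"><input name="pw" type="PASSWORD">'
               '<input type="submit" value="Login"></form>'
               '<form action="/search"><input name="q" type="text"></form>')
```

Run against the constructed sample it reports the login form as unsafe because the page is HTTP, even though the action is HTTPS; the same check applied to the HTTPS sign-in page the post eventually found would pass.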
