May 16th, 2006

Bank's defense of bad security: Everyone else does it

Posted by George Ou @ 11:54 pm

Categories: Security


When I wrote "Many Banks failing to use SSL authentication", I was surprised to see how many people didn't get it and actually got angry with me for pointing out a serious security issue with online banking, even though all the security experts agree that this is a real, serious problem. But even more of a surprise, one of my more astute readers, "CitizenW", pointed out to me that Navy Federal has this explanation for their bad security. Now I can understand if some people misunderstood me, but this is official ignorance from the bank! If this security hole isn't fixed immediately, I'm going to keep escalating the situation until they do. Here is my official response to Navy Federal and the people who run their online systems, and I am going to send a copy of this letter to their management.

Navy Federal:
In fact, the home page itself is informational and not encrypted.  Therefore it does not display the familiar "Lock" symbol in the bottom right-hand corner, nor does the address line begin with https.  However, it is "safe" to enter your sign-on information from the home page.  Your Access Number, User ID and Password are not transmitted until you click the "Sign On" button.

My response:
Safe? Whoever told you this is "safe" needs to be fired! If your home page is NOT using HTTPS and it DOESN'T have the SSL security "lock" icon, how do I know I'm on the Navy Federal website? Oh, because DNS tells me it is? What happens if someone poisons a DNS server cache or performs a man-in-the-middle attack and hijacks DNS? Such an attack is trivial from a hotspot or any home that's running no encryption or WEP encryption. Are you telling me that this isn't your problem? If you were using HTTPS with the SSL security "lock" icon, it wouldn't matter if the DNS is hijacked or if there is a man in the middle, because an attacker can't present a valid certificate for your domain, so the browser would warn the user and the user would know it's not Navy Federal. The fact that you perform encryption on the username and password is useless if the user doesn't know whether they're on the real Navy Federal website or not. Once they've entered the Access Number, User ID, and Password, what good is SSL if the user already fed that information to the attacker?

Navy Federal:
Signing on to secure sites from an unsecure page is a common industry practice, and not unique to Navy Federal. You may see this same functionality at other Web sites.

My response:
No, you're not unique; you're just among the batch of ignorant American banks that don't understand basic SSL server-side authentication. As a proud American I'm embarrassed to say only American banks are so ignorant. None of the Canadian and European banks are this ignorant of basic online security. But do me a favor and run this portion of your answer past your legal department and ask them if "but your Honor, everyone else does it" will ever fly in a class-action lawsuit.

Navy Federal:
Please note: Navy Federal can only take steps to establish a secure, encrypted connection after you click on the "Sign On" button. To help protect the information that you enter into your computer’s browser before the secure connection is established (such as your Access Number, User ID and Password), we highly recommend that you install the following security software on your personal computer (PC): anti-virus software, a firewall and spyware detection software.

My response:
Yes, you're not at fault if the user is careless with their own computer security, but you are responsible for using basic SSL security, and you're failing that miserably. Banking fraud is everyone's problem because we the consumers end up paying for it one way or another. You and every other bank that doesn't use an HTTPS login page need to fix this immediately.
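To make the distinction argued above concrete (a form that posts to HTTPS is not enough; the page that carries the form must itself be served over HTTPS so the user can verify the server before typing anything), here is an added example, my own code and not from the post or from any bank. It is a small Python audit that classifies each login form on a page: "ok" only when both the page URL and the form's submit target are HTTPS, "page-not-https" for the Navy Federal pattern, and "action-not-https" when the credentials would travel in cleartext. The page URLs and HTML below are constructed samples, and bank.example is a placeholder host.

```python
"""Audit login forms for the HTTP-page / HTTPS-action pattern.

Added example (not from the original post). The HTML and URLs are
constructed samples; bank.example is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form on the page that has a password field.

    Verdicts, checked in order of severity:
      "action-not-https": credentials would be posted in cleartext.
      "page-not-https":   the form posts to HTTPS, but the page carrying it
                          is plain HTTP, so nothing authenticated the server
                          that served the form (the pattern the post attacks).
      "ok":               page and submit target are both HTTPS.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue  # not a credential form (e.g. a site search box)
        # A missing or relative action submits relative to the page itself.
        action_url = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlsplit(action_url).scheme.lower()
        if action_scheme != "https":
            verdict = "action-not-https"
        elif page_scheme != "https":
            verdict = "page-not-https"
        else:
            verdict = "ok"
        findings.append({"action": action_url, "verdict": verdict})
    return findings


# Constructed sample: an unencrypted home page whose sign-on form posts to
# HTTPS, alongside a search form that collects no credentials.
HOME_PAGE_HTML = """<html><body>
<form action="https://bank.example/signon" method="post">
  <input type="text" name="access_number">
  <input type="text" name="user_id">
  <input type="password" name="password">
  <input type="submit" value="Sign On">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>"""

# Constructed sample: a sign-on form with a relative action, so its scheme
# is inherited from whatever page served it.
RELATIVE_FORM_HTML = """<form action="/signon" method="post">
  <input type="password" name="password">
</form>"""


def demo():
    """Run the three scenarios and return {scenario: verdict}."""
    return {
        "http page, https action": audit_login_forms("http://bank.example/", HOME_PAGE_HTML)[0]["verdict"],
        "https page, https action": audit_login_forms("https://bank.example/login", HOME_PAGE_HTML)[0]["verdict"],
        "http page, relative action": audit_login_forms("http://bank.example/", RELATIVE_FORM_HTML)[0]["verdict"],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The order of the checks matters: a cleartext submit target is reported ahead of the page scheme because it is the worse finding, and a page served over HTTPS only earns "ok" when the action is HTTPS too. Forms without a password field are skipped so a site search box on the same page does not produce noise.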

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback (61 comments)
You've been writing to the TalkBack audience too long...  palmwarrior | 05/17/06
Yes, I tried that the first time  georgeou | 05/17/06
But that would require work  nucrash | 05/17/06
Of course that's past tense  nucrash | 05/17/06
cough cough  richvball44 | 05/18/06
cough cough  wthomson | 05/18/06
A better defense.  Letophoro | 05/17/06
Oh that's ideal  nucrash | 05/17/06
he-he  georgeou | 05/17/06
Sarcasm is wasted on you, isn't it?  Letophoro | 05/17/06
Yes it is  nucrash | 05/17/06
Very Nice  nucrash | 05/17/06
Try this one  Roger Ramjet | 05/17/06
I've used it with Firefox and Safari...  palmwarrior | 05/17/06
Not True, Roger  ebrke | 05/17/06
Citibank  ebrke | 05/17/06
SURE it does . . .  Roger Ramjet | 05/18/06
Other banks can do that as well  Free_Thinker | 06/20/06
Federal Mandates?  D. T. Schmitz | 05/17/06
Whoopsie. Wrong link  D. T. Schmitz | 05/17/06
One more time.  D. T. Schmitz | 05/17/06
Why not just hand out RSA tokens too  nucrash | 05/17/06
How to log in securely to NFCU.  Letophoro | 05/17/06
good idea?  richvball44 | 05/18/06
Re: How to log in securely to NFCU.  filrod@... | 05/20/06
That isn't the problem  georgeou | 05/20/06
How To...  kwil | 06/16/06
WaMu home page has http:// but...  What the ...! | 05/17/06
How to do secure online banking the right way  tech_ed@... | 05/17/06
Nice approach - what about disabled access?  gardoglee | 05/17/06
Re: How to do secure online banking the right way  mboman | 06/04/06
What else aren't they doing?  schwana | 05/17/06
Another question  gardoglee | 05/17/06
That's not really the problem  georgeou | 05/17/06
Stupid is as Stupid does Gumpy  robertk2 | 05/17/06
Ridiculous  giskard | 05/17/06
Other irritating security methods  TonyMcS | 05/17/06
Yes, mine does the same thing  georgeou | 05/17/06
Keep up the good fight George  BFD | 05/17/06
You're right about security  georgeou | 05/17/06
"Fidiots actually got angry with me ...  Boomslang | 05/17/06
And why it's important that the login page be served securely...  Boomslang | 05/18/06
bank security  sussex pete | 05/17/06
Interesting topic  Aaron A Baker | 05/18/06
Navy Federal's argument  bruce@... | 05/18/06
Navy Federal's argument  J.Lebel | 05/18/06
Bank Defense??????????  Mrs_T | 05/18/06
With all this and Diebold ATMs  nucrash | 05/18/06
Thanks, more to come  georgeou | 05/18/06
Interesting blog George  stevey_d | 05/18/06
I haven't had a chance to try that yet  georgeou | 05/18/06
American Express does the same  sylerner | 05/25/06
Um that is perfectly ok  bl0rq | 06/01/06
You Do Not Get It  megazone | 06/01/06
Chase Bank  xrayman | 06/01/06
300 online banks redirected by hackers  frifawnwolf@... | 06/06/06
What you're not considering...  eseilenna | 06/07/06
not necessarily  eseilenna | 06/07/06
SSL and Criminal  kwil | 06/16/06
Unsecure LOGIN at Chase and their DEFENSE of it!!!  Tankerhank | 10/10/06
Unsecure LOGIN at Chase and their DEFENSE of it!!!  chaseuser1 | 03/07/07