Re: Bank of America - On Line Banking *NOT* Secure?

From: Bob Deblier (bob.deblier_at_nospam.com)
Date: 06/25/05


Date: Sat, 25 Jun 2005 18:25:55 GMT

On Sat, 25 Jun 2005 12:44:05 -0400, Neil - Salem, MA USA wrote:

> Could someone please check out Bank of America's web site at
> http://www.bankofamerica.com and examine it for poor or non-existent
> security?
>
> I have used On Line Banking for years ...up until a week ago. That's when
> Bank of America revised their web site. As their web site is now, any
> customer who wishes to use On Line Banking enters his or her account number
> and Passcode into form fields on a web page that is NOT secured with SSL!
>
> They do post a comment that says, "You may notice when you are on our home
> page that some familiar indicators do not appear in your browser to confirm
> the entire page is secure. Those indicators include the small "lock" icon in
> the bottom right corner of the browser frame and the "s" in the Web address
> bar (for example, "https").
>
> "To provide the fastest access to our home page for all of our millions of
> customers and other visitors, we have made signing in to Online Banking
> secure without making the entire page secure. Again, please be assured that
> your ID and passcode are secure and that only Bank of America has access to
> them."
>
> In other words, they are saying, "Trust us." They are also encouraging
> people to ignore the advice of security experts who all say, "Do NOT
> enter sensitive data into a web form if the web page does not indicate that
> it has been secured with SSL! With Internet Explorer, the simplest way to
> confirm that the page is secure is to look for the icon of the pad lock in
> the bottom right portion of the browser."
>
> It is completely irresponsible on the part of Bank of America to suggest to
> their customers that they (the customers) use a poor security practice
> (putting sensitive data into a form on an unsecured web page) - justifying
> such a suggestion with the words, "please be assured."
>
> I fear that millions of customers may be publicly exposing their account
> information on the Internet. If that is the case, this is a scandal.
>

From a quick glance at the html code of that page it seems that
all javascript code which transmits sensitive information back to BoA does
so via an https (in other words: encrypted) url. You could easily have
verified this for yourself before hitting the panic button.

Disclaimers: I'm not in any way affiliated with Bank of America. You
shouldn't be expected to trust anyone, including me. I'm not an HTML or
javascript expert. Your mileage may vary - you may not have been given the
same web page that I saw. If you want to be sure, analyze the
html/javascript code yourself, or find a security consultant you can
trust to do it for you.

Sincerely,

Bob Deblier
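The manual check described in the thread (does the sign-in form post the passcode to an https URL, and is the page carrying the form itself served over https?) can be automated. The following is an added example written for this page, not code from either poster; the page URL and HTML are constructed placeholders, not the bank's actual page.

```python
"""Check whether a sign-in form on an HTML page posts its passcode over https and whether
the page itself is https. Added example for this thread, not code from the original post."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (placeholder URL, not bankofamerica.com): an http:// page
# whose sign-in form posts to an https:// action, plus a search form for contrast.
SAMPLE_PAGE_URL = "http://www.example.com/"
SAMPLE_HTML = """<html><body>
<form id="signin" action="https://secure.example.com/login" method="post">
  <input type="text" name="account"><input type="password" name="passcode">
</form>
<form id="search" action="/search"><input type="text" name="q"></form>
</body></html>"""

class FormCollector(HTMLParser):
    """Record each <form>'s id, action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id") or "", "action": a.get("action") or "",
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """For each form that collects a password, report the resolved action URL, whether
    that action is https, and whether the page carrying the form is itself https."""
    parser = FormCollector()
    parser.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for f in parser.forms:
        if f["has_password"]:
            action = urljoin(page_url, f["action"])  # empty action posts back to page_url
            findings.append({"form": f["id"], "action": action,
                             "action_https": urlparse(action).scheme == "https",
                             "page_https": page_https})
    return findings
```

A finding with `action_https` true but `page_https` false is exactly the situation the thread debates: the credentials travel encrypted, but the form that collects them was delivered over plain http.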