Re: Bank of America - On Line Banking *NOT* Secure?

From: Tim Smith (reply_in_group_at_mouse-potato.com)
Date: 06/28/05 

Date: Tue, 28 Jun 2005 01:50:37 GMT

In article <KdSdnVk_E_9LFCDfRVn-ig@comcast.com>,
 "Neil - Salem, MA USA" <Neil@Salem.Massachusetts.USA> wrote:

> Could someone please check out Bank of America's web site at
> http://www.bankofamerica.com and examine it for poor on non-existent
> security?
>
> I have used On Line Banking for years ...up until a week ago. That's when
> Bank of America revised their web site. As their web site is now, any
> customer who wishes to use On Line Banking enters his or her account number
> and Passcode into form fields on a web page that is NOT secured with SSL!

You need to be more specific. When I go to that page, there is no place
on that page to enter account information. There is a sign in link on
the top, and on the left side, there is a drop-down to select my state
and a sign in button.

Both of these routes lead to, after picking my state, a HTTPS page,
which is the first place that it asks for my account information.

If I try your state, I do get to an HTTP page that has a place to enter
account information, but hovering over the "sign in" button, I see that
the address it submits to is an HTTPS URL.

So, it looks like it is safe for your state, in the sense that your
account information is sent over a secure connection. However, it is
not as secure as it could be, because you don't get to examine the
certificate until it is too late.

It is more secure the way they do it in my state (Washington), since the
form is on an HTTPS page, so I can click the little lock icon in my
browser and read the certificate before sending anything sensitive to
the bank. 

-- 
--Tim Smith