
This is a bad idea...

The new FirstTech Credit Union page puts the logon dialog on an unsecured page. Their explanation [1]:

Why This Is Secure
Using the Online Banking Login on the 1sttech.com pages is safe, even though you do not see the lock in your browser as your Account ID and PIN (Personal Identification Number) are not transmitted until you click on the "login" button. Upon doing so, a secure session is established between your browser and our systems. Your information is then encrypted using 40-bit or 128-bit encryption algorithm (128-bit is used if your browser supports it) and sent to our systems for authentication into Online Banking. Please note that First Tech never transmits your information without it being encrypted first.

We recognize that most of the internet public has been wisely trained to look for the lock in their browser when submitting sensitive data online, this is why we created the “why this is secure” message and added the lock icon to the login button. The design of our website made it difficult to include the popular member request of offering a Home Banking login box to every page on our www.1sttech.com site. Our solution was to verify that the process was secure, then communicate this to our members via the hover text and the “why this is secure” page.

It's good they have thought about the security part of the problem. It's bad that with this implementation they are training people to rely not on the browser's notification about the status of the connection security, but on a webpage icon. Once trained, people would blindly accept the same icon on another page as a sign of a secure transport layer, even though it might be there just because the page designer decided it's a good “Login” pictogram. Not to mention all the phishing emails that will start doing the same to lure people into trusting their links.

People should never trust the web page content about the status of the connection.

[1] http://www.1sttech.com/home/security/online_banking/online_banking_security.html

Published Thursday, August 05, 2004 12:54 PM by Franci Penov

Comments

# re: This is a bad idea...

My credit union has the same thing on their site. (www.octfcu.org) They have the same disclaimer button, and similar language in their explanation. I wonder if it was done by the same company... I agree, very bad practice.
Thursday, August 05, 2004 4:14 PM by .

# re: This is a bad idea...

Technically they're right. When your input page loads over SSL it doesn't mean jack. What's important is how it's submitted and I'm sure most people would not even know that their credentials are sent clear text if the submit would go over HTTP, without SSL, because everybody I know has those switch notifications off. So they would think they're sending their data over secure connection even when they would not, because the input page had a lock.
Thursday, August 05, 2004 4:35 PM by Jerry Pisk

# re: This is a bad idea...

That is correct. It's possible to have an https page that submits the user data in clear text. As it is possible to submit encrypted data from an unsecured page.

But that's hardly the point. The point is that it's a bad idea to train your customers to rely on what the content of the page says about the underlying connection security. The same content (i.e. lock icon) can mean a totally different thing on another page.

People are very gullible. They should be trained to be more suspicious, not less.
Thursday, August 05, 2004 4:45 PM by Franci Penov

# re: This is a bad idea...

I work for a brokerage firm - when we wrote our online service (around 1999-2000) - we did this too. It ended up being a HUGE point of contention between IT and Marketing..

The marketing people said "We want a login/password right from the dub-dub-dub site! Period." and we said, "Well, you can't.. not really. Either [use the technique above] which is bad practice.. or make the main www site be https - which makes the whole site much slower".. No matter how you slice it, if you want a login box from the main www site, it's going to be not pretty.

We explained that this technique (above) was not very good - but the marketeers won after all. We have MANY screaming arguments in the board room. They pretty much pulled rank and we HAD to do it.

In the end, it didn't matter because we outsourced the back-end of our business and the product we took 1.5 years to build was only used for about 8 months before it was replaced! :-)

Point is, you Microsoft folks need to get out more.. there is a WHOLE LOT MORE to programming than this very academic viewpoint you guys have. No offense. :-) but corporate politics and deadlines often make us do LOTS of things we wouldn't normally do sitting in a classroom.
Thursday, August 05, 2004 4:51 PM by drebin

# re: This is a bad idea...

But what would be a better practice?

I agree that the content of the page can easily mislead a user and we shouldn't be encouraging them to trust that.

However, teaching them to look for the lock present on the login form can be just as misleading.

Since the browser doesn't indicate whether or not the post will happen over an SSL connection, there's nothing on the login form that can be trusted for guidance.

Should we teach users to view the source and look at the action of the <form> tag?
Thursday, August 05, 2004 8:30 PM by Doug Lawty
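The check discussed in the comments above (which page delivered the login form, and where does its `<form>` action post?) is one a site owner can run against their own pages instead of asking users to view source. This is an added example, not part of the original post or thread; the URLs, the sample HTML and the verdict names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login form served on a plain-HTTP page, posting to HTTPS.
SAMPLE_PAGE_URL = "http://www.example.test/"
SAMPLE_HTML = """
<form action="https://banking.example.test/login" method="post">
  <input name="account_id"> <input type="password" name="pin"> <input type="submit">
</form>
"""

# (page is https, form target is https) -> verdict (names are this example's own)
VERDICTS = {
    (True, True): "ok",
    (False, True): "https-target-on-http-page",  # form markup arrived unauthenticated
    (True, False): "cleartext-submit-from-https-page",
    (False, False): "cleartext",
}

class LoginFormFinder(HTMLParser):
    """Collect the action attribute of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.action, self.has_password = None, False  # state of the open <form>
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action, self.has_password = attrs.get("action") or "", False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.action is not None:
            if self.has_password:
                self.login_actions.append(self.action)
            self.action = None

def audit_login_forms(page_url, html):
    """Return [(resolved_target_url, verdict)] for each login form in html."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for action in finder.login_actions:
        target = urljoin(page_url, action)  # empty or relative action resolves to the page
        results.append((target, VERDICTS[(page_secure, urlsplit(target).scheme == "https")]))
    return results
```

Only the `ok` verdict corresponds to a login page where the browser's own indicator and the submission target agree.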

# Credit Union puts login area on an unsecure page

FirstTech Credit Union may understand the importance of banking security, however they seem to be struggling with the obvious implementation of such. First they put the login area on unsecured page, then they come up with some crazy explanation as...
Friday, August 06, 2004 1:05 AM by Lockergnome's Web Developers

# An even worse idea

I wanted to log into a website that holds information about my truck loan. The login is an insecure page. They required my Social Insurance Number (much like the SSN in the USA) as an identifier. In Canada it is illegal to identify people by their SIN, unless they expressly permit it.

So, the INsecure website is asking for a very important number that can be very damaging if it got into the wrong hands, and they are doing it illegally. The best part is when you submit the form (I managed to find a secure version buried in the bowels of their site), a javascript popup displays basically stating that by submitting your SIN you agree to allow them to use your SIN to identify you. What kind of backass way of doing things is this?
Friday, August 06, 2004 9:20 AM by gfox