Comments on: Secure? Don't bank on it.

Question: Secure? Don't bank on it.

musicinmybrain — Mon, 02 Apr 2007 17:29:44 -0800

Calling webbish folks: I'd like to make sure this form is as unsecured as it appears before I complain. More inside!

So as far as I can tell this form is completely unsecured (which is kind of bad, as it encourages you to use your Social Security number). The page isn't encrypted, the lock icon doesn't appear even briefly when it's submitted (try arbitrary gibberish that won't validate server-side), and the form post action is not to a https:// address. It seems painfully ironic that a privacy choices form would itself be a security problem.

Before I complain to Wachovia, though, I'd like to make sure I'm not overlooking a way this form could be secure that I don't know about.

By: aubilenon

aubilenon — Mon, 02 Apr 2007 17:35:15 -0800

You're right, it's crap. Complain.

By: majick

majick — Mon, 02 Apr 2007 17:38:03 -0800

No, the form is not submitted over an SSL link. SSL alone wouldn't make it "secure," but it would certainly help.

If you wish to make use of the form with encryption, however, you can just tack it on to the URL yourself and it appears to work just fine.

By: odinsdream

odinsdream — Mon, 02 Apr 2007 18:03:59 -0800

Use this one instead.

The link you followed must have not included the https part.

By: smackfu

smackfu — Mon, 02 Apr 2007 18:34:22 -0800

OTOH, they do have a picture of a lock, with a tooltip of "secure form", so that makes it OK.

By: event

event — Mon, 02 Apr 2007 18:53:17 -0800

This is bad and well worth complaining about. Their little picture of a lock is a real kicker.

By: Sweetie Darling

Sweetie Darling — Mon, 02 Apr 2007 18:55:22 -0800

Is it a phishing address? I got a cookie warning from ehg-wachovia.hitbox.com, which I never get when we access my husband's legit Wachovia account.

By: Sweetie Darling

Sweetie Darling — Mon, 02 Apr 2007 18:57:26 -0800

Oops, never mind. I got to the same page from online banking login. Sorry 'bout that.

By: malphigian

malphigian — Mon, 02 Apr 2007 18:58:45 -0800

FYI, the https:// version works fine:
https://wachovia.com/personal/forms/privacy_optout -- maybe you just clicked a bad link?

A lot of web servers have http and https pointing to the same directory. This isn't really a security issue unless someone links to the wrong one.

I don't think it's a phishing address.

By: smackfu

smackfu — Mon, 02 Apr 2007 18:59:19 -0800

Yeah, it's linked (insecurely) from the Privacy link at the bottom of every page.

By: musicinmybrain

musicinmybrain — Mon, 02 Apr 2007 19:00:21 -0800

Thanks for the alternative links, majick and odinsdream. I had tried the swap to https:// myself, in fact... but I posted the regular http:// version because that's how it's linked from the main Wachovia privacy page (d'oh!).

By: Gerard Sorme

Gerard Sorme — Mon, 02 Apr 2007 19:36:11 -0800

Look at this!
http://www.chase.com/
and the controversy it caused:
http://blogs.zdnet.com/Ou/?p=226

Even though the log-in is redirected to an SSL secured page, it is actually not secure for an instant. Does Chase care? Read all the comments under the ZDNet article. Bottom line: No. They use the same trick with the graphic of a lock. People have been told, "Look for the lock," so...Chase gave them a lock!

-

By: knave

knave — Mon, 02 Apr 2007 20:14:41 -0800

Gerard, correct me if I'm wrong, but the "action" attribute for the logon form is a POST to a https:// url. In other words, the data should be encrypted. I'm a Chase customer, and I use that form, so this is not a hypothetical question at all for me.

By: rbs

rbs — Mon, 02 Apr 2007 20:17:05 -0800

I'm so glad you posted this. I've noticed this on my credit card sites and it drives me crazy!

By: Civil_Disobedient

Civil_Disobedient — Mon, 02 Apr 2007 22:08:23 -0800

If the form action uses POST to send the parameters, the originating script need not be from a secure site. If, on the other hand, the form action uses GET, the form variables will be sent in the URL, which is insecure regardless of whether the transport layer is SSL or not.

While the Wachovia form does submit the form using POST, it's not specifically to a secure site. It looks like they just used a relative path, which is LAZY programming on their part. Had they simply hard-coded a SSL-enabled URL in the post action, they could have avoided all this hassle.

By: allterrainbrain

allterrainbrain — Mon, 02 Apr 2007 22:54:07 -0800

The grapevine being what it is, I expect somebody at Wachovia mgmt has seen this thread by now and will make sure to get these (simple) changes made -- both the relative-URL submission Civil Disobedent points out and the fact that all the internal links point to the http rather than htpps page. But just in case, yeah, it might be worth notifying them.

And thanks for caring enough to ask about it here. Pretty amazing to see a major bank asking for SSNs on an "http" page in 2007.

By: allterrainbrain

allterrainbrain — Mon, 02 Apr 2007 23:01:03 -0800

(Yes I meant https.)
(And it might be worth pointing out explicitly that even as we discuss this, the changes may be underway -- but as of this post the privacy links in the global footer are still pointing to the http page.)

By: footnote

footnote — Tue, 03 Apr 2007 05:54:07 -0800

I was glad to see that the awesome Commerce Bank seems to have proper security. Just another reason to love my bank.