Friday, June 02, 2006

Navy Federal gets hammered by George Ou


The e-banking folks at Navy Federal have taken a nice beating at the hands of ZDNet blogger George Ou. Navy Federal commits what is, unfortunately, an all-too-typical gaffe: serving up many of their pages in clear-text rather than through a secure (SSL) link.

As Ou points out (and as I noted out in, "Making Phishers solve a captcha") the use of clear-text for banking application-serving is problematic. DNS cache poisoning and other DNS hacks are possible attack vectors for in-the-clear apps. Why not get the user accustomed to expecting a secure connection for each page, every page?

Navy Federal:
Signing on to secure sites from an unsecure page is a common industry practice, and not unique to Navy Federal. You may see this same functionality at other Web sites.

George Ou:
No you're not unique; you're just among the batch of ignorant American Banks that don't understand basic SSL server side authentication... do me a favor and run this portion of your answer past your legal department and ask them if "but your Honor, everyone else does it" will ever fly in a class-action lawsuit.

Banks should aggressively protect their customers' security. The financial impact of securing all pages with SSL is pitifully insignificant. Someone at the FDIC needs to knock heads together and make this a requirement for online banking applications.

ZDNet: Bank's defense of bad security: Everyone else does it

No comments: