You would think
that your bank would make sure their website is secure so
that no one can steal your login info, right? Well,
if your bank or credit card company is American
Express, Bank
of America, Chase,
Discover,
First
Equity, MBNA,
Providian,
Wachovia, or
Washington Mutual, then
think again. (Banks that are not so careless with your
account security include Advanta,
CapitalOne,
Citibank, and
Peoples.)
It's easy to tell whether your connection to your
bank is secure: the address bar will start with
https:// instead of http://. (Note the
"s".) When you're on a page with https://, all
information is scrambled in both directions, so if
someone is eavesdropping on your connection, all they get
is scrambled data. If your page is plain http://,
your login data is vulnerable.
What's worse, the banks with the insecure logins
incorrectly tell you that their logins are in fact
secure! They invariably show padlock icons with
reassuring words like "Secure Area", and often those
icons are linked to pages that give you some B.S. about
how the page is actually secure even though it's not an
https:// page because your login data is encrypted
as soon as you hit the Submit button to send it to the
bank. But they're dead wrong about your login info being
secure. They're not only giving you an insecure login,
they're lying about it.
In a minute I'll give you the technical details as to
why they're wrong (if you're interested), but more
importantly you're probably wondering, "Okay, so what
do I do about this?" First, consider changing banks.
Any bank which plays fast and loose with your account
security -- and then lies to you about it --
doesn't deserve your business. If you don't want to go
that route, than a less drastic course of action is to
find the secure login page on your bank's website.
For most bank websites it's easy: Just type in the
wrong username and password, and then you'll be
taken to an error page which is properly secure, which
you can verify from the https://. If that doesn't
work then click around the bank's website and try to find
another login page. Often you can click the padlock next
to the login button which will take you to the bank's
B.S. explanation about how the login is supposedly
secure, but right under that they may provide a link to a
real, secure login page. Finally, you can try just typing
in the "s" when you're first loading the website, like
https://www.bankname.com. That doesn't work with
most of them, and I didn't try them all, but I found it
does work with Discover Card and Wachovia.
Here's the technical explanation for those who want
it: Your bank wants to put the login form right on
their home page so that customers don't have to bother
clicking over to a separate login page. That means the
home page should be secure. But secure pages have a
downside: they're slow. Your bank's computer has to
scramble the web page before it sends it to you, and your
computer has to unscramble the page when it receives it.
Banks don't want their home page to be slow!
So the banks had two choices: they could either
keep the home page fast by making it insecure and having
customers click over to a separate, secure login page in
order to log in, or they could put the login form on the
home page and make it secure, in which case the home page
was slow. Banks didn't like either of these options, so
they dreamed up what they thought was a good workaround,
except they're wrong.
When you click a Submit button on a web page, your
login data is sent to some web address, and it can be
either an http:// or an https://
address. The banks thought, "Aha! We'll put the login
form on a plain, insecure page, but the Submit button
will send the login data to our https:// address,
so the user's login data will be scrambled and no one
will be able to intercept it. That way we'll be able to
have a fast-loading home page and the login will still be
secure."
Here's why that doesn't work: A hacker
listening in on the conversation can intercept the bank's
home page as it's sent to your computer. The hacker
changes the code of the page so that the Submit button
will send the login form to
https://www.HackerWebsite.com instead of to
https://www.BankName.com. When the page loads in
your computer it doesn't look any different than normal.
You type in your username and password and click Submit,
and your login info is sent straight into the hands of
the hacker. The hacker then sends the same login info to
your bank so that you successfully log into your bank's
website, and you're none the wiser. But later the hacker
can go log into your bank account himself.
Yeah, it's unlikely this will happen, but
definitely not impossible. And there's no excuse for
the banks not to provide a secure login. In fact, it's
simple for them to do so -- they just don't want to.
The banks' method of security is like having a
house with two doors and locking only one of them.
That's stupid from a security standpoint. Your security
is only as good as your weakest link. Banks have been
warned not to use this insecure method by Netcraft
and Microsoft
for almost a year now, but most banks aren't listening.
As is often the case, it's up to consumers to look after
their own interests.