Banking Security Epic Fail BB&T

Here’s an email recently sent to a bank with a serious security problem and a lack of concern for their clients. They’ve been made aware of this in the past year or so at least twice and they still choose to ignore it. As an IT security professional, I find it disturbing.

(Some components of the email have been removed for privacy and security purposes; these are clearly marked.)

“Dear Internet Fraud Division,
Why do you not digitally sign your main login page at BBT.com with a digital certificate via SSL/TLS? In short, why don’t you follow your own security guidelines (see quote below)? Having such a certificate from a company such as Verisign serves primarily one interest: authenticating yourself to your users. It is also the foremost way in which to PREVENT phishing. And in our day, with DNS poisoning, it also provides significant aid. You already possess an EV Class 3 Verisign certificate and sign the page you get in case you mistype your password; why not sign the main login page? (In fact the sole reason EV certificates were created was to make it easier to authenticate yourself to your clients visually.) Notice the authorities’ comments below.

“If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”).”
Source-Federal Trade Commission’s “On Guard Online” Program
http://www.onguardonline.gov/topics/phishing.aspx

“Only enter personal information on a secure Web site… When entering personal data at a Web site, look for a “locked padlock” in the browser or “https” at the beginning of the Web site address to make sure the site is secure.”
Source- Better Business Bureau
http://www.bbbonline.org/idTheft/phishingScams.asp

“The term “https” should precede any web address (or URL) where you enter personal information. The “s” stands for secure. If you don’t see “https,” you’re not in a secure web session, and you should not enter data.”
Source- PayPal, an eBay Company
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/RecognizePhishing-outside

“Look for ‘https://‘ and a lock icon in the address bar before entering any private information.”
Source- University of Georgia “Office of Information Security”
https://infosec.uga.edu/sate/phishing.php

NOTICE WHAT YOUR OWN SITE SAYS
“You can tell your online session with BB&T is secure through the following:
* An unbroken key or a locked padlock icon will appear at the bottom of your browser screen.
* The website address at the top of your browser screen will change from “http” to “https”.”

Source- Yourself
http://www.bbt.com/about/privacyandsecurity/onlinesecurity.html

As an IT security professional I understand that there are always weaknesses and methods of exploitation; but each layer of security helps our clients and adds to security. Please resolve this issue… It’s not just a poor choice on your part… it’s probably liable.

Sincerely, a Disappointed Customer,
<Name Removed for Privacy>

PS- All the following banks do what you don’t…
https://www.bankofamerica.com
https://www.suntrust.com
https://www.wachovia.com/
https://online.citibank.com
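The letter’s complaint can be expressed as a defender-side audit: is the page that carries the password field itself served over HTTPS, and does the form post over HTTPS? The script below is an added example, not code from the letter, the blog or the bank; the hostname example-bank.test, the three sample pages and their headers are constructed here to illustrate the cases. It goes one step beyond the letter by also checking for the Strict-Transport-Security (HSTS) response header, which tells browsers never to load the plain-HTTP version of a site at all.

```python
"""Audit whether a login page is properly served over TLS.

Added example (not the bank's or the blog's own code). The key point from the
letter: a form that posts to HTTPS is not enough if the page carrying it arrives
over plain HTTP, because an unauthenticated page can be altered in transit.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect <form> elements and note which ones contain a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return a list of finding codes for one fetched login page.

    page_url: the URL the HTML was served from (scheme matters).
    html:     the response body.
    headers:  response headers as a dict (case-insensitive lookup below).
    """
    findings = []
    page = urlsplit(page_url)
    page_is_https = page.scheme == "https"

    if not page_is_https:
        # No server authentication and no integrity: the page content, including
        # the form's action, could be rewritten before the user ever sees it.
        findings.append("PAGE_NOT_HTTPS")

    lowered = {k.lower(): v for k, v in headers.items()}
    if page_is_https and "strict-transport-security" not in lowered:
        findings.append("NO_HSTS")

    parser = _FormCollector()
    parser.feed(html)
    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        findings.append("NO_LOGIN_FORM")

    for form in login_forms:
        # Resolve relative actions against the page URL; an empty action posts
        # back to the page itself.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append("FORM_ACTION_NOT_HTTPS")
        elif not page_is_https:
            # Exactly the situation the letter describes: credentials go over
            # TLS, but the page that decides where they go was never authenticated.
            findings.append("FORM_ON_UNAUTHENTICATED_PAGE")
    return findings


# Constructed sample responses (hostname and bodies are invented for this example).
_LOGIN_HTML = (
    '<html><body><form action="{action}" method="post">'
    '<input name="user"><input type="password" name="pass">'
    '<input type="submit"></form></body></html>'
)

SAMPLE_PAGES = {
    "http-page-https-form": (
        "http://www.example-bank.test/",
        _LOGIN_HTML.format(action="https://www.example-bank.test/auth/login"),
        {},
    ),
    "https-page-with-hsts": (
        "https://www.example-bank.test/login",
        _LOGIN_HTML.format(action="/auth/login"),
        {"Strict-Transport-Security": "max-age=31536000"},
    ),
    "https-page-http-form": (
        "https://www.example-bank.test/login",
        _LOGIN_HTML.format(action="http://www.example-bank.test/auth/login"),
        {},
    ),
}


def run_samples():
    """Audit every constructed sample; returns {name: [finding codes]}."""
    return {name: audit_login_page(*args) for name, args in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, codes in run_samples().items():
        print(f"{name}: {', '.join(codes) if codes else 'OK'}")
```

The first sample reproduces the arrangement the letter objects to: the form would submit over HTTPS, yet the page itself is unauthenticated, so the audit flags it. Only the second sample, served over HTTPS with HSTS and a same-origin HTTPS action, comes back clean.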

