American Express and Chase log in is not secure

In an unbelievable story from SANS, they note that American Express and Chase log in is not secure. I looked at those sites myself and it's true. Recently, in the interests of customer usability, banks in the US have taken to offering log in from the home page, and how they implement this is critical.

Major banking sites insecure, researcher warns – Computerworld

At issue are the user log-in areas on sites like Chase.com and Americanexpress.com that ask customers to submit their ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Johannes Ullrich, chief research officer at the SANS Institute.


Compare these to Wells, which handles this correctly by making the home page secure (https – note the ‘s’ in the http://). This is so basic it's something I had to highlight here. Bank of America is guilty too. The username at BofA is entered in clear, unsecure fashion; however, they do ensure that the password is entered securely. I would need a professional security officer's opinion, but I am sure that entering any part of the log in, username in the case of BofA, is very bad practice.
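The check described above can be automated. The following is an added example, not code from SANS, Computerworld or any bank: it parses a page's HTML, finds forms that collect credentials, and flags both the case where the page itself was served over http and the case where the form submits over http. The field-name heuristic, the function names and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CRED_NAME = re.compile(r"user|login|passw", re.I)  # heuristic, an assumption

class FormCollector(HTMLParser):
    """Record every <form>: its action and whether it holds a credential field."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "creds": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            is_pw = (a.get("type") or "").lower() == "password"
            if is_pw or CRED_NAME.search(a.get("name") or ""):
                self._open["creds"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_page(page_url, html):
    """Return [(submit_url, [issues])] for each credential form on the page."""
    collector = FormCollector()
    collector.feed(html)
    results = []
    for form in (f for f in collector.forms if f["creds"]):
        target = urljoin(page_url, form["action"])  # empty action = same page
        issues = []
        if urlsplit(page_url).scheme != "https":
            # Unauthenticated page: the form can be altered in transit even if it posts to https.
            issues.append("page-not-https")
        if urlsplit(target).scheme != "https":
            issues.append("action-not-https")  # credentials travel in clear
        results.append((target, issues))
    return results

# Constructed sample markup (not taken from any real bank site).
LOGIN_FORM = ('<form action="https://secure.bank.example/logon" method="post">'
              '<input type="text" name="userid"><input type="password" name="pw">'
              '</form><form action="/search"><input name="q"></form>')
print(audit_login_page("http://www.bank.example/", LOGIN_FORM))
```

An empty issue list for a form means both the page and the submit target use https, which is the Wells-style setup; a form that posts to https from an http page still reports page-not-https.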

I picked a few random banks, such as the Fifth Third Bank in Minnesota – their log in is perfectly secure, showing as https://www.53.com/wps/portal/personal . So well done Fifth Third for showing up the big guys.

I am so curious to hear from American Express, Bank of America, and Chase, and how they will respond.

I checked a few UK sites, and they don’t offer sign in from the home page, so don’t have this problem.

Relevance to Bankwatch:
Security is not to be taken lightly and size does not guarantee trust and security.

Good:  https://www.wellsfargo.com/
Bad:    http://www.chase.com/
