Is AmSouth's on-line bank web site secure? [Archive] - Glock Talk



NRA_guy
07-07-2005, 06:47
I think AmSouth's on-line bank web site is not secure.

It is here AmSouth (http://www.amsouth.com/)

Note that the site where you enter your ID and password at the top right is not secure (not "https").

You type in your ID and password in the "http" site then hit "login". Then it takes you to a secure web site.

I think the login site should be secure to protect my ID and password.

I emailed them and got back a "thank you for your comment, we have addressed your concerns" response. But they did not change it.

I'm concerned.

Should I be?

EvilGenius
07-07-2005, 20:07
Well, I bank online at Wells Fargo (http://www.wellsfargo.com/) and they do the same thing. I'd like it to be different, but it's not.

Toyman
07-08-2005, 06:54
The HTML references https://ibank.amsouth.com all over the place. It redirects to the secure server. My bank does it this way as well as many other sites.

NRA_guy
07-08-2005, 07:13
Originally posted by Toyman
The HTML references https://ibank.amsouth.com all over the place. It redirects to the secure server. My bank does it this way as well as many other sites.

Yeah, it takes you to a secure web site but only after you enter the ID and password, but you are entering your access info into a non-secure web site.

PS: Your initial ID for the AmSouth web site is your Social Security Number until/unless you log in and change it. Some folks will never change theirs.

David_G17
07-08-2005, 18:53
Yeah, it's secure.

Even though most browsers will throw a caution message, it is.

It's inside of an iframe, and when you click "log in" it doesn't just send the password and login name as plain text. Since it's creating a connection with a secure site it's ok.

We had the same problem on a banking site I helped build. Same issue came up. We even tried packet sniffing to try and hack it. It's secure.

jpa
07-11-2005, 00:30
https://ibank.amsouth.com/tether/ibanklogon.asp

This is the url for that individual frame of the index page. I'm assuming the main page being straight http is to take the load off the ssl server while still being convenient enough to log in from the main page.

NRA_guy
07-11-2005, 05:17
OK, thanks, guys.

I'll stop worrying about it.

David_G17
08-26-2005, 07:42
Apparently others are worried too. I just found this:
http://news.netcraft.com/archives/2005/08/23/banks_shifting_logins_to_nonssl_pages.html

Banks Shifting Logins to Non-SSL Pages Security

After years of training customers to trust only SSL-enabled sites, banks are shifting their online banking logins to the unencrypted home pages of their websites. Although the data is encrypted once the user hits the "Sign In" button, the practice runs counter to years of customer conditioning, as well as the goals of the browser makers. Three of the five largest U.S. banks now display login forms on non-SSL home pages, including Bank of America, Wachovia and Chase, as well as financial services giant American Express.

Web sites are generally reluctant to use "https" on busy home pages, since SSL involves a tradeoff: improved security, but slower response time. Consumers, meanwhile, prefer easy-to-remember URLs for their online banking. In placing login screens on non-SSL home pages, banks are trying to have it both ways: fast page loading without the SSL-related performance hit. The login form's "action" URL points to an SSL-enabled https URL.

Since the introduction of SSL, Internet users have been urged to check for the "golden lock" icon to ensure a web session is encrypted before conducting e-commerce transactions. As phishing has grown rampant, the Anti-Phishing Working Group and Federal Trade Commission have warned consumers to be sure a web page is using SSL before sharing personal information.

Mindful of this, many of the banks using homepage logins include a link to security information. "You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure," Bank of America notes in its security note, accessed by clicking an icon on the login form. "Those indicators include the small 'lock' icon in the bottom right corner of the browser frame and the 's' in the Web address bar (for example, 'https'). To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Please be assured that your ID and passcode are secure and that only Bank of America has access to them."

This growing practice was criticized by Microsoft in April. "If the login form was delivered via HTTP, there's no guarantee it hasn't been changed between the server and the client," Microsoft's Eric Lawrence wrote on the IE7 blog. "A bad guy sitting on the wire between the two could simply retarget the POST to submit to a HTTPS site that he controls."

Netcraft's SSL Survey provides detailed information about encrypted transactions and e-commerce, including the growth rate for SSL-enabled sites, and which operating systems, server software and certificates are most widely used on these sites.
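The two positions in this thread (the form or frame posts to an https URL, so the credentials travel encrypted; versus the Eric Lawrence point that markup fetched over plain http can be altered before the user clicks "Sign In") reduce to one audit rule: the scheme of the page that delivers the form, and of the page that references the logon iframe, matters as much as the scheme of the form's action. The script below is an added example written for this page, not code from the thread, from Netcraft, or from any bank; it encodes that rule as a check over fetched HTML. The markup and the `bank.invalid` hostnames are constructed for the example (`.invalid` is reserved for exactly that), and the function and class names are my own.

```python
"""Audit an HTML page for login forms whose delivery path is not end-to-end TLS.

Rule encoded here: the scheme of the *page that delivers the form* matters as
much as the scheme of the form's action URL, because markup fetched over plain
HTTP can be altered in transit before the user ever submits anything. The same
applies to an <iframe> pointing at an HTTPS logon page: the frame's address is
part of the HTTP parent page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect <form> elements that contain a password input, plus every <iframe> src."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "has_password": bool}, ...]
        self.iframes = []    # raw src attribute values
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)      # attribute values may be None for valueless attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return (severity, message) findings for credential forms and frames on the page.

    page_url is the URL the markup was fetched from; relative actions and frame
    sources are resolved against it.
    """
    findings = []
    page = urlsplit(page_url)
    collector = _FormCollector()
    collector.feed(html)

    for form in collector.forms:
        if not form["has_password"]:
            continue                     # not a credential form; out of scope
        action = urlsplit(urljoin(page_url, form["action"]))
        if action.scheme != "https":
            findings.append(("high", f"password form posts to non-HTTPS action {action.geturl()}"))
        if page.scheme != "https":
            findings.append(("high", "password form delivered over HTTP: its action URL "
                                     "can be rewritten in transit before submission"))

    for src in collector.iframes:
        frame = urlsplit(urljoin(page_url, src))
        if frame.scheme != "https":
            findings.append(("high", f"frame {frame.geturl()} is itself loaded over plain HTTP"))
        if page.scheme != "https":
            findings.append(("medium", f"frame {frame.geturl()} is referenced from an HTTP page: "
                                       "the frame address can be rewritten in transit"))
    return findings


# Constructed sample markup (not any real bank's HTML); ".invalid" hosts are reserved for examples.
LOGIN_FORM_HTTPS_ACTION = """
<html><body>
<form action="https://ibank.bank.invalid/logon" method="post">
  <input name="userid">
  <input type="password" name="pin">
  <input type="submit" value="Log in">
</form>
</body></html>
"""
LOGIN_FORM_HTTP_ACTION = LOGIN_FORM_HTTPS_ACTION.replace("https://", "http://")
HOME_WITH_LOGIN_FRAME = '<html><body><iframe src="https://ibank.bank.invalid/logon"></iframe></body></html>'


def demo():
    """Run the cases discussed in the thread and return their findings by name."""
    cases = {
        "HTTP home page, form posts to HTTPS": ("http://www.bank.invalid/", LOGIN_FORM_HTTPS_ACTION),
        "HTTPS logon page, form posts to HTTPS": ("https://ibank.bank.invalid/logon", LOGIN_FORM_HTTPS_ACTION),
        "HTTP home page, form posts to HTTP": ("http://www.bank.invalid/", LOGIN_FORM_HTTP_ACTION),
        "HTTP home page framing an HTTPS logon": ("http://www.bank.invalid/", HOME_WITH_LOGIN_FRAME),
    }
    return {name: audit_login_page(url, markup) for name, (url, markup) in cases.items()}


if __name__ == "__main__":
    for name, found in demo().items():
        print(name)
        for severity, message in found or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Only the case where the logon page itself is fetched over https comes back clean; the http home page with an https action, which is the AmSouth layout described in the thread, is flagged even though the credentials are encrypted on the wire, because the rewrite risk sits in the unprotected page, not in the POST. The iframe case from jpa's post is flagged at a lower severity for the same reason: the frame content is https, but the reference to it is not.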

NRA_guy
08-26-2005, 14:11
Hmmm. So the big banks are sacrificing my banking security for their profit margin.

Hard to believe, huh?

Thanks.