This is a bad idea...

The new FirstTech Credit Union site puts the online banking login form on a page that is itself served over plain HTTP, not HTTPS. Their explanation [1]:

Why This Is Secure
Using the Online Banking Login on the pages is safe, even though you do not see the lock in your browser, as your Account ID and PIN (Personal Identification Number) are not transmitted until you click on the "login" button. Upon doing so, a secure session is established between your browser and our systems. Your information is then encrypted using a 40-bit or 128-bit encryption algorithm (128-bit is used if your browser supports it) and sent to our systems for authentication into Online Banking. Please note that First Tech never transmits your information without it being encrypted first.

We recognize that most of the internet public has been wisely trained to look for the lock in their browser when submitting sensitive data online; this is why we created the “why this is secure” message and added the lock icon to the login button. The design of our website made it difficult to include the popular member request of offering a Home Banking login box on every page of our site. Our solution was to verify that the process was secure, then communicate this to our members via the hover text and the “why this is secure” page.

It's good that they have thought about the transport side of the problem. The trouble is that the page carrying the form arrives over plain HTTP, so anyone on the path can alter it before the user ever sees it: change where the form submits, or add a script that reads the fields, and the "never transmitted without encryption" promise no longer holds, because the browser had no way to verify that the form it rendered is the one the credit union sent. Worse, this implementation trains people to ignore the browser's own indicator of connection security and to look for an icon in the page content instead. Once trained, people will accept the same icon on any other page as a sign of a secure transport, even when it is there only because the page designer thought it made a nice “Login” pictogram. And the phishing e-mails will start doing the same, to lure people into trusting their links.

People should never trust web page content as an indication of the connection's security status; only the browser can tell them that.
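The point above can be turned into a mechanical check. The following is an added example (not code from the original post, and not anything First Tech published) that parses an HTML page, finds every form with a password field, and reports two things: whether the page itself was delivered over HTTPS, and whether the resolved form action submits over HTTPS. The sample pages and the hostnames in them are constructed for illustration. Note that a lock image inside the page is simply not consulted, which is the whole point: it is ordinary content and carries no security meaning.

```python
"""Audit HTML login forms for the 'login box on an HTTP page' anti-pattern.

Added example for this post; not code from the original page or from the
credit union it discusses. Sample HTML and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, has_password_field) for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms as (action, has_password) tuples
        self._current = None   # [action, has_password] of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form on the page.

    Each finding is {"action": <resolved action URL>, "problems": [...]} where
    problems may contain:
      - "page-not-https": the HTML itself arrived over plaintext, so an on-path
        attacker could have rewritten the form before the user saw it.
      - "action-not-https": the credentials would be POSTed over plaintext.
    An empty problem list means the form is both delivered and submitted over HTTPS.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, has_password in collector.forms:
        if not has_password:
            continue
        # A relative action inherits the page's scheme, which is exactly how a
        # tampered HTTP page can quietly turn an HTTPS submit into an HTTP one.
        resolved = urljoin(page_url, action)
        problems = []
        if page_scheme != "https":
            problems.append("page-not-https")
        if urlsplit(resolved).scheme.lower() != "https":
            problems.append("action-not-https")
        findings.append({"action": resolved, "problems": problems})
    return findings


# Constructed sample: the pattern the post describes. The page is plain HTTP,
# the form posts to an HTTPS endpoint, and a lock image sits on the button.
SAMPLE_PAGE = """
<html><body>
<form action="https://banking.example.test/login" method="post">
  <input name="acct">
  <input type="password" name="pin">
  <button type="submit"><img src="/img/lock.gif" alt="lock"> Login</button>
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

# Constructed sample: the same page as an on-path attacker could hand back over
# HTTP, with the action made relative so credentials go to the plaintext origin.
TAMPERED_PAGE = SAMPLE_PAGE.replace(
    'action="https://banking.example.test/login"', 'action="/login"')


if __name__ == "__main__":
    for label, url, html in [
        ("original over HTTP", "http://www.example-cu.test/", SAMPLE_PAGE),
        ("original over HTTPS", "https://www.example-cu.test/", SAMPLE_PAGE),
        ("tampered over HTTP", "http://www.example-cu.test/", TAMPERED_PAGE),
    ]:
        print(label, audit_login_forms(url, html))
```

Run it and the untampered page already earns a "page-not-https" finding even though its action is HTTPS; only serving the page itself over HTTPS clears it. The search form, which has no password field, is ignored.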

