Banks avoiding SSL logins

Opinion
Aug 29, 20053 mins

* SSL avoidance leaves bank users open to attack

A recent news item from Netcraft, a U.K. consultancy specializing in Internet analysis and technology tracking, noted that “After years of training customers to trust only SSL-enabled sites, banks are shifting their online banking logins to the unencrypted home pages of their Web sites.”

Netcraft continues:

“Although the data is encrypted once the user hits the ‘Sign In’ button, the practice runs counter to years of customer conditioning, as well as the goals of the browser makers. Three of the five largest U.S. banks now display login forms on non-SSL home pages, including Bank of America, Wachovia and Chase, as well as financial services giant American Express.”

The full article can be found here.

The reason for this change is that although content provided over an SSL connection is secured there’s processing overhead that slows response unless SSL accelerator hardware is employed which is, in turn, expensive.

The banks are now putting login forms on their home pages which are not SSL-enabled. When the customer completes the login the data is sent to an SSL-enabled URL.

Over the last few years, with security becoming increasingly important in building consumer trust in online banking, users have been trained to look for the “golden lock” icon as evidence that their Web transactions are secure.

This recent change by the banks is confusing to consumers so, for example, Bank of America notes on a blue lock icon link on its login form: “You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure… Please be assured that your ID and passcode are secure and that only Bank of America has access to them.”

In April Microsoft’s Eric Lawrence pointed out in his blog that avoiding the use of SSL in this manner isn’t a great idea: “If the login form was delivered via HTTP, there’s no guarantee it hasn’t been changed between the server and the client” and points out that the new method adopted by the banks makes a man-in-the-middle (MTM) attack possible.

Of course, MTM attacks are not common at present, but the first time one happens in a financial services environment will be an ugly setback for online commerce – not to mention the potential brand damage that the company will face. If you work for any business where consumer confidence matters and you’re thinking of using this non-SSL login method, think again.