01-26-2005, 07:03 PM   #1 (permalink)
sde
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,505
back to Online Banking again

I posted this before, and since they seemed like they were truly interested in fixing it, I dropped it, but they have not.

http://firstregional.com

Notice this personal and business banking login page is not secure. Any other bank I go to has their online banking login on a secure page.

Diana Jenkins, the so-called Network Administrator, doesn't return my emails anymore. She must truly have no clue as to the possibility of someone on the network of their clients 'sniffing' out someone's login information. Hopefully none of their customers log in on a school or work network with a nosey admin.

First Regional Bank is located in southern California. Are there any internet banking laws that regulate the privacy of online banking? Is there an authority who you can report this to? Anyone have any ideas on how to fix this?

I'm thinking the best way may just be to post on every forum I know and then send them an email so they know how many people know the security holes that they knowingly ignore and fail to fix.

What should I do?
__________________
Mike

01-27-2005, 07:47 AM   #2 (permalink)
Admin
$_['Your_Mom'];
Join Date: May 2002
Location: Santee
Posts: 627
The request goes to a secure page, what is the problem?
__________________


Urban Clothing

01-27-2005, 08:13 AM   #3 (permalink)
sde
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,505
u sound like them

OK, well, your username and password are sent BEFORE you are on a secure page, so sure, all my bank info is secure once I'm logged in, but if someone sniffs out my username and password, then they can get into my account anyway.
__________________
Mike

01-27-2005, 11:25 AM   #4 (permalink)
Admin
$_['Your_Mom'];
Join Date: May 2002
Location: Santee
Posts: 627
But it is sent to the secure page. Perhaps I am missing something or I am confused?
__________________


Urban Clothing

01-27-2005, 11:34 AM   #5 (permalink)
technobard
Centurion Nova Prime
Join Date: May 2002
Location: Oak Park, IL (USA)
Posts: 287
I think I get it. BankOne does the same thing. There is a way to go straight to an HTTPS form, before entering the user/pass, but I agree I don't think there's a problem. When you type your user/pass, the info isn't sent until you POST. The form action (<form name="loginForm" method="POST" action="https://global1.onlinebank.com/cgi-forte/forteisapi.dll?ServiceName=WebTeller&TemplateName= WebTeller.htm&BankTag=firstreg0101" target="_top">) is to a secure URL. So when you actually transmit the info, you're fine. Right?

Having said that, I'm still more comfortable being in an HTTPS page to start with. On the link you provided, go to "Home Banking" on the menu, and select "Access Your Account". It will take you to an HTTPS form. I do the same thing with my bank.
__________________
It takes 2 points to draw a straight line, but at least 3 points to draw a conclusion.

01-27-2005, 11:56 AM   #6 (permalink)
Belisarius
Java fanboy
Join Date: Aug 2003
Posts: 1,166
Fire up Ethereal and see if you can sniff your password as you login.
__________________
GitS

01-27-2005, 12:29 PM   #7 (permalink)
sde
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,505
Err... so you're saying that post data does not get sent until the secure connection is already made?
__________________
Mike

01-27-2005, 01:11 PM   #8 (permalink)
Belisarius
Java fanboy
Join Date: Aug 2003
Posts: 1,166
It sorta makes sense that when making a request to an HTTPS page, the encryption process will be done first, then the data will be sent.
__________________
GitS

01-27-2005, 01:59 PM   #9 (permalink)
Admin
$_['Your_Mom'];
Join Date: May 2002
Location: Santee
Posts: 627
Quote:
Originally Posted by Belisarius
It sorta makes sense that when making a request to an HTTPS page, the encryption process will be done first, then the data will be sent.
That is my understanding of the process.

The only reason to put someone on a secure page as they fill out information is to make them feel good.
__________________


Urban Clothing

01-27-2005, 03:58 PM   #10 (permalink)
idx
Senior Grasshopper
Join Date: Jun 2003
Location: FL
Posts: 317
For general paranoia I would put the entire thing in HTTPS (maybe with a user-friendly note stating that the site is secure and to look for the lock before proceeding, etc.), but an HTTPS post should be OK.

Although I can't get the local newspaper to return my emails either. They have a section where you can submit your classified ads, but they aren't securing your CC info..

-r

01-28-2005, 06:41 PM   #11 (permalink)
technobard
Centurion Nova Prime
Join Date: May 2002
Location: Oak Park, IL (USA)
Posts: 287
For those wanting a more technical explanation of the whole HTTPS (SSL) thing, check out the following link: SSL Encryption Introduction. The best part is just over halfway down the page. It basically talks about the handshake that takes place between the browser and the server when initiating an HTTPS connection.

As I think about it, I guess the other thing to remember is that HTTP and HTTPS are stateless. You can store a session id to fudge your way around it, but it's still stateless. So, even if the page you're on is encrypted, the page you're POSTING to is an independent action that makes (or re-establishes by reusing a session id) a connection.
__________________
It takes 2 points to draw a straight line, but at least 3 points to draw a conclusion.
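
Added example, not written by any poster in this thread: a Python check that classifies the case debated above by comparing the scheme of the page that serves a login form with the scheme of the form's POST target. The host names, the sample markup and the verdict strings are assumptions made for illustration; the "unauthenticated" verdict reflects that a form delivered over plain HTTP carries no integrity protection, so the browser cannot verify the `action` it was handed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormFinder(HTMLParser):
    """Record each <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms, self._in_form = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
            self.forms.append({"action": a.get("action") or "", "password": False,
                               "method": (a.get("method") or "get").lower()})
        elif (tag == "input" and self._in_form
              and (a.get("type") or "").lower() == "password"):
            self.forms[-1]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

def audit_login_forms(page_url, html):
    """Return (post_target, verdict) for every password form in html."""
    finder = FormFinder()
    finder.feed(html)
    finder.close()
    page_tls = urlsplit(page_url).scheme == "https"
    results = []
    for form in (f for f in finder.forms if f["password"]):
        target = urljoin(page_url, form["action"])  # empty/relative action -> page URL
        if urlsplit(target).scheme != "https":
            verdict = "password sent in clear"
        elif form["method"] != "post":
            verdict = "password placed in URL"
        elif not page_tls:
            verdict = "encrypted POST, form page unauthenticated"  # the thread's case
        else:
            verdict = "page and POST both over TLS"
        results.append((target, verdict))
    return results

# Constructed sample (bank.example is a placeholder, not the site in the thread).
SAMPLE = ('<form name="loginForm" method="POST" action="https://login.bank.example/auth">'
          '<input type="text" name="user"><input type="password" name="pass"></form>')
print(audit_login_forms("http://www.bank.example/", SAMPLE))
```
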