Bank Sites Still Driven by Marketers
For years, banks, e-commerce companies and other operators of Web sites that deal in personal financial information have trained customers to look for the little "padlock icon" in the corner of their Web browser window. That padlock indicates that users are connected via a secure server, and it has become a trusted seal for Internet transactions.
Increasingly, however, many of the nation's largest financial institutions are doing away with the padlock on their home pages, a development that some experts say could lead more consumers to fall prey to phishing scams.
The padlock is a visual representation that a Web site uses what's known as "secure sockets layer," or SSL, technology. SSL allows Web site visitors both to verify (with a fair degree of accuracy) the identity of the company they're about to do business with and to ensure that the information transmitted -- usually usernames and passwords -- cannot be easily read by anyone who might intercept the transmission along the way. The Web addresses of sites that use SSL begin with "https://".
If you visit another big bank, Suntrust.com for example, you will see upon landing at the home page a yellow padlock icon on the bottom right corner of the browser that -- if you click on it -- will list a whole bunch of third-party verified information that allows you to be reasonably certain that you are in fact at Suntrust bank's official site.
However, Web sites for Bank of America, Wachovia, American Express and Chase no longer cause a user's browser to display the little padlock as they did in years past, according to a blog entry from the folks over at Netcraft, a Web security firm based in Bath, England.
The Bank of America site, for example, does have a tiny padlock to the right of the username and password box, but clicking on it only brings up a Web page explaining what SSL is all about, and doesn't offer any of the details that would allow visitors to make an informed decision about whether to trust the site.
Until recently, these institutions required customers who wanted to access their information via the site to click on a link on the homepage that took them to the account login page. Now, all of the above-mentioned institutions (and probably many others) include the customer login form on their homepages.
While the main page itself is not protected with SSL, any information entered into the "username" and "password" boxes is protected by SSL and encrypted. Nowhere on the homepage, however, is there a padlock icon or an "https://" address; those show up only after the information has been submitted.
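The arrangement described above can be checked mechanically. The following is an added example, not code from the original post or from any bank: a small Python audit that takes a page's URL and HTML and reports login forms whose submission uses SSL while the page holding the form does not. The host bank.example and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Collect every <form> on a page and note whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms: {"action": ..., "password": bool}
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def audit(page_url, html):
    """Return (form action, verdict) for each login form on the page."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        if not form["password"]:
            continue  # not a login form
        action_secure = urlsplit(form["action"]).scheme == "https"
        if page_secure and action_secure:
            verdict = "ok: page and submission both use SSL"
        elif action_secure:
            verdict = "weak: submission is encrypted, but the page holding the form is not"
        else:
            verdict = "bad: credentials are submitted without SSL"
        results.append((form["action"], verdict))
    return results

# Constructed sample page; bank.example is a placeholder host.
SAMPLE = '<form action="https://bank.example/login"><input type="password" name="pw"></form>'
```

Calling `audit("http://bank.example/", SAMPLE)` yields the "weak" verdict, which is the case the homepage login forms fall into; the same markup served from an `https://` page yields "ok".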
Bank of America said it made the change as a matter of convenience for its customers: "To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Please be assured that your ID and passcode are secure and that only Bank of America has access to them."
This strikes me as an unfortunate development, for a number of reasons. One, the banks themselves have spent the better part of the past decade training customers to look for the padlock icons. What's more, the major financial institutions -- including American Express -- have required online merchants to display the padlocks as a condition of allowing them to process credit card transactions.
In addition, the Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock and https:// when accepting user credentials.
Granted, encrypted pages generally do take a fraction of a second longer to load than non-encrypted ones, and undoubtedly many people visiting the bank sites are there for something other than logging in to their accounts. Plus, banks have enormous customer bases and can't reliably predict how many traditional customers will suddenly want to start banking online or accessing their accounts over the Web site, said Chuck Wade, principal at Hopkinton, Mass.-based Interisle Consulting, a company that works with banks on security issues.
"The major banks have giant scale issues ... they have such huge populations of customers that they are now starting to approach problems previously only seen by federal government Web sites," Wade said.
And it's not as if phishers and other bad guys haven't figured out ways to spoof or fake the little padlock icon at counterfeit bank sites.
Still, Wade said, moving away from displaying SSL on homepages risks unraveling years of consumer education.
"The same institutions that have been actively involved in educating consumers about what to expect in a safe site are suddenly shifting their policies. Unfortunately, this is yet another case of the marketing folks [at the banks] driving what happens on their site rather than the security people," Wade said.