Friday, July 09, 2010

News from 2009 - SSL Cert Atrocities from WAMU/CHASE

For historical reasons I'd rather not detail, I had an account with WAMU (now Chase). During the middle of the Chase acquisition, I noticed the SSL cert error displayed in this post. This was during the process of setting up an online savings account, which the bank was heavily touting at the time. I wish I had saved a screenshot, but at a slightly later time in the acquisition process, the cert error changed from expired cert to cert not matching URL.

I called customer support at WAMU/Chase and got absolutely nowhere. I went as far as to send a complaint to the OCC. Their response was that they can't do anything, as they do not regulate Internet banking.

Now think about this a bit. This is a bank. You trust them to hold your money - lots of it. This particular bank is heavily pushing their Internet-only services. They then commit the most atrocious SSL cert error possible - a cert that does not match the URL for their heavily-promoted online savings enrollment. This is an error that every modern browser screams loudly about - for good reason. This type of cert error is the one encountered with a man-in-the-middle attack. I've just entered all the information required for major identity theft, and I then have my browser telling me the site I've encountered is likely fake. When the error is reported the response is - crickets chirping. Not just from the bank itself, but from the regulators.
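For readers who want to see exactly which checks the browser was failing on, here is an added example (not from the original post, and not code from WAMU or Chase): a stdlib-only Python checker that reproduces the two complaints described above, an expired certificate and a certificate whose names do not match the URL, against a constructed certificate dict in the same shape that `ssl.SSLSocket.getpeercert()` returns. The hostnames, validity dates and the `BANK_CERT` sample are invented for illustration.

```python
import ssl
import time
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample, NOT a real bank certificate: this is the dict shape that
# ssl.SSLSocket.getpeercert() returns for a parsed peer certificate.
BANK_CERT: Dict = {
    "subject": ((("commonName", "online.bank.example"),),),
    "subjectAltName": (("DNS", "online.bank.example"), ("DNS", "*.bank.example")),
    "notBefore": "Jan 10 00:00:00 2009 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
}


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; a single '*' is allowed
    only as the entire left-most label and never matches across a dot, so
    '*.bank.example' covers 'savings.bank.example' but not
    'login.savings.bank.example', and '*.example' is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: DNS subjectAltNames, falling back
    to the subject CN only when no SAN is present (2009-era browser behaviour;
    current browsers ignore the CN entirely)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_cert(cert: Dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the problems a browser would raise for `cert` when presented by
    `hostname` at time `now` (epoch seconds; default is the current time).
    An empty list means the validity-period and name checks both pass."""
    now = time.time() if now is None else now
    problems: List[str] = []
    # cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" form as UTC.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    names = cert_dns_names(cert)
    if not any(_dnsname_match(n, hostname) for n in names):
        # The error the post describes: a cert that is otherwise fine but was
        # issued for a different name, which is exactly what a man-in-the-middle
        # presenting its own certificate looks like to the browser.
        problems.append("hostname mismatch: %r not in %r" % (hostname, names))
    return problems


def _utc(year: int, month: int, day: int) -> float:
    """Epoch seconds for midnight UTC on the given date (test helper)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


if __name__ == "__main__":
    print(check_cert(BANK_CERT, "online.bank.example", now=_utc(2009, 6, 1)))          # []
    print(check_cert(BANK_CERT, "savings.bank.example", now=_utc(2009, 6, 1)))         # [] via wildcard
    print(check_cert(BANK_CERT, "online.bank.example", now=_utc(2010, 7, 9)))          # ['certificate expired']
    print(check_cert(BANK_CERT, "enroll.savings.bank.example", now=_utc(2009, 6, 1)))  # hostname mismatch
```

Because the functions take the `getpeercert()` dict, the same `check_cert` can be pointed at a live site by wrapping a socket with `ssl.create_default_context().wrap_socket(...)` and passing `sock.getpeercert()`; note that the default context already performs these checks itself and raises `ssl.SSLCertVerificationError` on exactly the conditions this code reports, which is the library equivalent of the browser warning the post describes.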

You may accuse me of being a Luddite, but I still do a minimal amount of electronic banking. Most of my bills are paid with old-fashioned checks sent via the US Postal Service. If banks want to gain the trust of customers like me, they need to start getting the very basics of security right - regardless of whether or not they are undergoing a merger.
