Skip to content
GeoDataVision
Thread Options
#199977 - 06/14/04 04:28 PM Internet Banking Log In
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
I have seen many websites that have the Internet Banking Login and Password on the homepage. While this is great for customers, and I would love to do it to save the customers time, these user id's and passwords are not sent from a secure site and with no encryption from what I can tell. How are banks doing this? Do they not realize it isn't secure? Or is there something I am missing? Many vendors even use being able to login from the home page as a selling point. Please tell me I am missing the boat somewhere. On my home computer, I have to scan it for spyware and malware every time I use it so that my keystrokes aren't recorded. I can't imagine logging into my account from an unsecure page. (Yes, I have teenagers in the house and I have recently purchased software to help with this and it is working great).

Return to Top
eBanking / Technology
#199978 - 06/14/04 04:44 PM Re: Internet Banking Log In
Anonymous
Unregistered

Excuse my ignorance in advance if my answer makes no sense, but wouldn't a log in page located anywhere within your web site (including home page) be an unsecure page? I mean, you are not within a "secure" section until you actually log in.

Return to Top
#199979 - 06/14/04 05:11 PM Re: Internet Banking Log In
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
No, the way we do it is by clicking on a hyperlink from the homepage to get to the login screen which is secure.

Return to Top
#199980 - 06/14/04 05:14 PM Re: Internet Banking Log In
Anonymous
Unregistered

But still - if getting to the log in page from the home page is just a hyperlink click away, that page is not really secure at all. You may have it set up so someone can not bookmark it, but unless I am missing something, it can not be secure.

Return to Top
#199981 - 06/14/04 06:16 PM Re: Internet Banking Log In
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
Yes, it is as secure as is possible. We use SSL for our login page just like we do for internet banking. The user id and password are encrypted.

Return to Top
#199982 - 06/14/04 06:25 PM Re: Internet Banking Log In
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Entities that 'start' access to home banking from a home page, or any other page, must also use encrypted transmissions or take other appropriate measures to ensure the protection of sensitive information at whatever point that a user name and password are keyed in.

Return to Top
#199983 - 06/14/04 06:35 PM Re: Internet Banking Log In
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
Just gotta say - that picture is really creepy.

Return to Top
#199984 - 06/15/04 08:24 PM Re: Internet Banking Log In
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
I changed the picture.

Back to the subject. A key to determine whether or not you are at a secure page - it will have https, versus http, in the URL - with the "s" meaning that whatever is transmitted from that point is under security parameters. Also, you can verify this by looking at the bottom of your browser - it will have a 'lock' displayed if the page that you are on is a secure page.

Of course, 'secure' is a relative term when it involves the internet.

Return to Top
#199985 - 06/15/04 08:34 PM Re: Internet Banking Log In
Anonymous
Unregistered

Thanks Paragin - that makes a lot of sense (the https, not you changing your picture)

Return to Top
#199986 - 06/15/04 08:41 PM Re: Internet Banking Log In
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
Yes, that's how ours is set-up. I just don't see how other banks, etc., are letting customers log-in on a page that isn't secure and if they even realized that was what they were doing. It is inconvenient for the customers to have to go to another page to log-in and they don't understand why they can't log in from our home page like they can on some other sites. I have explained to them why and told them to go ask their other banks why they aren't protecting the user id and passwords of their customers.

Return to Top
#199987 - 06/15/04 08:45 PM Re: Internet Banking Log In
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
But, customers can bookmark the login page, avoiding your home page, correct? On the other hand, it appears that most customers don't realize that they can bookmark a login page and that's OK as a visit to the home page each time cannot be a bad thing.

Return to Top
#199988 - 06/15/04 08:56 PM Re: Internet Banking Log In
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
I realize that a userID and password login combination is not the panacea, and that one could argue that this type of log-on routine can be defeated, but what else can you really do given that our customers are geographically remote and we can't stifle commerce. It's not like we can enact a biometric solution or some other more robust security measure when customers are coming through the public networks to our controller, IDS and firewall. At that point the customer is no different than an employee who has unique userID and password, which permits access to the "profile" of allowed locations the user can visit with the specific userID and password. Sure, someone with an auto-dialing device (war dialer) could probably eventually guess the userID naming convention and password scheme, but what other method can you really employ if you want to have some degree of ease of use for the customer, while at the same time enacting at least some type of challenge-and-response routine to thwart off the casual troublemaker.

Return to Top
#199989 - 06/15/04 09:04 PM Re: Internet Banking Log In
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

Thanks Paragin





I know that Paragon refers to a model of perfection or excellence, but I'm wondering what Paragin is. That could be like Paraffin as in kerosene (meaning Paragon ignites thought), or it could mean Paradigm (meaning that Paragon encourages positive change), or it could mean that CubDave types too fast.

Return to Top
#199990 - 06/18/04 01:34 PM Re: Internet Banking Log In
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,502
On the Net
I am not a software expert but am told from a good source that some of these login pages are in fact SSL secured. There is a way to add security to an unsecured page and often the page will not show that, as an example, by use of the padlock. I can't say that would protect you against a key logger. I don't know that any thing would based on the few key logger programs I played with.

When someone gets into Internet Banking, they should read the security policy and ask questions if they have any. And banks should do a good job explaining this. I plan to touch on this next week on my Website Auditing Webinar.

And this is a great question by the way.

Return to Top
#199991 - 06/18/04 06:40 PM Re: Internet Banking Log In
hunterath Offline
Junior Member
Joined: Apr 2004
Posts: 43
Kansas
I think you're right, andy. SSL won't do a thing against a keylogger. I believe it only encrypts the transmitted data going between the server and your browser. with a keylogger, your keystrokes are stored in a file on your computer and then covertly emailed. a good firewall *might* catch it if you've configured it correctly, but the best defense against one is not to get infected in the first place. update your operating system and antivirus software routinely.
_________________________
nobody in his right mind would let me express opinions on his behalf (until I pass the bar...)

Return to Top
#199992 - 06/18/04 07:58 PM Re: Internet Banking Log In
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
128-bit encryption must be used for access to our internet banking product (Internet Explorer), so that is another security element to consider or possibly make sure is being used.

Return to Top
#199993 - 06/21/04 08:11 PM Re: Internet Banking Log In
D C Offline
Junior Member
D C
Joined: Feb 2002
Posts: 43
I've seen it explained as using frames technology to divide the screens into various sections. The login section is linked to the secure server and information typed in that frame is encrypted before passing to the secure server. Other frames on the page are informational only and do not require extra security.

Return to Top
#199994 - 06/21/04 10:23 PM Re: Internet Banking Log In
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,502
On the Net
I think some may be encrypted and some may not. The lesson learned is to check and verify, to understand the process and be comfortable with it.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#199995 - 06/24/04 07:55 PM Re: Internet Banking Log In
Tom Royal Offline
New Poster
Joined: Dec 2003
Posts: 2
New Smyrna Beach, Florida
Andy is correct, it is possible to encrypt the login information on a homepage that is not being accessed through the SSL protocol. Without going into all of the technical details, this can be accomplished by a couple of different methods. The simplest method implemented is by using frames on the front page, with the login form actually residing on the internet banking server and being served securely inside a frame. Alternatively there are client-side programming methods that allow you to encrypt/decrypt data before it is transmitted across the internet. Hope that helps.

Return to Top
#199996 - 07/02/04 03:59 PM Re: Internet Banking Log In
Jokerman Offline
10K Club
Joined: Nov 2003
Posts: 12,846
Nevermind.
Last edited by Jokerman; 07/02/04 04:44 PM.
Return to Top
#199997 - 07/02/04 07:05 PM Re: Internet Banking Log In
reinkesd Offline
100 Club
reinkesd
Joined: May 2003
Posts: 232
Connecticut
You guys got it now. That's how we will be accomplishing a home page login on our new site by providing the secure login page as a framed section of the home page.

And, to Dave's question, a secure site is located on a secure server. You don't necessarily need to login to get to the secure page. Think of online shopping, you're bopping along and then it says enter your credit card number. You're now on a secure page (hopefully), but you didn't need to login to get there.

Great discussion.

Return to Top
#199998 - 07/02/04 08:53 PM Re: Internet Banking Log In
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,502
On the Net
Consider these additional issues as you re-do Websites and have secured pages.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#199999 - 07/13/04 03:17 PM Re: Internet Banking Log In
Anonymous
Unregistered

Have you considered using a new technology called "IP Intelligence" or geolocation to improve your login authentication process? Using your online customer's IP address, you can identify your customer's Internet location (city, state, country). The customer doesn't need to provide any additional information since the IP address is automatically provided when they access your site.

Return to Top
#200000 - 08/14/04 06:04 AM Re: Internet Banking Log In
Anonymous
Unregistered

well that seems like a good idea BUT....it doesnt matter if their location is identified because if it is a criminal element, he/she can do damage and be gone...(poof) before anyone gets to them. Dont even mention an international thief....then what? Interpol's reach and speed "aint" up to that challenge yet...

Return to Top

Moderator:  Andy_Z