I have seen many websites that have the Internet Banking Login and Password on the homepage. While this is great for customers, and I would love to do it to save the customers time, these user id's and passwords are not sent from a secure site and with no encryption from what I can tell. How are banks doing this? Do they not realize it isn't secure? Or is there something I am missing? Many vendors even use being able to login from the home page as a selling point. Please tell me I am missing the boat somewhere. On my home computer, I have to scan it for spyware and malware every time I use it so that my keystrokes aren't recorded. I can't imagine logging into my account from an unsecure page. (Yes, I have teenagers in the house and I have recently purchased software to help with this and it is working great).

Excuse my ignorance in advance if my answer makes no sense, but wouldn't a log in page located anywhere within your web site (including home page) be an unsecure page? I mean, you are not within a "secure" section until you actually log in.

No, the way we do it is by clicking on a hyperlink from the homepage to get to the login screen which is secure.

But still - if getting to the log in page from the home page is just a hyperlink click away, that page is not really secure at all. You may have it set up so someone can not bookmark it, but unless I am missing something, it can not be secure.

Yes, it is as secure as is possible. We use SSL for our login page just like we do for internet banking. The user id and password are encrypted.

Entities that 'start' access to home banking from a home page, or any other page, must also use encrypted transmissions or take other appropriate measures to ensure the protection of sensitive information at whatever point that a user name and password are keyed in.

Just gotta say - that picture is really creepy.

I changed the picture.

Back to the subject. A key to determine whether or not you are at a secure page - it will have https, versus http, in the URL - with the "s" meaning that whatever is transmitted from that point is under security parameters. Also, you can verify this by looking at the bottom of your browser - it will have a 'lock' displayed if the page that you are on is a secure page.

Of course, 'secure' is a relative term when it involves the internet.

Thanks Paragin - that makes a lot of sense (the https, not you changing your picture)

Yes, that's how ours is set-up. I just don't see how other banks, etc., are letting customers log-in on a page that isn't secure and if they even realized that was what they were doing. It is inconvenient for the customers to have to go to another page to log-in and they don't understand why they can't log in from our home page like they can on some other sites. I have explained to them why and told them to go ask their other banks why they aren't protecting the user id and passwords of their customers.

But, customers can bookmark the login page, avoiding your home page, correct? On the other hand, it appears that most customers don't realize that they can bookmark a login page and that's OK as a visit to the home page each time cannot be a bad thing.

I realize that a userID and password login combination is not the panacea, and that one could argue that this type of log-on routine can be defeated, but what else can you really do given that our customers are geographically remote and we can't stifle commerce. It's not like we can enact a biometric solution or some other more robust security measure when customers are coming through the public networks to our controller, IDS and firewall. At that point the customer is no different than an employee who has unique userID and password, which permits access to the "profile" of allowed locations the user can visit with the specific userID and password. Sure, someone with an auto-dialing device (war dialer) could probably eventually guess the userID naming convention and password scheme, but what other method can you really employ if you want to have some degree of ease of use for the customer, while at the same time enacting at least some type of challenge-and-response routine to thwart off the casual troublemaker.

I am not a software expert but am told from a good source that some of these login pages are in fact SSL secured. There is a way to add security to an unsecured page and often the page will not show that, as an example, by use of the padlock. I can't say that would protect you against a key logger. I don't know that any thing would based on the few key logger programs I played with.

When someone gets into Internet Banking, they should read the security policy and ask questions if they have any. And banks should do a good job explaining this. I plan to touch on this next week on my Website Auditing Webinar.

And this is a great question by the way.

I think you're right, andy. SSL won't do a thing against a keylogger. I believe it only encrypts the transmitted data going between the server and your browser. with a keylogger, your keystrokes are stored in a file on your computer and then covertly emailed. a good firewall *might* catch it if you've configured it correctly, but the best defense against one is not to get infected in the first place. update your operating system and antivirus software routinely.

128-bit encryption must be used for access to our internet banking product (Internet Explorer), so that is another security element to consider or possibly make sure is being used.

I've seen it explained as using frames technology to divide the screens into various sections. The login section is linked to the secure server and information typed in that frame is encrypted before passing to the secure server. Other frames on the page are informational only and do not require extra security.

I think some may be encrypted and some may not. The lesson learned is to check and verify, to understand the process and be comfortable with it.

Andy is correct, it is possible to encrypt the login information on a homepage that is not being accessed through the SSL protocol. Without going into all of the technical details, this can be accomplished by a couple of different methods. The simplest method implemented is by using frames on the front page, with the login form actually residing on the internet banking server and being served securely inside a frame. Alternatively there are client-side programming methods that allow you to encrypt/decrypt data before it is transmitted across the internet. Hope that helps.

Nevermind.

You guys got it now. That's how we will be accomplishing a home page login on our new site by providing the secure login page as a framed section of the home page.

And, to Dave's question, a secure site is located on a secure server. You don't necessarily need to login to get to the secure page. Think of online shopping, you're bopping along and then it says enter your credit card number. You're now on a secure page (hopefully), but you didn't need to login to get there.

Great discussion.

Consider these additional issues as you re-do Websites and have secured pages.

Have you considered using a new technology called "IP Intelligence" or geolocation to improve your login authentication process? Using your online customer's IP address, you can identify your customer's Internet location (city, state, country). The customer doesn't need to provide any additional information since the IP address is automatically provided when they access your site.

well that seems like a good idea BUT....it doesnt matter if their location is identified because if it is a criminal element, he/she can do damage and be gone...(poof) before anyone gets to them. Dont even mention an international thief....then what? Interpol's reach and speed "aint" up to that challenge yet...