Navy Federal Credit Union Web Site Operating with Security Issue
Online banking users are hopefully aware of the need to log in to their bank's web-based system using secure means, such as via a web site protected using SSL encryption. Every legitimate bank offers such protection, normally disallowing customers from logging in via insecure means. But not every bank appears to be conscious of the myriad potential security risks associated with its site. Navy Federal Credit Union is plagued by a huge security vulnerability on its web site and is possibly the easiest bank on which to perform a phishing expedition.
Updated – August 12, 2009: Added correspondence from the RSA Anti Fraud Command Centre and SliceHost Support regarding a take-down notice and trademark infringement claim. This little article has apparently generated some interest and visibility from an NFCU “security” contractor.
Updated – August 15, 2009: The saga appears to have come to an end as the RSA AFCC responds to SliceHost after TechMiso stipulates the content was not infringing. The attack dogs are ostensibly caged for now.
As web browsers have matured throughout the years their ability to quickly and easily identify secure web sites has gotten exponentially better. Years ago the only way to determine if a genuine SSL connection was established was to look for the lighted “lock” icon in both Internet Explorer and Netscape.
Fast forward to today where all current major browsers display the SSL connection status in the browser location bar. For example, Firefox 3.5 uses the leftmost side of the location bar to visually present the validity of the certificate presented by the server. If a valid Certificate Authority can verify the authenticity of the certificate, if company information is present in the certificate and if the fully qualified domain name on the certificate matches the one in the address bar then the background color of this area is green to let users know they are essentially safe from a potential phishing attack.
Any other combination of the above will result in a different background color, alerting to a probable security issue. At this juncture users should not attempt to login because there is a high risk for their data being stolen or misused.
But even with all the security controls offered by browser vendors, nothing can stop people from forsaking security for convenience. In this case, Navy Federal Credit Union (NFCU) does just that – it offers customers the ability to log in to their web-based banking system from their unsecured home page. How many users merely enter their credentials in the form provided without ever thinking twice about whether the site they are visiting truly is NFCU?
Even though the web browser does not display any sign of a secure connection or an authenticated connection to navyfcu.org, rest assured most users make use of the convenient form on the home page. This is a huge security risk because it is ripe for phishing. By allowing users to log in to an online bank from an insecure, unverified page, those same customers could be tricked into entering their credentials on just about any domain.
To their credit, NFCU does offer the ability to enter login credentials from a secured page. By clicking the home page “sign on” button with an empty form, users are redirected to an SSL-enabled page where they are assured the site being visited is in fact the authentic NFCU web site.
Even though the NFCU home page is unsecured and offers the ability to enter details on a potentially phished page, the form data is in fact submitted via secure means. So although users may use this less-than-secure yet convenient method of logging on to NFCU, their credentials are secure – assuming they are entering the data from the authentic site.
But the secure transportation of data to NFCU is not the issue in question. The issue is the complete and utter disregard NFCU displays for the potential for their customers to be phished by malicious attackers seeking to gain access to NFCU customer accounts. Any bad guy could easily copy the entire contents of the NFCU home page and everybody would be none the wiser because NFCU fails to follow industry standard security best practices.
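The distinction the last few paragraphs draw (credentials typed into a page the browser cannot authenticate, even though the POST itself travels over SSL) is easy to check mechanically. The following is an added example, not code from the original article or from NFCU: a small Python audit that finds every form with a password field on a page and reports whether the page it is rendered on, and the URL it posts to, are both https. The HTML samples and the `example-bank.invalid` host names are constructed for the example.

```python
"""Audit an HTML page for password forms rendered on a page the browser
cannot authenticate.

Added example for this article; not code from the original post or from
NFCU. The HTML samples are constructed to mirror the pattern the article
describes (a password form on an http:// home page whose action posts to
https://); they are not copies of any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []       # dicts: {"action": str, "has_password": bool}
        self._current = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html):
    """Return one finding per password form on the page.

    A form is only "ok" when BOTH the page it is rendered on and the URL it
    posts to are https: the first lets the browser's certificate indicators
    tell the user which site they are typing into, the second protects the
    credentials in transit. The article's case fails the first test even
    though it passes the second.
    """
    finder = LoginFormFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in finder.forms:
        action_url = urljoin(page_url, form["action"])   # "" resolves to the page itself
        action_scheme = urlsplit(action_url).scheme.lower()
        if page_scheme != "https":
            severity, note = "high", "password form rendered on a non-https page (user cannot verify the site)"
        elif action_scheme != "https":
            severity, note = "high", "password form posts to a non-https URL (credentials exposed in transit)"
        else:
            severity, note = "ok", "form rendered on and submitted over https"
        findings.append({"page": page_url, "action": action_url,
                         "severity": severity, "note": note})
    return findings


# Constructed sample: the pattern the article describes. The page is plain
# http, but the form action is https.
HOMEPAGE_HTML = """
<html><body>
<h1>Welcome</h1>
<form action="https://login.example-bank.invalid/signon" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign On">
</form>
</body></html>
"""

# Constructed sample of the layout the article recommends: no credential
# form on the http home page, only a link to the https sign-on page.
FIXED_HOMEPAGE_HTML = """
<html><body>
<h1>Welcome</h1>
<a href="https://login.example-bank.invalid/signon">LOGIN HERE</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_page("http://www.example-bank.invalid/", HOMEPAGE_HTML):
        print(finding["severity"], finding["note"])
    print("fixed page findings:", audit_login_page("http://www.example-bank.invalid/", FIXED_HOMEPAGE_HTML))
```

Run against the first sample the audit reports a high-severity finding even though the action is https, which is exactly the article's point; against the second sample it reports nothing, because there is no credential form on the unauthenticated page at all.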
The best solution to this issue is for NFCU to completely remove the login form from their home page and replace it with a huge “LOGIN HERE” button which, when clicked, takes users to the secure login page. It is easy to implement, can be done in a mere 5 minutes and is exponentially more secure than the current method. Additionally, this mitigates the potential risk from any phishing site because users will be able to identify NFCU via browser security controls.
Alternatively, NFCU can do what Chase has done and merely secure their home page via SSL, redirecting all http visitors to their https site. This approach essentially provides the same level of assurance the previous method does, but in a different manner. Assuring users they are visiting the authentic NFCU home page rather than some mirrored version being run by malicious attackers is the ultimate goal.
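The second remedy above, serving the whole home page over SSL and sending every http visitor to the https site, is a one-rule policy at the web tier. As an added example (not code from the article, from NFCU or from Chase), here is that policy written as a small Python WSGI middleware: any request that arrived over plain http gets a permanent redirect to the same host and path on https, and only https requests reach the application behind it. The host names are constructed placeholders.

```python
"""Redirect every plain-http request to its https equivalent.

Added example for this article, not code from the original post or from
any bank. The wsgi.url_scheme check relies on the server reporting the
scheme of the connection it accepted; behind a TLS-terminating proxy the
server must set it from the proxy's forwarded-proto header, which is a
deployment assumption this example does not handle.
"""
from urllib.parse import quote


def https_redirect_middleware(app):
    """Wrap a WSGI app so that http:// requests receive a 301 to https://."""
    def wrapper(environ, start_response):
        if environ.get("wsgi.url_scheme", "http").lower() == "https":
            return app(environ, start_response)     # already secure: pass through
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME")
        if not host:
            # Without a host we cannot build a trustworthy Location header.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Host header required\n"]
        if host.endswith(":80"):                    # drop the default http port
            host = host.rsplit(":", 1)[0]
        path = quote(environ.get("PATH_INFO") or "/")
        query = environ.get("QUERY_STRING", "")
        location = "https://" + host + path + ("?" + query if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Type", "text/plain")])
        return [b"Redirecting to the secure site\n"]
    return wrapper


def _secure_app(environ, start_response):
    """Constructed stand-in for the real site; only reachable over https."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure home page\n"]


site = https_redirect_middleware(_secure_app)


def call(environ):
    """Exercise the wrapped app without a server: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(site(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed requests: one over http, one over https.
    print(call({"wsgi.url_scheme": "http", "HTTP_HOST": "www.example-bank.invalid",
                "PATH_INFO": "/accounts", "QUERY_STRING": "tab=1"}))
    print(call({"wsgi.url_scheme": "https", "HTTP_HOST": "www.example-bank.invalid",
                "PATH_INFO": "/"}))
```

A 301 is used rather than a 302 so browsers cache the redirect and later visits go straight to https; the `wsgiref.simple_server` module in the standard library can serve `site` directly if you want to watch the redirect happen in a browser.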
The NFCU web site has been run like this for years. Considering today’s climate, I find it very peculiar that they continue to take on such liability and allow their users to be phished so easily. While I am amazed to a degree, it does make sense that NFCU allows this vulnerability to persist, since the average user does not fully comprehend these issues.
If your bank is doing anything similar, ensure you take the necessary steps to protect your login credentials from being phished. Otherwise, if there is no other recourse, close your account and contact the bank to explain that you will no longer conduct business with them due to their lacking security controls.
Update 1 – July 19, 2009. It seems this article generated some interest from the RSA Anti Fraud Command Centre, a company “under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.” It seems they are not too happy with the spirit of this post, which is pretty peculiar considering that we are pointing out a pretty serious, long-standing security flaw with the Navy Federal Credit Union web site. Here is the first email I received from the RSA Anti Fraud Command Centre:
Dear Sirs:
RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.
RSA has been made aware that a domain name, which abuses Navy Federal Credit Union’s trademark, has been registered with you. This domain http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/ not only violates Navy Federal Credit Union’s copyright, trademarks and other intellectual property rights, but may also become a host to a phishing attack, or other fraudulent scams against the bank and the bank’s clients.
The fraudulent website not only represents a misuse of Navy Federal Credit Union’s intellectual property; its purpose is to mislead the Navy Federal Credit Union clients. Our experience has shown that such sites become a host of phishing** and other fraudulent scams against the bank clients.
Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.
We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.
We specifically would ask that you also take the following actions (if relevant or possible):
Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.
If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data relates can be notified and take steps to protect their credit.
Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.
We specifically would ask that you also take provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.
Thank you for your cooperation to prevent and terminate this fraudulent activity.
Sincerely,
RSA Anti Fraud Command Centre
Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: afcc@rsasecurity.com
http://www.rsa.com
For more information about RSA’s AFCC http://www.rsa.com/node.aspx?id=3348
Navy Federal Credit Union Legal Department
contact Julie Griffin
AVP., Telecom
Tel: 703.206.3327/ 571.283.9930/ 703.919.9939
email: Julie_griffin@navyfederal.org
*”Phishing” is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter’s Web site or in a reply e-mail.
At first glance I thought the RSA AFCC email was bogus because of what appears to be some severely lacking English skills. For an official inquiry, the email was peculiarly worded. After all, RSA surely must employ personnel capable of coherent and literate English. It just seemed really odd to go after TechMiso for an article designed to point out a fatal flaw with NFCU’s web site and inform users of a smarter way to log in to the bank’s site.
But after performing a bit of checking I was unable to find anything to truly lead me to believe this was a phishing attempt or a falsified claim. So I immediately responded to the RSA Anti Fraud Command Centre as well as Julie Griffin, the NFCU representative RSA asked me to contact, with the following reply:
Did you people bother to even read the article written at “the domain” specified in your email? Or, do you merely allow your bot to crawl the Internet uninhibited so that it may send out potentially libelous communications without verifying the authenticity of such claims prior to their transmission?
The article, which coincidentally I authored, is written about a web security vulnerability on the navyfcu.org web site. Ironic how a blog devoted to technology is improperly targeted by a business which claims it is under contract with NFCU for “preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims,” especially when the article was written to help shed light on a security issue with NFCU’s web site!
Might I suggest you consider looking at the navyfcu.org web site and resolving the issue I outlined in the article at the URL cited below? More importantly, is it too much to ask that a human actually read the article before an automated bot sends out emails to web site owners without verifying the validity of any potential issues?
If you have a specific claim with the TechMiso article then please kindly clarify your concern without the use of a form letter. We are more than willing to assist because we care about NFCU and its customers, hence the article we wrote which addresses our concern with security vulnerability on navyfcu.org.
TechMiso has no reason to immediately shut down because there is absolutely nothing fraudulent in use. As I mentioned, if you have an issue then please clarify what your concern is.
I look forward to hearing back from you.
Best Regards,
Scott Jarkoff
Faithful NFCU customer
I received the following response from RSA, which essentially completely ignored anything relevant.
Dear Sirs:
RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.
The problem with the material on the blog is that it suggests that Navy Federal’s website is not secure.
You claim in your Blog that you care about NFCU and its customers whereas the blog you wrote only confuses and frightens the customers.
The bank has asked RSA Security to try taking the offending blog down.
It is true that the first page isn’t https secured but it is secured in different ways.
We will forward the complaint to the bank regarding the first login page.
Sincerely,
RSA Anti Fraud Command Centre
Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: afcc@rsasecurity.com
http://www.rsa.com
For more information about RSA’s AFCC http://www.rsa.com/node.aspx?id=3348
Navy Federal Credit Union Legal Department
contact Julie Griffin
AVP., Telecom
Tel: 703.206.3327/ 571.283.9930/ 703.919.9939
email: Julie_griffin@navyfederal.org
*”Phishing” is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter’s Web site or in a reply e-mail.
Their stipulation is that the material on TechMiso suggests the NFCU web site is not secure? Uh, hello – it’s not. If you read the entire article then you will understand why we make the claim we’re making. I wonder if these people are required to pass some form of English comprehension prior to signing on with RSA.
At this point I really questioned whether this was a valid claim or not. It seemed so peculiar, and lacked any legal basis, that I decided to ignore any further emails from the RSA AFCC. I ended up receiving nothing more from this supposed security company.
It was at this point that Jennifer Sadler, someone purporting to be an NFCU Public Relations employee, commented on the blog post, thanking us for the post. As far as I was concerned, this was proof positive that NFCU did not have an issue with the post and recognized the issue with their web site.
Update 2 – August 12, 2009. After figuring that the “fight” with the RSA AFCC was over because I had not heard from them in almost a month, I was very surprised to see an email from SliceHost support with the subject line “Trademark Infringement” sitting in my Inbox this morning. It seems the attack dogs at the RSA AFCC have not had enough miso soup and were back for more.
Apparently not convinced by our earlier conversation, these clowns have resorted to making a trademark infringement claim, most likely on the small little graphic in the upper-right of the post. Fair use? Moron in a hurry test?
Here is the email in full:
Dear Customer,
We have received a complaint alleging that you are infringing on the complainant’s trademark rights. A copy of the complaint is attached hereto.
We have established the following procedure for handling trademark infringement complaints where our customers appear as respondents:
(1) Upon receipt of a complaint, we will forward it to you.
(2) If you agree to take down or otherwise disable access to the allegedly infringing content, we will notify the complainant. If you do not agree to so, we will require that the complainant furnish us with the following information:
a) Federal trademark registration numbers the complainant relies on for his rights in the trademark(s) at issue. The trademark(s) must be registered on the principal register and registrations must be issued and active (not pending, not expired, cancelled, or abandoned).
b) The owner of the furnished trademark registrations as it appears on record with the USPTO. The name of the complainant must appear as the registrant of record.
c) The complainant must submit a statement attesting that, to the best of his knowledge, you do not have any implied or express permission from the complainant or his authorized parties to use the mark(s) nor do you make fair use of the mark(s).
In the event the complainant is unwilling or unable to supply the information, as outlined above, we will not provide assistance.
(3) If the complainant is able to satisfy the above information requirements, we will advise you that the complainant’s asserted rights appear valid and serve you with a 30-day takedown notice. In the event of non-compliance within the 30-day period, and absent any legal process served by you on Rackspace, precluding Rackspace from carrying out the takedown, Rackspace will be required to proceed with disabling access to the allegedly infringing content.
Please be advised that in the event Rackspace has to comply with the takedown demands, and you believe that the complaint is unsubstantiated, Rackspace recommends that you consult with your attorney regarding options relieving Rackspace of such responsibility.
Thank you for your attention to this matter.
Regards,
Renee Graves
Rackspace AUP
——————————————————-
Dear Sirs:
RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.
RSA has been made aware that a domain name, which abuses Navy Federal Credit Union’s trademark, has been registered with you. This domain http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/ not only violates Navy Federal Credit Union’s copyright, trademarks and other intellectual property rights, but may also become a host to a phishing attack, or other fraudulent scams against the bank and the bank’s clients.
The fraudulent website not only represents a misuse of Navy Federal Credit Union’s intellectual property; its purpose is to mislead the Navy Federal Credit Union clients. Our experience has shown that such sites become a host of phishing** and other fraudulent scams against the bank clients.
Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.
We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.
We specifically would ask that you also take the following actions (if relevant or possible):
* Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.
* If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data relates can be notified and take steps to protect their credit.
* Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.
* We specifically would ask that you also take provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.
Thank you for your cooperation to prevent and terminate this fraudulent activity.
Sincerely,
RSA Anti Fraud Command Centre
Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: afcc@rsasecurity.com
http://www.rsa.com
For more information about RSA’s AFCC
http://www.rsa.com/node.aspx?id=3348
[49450]
—-
Slicehost Support
support@slicehost.com
What a complete and utter set of lies by the RSA AFCC! NFCU needs to settle these attack dogs down. What is there to gain by going after TechMiso other than a hot, steaming bowl of miso soup goodness?
I opted not to remove the content and promptly responded to the good folks at SliceHost with the following:
Hello Renee,
Thank you for the email and for contacting me about the trademark complaint submitted by RSA.
I do not agree to take down or disable access to the content specified in the complaint because I stipulate there is no trademark infringement taking place. The content is not an attempt to mislead NFCU clients but, rather, to inform them about a serious long-standing security issue with the NFCU web site. I already rejected the entire claim when RSA contacted me directly.
The article in question displays an image depicting a small portion of the NFCU web site, specifically the account access login form, and is in no way infringing on any NFCU trademarks. The article delves into a long-lasting security issue with the NFCU web site and does not make any attempts to misrepresent NFCU or its trademarks. Our use of any potential NFCU marks under this claim is fair use.
More importantly, the infringement claim does not pass the “moron in a hurry test” at all. Any user visiting the content in question will surely *not* be confused into believing they are at an officially sanctioned NFCU web site. For more information on the “moron in a hurry test” please visit http://en.wikipedia.org/wiki/A_moron_in_a_hurry
As I already mentioned, I have been in contact with RSA regarding this matter. They emailed me directly and I responded saying we will not remove the content because there is no infringement, misrepresentation or attempt to phish NFCU clients. In fact, an NFCU representative that RSA asked us to contact ended up commenting on the blog post, offering thanks for pointing out the security flaw.
In any event, thanks again for the email. Please let me know how you would like to proceed at this point.
Best Regards,
–
Scott Jarkoff
http://techmiso.com/
It should be interesting to see what type of response this generates. I am very interested in pursuing this and seeing how far the rabbit hole leads and where we end up.
Update 3 – August 15, 2009. I had not had an opportunity to update the site yesterday due to a very busy day at work. The latest actually arrived in my inbox Friday morning, August 14, 2009. The most recent email I sent to SliceHost, in response to the take-down notice RSA sent our hosting provider, seems to have convinced RSA to back down. The wonderful folks at SliceHost support sent me the following concise email:
Hello Scott,
I just received the following response from the complainant.
I will go ahead and close the ticket at this time. We will continue to monitor the incoming complaints and will let you know if something arises. Thanks for your cooperation in this matter. If you have any further questions or concerns, please feel free to contact us!
Kindest Regards,
Renee Graves
Rackspace AUP
—————————————————————————————————————
Dear Rack Space Team,
Please disregard the shut down request email below.
Best Regards,
RSA AFCC
I am very glad to see RSA has opted to stop fighting such a pointless battle. They would have made better use of their time and energy working to reconcile the issues with the NFCU web site rather than attempting to silence a blog aimed at helping inform their customers (incidentally, I am an NFCU customer so I care about this stuff) of a long-standing security issue.
I want to thank the SliceHost Support Team for their kind, professional and very helpful assistance with this issue. In this day and age, it is nice to have a provider who comprehends these types of issues and does not automatically act to disable a web site without allowing their customers to first respond to the take-down notice. This is a testament to their excellent customer service, and clearly depicts why SliceHost is one of the most popular web hosts these days.
This entry was posted by Scott Jarkoff on July 18, 2009 at 12:30, and is filed under Articles, Features.