Comments on: Navy Federal Credit Union Web Site Operating with Security Issue

By: Uninstall Program

Uninstall Program — Tue, 29 Jun 2010 19:24:29 +0000

That's so terrible without SSL protection for online banking!

By: Miami Web Design

Miami Web Design — Thu, 29 Apr 2010 13:50:50 +0000

OMG!!!! This is a very long blog. I can't complete it for one day. I need to bookmark it for further reading.

By: m65

m65 — Mon, 26 Apr 2010 08:57:13 +0000

When it comes to banking and people's money there shouldn't be such problems. I use internet banking all the time and if I heard my bank had such a problem I'd probably find myself another one to handle my earnings.

Edwin Kyalangalilwa
kamagra l acne

By: Dubai Job

Dubai Job — Thu, 07 Jan 2010 10:00:57 +0000

lots of credit, thats why we are facing this worst economic
condition these days. i hope we can have a solution regarding
this matter.

By: mfarney

mfarney — Wed, 23 Dec 2009 03:48:25 +0000

By: Chris H

Chris H — Fri, 04 Sep 2009 03:42:24 +0000

I'm glad to see this is resolved! I'm also glad to see that NFCU has finally secured their home page also with SSL. Although they only have secured http://www.navyfederal.org All the other sites (navyfcu.org, nfcu.org, etc) throw SSL certificate errors. Not exactly how I would have configured the web server for best customer experience, but effective.
On another note, if you are online banking no matter what the institution, YOU NEED TO PAY ATTENTION TO EVERY LITTLE ERROR, POP UP AND THE SUCH ON THE WEBSITE!!!! Most folks will ignote the SSL Certificate error that pops up when you visit navyfcu.org, nfcu.org or others. This is not good! If you get a pop up like that, call the institution!! If you don't see the lock icon for the site... Call the institution!! Navy Federal was very succeptable to spoofing and man in the middle attacks by offering the login prompt on an insucure page. Someone could have developed the exact same page and logged all the credentials that were used without even the user knowing.
I have been, and always will be a loyal NFCU member. They're definitely one of the better financial institutions out there.

By: Scott Jarkoff

Scott Jarkoff — Sun, 30 Aug 2009 19:47:24 +0000

While I completely sympathize with your situation, it is not the intent of this post to bring up Navy Federal banking policies.

Our primary concern was the prospect of NFCU customers being phished, no thanks to their shoddy web site security. This appears to have been addressed and we are, as all NFCU customers should be, thankful.

I wish you the best of luck resolving your issue. Nobody should have to deal with incorrect charges, especially if it is the fault of the bank.

By: Scott Jarkoff

Scott Jarkoff — Sun, 30 Aug 2009 19:44:14 +0000

The RSA email sent to our hosting provider, SliceHost, was sent after the purported response by NFCU in the comments. This was part of Update 2 above.

I did not cover the SSL warning because I have not directly run across that issue. Rich had mentioned to me he saw something similar but then realized it was due to http://navyfcu.org/ being the URL used to visit the site rather than http://www.navyfcu.org/. It seems the company is not automatically redirecting the former to the latter as they should, but that should not matter since, as you mentioned, Firefox issues a warning to the user.

By: facebook-500341233

facebook-500341233 — Sun, 30 Aug 2009 19:32:59 +0000

Did the RSA e-mail come before or after the purported response from NFCU in the comments?

Also, have you covered that www.nfcu.org fires a SSL warning on Firefox and iPhone for using the wrong cert? They had this issue fixed, but it popped up again starting about a week or so ago. NavyFederal.org does not fire the warning.

By: facebook-42604282

facebook-42604282 — Fri, 21 Aug 2009 16:49:52 +0000

I am probably a victim of NFCU's security “oversight” and now they are charging ME for their mistake with overcharges totalling close to $300 in one week! Way to treat those serving our Country NFCU.

By: DonaldWelker

DonaldWelker — Thu, 20 Aug 2009 22:49:11 +0000

I would not argue that RSA's claims are not inaccurate and exaggerated, thus my statement that I don't concur with their actions. I am not surprised, because it is my impression that RSA is getting paid to troll the Net looking for their clients' logos being used without express permission, and then to send the sort of notices you received — which would be independent of the actual point of your blog.

You didn't just put the picture up though, you linked it to something other than the logo owner. Now, I would expect that RSA would still have dinged you if you had linked the picture to NFCU, but perhaps it would have been worded differently (I think we both realize those notices are probably scripted). I don't argue that your usage is not fair use; IMO RSA should have referred this to NFCU to decide whether to pursue it or not.

By: Scott Jarkoff

Scott Jarkoff — Tue, 18 Aug 2009 16:07:37 +0000

I'm struggling to follow your logic.

Fair use allows us to use their logo in the manner utilized. We're
using the logo as part of an image of the NFCU web site and nothing
more.

When clicked, the image merely takes visitors to an article on
TechMiso with the design looking absolutely nothing like the official
NFCU web site. Nowhere does TechMiso make an attempt to confuse users
in to believing they are visiting an officially sanctioned NFCU web
site. Furthermore, we make no attempt to phish NFCU customers.

Based on the manner in which you worded your comment, are you
stipulating that the use of any company's logo may only follow what
that company considers acceptable?

Please clarify why you are finding it so difficult to be surprised at
RSA's actions, especially considering _all_ the claims they had
attempted to making.

By: DonaldWelker

DonaldWelker — Tue, 18 Aug 2009 15:55:25 +0000

Why do you suppose that it would be OK with them to post their logo with a hyperlink to anything at all, especially if it wasn't them? Given the way your graphic is configured, I have a hard time being surprised at RSA's action. Not that it's particularly bright, mind you.

By: DonaldWelker

DonaldWelker — Tue, 18 Aug 2009 15:50:53 +0000

NFCU home page is now set to HTTPS.

By: DonaldWelker

DonaldWelker — Tue, 18 Aug 2009 15:44:44 +0000

NFCU has updated their home page to SSL as of this evening (HTTP redirects to HTTPS).

By: NFCUCloudMonitor

NFCUCloudMonitor — Tue, 18 Aug 2009 08:31:43 +0000

Good to see that monitoring the cloud – and listening to sharp members like you, can improve everyone's experience :)

By: Scott Jarkoff

Scott Jarkoff — Mon, 17 Aug 2009 12:33:24 +0000

Thanks for the heads-up about the change. They literally must have
pushed the change out within the last 24 hours. I was logged in to
account access around this time yesterday and the main page did not
redirect to https.

In any event, this change is good news and a win-win for both NFCU
customers _and_ the company. I am glad to see they took the time to do
the right thing.

By: Bradley Evans

Bradley Evans — Mon, 17 Aug 2009 11:28:44 +0000

Looks like Navy Federal's site is now https. Just thought you'd want to know.

By: Bradley Evans

Bradley Evans — Mon, 17 Aug 2009 11:28:24 +0000

Looks like Navy Federal's site is now https. Just thought you'd want to know.

By: Rich Chuckrey

Rich Chuckrey — Sat, 15 Aug 2009 12:07:35 +0000

Good point in that last paragraph, but try putting the 'real' NFCU page side-by-side with a faked (phishing) SSL NFCU page and which one would you rather log into? You would probably ignore the 'real' NFCU page and enter your personal NFCU access number and password into the phishing page with SSL. No?