Comments on: Navy Federal Credit Union Web Site Operating with Security Issue

By: Bank Jobs Dubai

Bank Jobs Dubai — Sat, 30 Jan 2010 09:08:25 +0000

This site will be interesting specially for the student.

By: Dubai Job

Dubai Job — Thu, 07 Jan 2010 10:00:57 +0000

lots of credit, thats why we are facing this worst economic
condition these days. i hope we can have a solution regarding
this matter.

By: mfarney

mfarney — Wed, 23 Dec 2009 03:48:25 +0000

When it comes to banking and people's money there shouldn't be such problems. I use internet banking all the time and if I heard my bank had such a problem I'd probably find myself another one to handle my earnings.
__________________
Mathew Farney - Web Hosting

By: Chris H

Chris H — Fri, 04 Sep 2009 03:42:24 +0000

I'm glad to see this is resolved! I'm also glad to see that NFCU has finally secured their home page also with SSL. Although they only have secured http://www.navyfederal.org All the other sites (navyfcu.org, nfcu.org, etc) throw SSL certificate errors. Not exactly how I would have configured the web server for best customer experience, but effective.
On another note, if you are online banking no matter what the institution, YOU NEED TO PAY ATTENTION TO EVERY LITTLE ERROR, POP UP AND THE SUCH ON THE WEBSITE!!!! Most folks will ignote the SSL Certificate error that pops up when you visit navyfcu.org, nfcu.org or others. This is not good! If you get a pop up like that, call the institution!! If you don't see the lock icon for the site... Call the institution!! Navy Federal was very succeptable to spoofing and man in the middle attacks by offering the login prompt on an insucure page. Someone could have developed the exact same page and logged all the credentials that were used without even the user knowing.
I have been, and always will be a loyal NFCU member. They're definitely one of the better financial institutions out there.

By: Scott Jarkoff

Scott Jarkoff — Sun, 30 Aug 2009 19:47:24 +0000

While I completely sympathize with your situation, it is not the intent of this post to bring up Navy Federal banking policies.

Our primary concern was the prospect of NFCU customers being phished, no thanks to their shoddy web site security. This appears to have been addressed and we are, as all NFCU customers should be, thankful.

I wish you the best of luck resolving your issue. Nobody should have to deal with incorrect charges, especially if it is the fault of the bank.

By: Scott Jarkoff

Scott Jarkoff — Sun, 30 Aug 2009 19:44:14 +0000

The RSA email sent to our hosting provider, SliceHost, was sent after the purported response by NFCU in the comments. This was part of Update 2 above.

I did not cover the SSL warning because I have not directly run across that issue. Rich had mentioned to me he saw something similar but then realized it was due to http://navyfcu.org/ being the URL used to visit the site rather than http://www.navyfcu.org/. It seems the company is not automatically redirecting the former to the latter as they should, but that should not matter since, as you mentioned, Firefox issues a warning to the user.

By: facebook-500341233

facebook-500341233 — Sun, 30 Aug 2009 19:32:59 +0000

Did the RSA e-mail come before or after the purported response from NFCU in the comments?

Also, have you covered that www.nfcu.org fires a SSL warning on Firefox and iPhone for using the wrong cert? They had this issue fixed, but it popped up again starting about a week or so ago. NavyFederal.org does not fire the warning.

By: facebook-42604282

facebook-42604282 — Fri, 21 Aug 2009 16:49:52 +0000

I am probably a victim of NFCU's security “oversight” and now they are charging ME for their mistake with overcharges totalling close to $300 in one week! Way to treat those serving our Country NFCU.

By: DonaldWelker

DonaldWelker — Thu, 20 Aug 2009 22:49:11 +0000

I would not argue that RSA's claims are not inaccurate and exaggerated, thus my statement that I don't concur with their actions. I am not surprised, because it is my impression that RSA is getting paid to troll the Net looking for their clients' logos being used without express permission, and then to send the sort of notices you received — which would be independent of the actual point of your blog.

You didn't just put the picture up though, you linked it to something other than the logo owner. Now, I would expect that RSA would still have dinged you if you had linked the picture to NFCU, but perhaps it would have been worded differently (I think we both realize those notices are probably scripted). I don't argue that your usage is not fair use; IMO RSA should have referred this to NFCU to decide whether to pursue it or not.

By: Scott Jarkoff

Scott Jarkoff — Tue, 18 Aug 2009 16:07:37 +0000

I'm struggling to follow your logic.

Fair use allows us to use their logo in the manner utilized. We're
using the logo as part of an image of the NFCU web site and nothing
more.

When clicked, the image merely takes visitors to an article on
TechMiso with the design looking absolutely nothing like the official
NFCU web site. Nowhere does TechMiso make an attempt to confuse users
in to believing they are visiting an officially sanctioned NFCU web
site. Furthermore, we make no attempt to phish NFCU customers.

Based on the manner in which you worded your comment, are you
stipulating that the use of any company's logo may only follow what
that company considers acceptable?

Please clarify why you are finding it so difficult to be surprised at
RSA's actions, especially considering _all_ the claims they had
attempted to making.