
XML & Web services: Bank of America's home page login fields not secure?

  1. Maybe I'm stupid or something, but when I go to www.bankofAmerica.com, the front page has a login form (where you put in the password and ID) for logging in... but it's over http, not https, and yet they claim that it's secure... Am I missing something?
  2. No, they actually use SSL when submitting the login form.
    Look at the following JavaScript function I took from their front page.
    You see https:// in front of the target pages.


    // Sign-in handler from the home page. getState(), doEditChecksCA() and
    // doEditChecksModel() are defined elsewhere on that page and are not shown here.
    function doSignIn() {

        var state = getState();

        if (state == "") {
            return;
        }
        else if (state == "CA") {
            // Client-side field validation; abort the submit if it fails.
            if (!doEditChecksCA(document.frmSignIn.id.value, document.frmSignIn.pc.value)) { return; }
            document.frmSignIn.Customer_Type.value = "CA";
            document.frmSignIn.Access_ID.value = document.frmSignIn.id.value;
            document.frmSignIn.Current_Passcode.value = document.frmSignIn.pc.value;
            // The form's action is rewritten to an https URL before submit().
            document.frmSignIn.action = "https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller";
        }
        else if ((state == "WA") || (state == "ID")) {
            // WA / ID customers get redirected to external sign in page for NW
            if (confirm('Please click OK to go to the Online Banking Log On page for Washington and Idaho. You will need your account number, social security number and password to sign in. Click Cancel to return to the Bank of America home page.')) {
                location.href = "/state.cgi?section=signin";
            }
            return;
        }
        else if (state == "OR") {
            // OR customers get the Comcard Sign In
            // Comcard edit checks same as CA
            if (!doEditChecksCA(document.frmSignIn.id.value, document.frmSignIn.pc.value)) { return; }
            document.frmSignIn.Customer_Type.value = "COMCARD";
            document.frmSignIn.Access_ID.value = document.frmSignIn.id.value;
            document.frmSignIn.Current_Passcode.value = document.frmSignIn.pc.value;
            document.frmSignIn.action = "https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller";
        }
        else {
            // All other states: "MODEL" customer type, same https target.
            if (!doEditChecksModel(document.frmSignIn.id.value, document.frmSignIn.pc.value)) { return; }
            document.frmSignIn.Customer_Type.value = "MODEL";
            document.frmSignIn.Access_ID.value = document.frmSignIn.id.value;
            document.frmSignIn.Current_Passcode.value = document.frmSignIn.pc.value;
            document.frmSignIn.action = "https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller";
        }

        // Tracking pixel fired on sign-in; the request goes out over plain http.
        imgSignIn = new Image();
        imgSignIn.src = "/images/tracking/homepage_signin.gif";

        // Submit to whatever action was set above.
        document.frmSignIn.submit();

    }
  3. Mmm... I guess that means that as long as the browser knows it's submitting info to https, it'll encrypt the data (what if the cert. is bad on the other end? Does the browser check for that first?). But I thought you have to be in https first and have the little lock at the bottom of your browser in order for the information to be sent securely.
  4. If the certificate is bad, all it will do is flash a message on the screen; the communication is just as encrypted as when the certificate is good.
    All certificates do is offer a guarantee of sorts that the other party is trusted.
    They do not determine whether the encryption happens or not.
    For this reason I make my own certificates for private sites, since you don't have to pay Verisign hundreds of dollars.
  5. Tim,

    What is the process for making certificates for your private sites? Sounds like a great idea.

    Can you point me to some web links perhaps?

    Thanks,
    Mike
  6. We use OpenSSL:
    http://www.openssl.org
  7. A brave title. Can't wait until some Bank Of America tech guy happens upon this thread! :)

    However, the login page is submitted via HTTPS, so it is indeed secure.

    However, the fact that you picked it up like you did highlights an ever present internet issue.

    It hasn't just got to BE secure. It has to FEEL secure.

    Now from what you posted, it didn't make you FEEL secure because the padlock icon was open. There are probably plenty of others who may feel the same way.

    It's a simple enough change to make on a site. Just make the login page https as well. That way the padlock will be all nice and locked, making everyone FEEL secure before they type in the credentials that let them get at their bank accounts...

    But to reiterate: the site does NOT send unencrypted passwords from its login page.

    Chz

    Tony
  8. Totally agree with you, Tony. How many people will go into the JavaScript of the source and make sure the pages are sent securely...?
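The thread turns on two separate questions: will the browser encrypt the credentials (decided solely by the scheme of the form's effective action when submit() runs), and is the page that picks that action itself protected in transit (an http page is not integrity-protected, so the action it ends up with is only as trustworthy as the network path the page took). The script below is an added example, not code from the thread or from Bank of America: it pulls every `.action = "..."` assignment out of page script, the way post 8 describes doing by hand, and reports both properties for each target. The sample script and the empty static action attribute are constructed for the example, since the thread shows neither the form tag nor the full page.

```javascript
// Added example (not from the original thread). Offline audit of a sign-in form:
//  1. extractActionAssignments(): collect the URLs that page script assigns to a
//     form's .action, so the real submit target can be checked without reading all the JS.
//  2. auditSignInForm(): report whether the POST will be encrypted (effective action
//     is https) and, separately, whether the page choosing that action was served over https.

const ACTION_ASSIGNMENT = /\.action\s*=\s*(["'])([^"']+)\1/g;

function extractActionAssignments(jsSource) {
  const found = new Set();
  for (const match of jsSource.matchAll(ACTION_ASSIGNMENT)) {
    found.add(match[2]);
  }
  return [...found];
}

function resolveAction(pageUrl, action) {
  if (!action) return new URL(pageUrl); // empty/missing action posts back to the page itself
  return new URL(action, pageUrl);      // handles absolute, scheme-relative (//host/path) and relative actions
}

function auditSignInForm({ pageUrl, declaredAction, scriptAction }) {
  const page = new URL(pageUrl);
  // A script assignment overrides the static attribute at submit time.
  const effective = resolveAction(pageUrl, scriptAction || declaredAction);
  const credentialsEncrypted = effective.protocol === "https:";
  const pageIntegrityProtected = page.protocol === "https:";

  let verdict;
  if (!credentialsEncrypted) verdict = "cleartext submission";
  else if (!pageIntegrityProtected) verdict = "encrypted submission chosen by an unauthenticated http page";
  else verdict = "https page and https submission";

  return { effectiveAction: effective.href, credentialsEncrypted, pageIntegrityProtected, verdict };
}

// Constructed sample: a cut-down copy of the assignments in the posted doSignIn() function.
const SAMPLE_SCRIPT = `
  document.frmSignIn.action = "https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller";
  location.href = "/state.cgi?section=signin";
  document.frmSignIn.action = "https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller";
`;

function auditHomePageSample() {
  const targets = extractActionAssignments(SAMPLE_SCRIPT);
  return targets.map((target) => auditSignInForm({
    pageUrl: "http://www.bankofamerica.com/",
    declaredAction: "", // assumption: the form's static action attribute is not shown in the thread
    scriptAction: target,
  }));
}

console.log(JSON.stringify(auditHomePageSample(), null, 2));
```

For the sample, the single target resolves to the https sso.login.controller URL, so `credentialsEncrypted` is true while `pageIntegrityProtected` is false: the verdict separates the two properties the thread conflates. Tony's suggested fix (serve the login page over https too) is the change that makes both flags true.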