Monday, March 10, 2008

Chase Website: Secure? Encouraging Good User Behavior?

In the past I've visited the Chase web site occasionally to pay my Mastercard bill, and I've always been struck by how difficult it is to get a secure login at their site. Here's the page one receives upon entry:



Note the pictures of padlocks, but no padlock in the lower right-hand corner of the Firefox window. So, it would be naive to assume they really encrypt the password as it travels from my browser to Chase. Some time back Amazon defaulted to non-secure login, but one could simply click a login button w/o entering any text, and be redirected to a secure login, from which user ID and password could be typed. Does Chase behave like this?



Nope, they insist upon forcing the user to use the insecure login. Or do they? I thought I should verify that Firefox really thinks this is an insecure login:




I don't think I'd suggest this to non-computer professionals, but I visited Google and searched for a secure Chase login:



They suggested https://chaseonline.chase.com, so I visited that page:



This looks better, but notice the slash through the padlock in the lower right. So, some of the page is encrypted, and some isn't. Presumably it's the fluff they send that's not, and my user ID and password, or at least my password, that is. However, a typical user isn't going to have a clue how to verify this, and so just has to trust Chase. Security is hard, and so I have little faith in a company's communications security solution when they decide to go their own way rather than making full use of established standards, e.g., SSL/TLS.

This last login is probably fine, but it's encouraging users--training users--to ignore the security information provided by browsers and just trust the web developers. This means they're training users to be susceptible to phishing attacks and trust the least skilled software developers out there. Maybe not a good practice.

1 comment:

Jeff Martens said...

Chase seems to have fixed their login page, though they lost me as a customer. Good for them.