Thursday, June 30, 2011

How Many Things can Credo Do Wrong in One Billing Cycle Without Actually Phishing?

My latest cell phone bill is here. Yippee. But these folks did so many things wrong that I think I just have to say something. If I call them, they won't listen (actually, Credo might), so I'll write it up here where they almost certainly won't listen.

First, this is from the e-mail informing me that my bill is ready:

Nothing strange here, except when I click on the "sign in" link (something to be done only with care), it didn't take me to Credo Mobile:

Note the URL. Who the heck is I know who it sounds like, and I strongly suspect it's really Credo, but they think it's a good idea for me to click on a link that takes me to a web site I have never before seen, and then provide my login credentials? Credo is training users to fall for phishing attacks.

Not comfortable with that, I type the correct address into my browser. This is the page I get:

Note the Member Sign-In box at the lower right, and also note that there is no indication in the address bar of HTTPS in use. This amateur behavior is not new to Credo. At least one other outfit that I do online transactions with does this same thing; I'll post on that later. Sites that try to get users to submit passwords seemingly in the clear often have a more secure failure mode. For example, if I provide my cell number but omit the password, I get here:

That's not really my phone number. Every month I get to see the same error message, but it's worth it to see the green https:// in the address bar before proceeding.
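An added check, not code from the original post, for the kind of sign-in box described here: it parses a page's HTML for forms that carry a password field and reports whether the page itself, or the form's action, is served over plain HTTP. The URL and markup below are constructed to mirror the description and are not Credo's actual site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    # Collects every <form> containing a password field, with its resolved action URL.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # No action attribute means the form posts back to the page's own URL;
            # urljoin also resolves relative actions against the page URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form: its action URL and a list of problems."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        problems = []
        if urlsplit(page_url).scheme != "https":
            # An HTTP page can be altered in transit, and the user sees no lock icon.
            problems.append("login form delivered over plain HTTP")
        if urlsplit(form["action"]).scheme != "https":
            problems.append("credentials submitted over plain HTTP")
        findings.append({"action": form["action"], "problems": problems})
    return findings


# Constructed sample modelled on the page described above (not Credo's real markup):
# an HTTP home page whose sign-in box posts to an HTTPS endpoint, plus a harmless search form.
SAMPLE_URL = "http://www.example-carrier.test/"
SAMPLE_HTML = ('<form action="https://secure.example-carrier.test/login" method="post">'
               '<input name="phone"><input type="password" name="pw"></form>'
               '<form action="/search"><input name="q"></form>')
```

Running `audit_login_forms(SAMPLE_URL, SAMPLE_HTML)` flags the sign-in form for being delivered over HTTP even though its action is HTTPS, which is exactly the situation the address bar gives no hint about.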

1 comment:

lukeness said...

There's a slightly easier way: Click on Member Services near the upper right corner, then either Personal or Business accounts (whatever applies to you). That brings you to a login page with https.