Are Banks Scrimping On Web Security?

According to a report on CNNMoney, many of the nation’s biggest banks are using less than “best practice” methods to keep their websites safe.

On the list are Capital One, JPMorgan Chase, SunTrust, and Wells Fargo – though reportedly the two worst offenders are HSBC and TD Bank. In the case of HSBC and TD, neither homepage secures a private connection with customers, leaving those customers open to logging into fake websites run by cyberthieves.

Is anyone doing it totally right? Yes – BNY Mellon (BK) and PNC (PNC).

Using https:// rather than http:// is the difference between a secured session and an open session that anyone on the Web can spy on — and in banking, using it is considered a bare minimum, much as putting a front door on one’s house is the bare minimum for physical security.

HSBC and TD banks have decided that they don’t need a front door — or at least not one that is immediately apparent.

HSBC.com users are redirected twice before the session starts communicating securely. TDBank.com customers must click on a “login” button to start a private session. Until then, anyone on the same Wi-Fi or corporate network can intercept the Internet session and substitute a fake bank page.

Jason Sabin, chief security officer of DigiCert, which provides websites with secure certificates, told CNNMoney that websites learned to secure their front doors a decade ago.

TD Bank has said it’s working on implementing this extra security measure on its website. HSBC does not claim to be fixing the problem, but does say that it makes life hard for hackers in other parts of its site security. HSBC requires that customers use a special device or banking app to log in. This gives customers a second, temporary passcode.

“That’s not OK. They should be using https throughout their site. It doesn’t cost any more,” Sabin said in an interview.

However, while the unsecured homepage is the most glaring issue, outdated encryption is a more widespread one, shared by all the banks called out in the report.

Websites rely on certificates, which are in turn protected by encryption, which turns plain text into jumbled code. But encryption algorithms need to improve if they want to stay ahead of hackers.

The majority of banks have failed to upgrade their websites, even though it’s often a cheap — or, at times, free — and easy process.

Pressure to see that problem fixed is mounting, and Google Chrome is adding to it. If you visit Chase.com, the browser displays a warning sign next to the website address.

“Your connection may not be private,” the site warns. “Your connection to www.chase.com is encrypted with obsolete cryptography.”

As of today, this encryption is dated, but not ineffective – there is no evidence that hackers can get through it yet. But, according to some experts, it is only a matter of time before they do.

“[Banks are saying] Hey, there’s a crack in the plane, but we won’t fix it because we don’t think it’ll cause the plane to crash today,” cybersecurity expert Robert Graham said, according to CNN Money.

American Express, Bank of America, Citibank and U.S. Bank reportedly have a similar issue with the type of encryption they use — though it’s not as serious as issues seen on other banks’ sites.

All banks assured CNNMoney that their customers are secure online. Additionally, JPMorgan Chase and TD Bank say they’re currently working on upgrading to SHA-2 (a more secure encryption). The other banks declined to say when they’ll update their systems.
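The two problems the report describes, a homepage that only becomes HTTPS after plaintext redirects and a certificate still signed with SHA-1 rather than SHA-2, can both be checked mechanically. The following is an added example (not code from CNNMoney or any of the banks named); the certificate bytes and redirect chain are constructed inputs, and the minimal DER walker only reads the signatureAlgorithm field of an X.509 certificate, so it is not a general-purpose parser.

```python
from urllib.parse import urlsplit

# OIDs seen in the X.509 signatureAlgorithm field, and whether each uses SHA-2.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """DER OID content bytes -> dotted string such as '1.2.840.113549.1.1.5'."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(der):
    """Name and SHA-2 status of the algorithm a DER certificate was signed with.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, cert, _ = _tlv(der, 0)       # outer SEQUENCE
    _, _, pos = _tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = _decode_oid(oid)
    return SIG_ALGS.get(dotted, ("unknown " + dotted, False))

def homepage_findings(redirect_chain):
    """Describe how a visit starting at redirect_chain[0] reaches HTTPS, if ever."""
    https_at = next((i for i, u in enumerate(redirect_chain)
                     if urlsplit(u).scheme == "https"), None)
    if https_at is None:
        return ["session never becomes HTTPS"]
    return [f"{https_at} plaintext hop(s) before HTTPS"] if https_at else []

# Constructed inputs, not real bank data: a skeleton certificate whose only populated
# field is signatureAlgorithm (sha1WithRSA), and a chain with two plaintext redirects.
SHA1_CERT = bytes.fromhex("30153000300d06092a864886f70d0101050500030200ff")
SAMPLE_CHAIN = ["http://www.example-bank.invalid/", "http://online.example-bank.invalid/",
                "https://online.example-bank.invalid/login"]
```

In practice the inputs come from a real connection: the DER certificate from `ssl.SSLSocket.getpeercert(binary_form=True)` and the chain from following the homepage’s HTTP redirects one hop at a time.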
