Banks still don’t get security for their online sites. A long time ago, I signed up for online banking with BANK_X (I’m not giving out any information that would help phishers here) and noticed some worrisome signs, including a sudden increase in directed phishing spam, so I cancelled the service. About a decade later I figured they might have improved things, so I tried again. It’s a little better, but there’s still at least one significant problem.
After getting my account initially working, I had to activate the bill payment feature separately. This involved a delay, and I got an email from “Bill Pay” this morning saying it had been activated. It’s a lucky thing the email from Mr. Pay didn’t get marked as spam.
I logged into my account in the usual way, from the bank’s website (never blindly click on email links!) and found that the page didn’t look the same as usual. Only my checking account was showing; and then I noticed I was in a different domain from the one that normally services my online banking. I was logged out in the middle of navigating it, and I went back to the BANK_X site and logged in again. This time things looked normal. This had me worried, so I sent an in-site message stating my concern. The response said that I should be seeing the image I had selected when setting up the account on each page, and if I wasn’t seeing it, there might be a security problem.
I discovered that by clicking on the bill payment tab I got taken to the same odd-looking page on a different domain as before, and confirmed my recollection that I wasn’t seeing the image in question. This was sounding seriously worrisome, so I called the bank. The person I talked with told me that behavior sounded wrong and asked me to try again from another computer. I booted up my laptop, found the same behavior there, and called back. The person who answered this time got the information from the one I’d talked to at first, and this time I was talking with someone who understood the system better. She said that bill payment is in fact handled by a different service, and that I won’t see the selected image there. I pointed out that this was contrary to to the instructions on the BANK_X website; she agreed with me and suggested I send in feedback, which I’ll be doing shortly.
Most customers are oblivious to all suspicious behavior on a bank’s website and will just forge blindly ahead, which is why phishers are able to scam people so easily.
I have serious doubts about using this bill payment service, even after my most pressing fears were assuaged.
Update: A representative of BANK_X replied to my feedback and said that once you’ve logged in and see the security image once, nothing can possibly go wrong, so you don’t need to see the security image again and you shouldn’t worry if you find yourself on a different domain. Idiots.