We highlight commercial websites that are unreasonably hard to use, don't work properly, or don't actually offer what they promise. It's a way for web developers everywhere to learn what kind of mistakes they should avoid -- and of course, an opportunity for the companies listed here to fix the problems we document. |
The Problems Fixed Sites! How to not wind up here Other Resources |
Big Security VulnerabilityChase.comreviewed Nov., 2007 Most of the problems we list on this site merely leave the user annoyed, thwarted, or frustrated. But in this case the problem is more serious: At Chase.com, customers' financial information is at risk. Sensitive pages are supposed to use a secure protocol, which means that the information traveling between the user's computer and the server is scrambled, so anyone who steals the info in transit just gets scrambled data that they can't don anything with. You'll know you're on a secure page when the address bar starts with https://, not just http:// (note the "s", which stands for "secure"). But Chase's home page, which includes the login form, is not secure. There's no "s" in the http. That means the customer's login is vulnerable to being stolen. When the user submits the form the username & password is supposed to be sent to https://chase.com. The problem with this is that there's no guarantee that the form will really go to Chase. Since the login page itself is insecure, a hacker could modify the page before it's delivered to the user, changing the form so that it will send the login info to his own server instead of Chase's. He could change the form so that instead of pointing to https://Chase.com, it goes to https://HackersWebsite.com. This problem is serious enough that Netcraft and Microsoft have been telling companies for years not to leave their logins vulnerable the way that Chase does. It gets worse: Not only is Chase playing fast and loose with customer's login information, they're publicly proclaiming otherwise. A link called "Ways we protect you" under the login form goes to a page (in an annoying popup window) that tells the customer that "Chase Online Banking uses Secure Socket Layer (SSL) technology to encrypt your personal information such as User IDs, passwords and account information over the Internet," and goes on to provide reassurance that Chase's methods mean that customers' financial data is safe. That reassurance is a lie. Chase's method of security is like being in a house with two doors and locking only one of them. Or, it's like their promising to send an armored truck to your home to pick up a cash deposit, but the truck could be operated by a gang of criminals rather than by the bank. Your money could be carried away "safely", but not by the people you thought you were giving it to. It gets even worse. We personally informed multiple Chase managers of this problem starting over two years ago, but they haven't bothered to address it. How Chase can fix this problemChase has two different ways it could fix this problem:
What Chase customers can do
|