Problem Websites!


We highlight commercial websites that are unreasonably hard to use, don't work properly, or don't actually offer what they promise. It's a way for web developers everywhere to learn what kind of mistakes they should avoid -- and of course, an opportunity for the companies listed here to fix the problems we document.

Fixed!

Big Security Vulnerability

University Federal Credit Union

reviewed Dec. 29, 2006
fixed July 2007

The customer login on UFCU's website was insecure, making it a target for hackers. We reported this problem to them years ago, but they were seemingly unconcerned. Then, after we reported that problem to the world here, UFCU fixed it a few months later.

True, their fix leaves a bit to be desired -- customers now have to go through a multi-page login process, and UFCU uses a confusing (to the customer) "multi-factor authentication" system, but at least the login is finally secure, so we won't quibble over the details now.


Original Report

Most of the problems we list on this site merely leave the user annoyed, thwarted, or frustrated. But in this case the problem is more serious: At University Federal Credit Union's website, customers' financial information is at risk.

Sensitive pages are supposed to use a secure protocol, which means that the information traveling between the user's computer and the server is scrambled (encrypted), so anyone who steals the info in transit just gets scrambled data that they can't do anything with. You'll know you're on a secure page when the address bar starts with https://, not just http:// (note the "s", which stands for "secure").

But UFCU's home page, which includes the login form, is not secure. There's no "s" in the http. That means the customer's login is vulnerable to being stolen.

UFCU says this is not a problem because the login form itself is secure. That is, when the user submits the form, the username and password are supposed to be sent to https://ufcu.org. The problem with this is that there's no guarantee that the form will really go to UFCU. Since the login page itself is insecure, a hacker could modify the page before it's delivered to the user, changing the form so that it will send the login info to his own server instead of UFCU's. He could change the form so that instead of pointing to https://UFCU.org, it goes to https://HackersWebsite.com.

So UFCU's insistence that everything is fine because the form is secure is ridiculous. It's like their promising to send an armored truck to your home to pick up a cash deposit, but the truck could be operated by a gang of criminals rather than by the credit union. Your money could be carried away "safely", but not by the people you thought you were giving it to.

This problem is serious enough that Netcraft and Microsoft have been telling companies for years not to leave their logins vulnerable the way that UFCU does.

It gets worse: Not only is UFCU playing fast and loose with customers' login information, they're publicly proclaiming otherwise. A link called "Security" under the login form goes to a page that tells the customer that "We use proven techniques to ensure your online transactions are secure," and goes on to provide reassurance that UFCU's methods mean that customers' financial data is safe. That reassurance is a lie.

It gets even worse. We personally informed UFCU of this problem well over a year ago, but they haven't bothered to address it.

To: University Federal Credit Union
Sent: Sunday, September 18, 2005 2:33 AM
Subject: Poor security at UFCU.org

The customer login on UFCU's website is insecure, notwithstanding the incorrect explanation at <http://ufcu.org/security.php>. It's true that the connection is secure once the user clicks the Login/Submit button, but there's no guarantee that the form is actually submitted to UFCU, rather than to a hacker who changed the form before it got to the customer's browser. This is possible because the login form itself isn't on a secure page.

UFCU should either put the home page on a secure server, or have the customer click from the home page to a separate login page that's a secure page.....

This is more serious than you may realize. I can easily imagine a lawsuit the first time a customer's account gets cleaned out based on UFCU's negligence.

This problem is described in more detail at http://news.netcraft.com/archives/2005/08/23/banks_shifting_logins_to_nonssl_pages.html

Please let me know whether UFCU intends to address this problem, and if so on what timetable....

 

How UFCU can fix this problem

UFCU has two different ways it could fix this problem:
  • Put its home page on a secure server (https://)
  • Remove the login form from the home page, and have a link to a secure login page

 

What UFCU customers can do

  • Share your concerns with UFCU. Of course, they didn't listen to us, Netcraft, or Microsoft, so you might not fare much better. But if a larger number of customers complain, then UFCU might take notice.
  • Bank elsewhere. It's not unreasonable to feel that a financial institution that plays fast and loose with your login information doesn't deserve your business.
  • Find the secure page before logging in. If you decide to remain at UFCU, there's a trick you can use to force the site to give you a secure login page. From the home page, click the "Sign In" button without typing in your account name or password. That will take you to a "Wrong login, please try again" page, but that page is secure, so you can safely log in there.