Slashdot Mirror

Average end user doesn't even notice when a major site isn't EV

It is literally the difference between a greenlock, and half the URL bar lit up in bright green displaying the full registered company name.

It is a far more obvious change than an s in the URL, or a tiny colour. In some browsers an EV certificate will replace the entire URL. This is about the most obvious thing available in terms of informing users about encryption that we have come up with. Users have historically taken on the in retrospect incorrect advice of looking for the encryption lock leading to fraudsters obtaining DV certificates in an attempt to continue to look legitimate.

It is 2018. The age of blaming users for being blind is over. Vendors have provided the tools to very easily identify the information needed and it is now up to me and you to educate users about what to look for in their legitimacy of their website.

Seriously it doesn't take much effort. Which one is more legit when displayed to the user:
Secure: https://www.banksofaamerica.co...
Bank of America Corporation [US]: https://www.bankofamerica.com/

Claiming the users can't tell the difference is just silly.

The green lock only appears for sites with Extended Validation.

No it doesn't.

Domain Validation only requires that you control the domain to get the cert. It doesn't give you a green lock.

Yes it does.

Organization Validation has some checks and requires proof of control of the domain. It doesn't give you a green lock.

Yes it does.

Your advice is only true for users of Microsoft browsers and covers 20% of the market share. The green lock is provided to any encrypted connection with a valid certificate chain in Firefox, Chrome, and Safari. The entire concept of telling people to look at a colour or a symbol was completely stupid in the first place as colour doesn't convey information of "who" but only "what". If someone incorrectly gets an EV certificate due to an oversight at a CA (happens often enough) then this can be identified with actual text but not with colour alone.

Modern browsers use the colour to identify encryption and certificate validity and then use actual verified text to identify the organisation the certificate was issued to (for OV and EV certs).
e.g.
https://www.slashdot.org/ - Green lock "Secure"
https://www.bankofamerica.com/ - Green lock "Bank of America Corporation [US]

The outlier is Internet Explorer 11 and Edge which only uses the green colour on an EV certificate, but otherwise still provides EV information in the address bar like all the other browsers.

There is a solution to this: have two grades of certificates

You're right. There is a solution to this. It was developed 12 years ago in the form of EV certificates and has been in use for a long while along with a far better indicator than the one you proposed:

If you go to https://www.slashdot.org/ you will see a little green lock and the word "Secure"
If you go to https://www.bankofamerica.com/ you will see a little green lock and the words "Bank of America Corporation [US]"

No need for any fancy domain name URL checking.

Just use this: https://www.bankofamerica.com/...

Bank of America MasterCard. They have a feature called ShopSafe whereby you can create multiple virtual credit cards (linked to your real CC) for use online. You simple specify the amount and duration and new CC and CVV/CVC numbers are generated. As a bonus, only the first vendor to use a virtual card can use that card. You can bump the limit and/or expiration date and "delete" the virtual card at any time.

That's what I was describing above. Almost perfect, except, "Please note that ShopSafe requires you to have Adobe Flash installed on your computer. Download Adobe Flash" :(

There is risk in everything. Understand the type and extent of those risks. For example, you could get hit by a car while trying to pay a bill in person and die or end up in the with hospital with thousands of $$ in bills. Paying by check or online looks pretty safe by comparison.

Furthermore, paying with a credit card limits your risk to $50 for fraudulent charges - just check your statement every month. If you're really paranoid, get a Bank of America MasterCard. They have a feature called ShopSafe whereby you can create multiple virtual credit cards (linked to your real CC) for use online. You simple specify the amount and duration and new CC and CVV/CVC numbers are generated. As a bonus, only the first vendor to use a virtual card can use that card. You can bump the limit and/or expiration date and "delete" the virtual card at any time.

Bank of America already offers this

http://promo.bankofamerica.com...

Some of it was caused by Mom&Dad being able to take out cheap home equity loans on their homes. The crash in 2008 kind of brought some of that to an end.

I know it's off topic, but FYI, those are coming back. Working in the banking sector, I've been hearing since last year that banks are starting to push low APR home equity loans again. A lot of online lending portals like LendingTree and personalized bank sites like Bank of America's are now advertising HELOC loans a lot more.

https://www.bankofamerica.com/...

Yeah you're exactly right, the half of the population who click on anything would totally not do that if only they could see the protocol. Because that's what was keeping everyone safe for so many years back in the halcyon days of innocence when everyone used IE6 and malware was non-existent.

Even if you're dumb enough to click anything and everything, your brain is pretty good at pattern matching. Even the worst offenders when it comes to irresponsible computer usage generally at least subconsciously notice when a URL says something like somenefariousprotocol://Bank0fAmerica.com instead of https://bankofamerica.com./ Speaking from some pretty extensive experience scamming people in EvE Online, I can tell you that even the slightest deviation from what's expected by the target (even if it's not something they're normally consciously aware of) is often enough to jog even the dumbest persons brain into suspicious mode (and if not that, at least a more observative mode) and ruin the entire thing.

Bank of America offers ShopSafe (perhaps others offer something similar) that allows one to create a virtual CC (with unique number and CSC) associated with your real CC. You can set the dollar and expiration limits on the vCC and only the first vendor that charges to it is allow to make subsequent changes. You can even manually close the card before is expires. When I shop at a new online store, especially for a one-time purchase, I do this. Vendors can't make recurring charges to a closed CC.

You can buy "prepaid" cards to load finds for purchases made via their respective "stores".

I cannot imagine any situation where you would register a real world credit card to allow direct charges with either of them.

It's sad that people blindly accept that giving a service provider direct access to their credit card or bank account number is a suitable way to pay anything, and its what leads to situations just like this one.

My son has an iPhone. It has a preloaded balance. It CANNOT spend anymore than that. If he runs low he can ask me for a another iTunes card.

I have an Android phone. Same setup - preloaded balance that it CANNOT exceed. It does not have the ability to use anymore than the balance that I have loaded, which I (and ONLY *I*) can replenish as needed

For any service that will not bill any way OTHER than to a credit card, or for any online purchase, I use this:

https://www.bankofamerica.com/...

Individual CC's per transaction have already been here and gone. One example is here: https://www.bankofamerica.com/...

Not all, and not even the largest. From the Bank of America site (emphasis mine):

What's the difference between chip & signature and chip & PIN? Does my card have a PIN?
Chip & PIN is a very similar technology, except that you use a PIN to complete a purchase instead of a signature. Both chip & PIN and chip & signature offer enhanced security against counterfeiting compared to traditional magnetic stripe-only cards. Bank of America does not currently offer chip & PIN technology.

On the otherhand, if you use BofA's shopsafe for overseas online purchases - which requires you to login and generate a new single-use CC# each time - they will still shutdown your card every single time. You have to call them to re-enable it and prove your identity by telling them information that is available to anyone who can log in to the shopsafe system.

And they also give you that obnoxious line about how it is for your protection when in fact it is all about them protecting themselves at your inconvenience.

the most likely scenario for paying for the switch is that banks will offer their customers a "New, more secure card!" for the low, low price of ($10? $20?).

They don't cost any more than non-chip cards. I requested EMV cards from both Citibank and Bank of America (via online account management) and didn't have to pay anything.

Bank of America is doing Chip & Signature.

Bank Of America is planning to support Chip & Signature, not chip & PIN.

BoA eventually dropped the smartcard feature as an offering (probably due to cost and lack of POS adoption).

No, most Bank of America cards are available with the chip. View the list of all cards, then click the "More filters" link at the left, and one of the options you can check is "Chip Cards". I count 14 chip cards out of 21 total.

> Do the feds or any states consider cloned cards to be presumptively instruments of fraud?

Of course, and why not? It is certainly breach of contract, and there are many ways it could be used to defraud. It is hard to imagine a legitimate use, and even then it remains breach of contract. If you want a second card, just ask your bank, they are usually happy to help.

I'm sure that others differ a bit; and there are, no doubt, 2,634 pages of fine print and a mandatory binding arbitration process if they feel the need; but I grovelled through this sample contract, and the only references to the card concerned a demand to destroy it upon involuntary termination of the contract, the ability of the issuer to issue a new card (superseding the old) at any time and for any reason, and the possibility of incurring liability if an 'authorized user' of the account retains possession of the card and you are unable to retrieve it. Absolutely nothing about cloning, or even any broader references to not making 'card not present' transactions when it would be possible to present the card, or anything of that nature.

There really should be a more convenient way ... to send money to someone else, without giving them your credit card specifics. Visa, MasterCard, Amex, (and the others) should be providing this as a service to the cardholders ...

Not exactly what you asked for but... at least one MasterCard vendor (Bank of America) offers Shop Safe enabling you to create temporary virtual CC numbers tied to your real CC. Each number includes a CCID and allows you to specify a credit limit and expiration date (2 months to 1 year, but you can delete it anytime). The virtual card is locked to the first merchant to charge against it.

What we need is a number that can be given out but links to one merchant only. So if these numbers are retrieved by a third party damage is limited as they can only be used on the original site, and it would be trivial to revoke them when the intrusion was discovered.

I know everyone hates on Bank of America, but they have exactly that. It's the main reason I didn't cancel my account there (during all of the other recent issues they've had) - the ShopSafe system they have for their CCs is pretty amazing. You generate a new CC# for online purchases. Once it has been used once, it's linked to that merchant, and will fail if any other merchant attempts to use it (which can be a bit of a hassle on occasion -- Amazon is not the same as Amazon Kindle is not the same as Amazon Marketplace, even if all of those are in a single account system from my perspective -- also fails if the merchant ever randomly changes their listed name or accounts on their end).

I won't defend anything else they may or may not do, since I barely touch most of their services, but as a basic direct-deposit-account-and-credit-card service they've been pretty good for me and the ShopSafe option is pretty cool (and likely patented or something which would explain no other institution managing to do it).

I'm sure Google has a similar thing going on like Facebook where companies can pay extra $$$ to get unfettered access to the data as part of "we may share your data with interested third parties".

No they absolutely do not: "We do not share personal information with companies, organizations and individuals outside of Google" (Ref: http://www.google.com/policies/privacy/). There is no "we may share your data with third-parties" clause in the Google privacy policy, unlike almost every other company out there. Read the links carefully and you will see that Google has one of the best privacy policies (at least in terms on sharing information with third parties). Also note that some of these companies have way more personal and sensitive information about you that Google.

Disclaimers:
      * I work at Google
      * These are entirely my own views and opinions and do not represent Google's in any way.

Bank of America offers something they're calling a "Safepass Card", which looks suspiciously like SecurID to me.

Like this: https://www.citibank.com/us/cards/vanpromo/cmc_pop/index2.htm
or http://www.bankofamerica.com/privacy/index.cfm?template=learn_about_shopsafe
etc...

Such a system already exists. It was developed by an irish company called Orbiscom which was recently bought-out by Mastercard.
It's got different names - disposable credit cards, one-time use credit cards, Controlled Payment Numbers, etc. Bank of America call's theirs ShopSafe, Citibank calls theirs Virtual Account Numbers. I believe PayPal and Discover have their programs too -- all based on Orbiscom's technology.

It works pretty much exactly the way you described - you log into your account, generate a new CC# with a maximum limit and expiration date that you specify. Then the first merchant account that posts a charge to the number becomes the only merchant account that post any more charges to that number. So even if the number does get stolen, it isn't any good to the thieves. Other than those limitations, for all intents and purposes, it is just a regular credit card. Most merchants can't even tell the difference.

I've been using ShopSafe for well over a decade now and have never had a fraudulent charge. The only problems I've had have been when the merchant is sloppy and double-charges with the intent of cancelling the first charge - Parts-express.com is the only merchant that I know which does that for all of their transactions and fixing it was simple enough - I just double the max limit on the CC#.

Not the AC, but I know Bank of America does it. I'm sure there are others.

More money into the FBI White Collar Division

And then they can fight the threat of private currencies. Or did you actually think an expanded financial crime unit would go after real criminals?

Why do you think they're called Banksters?

Yours On Wall Street,
Philboyd Studge

FWIW, this Bank of America page says that "employee theft accounts for 44 percent of all retail loss in the United States", with customer shoplifting at 32.7% and other factors making up the rest. So no, it's probably not a real statistic, but employee theft seems to do more damage.

(And yeah, most American retailers make a policy of treating their employees like crap.)

https://www1.bankofamerica.com/foundation/index.cfm?template=contact_us_here

Let them know what you think of their decision and that you'll be closing all your accounts with them.

Spot-on, Force-tls actually prevents DNS spoffing attacks and nothing more. Say you try to visit http://www.bankofamerica.com/ from starbucks, someone might spoof the dns and redirect you to their own page rather than https://www.bankofamerica.com/ . Force-tls prevents this by not requesting for the http page and directly requesting for the secure page (it knows for what pages it has to request using https, by remembering the last time you visited the site (to be more specific, whether the site had sent a X-Force-TLS when you had visited them before)).

Spot-on, Force-tls actually prevents DNS spoffing attacks and nothing more. Say you try to visit http://www.bankofamerica.com/ from starbucks, someone might spoof the dns and redirect you to their own page rather than https://www.bankofamerica.com/ . Force-tls prevents this by not requesting for the http page and directly requesting for the secure page (it knows for what pages it has to request using https, by remembering the last time you visited the site (to be more specific, whether the site had sent a X-Force-TLS when you had visited them before)).

BOA does this already if you're in the US.

Citibank, Citicard virtual account numbers.

Bank of America ShopSafe

For Bank of America customers, this service is available as well.

I've incurred overdraft fees based on merchant error a number of times, and every bank I have ever had has done everything they can to screw their customers out of as much money as possible. EA expecting banks to refund overdraft fees is like asking EA to ... I don't know ... behave like a company that cares about its customers.

http://en.wikipedia.org/wiki/Wire_transfer

http://www.bankofamerica.com/deposits/checksave/index.cfm?template=lc_faq_wire

https://www.wellsfargo.com/investing/styles/wt/com_fees/fees

https://online.citibank.com/JRS/portal/template.do?ID=MoneyXfrCompare

This is just to name a few.

Citibank, Bank of America, Discover and Paypal all offer disposable card numbers. American Express used to, but apparently stopped around 2004.

ShopSafe Bank of America and Charles Schwab credit cards both have it.

It generates a unique credit card number with a limit & expiration date you choose. And for extra safety it can only be used by one merchant.

This would stop would stop the bogus actions described in the article. And it's really the only way to do online shopping.... it doesn't matter if the merchant loses the card number because its only usable by that merchant and you've hopefully set the limit at just enough for the purchase.

Here's anonomyzed emails for online statements from two major American banks.

Bank of America
Dear [NAME]:

Your most recent [ACCOUNT TYPE] statement for [ACCOUNT TYPE] ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER] is now available to view online.

To access your statement, just click on the link below.
You will be asked to enter your Online Banking ID and Passcode.

Remember: Always look for your SiteKey before you enter your Passcode.

http://www.bankofamerica.com?state= [STATE] &estatement= [LAST FOUR DIGITS OF ACCOUNT NUMBER AND RANDOM LETTERS]

Thank you,

Bank of America
Online Banking Customer Service

Email Preferences

This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.

Contact us about this email

Please do not reply to this email with sensitive information, such as an account number, PIN, password, or Online ID. The security and confidentiality of your personal information is important to us. If you have any questions, please either call the phone number on your account statement or go to the Contact Us page below, so we can properly verify your identity:
http://www.bankofamerica.com/contact/

Privacy and Security

Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy:
http://www.bankofamerica.com/privacy

You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself:
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_prevent_fraud

Bank of America Email, 8th Floor, 101 South Tryon St., Charlotte, NC 28255-0001

Bank of America, N.A. Member FDIC. Equal Housing Lender:
http://www.bankofamerica.com/help/equalhousing.cfm

(C) 2008 Bank of America Corporation. All rights reserved.

This email was sent to: [EMAIL ADDRESS]

Washington Mutual / Chase

To ensure that messages from WaMu are delivered to your inbox, please set your personal email filter to accept email from wamu.com.

Washington Mutual, a division of JPMorgan Chase Bank, N.A.

Email for [NAME] with account ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER]

Hi [NAME], We want to let you know that the statement for the account [ACCOUNT TYPE] / ******[LAST FOUR DIGITS OF ACCOUNT NUMBER] is available for the statement period ending [DATE]. If you would like to view your statement:
1. Log on to wamu.com
2. Go to the Statements page.
Please make sure to review all important notices and attachments and share the statement and any accompanying information with any joint owner of your account. Thanks again for choosing WaMu! Sincerely, WaMu JPMorgan Chase Bank, N.A. Member FDIC, Equal Opportunity Lender For phone number and email information, please visit the Contact Us section of wamu.com.

Privacy & Security: to access the Washington Mutual privacy policy go to
http://www.wamu.com/customer_service/questions_answers/security_privacy/default.asp Please note that you are unable to respond directly to this message. If you have any questions about your account or if you need further assistance, please contact Washington Mutual Customer Service. JPMorgan Chase Bank, N.A. and its affiliates are not responsible for and do not endorse any information, advice, opinions and services from third-party news information or service providers. JP

Here's anonomyzed emails for online statements from two major American banks.

Bank of America
Dear [NAME]:

Your most recent [ACCOUNT TYPE] statement for [ACCOUNT TYPE] ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER] is now available to view online.

To access your statement, just click on the link below.
You will be asked to enter your Online Banking ID and Passcode.

Remember: Always look for your SiteKey before you enter your Passcode.

http://www.bankofamerica.com?state= [STATE] &estatement= [LAST FOUR DIGITS OF ACCOUNT NUMBER AND RANDOM LETTERS]

Thank you,

Bank of America
Online Banking Customer Service

Email Preferences

This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.

Contact us about this email

Please do not reply to this email with sensitive information, such as an account number, PIN, password, or Online ID. The security and confidentiality of your personal information is important to us. If you have any questions, please either call the phone number on your account statement or go to the Contact Us page below, so we can properly verify your identity:
http://www.bankofamerica.com/contact/

Privacy and Security

Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy:
http://www.bankofamerica.com/privacy

You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself:
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_prevent_fraud

Bank of America Email, 8th Floor, 101 South Tryon St., Charlotte, NC 28255-0001

Bank of America, N.A. Member FDIC. Equal Housing Lender:
http://www.bankofamerica.com/help/equalhousing.cfm

(C) 2008 Bank of America Corporation. All rights reserved.

This email was sent to: [EMAIL ADDRESS]

Washington Mutual / Chase

To ensure that messages from WaMu are delivered to your inbox, please set your personal email filter to accept email from wamu.com.

Washington Mutual, a division of JPMorgan Chase Bank, N.A.

Email for [NAME] with account ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER]

Hi [NAME], We want to let you know that the statement for the account [ACCOUNT TYPE] / ******[LAST FOUR DIGITS OF ACCOUNT NUMBER] is available for the statement period ending [DATE]. If you would like to view your statement:
1. Log on to wamu.com
2. Go to the Statements page.
Please make sure to review all important notices and attachments and share the statement and any accompanying information with any joint owner of your account. Thanks again for choosing WaMu! Sincerely, WaMu JPMorgan Chase Bank, N.A. Member FDIC, Equal Opportunity Lender For phone number and email information, please visit the Contact Us section of wamu.com.

Privacy & Security: to access the Washington Mutual privacy policy go to
http://www.wamu.com/customer_service/questions_answers/security_privacy/default.asp Please note that you are unable to respond directly to this message. If you have any questions about your account or if you need further assistance, please contact Washington Mutual Customer Service. JPMorgan Chase Bank, N.A. and its affiliates are not responsible for and do not endorse any information, advice, opinions and services from third-party news information or service providers. JP

Here's anonomyzed emails for online statements from two major American banks.

Bank of America
Dear [NAME]:

Your most recent [ACCOUNT TYPE] statement for [ACCOUNT TYPE] ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER] is now available to view online.

To access your statement, just click on the link below.
You will be asked to enter your Online Banking ID and Passcode.

Remember: Always look for your SiteKey before you enter your Passcode.

http://www.bankofamerica.com?state= [STATE] &estatement= [LAST FOUR DIGITS OF ACCOUNT NUMBER AND RANDOM LETTERS]

Thank you,

Bank of America
Online Banking Customer Service

Email Preferences

This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.

Contact us about this email

Please do not reply to this email with sensitive information, such as an account number, PIN, password, or Online ID. The security and confidentiality of your personal information is important to us. If you have any questions, please either call the phone number on your account statement or go to the Contact Us page below, so we can properly verify your identity:
http://www.bankofamerica.com/contact/

Privacy and Security

Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy:
http://www.bankofamerica.com/privacy

You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself:
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_prevent_fraud

Bank of America Email, 8th Floor, 101 South Tryon St., Charlotte, NC 28255-0001

Bank of America, N.A. Member FDIC. Equal Housing Lender:
http://www.bankofamerica.com/help/equalhousing.cfm

(C) 2008 Bank of America Corporation. All rights reserved.

This email was sent to: [EMAIL ADDRESS]

Washington Mutual / Chase

To ensure that messages from WaMu are delivered to your inbox, please set your personal email filter to accept email from wamu.com.

Washington Mutual, a division of JPMorgan Chase Bank, N.A.

Email for [NAME] with account ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER]

Hi [NAME], We want to let you know that the statement for the account [ACCOUNT TYPE] / ******[LAST FOUR DIGITS OF ACCOUNT NUMBER] is available for the statement period ending [DATE]. If you would like to view your statement:
1. Log on to wamu.com
2. Go to the Statements page.
Please make sure to review all important notices and attachments and share the statement and any accompanying information with any joint owner of your account. Thanks again for choosing WaMu! Sincerely, WaMu JPMorgan Chase Bank, N.A. Member FDIC, Equal Opportunity Lender For phone number and email information, please visit the Contact Us section of wamu.com.

Privacy & Security: to access the Washington Mutual privacy policy go to
http://www.wamu.com/customer_service/questions_answers/security_privacy/default.asp Please note that you are unable to respond directly to this message. If you have any questions about your account or if you need further assistance, please contact Washington Mutual Customer Service. JPMorgan Chase Bank, N.A. and its affiliates are not responsible for and do not endorse any information, advice, opinions and services from third-party news information or service providers. JP

Here's anonomyzed emails for online statements from two major American banks.

Bank of America
Dear [NAME]:

Your most recent [ACCOUNT TYPE] statement for [ACCOUNT TYPE] ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER] is now available to view online.

To access your statement, just click on the link below.
You will be asked to enter your Online Banking ID and Passcode.

Remember: Always look for your SiteKey before you enter your Passcode.

http://www.bankofamerica.com?state= [STATE] &estatement= [LAST FOUR DIGITS OF ACCOUNT NUMBER AND RANDOM LETTERS]

Thank you,

Bank of America
Online Banking Customer Service

Email Preferences

This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.

Contact us about this email

Please do not reply to this email with sensitive information, such as an account number, PIN, password, or Online ID. The security and confidentiality of your personal information is important to us. If you have any questions, please either call the phone number on your account statement or go to the Contact Us page below, so we can properly verify your identity:
http://www.bankofamerica.com/contact/

Privacy and Security

Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy:
http://www.bankofamerica.com/privacy

You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself:
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_prevent_fraud

Bank of America Email, 8th Floor, 101 South Tryon St., Charlotte, NC 28255-0001

Bank of America, N.A. Member FDIC. Equal Housing Lender:
http://www.bankofamerica.com/help/equalhousing.cfm

(C) 2008 Bank of America Corporation. All rights reserved.

This email was sent to: [EMAIL ADDRESS]

Washington Mutual / Chase

To ensure that messages from WaMu are delivered to your inbox, please set your personal email filter to accept email from wamu.com.

Washington Mutual, a division of JPMorgan Chase Bank, N.A.

Email for [NAME] with account ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER]

Hi [NAME], We want to let you know that the statement for the account [ACCOUNT TYPE] / ******[LAST FOUR DIGITS OF ACCOUNT NUMBER] is available for the statement period ending [DATE]. If you would like to view your statement:
1. Log on to wamu.com
2. Go to the Statements page.
Please make sure to review all important notices and attachments and share the statement and any accompanying information with any joint owner of your account. Thanks again for choosing WaMu! Sincerely, WaMu JPMorgan Chase Bank, N.A. Member FDIC, Equal Opportunity Lender For phone number and email information, please visit the Contact Us section of wamu.com.

Privacy & Security: to access the Washington Mutual privacy policy go to
http://www.wamu.com/customer_service/questions_answers/security_privacy/default.asp Please note that you are unable to respond directly to this message. If you have any questions about your account or if you need further assistance, please contact Washington Mutual Customer Service. JPMorgan Chase Bank, N.A. and its affiliates are not responsible for and do not endorse any information, advice, opinions and services from third-party news information or service providers. JP

Here's anonomyzed emails for online statements from two major American banks.

Bank of America
Dear [NAME]:

Your most recent [ACCOUNT TYPE] statement for [ACCOUNT TYPE] ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER] is now available to view online.

To access your statement, just click on the link below.
You will be asked to enter your Online Banking ID and Passcode.

Remember: Always look for your SiteKey before you enter your Passcode.

http://www.bankofamerica.com?state= [STATE] &estatement= [LAST FOUR DIGITS OF ACCOUNT NUMBER AND RANDOM LETTERS]

Thank you,

Bank of America
Online Banking Customer Service

Email Preferences

This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.

Contact us about this email

Please do not reply to this email with sensitive information, such as an account number, PIN, password, or Online ID. The security and confidentiality of your personal information is important to us. If you have any questions, please either call the phone number on your account statement or go to the Contact Us page below, so we can properly verify your identity:
http://www.bankofamerica.com/contact/

Privacy and Security

Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy:
http://www.bankofamerica.com/privacy

You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself:
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_prevent_fraud

Bank of America Email, 8th Floor, 101 South Tryon St., Charlotte, NC 28255-0001

Bank of America, N.A. Member FDIC. Equal Housing Lender:
http://www.bankofamerica.com/help/equalhousing.cfm

(C) 2008 Bank of America Corporation. All rights reserved.

This email was sent to: [EMAIL ADDRESS]

Washington Mutual / Chase

To ensure that messages from WaMu are delivered to your inbox, please set your personal email filter to accept email from wamu.com.

Washington Mutual, a division of JPMorgan Chase Bank, N.A.

Email for [NAME] with account ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER]

Hi [NAME], We want to let you know that the statement for the account [ACCOUNT TYPE] / ******[LAST FOUR DIGITS OF ACCOUNT NUMBER] is available for the statement period ending [DATE]. If you would like to view your statement:
1. Log on to wamu.com
2. Go to the Statements page.
Please make sure to review all important notices and attachments and share the statement and any accompanying information with any joint owner of your account. Thanks again for choosing WaMu! Sincerely, WaMu JPMorgan Chase Bank, N.A. Member FDIC, Equal Opportunity Lender For phone number and email information, please visit the Contact Us section of wamu.com.

Privacy & Security: to access the Washington Mutual privacy policy go to
http://www.wamu.com/customer_service/questions_answers/security_privacy/default.asp Please note that you are unable to respond directly to this message. If you have any questions about your account or if you need further assistance, please contact Washington Mutual Customer Service. JPMorgan Chase Bank, N.A. and its affiliates are not responsible for and do not endorse any information, advice, opinions and services from third-party news information or service providers. JP

This is a great point. Although educating online banking users might not be the answer. Why don't banks have a 2-phased authorization type system (i.e. What you have and What you know)? I would gladly pay $5-$20 to have a PRNG pass-key (What I have) used in conjunction with a PIN (What I know) and have a more secure online banking system.

Bank of America offers that. You can either have them send an SMS to your phone with a number that you have to enter on the website; or you can buy a hardware token for $20.

Using google prevents mistakes, such as the typo http://www.bankofamerica.cm/ for Bank of America instead of http://www.bankofamerica.com/ or the wrong tld http://www.whitehouse.com/ (NSFW) for the White House instead of http://www.whitehouse.gov/. I have made both type of mistakes before, and Google prevents them.

These private non-bank lenders enjoyed a regulatory gap, allowing them to be regulated by 50 different state banking supervisors instead of the federal government. And mortgage brokers, who also weren't subject to federal regulation or the CRA, originated most of the subprime loans.

And why did those loans cause a contraction in the money supply when they weren't paid? That only happens because of government backed fractional reserve lending. The situation has been entirely initiated by government intervention. Unconstitutional government intervention at that, being the formation of the fed. By the way: http://www.google.com/search?hl=en&q=Barack+Obama+Citibank+CRA

Since the vast majority of loans that created this crisis were not CRA related, I'm at a loss to understand why you continue to focus on CRA loans. CRA loans do not have an excessive default rate, unlike the very creative sub prime mortgages created by non-CRA financial institutions, like Countrywide. Here's what the president of the Bank of America had to say on the subject.

"I've seen a disturbing trend among some market observers, who are trying to lay primary blame for our current troubles on CRA. I think itâ(TM)s fair to say that in many cases CRA lending standards fell victim to the same market pressures and overconfidence we saw in other sectors of the mortgage markets. In that regard, political pressure to expand homeownership did become one of many contributing factors as the housing bubble grew. But the charge that CRA lending was the primary or foundational cause of our housing crisis is not only unfair, it's not true."

"Some quick history. CRA was passed in 1977 to require banks to make loans in the same neighborhoods where they collected deposits, including low-to-moderate income neighborhoods. There's no mandate to make risky loans, or to abandon sound lending principles."

"Many reports and investigations, including a Fed report in 2000 and our own experience over the past 30 years, have found that CRA lending can be profitable, and need not be overly risky. The riskiest subprime lending of the past ten years didn't have anything to do with CRA, in fact, 75% of high-priced loans made by mortgage companies and bank affiliates in recent years were not covered by CRA."

Other than as a historical footnote, I fail to see what the link to Obama's involvement with an anti-discrimination lawsuit has to do with today's financial crisis. The court case says absolutely nothing about the CRA. It is a suit against Citibank for discrimination in loan practices. Did that lawsuit lead to people who could not afford a mortgage getting mortgages? Or did it lead to Citibank offering mortgages to people who weren't as profitable to loan to but were capable of handling a mortgage? None of the links offer any evidence that bad mortgages were made as a result of the lawsuit.

This is a direct result of the 2004 loosening of regulations that restricted their debt-to-net-capital ratio to 15 to 1. After 2004 this became 30 to 1, setting these institutions up for the economic meltdown in 2007 and 2008.

... and yet for any private citizen, a debt-to-net-capital ratio of more than 1:1 is called bankruptcy, which you may avoid if you manage to keep making your payments. What is it that allows lending institutions such ratios? Regulation, that's what. Without law on their side to make their loan created money acceptable as payment of debt and taxes, without laws that allow them to operate with levels of debt that we all know are foolish and irresponsible if taken on by an individual, none of this financial collapse could have happened.

Good regulation is what prevents financial organizations from becoming too leveraged. Banks push

the real disgusting kid stuff)because if they are able to see it, they begin to imagine it, and if they imagine it, they want to go do it

That's why sites like this one should be illegal, because when people see it they begin to imagine it and they want to commit theft. Also, sites like this one give away information that may be used by criminals, so they should be illegal too.

All I need is your routing number and checking acct number. Even the routing number can be obtained by calling the bank and asking for it. It's nearly public knowledge.

That's too much trouble.

Bank of America.

Wells Fargo Bank.

Search by name. See Wikipedia.