Domain: wachovia.com
Stories and comments across the archive that link to wachovia.com.
Comments · 22
-
Re:Fed up
These online sites had no regulation.
Unlike these money launderers, who do.
We just don't enforce it on them, even though it involves hundreds of billions.
-
Re:Alternatives
Check to see if the URL to the site begins with http:// before you login. If it does, and it's displaying a padlock icon (suggesting that it is 'secure'), then you're being attacked. Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.
Try Wachovia's site: http://wachovia.com/
Lock icon: check.
Unsecured HTTP page: check.
I don't have a Wachovia account, so I can only assume that the actual UID/password info goes over SSL, but that's irrelevant to this attack.
-
Re:Always.
Haven't seen a bank do it? Try Wachovia. A pretty big bank, as such things go, too.
-
Re:Always.
Here's a hint of how it can fail:
Man in the middle intercepts http://wachovia.com/ inserts a JS script in the head of the document that takes each keystroke and posts it to http://evilsite.com./
You log in normally, but evil site now has your credentials.
Note that an evil site could be:
- a fake Wireless Access Point
- a malicious ISP employee
- another site broadcasting fake routing packets
- another site that has poisoned your DNS cache
etc...
This is why you need form-to-backend HTTPS security.
-
Re:Always.
Exactly!
Go to http://www.wachovia.com/
There's a login on the front page.
Just because the login page is not secured does not mean it's not posted to a secure site.
I used to work for Wachovia; believe me when I say they are quite serious about their IT security, both internally and customer facing.
-
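The three replies above argue about the same thing: whether a login form on a plain-HTTP page is acceptable as long as it posts to HTTPS. The following is an added example (not code from the thread or from any bank) that audits a page the way a defender would: it takes the URL a page was served from and its HTML, finds every form with a password field, and flags both a non-HTTPS page (whose content can be rewritten in transit before anything is submitted, which is the scenario described above) and any form action that is not HTTPS. The sample pages and hostnames are constructed.

```python
"""Audit an HTML login page for credentials-over-HTTP risks.

Added example: given the URL a page was served from and its HTML, report
(a) whether the page itself came over plain HTTP, which lets an on-path attacker
rewrite it before any form is submitted, and (b) whether any form containing a
password field posts to a non-HTTPS action.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form> with its resolved action and whether it has a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or relative action resolves against the page URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _FormCollector(page_url)
    parser.feed(html)

    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        return findings

    if page_scheme != "https":
        # Even if the form posts to HTTPS, an unauthenticated page can be
        # modified in transit (e.g. a keystroke-capturing script added to <head>).
        findings.append(
            "login page served over %s: page content is unauthenticated and can be "
            "altered before submission, regardless of the form action" % page_scheme
        )
    for f in login_forms:
        if urlsplit(f["action"]).scheme.lower() != "https":
            findings.append("password form posts to non-HTTPS action: %s" % f["action"])
    return findings


# Constructed sample pages (not real bank markup) illustrating both cases.
SAMPLE_HTTP_PAGE = """
<html><body>
<form action="https://onlineservices.example.test/login" method="post">
  <input type="text" name="userid">
  <input type="password" name="password">
</form>
</body></html>
"""

SAMPLE_HTTPS_PAGE_BAD_ACTION = """
<html><body>
<form action="http://onlineservices.example.test/login" method="post">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in [("http://www.example.test/", SAMPLE_HTTP_PAGE),
                      ("https://www.example.test/", SAMPLE_HTTPS_PAGE_BAD_ACTION)]:
        print(url, audit_login_page(url, html) or ["no findings"])
```

Run it against a saved copy of any front page to see which of the two findings applies; a page that triggers neither is the "form-to-backend HTTPS" arrangement the thread asks for.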
You may be surprised who is involved
Sounds like the 4th largest bank in the U.S. exposing me to no less than 12 single pixel tracking images from the likes of doubleclick, ru4, advertising.com etc. when I want to login followed by tracking by an outside source while using the "secure" area of the site(hooray for AdBlock). I complained and complained. I finally received a response from the office of CEO Ken Thompson telling me to piss up a rope. I am no longer a customer.
-
Re:How long
Or if your bank is stupid and has something insecure on its secure website. Wachovia's Secure Site has had a broken SSL login for ages, and I've told them about it. I also told them that the problem was probably just some insecure javascript or something to that effect, and pleaded that they'd forward it to their tech. staff who would immediately know what the problem was and how to fix it. I got a canned response and no action has been taken. Not sure what to do besides check the cert. every time I login.
-
Re:The guy's an idiot.
Discounts for cash vs credit card are a violation of the merchant's agreement with the credit card company. I prefer not doing business with retailers who can't keep their written promises.
And I prefer to listen to advice from people who know what they're talking about.
All Visa/MC agreements strictly prohibit advertising a price that reflects a cash discount, and then charging a credit card surcharge on top of it. While I can't prove that this is the case for all agreements, there is nothing in some agreements to prevent offering a cash discount, which was the case with the giant-mega-corp I bought my laptop from. Here are three articles on this subject I found in only minutes of searching:
http://www.creditinfocenter.com/cards/crcd_buy.shtml
http://www.wachovia.com/corp_inst/page/0,,44_45%5E2111,00.html
http://www.sitepoint.com/forums/showthread.php?t=322415
-
Checking out BankRate and Wachovia
The idea here is that they're looking for sites that have a privacy policy expressed in XML, something that's been working since 2002 but never really caught on.
Even the few sites that use that have problems. Check out Bankrate.com. According to PrivacyFinder, their policy, from the XML, can be summarized as "BankRate.com may share your information with: Companies that help this site fulfill your requests (for example, shipping a product to you), but these companies must not use your information for any other purpose". Sounds good, and Privacy Finder gives them a high rating.
But their privacy text associated with the XML says "Bankrate uses your personally identifiable information to customize the advertising and content you see on our Web pages, to fulfill your requests for certain products and services and if you permit us, to contact you about special offers and new products. Unless you are entering one of our sweepstakes, Bankrate does not currently share, loan, rent or sell your personally identifiable information."
Their privacy policy text page lets them do even more: " Bankrate uses your personally identifiable information as follows:
... to contact you and deliver information to you that, in some cases, is targeted to your interests, such as targeted banner advertisements, administrative notices, product offerings, and communications relevant to your use of www.bankrate.com." The text policy is far less restrictive than the one associated with the XML.
Similarly, check out Wachovia Financial Services. The XML says they don't share your personal information, but their text privacy page says they can share, say, your loan information with their brokerage, insurance, and credit card units for marketing purposes.
This isn't looking good. And those are major legitimate companies. Further down the food chain, it looks much worse.
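The "privacy policy expressed in XML" this comment refers to is W3C P3P 1.0 (2002). As an added example, not code from the thread or from PrivacyFinder, the script below parses a P3P policy and renders what its RECIPIENT and PURPOSE elements assert, in the spirit of the summary quoted above. It only reports what the XML claims; nothing here can compare that against the human-readable policy text, which is exactly the gap the comment describes. The sample policy, entity name and URL are constructed, and the English glosses are this example's paraphrase of the P3P 1.0 vocabulary.

```python
"""Summarize the RECIPIENT and PURPOSE elements of a P3P 1.0 policy.

Added example: renders the machine-readable claims in a P3P policy. It does not
(and cannot) verify them against the site's prose privacy policy.
"""
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Paraphrased glosses for the P3P 1.0 RECIPIENT vocabulary (assumption: P3P 1.0 terms).
RECIPIENTS = {
    "ours": "this site, and agents that use the data only to complete the stated purpose",
    "delivery": "delivery services, which may follow different practices",
    "same": "companies that follow equal practices",
    "other-recipient": "companies that follow different but accountable practices",
    "unrelated": "unrelated third parties whose practices are unknown",
    "public": "public forums",
}

# PURPOSE values that amount to profiling or marketing use.
MARKETING_PURPOSES = {"tailoring", "contact", "telemarketing",
                      "individual-analysis", "individual-decision"}


def _children(parent, name):
    node = parent.find(P3P_NS + name)
    return list(node) if node is not None else []


def summarize_policy(xml_text):
    """Return recipients, purposes and two derived flags for the first POLICY."""
    root = ET.fromstring(xml_text)
    policy = root if root.tag == P3P_NS + "POLICY" else root.find(P3P_NS + "POLICY")
    if policy is None:
        raise ValueError("no POLICY element found")
    recipients, purposes = set(), set()
    for stmt in policy.iter(P3P_NS + "STATEMENT"):
        for r in _children(stmt, "RECIPIENT"):
            recipients.add(r.tag[len(P3P_NS):])
        for p in _children(stmt, "PURPOSE"):
            purposes.add(p.tag[len(P3P_NS):])
    return {
        "recipients": sorted(recipients),
        "purposes": sorted(purposes),
        "shares_beyond_ours": bool(recipients - {"ours"}),
        "marketing": bool(purposes & MARKETING_PURPOSES),
    }


def describe(summary):
    """Render the summary as short English lines, PrivacyFinder-style."""
    lines = ["May share your information with:"]
    lines += ["  - " + RECIPIENTS.get(r, r) for r in summary["recipients"]]
    if summary["marketing"]:
        hits = sorted(p for p in summary["purposes"] if p in MARKETING_PURPOSES)
        lines.append("Declared purposes include marketing/profiling: " + ", ".join(hits))
    return "\n".join(lines)


# Constructed sample policy (not any real site's P3P file).
SAMPLE_P3P = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="sample" discuri="https://www.example.test/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Bank (constructed)</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/><delivery/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>
"""

if __name__ == "__main__":
    print(describe(summarize_policy(SAMPLE_P3P)))
```

The two derived flags are the ones worth eyeballing against the prose policy: a policy whose XML says `shares_beyond_ours` is false or `marketing` is false while the text page reserves the right to share loan data with affiliates for marketing is the discrepancy the comment is pointing at.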
-
From Wachovia's Security Plus page
http://www.wachovia.com/securityplus/page/0,,10957_10970,00.html
Secure home page login
Ensuring the security of your personal information online is important to us. When you log in to Online Services on our home page, your User ID and Password are secure.
The moment you select "Login," we encrypt your User ID and Password using Secure Sockets Layer (SSL) technology.
I don't understand. If the login page isn't SSL, how can the password be encrypted with SSL?
-
Re:Credit Unions
USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ for example.
Wachovia's site is as the article describes and only gives you https after login. I wondered about it myself and so began going to the site by manually specifying https://www.wachovia.com/ -- this works and gives you SSL for the entire browsing session. You may want to type it manually every time, though it would be nice if all banks made their sites HTTPS only.
-
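The comment contrasts a site that immediately redirects http:// to https:// with one that serves its front page over plain HTTP. As an added example, not code from the thread, the functions below classify how a site answers a plain-HTTP request from its status code and headers, and parse the Strict-Transport-Security header that makes the redirect stick so that later visits never touch HTTP at all. The responses are constructed, not captured from any real bank.

```python
"""Classify a site's answer to a plain-HTTP request and check for HSTS.

Added example: 'redirects-to-https' is the behaviour the comment praises;
'serves-over-http' is the behaviour it complains about.
"""
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def classify_http_response(status, headers):
    """Return one of 'redirects-to-https', 'redirects-to-http',
    'serves-over-http' or 'other' for a response to an http:// request."""
    h = _lower(headers)
    if status in REDIRECT_CODES:
        target = urlsplit(h.get("location", ""))
        return "redirects-to-https" if target.scheme.lower() == "https" else "redirects-to-http"
    if status == 200:
        return "serves-over-http"
    return "other"


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is absent or malformed.

    Browsers only honour Strict-Transport-Security on an HTTPS response, so
    pass the headers of the *https* page here, not those of the redirect."""
    sts = _lower(headers).get("strict-transport-security")
    if not sts:
        return None
    for directive in sts.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


# Constructed responses for a hypothetical host www.example.test.
GOOD_HTTP_RESPONSE = (301, {"Location": "https://www.example.test/", "Content-Length": "0"})
GOOD_HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                      "Content-Type": "text/html"}
BAD_HTTP_RESPONSE = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    print("good site:", classify_http_response(*GOOD_HTTP_RESPONSE),
          "HSTS max-age", hsts_max_age(GOOD_HTTPS_HEADERS))
    print("bad site: ", classify_http_response(*BAD_HTTP_RESPONSE))
```

Feed the output of a real `HEAD` or `GET` on the plain-HTTP URL into `classify_http_response`, then the HTTPS response into `hsts_max_age`; a site that redirects but sets no HSTS still exposes the first request of every session to the rewriting attacks discussed earlier in the thread.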
A Foolproof Way To End Bank Account Phishing?
Sure, let me know when you figure out how to force people to pay attention and educate themselves.
Seriously, though, as I'm sure everyone here knows (but I enjoy preaching to the choir) this is useless. The problem isn't that people can't tell they're not at the actual bank website because it's hard, they can't tell because they don't fucking look and/or don't understand. If after clicking the link (which they shouldn't have clicked to start with) they are incapable of looking at the address bar and thinking to themselves "hey, that doesn't say http://www.wachovia.com/ like the e-mail said" then why would they look at it and think "hey, that doesn't say http://www.wachovia.bank/ like the e-mail said"?
-
Re:Competition is nice, but . . .
(Hint: do you trust your bank's authorization scheme on their website?...
Riddle me this. Could you create a page that looks just like this? http://www.wachovia.com/ that is a typosquatted site. Via my qwerty keyboard typo generator, here are some suggestions: wacgovia wavhovia wschovia wachpvia qachovia wachovis wachocia wachivia wachobia eachovia wachovoa wacjovia wachovua waxhovia Just go and register some of the good ones, and pay the $7.95 fee to your non-local sleazy registrar, and make every login merely redirect them to the login page at Wachovia, but feel free to collect the username/password.
Now, if I (or you, or someone you love) typed any of those combinations by accident, how do you trust a non SSL page to ever be your bank, and not a typosquatter, or someone that DNS poisoned, or whatever? Remember, SSL certs require the name of the server to match the cert, and they are able to be validated by the user. No, it's not perfect, but a little better than a plaintext http login eh?
When I ssh to an unknown machine, it asks me, "Do you wanna talk to them? You have never talked to them before" And if the cert has changed on the machine, it asks me "DO YOU WANT TO TALK TO THESE PEOPLE AT ALL???? SOMETHING IS VERY WRONG HERE!"
http/https does none of these things.
I can't wait until I can do brick and mortar banking with a username/password like the computer logins. I can't wait until I can purchase things without a credit card, but rather just give them a username/password. It's good enough, right?
-
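The ssh behaviour the comment describes is trust-on-first-use pinning: remember the key the first time, say so, and refuse loudly if it ever changes. As an added example, not code from the thread, the class below keeps a known-hosts style store of certificate fingerprints per hostname and classifies each observed certificate as NEW, OK or CHANGED. The "certificates" are stand-ins: the fingerprint is SHA-256 over whatever DER bytes the caller passes, and the sample bytes and hostnames are constructed.

```python
"""Trust-on-first-use pinning of server certificate fingerprints, known_hosts style.

Added example: a small store keyed by hostname. First sighting is recorded and
reported as NEW; a matching fingerprint is OK; a mismatch is CHANGED, which is
the case ssh shouts about and a browser should treat as a hard failure.
"""
import hashlib
import hmac

NEW, OK, CHANGED = "NEW", "OK", "CHANGED"


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a certificate's DER encoding (any bytes here)."""
    return "SHA256:" + hashlib.sha256(der_bytes).hexdigest()


class KnownHosts:
    """Parses and emits lines of the form '<host> <fingerprint>'; '#' starts a comment."""

    def __init__(self, text=""):
        self.pins = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, _, fp = line.partition(" ")
            if host and fp:
                self.pins[host.lower()] = fp.strip()

    def check(self, host, der_bytes, accept_new=True):
        """Classify the presented certificate for host; records it on first sight."""
        fp = fingerprint(der_bytes)
        known = self.pins.get(host.lower())
        if known is None:
            if accept_new:
                self.pins[host.lower()] = fp
            return NEW
        # Constant-time comparison; the values are not secret, but it costs nothing.
        return OK if hmac.compare_digest(known, fp) else CHANGED

    def dump(self):
        """Serialise the store in the same line format the constructor reads."""
        return "".join("%s %s\n" % (h, fp) for h, fp in sorted(self.pins.items()))


# Constructed stand-in certificates for a hypothetical host.
CERT_V1 = b"constructed DER bytes, bank certificate, version 1"
CERT_V2 = b"constructed DER bytes, bank certificate, version 2"

if __name__ == "__main__":
    store = KnownHosts()
    print(store.check("bank.example.test", CERT_V1))   # NEW: recorded
    print(store.check("bank.example.test", CERT_V1))   # OK
    print(store.check("bank.example.test", CERT_V2))   # CHANGED
    print(store.dump(), end="")
```

Two caveats a practitioner would add. The first sighting is trusted blindly, so the model is only as good as the network you were on that day, and a CHANGED result also fires on a routine certificate renewal; pinning the subject public key rather than the whole certificate, and allowing a small set of pins per host, are the usual ways to make the alert mean "something is wrong" rather than "the cert expired".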
Re:An opportunity, a threat...
Keys and tokens are nice, but you have to realize that the trojan dictates which info goes from bank to user and from user to bank. It can block, forge or manipulate anything supposed to go from either end to the other.
I have one piece of software that requires 2 hardware dongles attached to my machine to ensure that I paid enough money for the software.
I'm not suggesting anything that difficult, but how difficult would it be for a standard much like the magstrip cards and private network that exists for credit cards for having a "card" or something for the computer that adds a level of security.
Imagine if it was something that could be plugged into any USB or Firewire port, that would do a challenge response with the bank's site and both you and the bank are authenticated?
No. Online banks are not secure. They look like any other website, and I don't consider every website secure enough to do money with.
Take a look at: http://www.wachovia.com/ and before a month or so, here: http://www.bankofamerica.com/index.cfm The BOA site used to have a password on their plaintext unsecured front page. Wachovia and others still do.
Without at least a https login url, I have no reason to expect that the page I am at is my bank. Could a nasty guy at my ISP give me a false IP address for the name and I'm on a website overseas without any FDIC or whatever kind of legal assurance? NO. I however, am much more informed of these things. Most people would just assume that anything with their banks name on it would be OK. If the site looked different, they would assume it was a design change.
A dongle issued from my bank that verifies both my identity and that of the website would be welcome in my book. I don't just type in a username and password to buy something at the store where I can see a human being. I have to show a stamped card with a hologram over the last 4 digits. They are relatively easy to reproduce, but it's very uncommon for there to be phony credit cards out there. Stolen ones are often recognized quickly.
With a dongle, access to my account could be tracked, because it is tied to a piece of hardware that supposedly can't be in more than one place at a time, and certainly not likely for it to be used all over the world in a day's time. It could be revoked, and I have to show up in person to get a new one issued, just like I do with my check card when it expires. It also has my picture on it. I don't mind having my face in public and a picture on my bank card at the same time.
-
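The comment asks what a USB "card" doing a challenge-response that authenticates both the user and the bank might look like. As an added example, not code from the thread or from any bank, the sketch below runs such an exchange over a shared per-token secret K: each side sends a fresh nonce, the token proves knowledge of K with HMAC(K, "token" || bank_nonce || token_nonce), and the bank proves it with HMAC(K, "bank" || token_nonce || bank_nonce). The class names, labels and message layout are this example's own. It also shows the limit the parent comment raises: this authenticates the two endpoints, but does nothing about malware on the PC altering the transaction between them, which is why deployed tokens sign the transaction details rather than only a nonce.

```python
"""Mutual challenge-response between a bank and a hardware token (protocol sketch).

Added example. Both parties hold a per-token secret; distinct labels in the two
MACs stop one side's proof from being reflected back as the other's. Nonces are
fresh per exchange, so a recorded proof cannot be replayed.
"""
import hashlib
import hmac
import os


def _mac(key, label, first_nonce, second_nonce):
    return hmac.new(key, label + first_nonce + second_nonce, hashlib.sha256).digest()


class Token:
    """The user's dongle: holds its secret, never reveals it, answers challenges."""

    def __init__(self, key):
        self._key = key
        self.nonce = None

    def respond(self, bank_nonce):
        self.nonce = os.urandom(16)
        return self.nonce, _mac(self._key, b"token", bank_nonce, self.nonce)

    def verify_bank(self, bank_nonce, bank_proof):
        expected = _mac(self._key, b"bank", self.nonce, bank_nonce)
        return hmac.compare_digest(expected, bank_proof)


class Bank:
    """Holds the secret for every issued token, indexed by token id."""

    def __init__(self, tokens):
        self._tokens = dict(tokens)
        self.nonce = None

    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def verify_token(self, token_id, token_nonce, token_proof):
        """Return the bank's proof if the token's proof checks out, else None."""
        key = self._tokens.get(token_id)
        if key is None:
            return None
        expected = _mac(key, b"token", self.nonce, token_nonce)
        if not hmac.compare_digest(expected, token_proof):
            return None
        return _mac(key, b"bank", token_nonce, self.nonce)


def run_exchange(bank, token_id, token):
    """Drive one exchange; True only if both sides authenticated each other."""
    bank_nonce = bank.challenge()                      # bank -> user: challenge
    token_nonce, token_proof = token.respond(bank_nonce)   # user -> bank: nonce + proof
    bank_proof = bank.verify_token(token_id, token_nonce, token_proof)
    if bank_proof is None:
        return False                                   # bank rejected the token
    return token.verify_bank(bank_nonce, bank_proof)   # token checks the bank


if __name__ == "__main__":
    # Constructed keys; a real token's secret would be provisioned at issue time.
    key = hashlib.sha256(b"constructed token secret").digest()
    bank = Bank({"tok-1": key})
    print("genuine token:", run_exchange(bank, "tok-1", Token(key)))
    print("cloned id, wrong secret:", run_exchange(bank, "tok-1", Token(bytes(32))))
```

What this buys the user is the second arrow in the exchange: a phishing site that does not hold K cannot produce `bank_proof`, so the token (not the user's eyes) decides whether it is talking to the bank. What it does not buy is integrity of the payment the browser then submits; a trojan sitting between token and site can still change the payee while letting this handshake succeed.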
Re:slows? Webstat data collection is flawed.
For both my banks (http://wachovia.com/ http://affinityfcu.org/) https links don't work in Firefox or Opera for that matter. The most annoying thing in the wachovia case is that you can do all but the last step while paying bills; and then hitting submit simply doesn't work. No extension conflict either as this is true even with no extensions installed. All the way from 0.7 to 1.5 beta.
-
Re:A real person phished
Somewhat off-topic, but Wachovia doesn't help things by having a NON-SECURE sign-on page -- Wachovia's home page.
-
Does this mean...
I guess the hackers (or crackers if you'd rather) dared to dream?
-
Re:Not as bad as you think
That guy claims you have no chargeback rights with a "debit card" (I've always heard them referred to as check cards when used as a credit card, and only debit cards when used as an ATM card, but he seems to have his own convention)
This claim goes against everything I've ever heard, though admittedly I've only heard it from check card issuing companies.
So is this guy a crank, or is there some big conspiracy and the banks are all lying to us? Without further info, I know which one I'm assuming is correct.
-
Re:If this won't get people to switch, what will?
-
Re:eCommerce Failure
True, but just how difficult is it to set up a new account?
In fact, there are a lot of banks that support small businesses and have no minimum balance requirements (Wachovia, for one) for checking accounts. And there is almost no fee for maintaining the accounts, either.
I know that it's not a "cool" idea but the point is that it's simple and it works! I think once people are convinced of the after-effects of identity thefts, it would not be too hard.
It's almost like having multiple slashdot ids ;-)
-
Alternatives to IE
I can't say much about Opera since I have not personally used it, but MOZILLA is a quite suitable alternative to IE, and free. The newest versions of MOZILLA are at least as stable and work just as well. I have no problems using Mozilla on all the sites which Konqueror chokes on such as my bank and other favorite sites that make heavy use of java and javascript. I don't use IE because I am on Linux.