Domain: wamu.com
Stories and comments across the archive that link to wamu.com.
Comments · 20
-
Re:After receiving an e-mail that appeared...
Here are anonymized emails for online statements from two major American banks.
Bank of America
Dear [NAME]:
Your most recent [ACCOUNT TYPE] statement for [ACCOUNT TYPE] ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER] is now available to view online.
To access your statement, just click on the link below.
You will be asked to enter your Online Banking ID and Passcode.
Remember: Always look for your SiteKey before you enter your Passcode.
http://www.bankofamerica.com?state= [STATE] &estatement= [LAST FOUR DIGITS OF ACCOUNT NUMBER AND RANDOM LETTERS]
Thank you,
Bank of America
Online Banking Customer Service
Email Preferences
This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.
Contact us about this email
Please do not reply to this email with sensitive information, such as an account number, PIN, password, or Online ID. The security and confidentiality of your personal information is important to us. If you have any questions, please either call the phone number on your account statement or go to the Contact Us page below, so we can properly verify your identity:
http://www.bankofamerica.com/contact/
Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy:
http://www.bankofamerica.com/privacy
You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself:
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_prevent_fraud
Bank of America Email, 8th Floor, 101 South Tryon St., Charlotte, NC 28255-0001
Bank of America, N.A. Member FDIC. Equal Housing Lender:
http://www.bankofamerica.com/help/equalhousing.cfm
(C) 2008 Bank of America Corporation. All rights reserved.
This email was sent to: [EMAIL ADDRESS]
Washington Mutual / Chase
To ensure that messages from WaMu are delivered to your inbox, please set your personal email filter to accept email from wamu.com.
Washington Mutual, a division of JPMorgan Chase Bank, N.A.
Email for [NAME] with account ending in [LAST FOUR DIGITS OF ACCOUNT NUMBER]
Hi [NAME], We want to let you know that the statement for the account [ACCOUNT TYPE] / ******[LAST FOUR DIGITS OF ACCOUNT NUMBER] is available for the statement period ending [DATE]. If you would like to view your statement:
1. Log on to wamu.com
2. Go to the Statements page.
Please make sure to review all important notices and attachments and share the statement and any accompanying information with any joint owner of your account. Thanks again for choosing WaMu! Sincerely, WaMu JPMorgan Chase Bank, N.A. Member FDIC, Equal Opportunity Lender For phone number and email information, please visit the Contact Us section of wamu.com.
Privacy & Security: to access the Washington Mutual privacy policy go to
http://www.wamu.com/customer_service/questions_answers/security_privacy/default.asp
Please note that you are unable to respond directly to this message. If you have any questions about your account or if you need further assistance, please contact Washington Mutual Customer Service. JPMorgan Chase Bank, N.A. and its affiliates are not responsible for and do not endorse any information, advice, opinions and services from third-party news information or service providers. JP
-
Re: Homestarrunner!
SB: Clicking on the Icky Sticky Clicky Wiki's...
SB: "Dear StrongBad. This website says that if I click on a link I could get my browser taken over!! What do I do? P.S. I want the Tire."
SB: Easy IWTT. Click Here to open a nice juicy SubPrime Mortgage on that tire. https://www.wamu.com/personal/default.asp
SB: Gotcha! That's Washington Mutual! They got hosed so The Government said, "You have no chance to survive make your time." JP Morgan stepped in and said "All Your Mortgage Are Belong To Us."
-
Re:SSH and SSL protected
Actually, no. I was thinking of Washington Mutual, where even if you type in https://wamu.com/, it redirects to http://www.wamu.com/personal/default.asp. Argh. https://online.wamu.com/IdentityManagement/Logon.aspx works though. I guess there's a lot of banks like this.
-
Re:Great article, but
Step 1) Go to your bank's website.
Step 2) Look for the pretty little lock picture in your browser that tells you that the website is SSL encrypted.
Without the lock, there is no guarantee you're even on your bank's website when you click the login button that takes you to who knows where. ESPECIALLY when the bank helpfully puts a username/password form on the front page (see http://www.wamu.com/ ) for you to fill out and hit submit and hope that the page it's submitting to actually IS encrypted.
-
Re:Credit Unions
USAA's site is all https and provides an immediate redirect if you type http://www.usaa.com/ for example.
Right this second, Washington Mutual's site https://www.wamu.com/ does the exact opposite, it redirects me back to http:///
It annoys me, but not enough to withdraw my cash. I just hit log in with the fields blank to get to the SSL page and then actually log in.
-
Re:We'll see about that.
But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com.
Yup. And worse yet, that sort of thing allows the baddies to do something like www.blah blah/wamu.bank. So the ambiguousness of the period in the URL - used for both file and domain delimiters - will further obfuscate things.
-
Re:We'll see about that.
My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com
In the rare event that a user does look at the url they see that first .com and don't bother with the rest of address. I don't see how a .bank would help at all.
Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the url in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest? Like I said, this is a simple example, some of my bank sites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.
-
Re:Relay?
Most banks offer an SSL encrypted login page but don't explicitly encourage people to use it. For example, if you go to Washington Mutual's homepage, you can login, although the login page is not encrypted. With a little bit of digging, however, you can find the SSL encrypted login page. I assume they make you work for the encrypted page to avoid the overhead of creating an SSL connection with every person that happens to visit the WaMu homepage. I am not a web developer, but I think that if a form posts to an HTTPS site, then the form data is encrypted before being sent. However, there is no way to know whether a form intends to post to an HTTPS site except by digging through the page source. Perhaps this is why a lot of banking sites are now using the two page login sequence.
Gmail has a secure login page as well but you have to explicitly type in https in order to get to it.
These open WiFi networks are really scary. A criminal could park his car next to Starbucks with a laptop and an AP in the trunk. The AP would broadcast an SSID with the name "Starbucks" and forward almost all packets transparently. However, for banking websites, the laptop would form an SSL connection to the bank and forward an unencrypted page to the user. A lot of people wouldn't notice that the connection wasn't secure, especially if all other websites seemed to be working fine. I don't know if a hacker would really want to read your Gmail, but he would be thrilled to get the login info for your bank!
It is too easy to get screwed (and not even realize it) using an open WiFi network. At least if you physically lose your credit card or know that a hacker has gotten your information, you can cancel or freeze your accounts. But if you don't know your account has been compromised, it could be totally drained by the time you realize it. My advice is don't do anything requiring a login on an open WiFi network unless you use a secure VPN tunnel to a machine that you trust. Also, don't keep very much money in your checking/ATM account; invest it or put it in a savings account where it is not as easy to clean you out in one shot.
I switched away from Bank of America partially because they required me to enter my card number and PIN as part of the login process. They claimed it was secure because you entered the two pieces of data on two consecutive web pages. But I might not notice if that second page was not SSL encrypted but was otherwise identical to the real page. WaMu requires an Internet-only login and password. If a hacker somehow got my online banking login info, he/she would not be able to clean me out through an ATM. But if my BofA info had been stolen online, they would have been able to make a fake ATM card and withdraw everything in the account.
Another scary thing that I just realized is that phishers could use the same trick that I mentioned above. They could set up a similar sounding banking website except forming an HTTP connection rather than an HTTPS connection. However, they would forward the data so that it would seem to the end user that everything is fine. They could even create an unsigned certificate and use SSL between the phishing server and the user. Of course, the user would have to accept the certificate, but most people just blindly click "Accept", don't they? I don't know if phishers are using this technique yet, but I would definitely watch out for it in the future.
-
Re:Not much further to go
I'll just add on the list of "good" banks and mention Washington Mutual. I'm sticking with them, despite a lack of local branches on the East Coast, because they have had good service, and their online banking runs just fine with Firefox.
-
Re:Didn't work well for me.
What exactly does that do when I set domain.tld=5? I did as you suggested and sure enough it fixed the problem! Thanks! Now, I'm having some trouble with my bank's website. When I'm viewing my account, there's supposed to be a link to log out of their system. Instead of being a link, it's just plain text. I tried doing the same thing to the UA.ini file for Washington Mutual's Website but it still doesn't fix the problem (though it did fix some menu alignment issues).
Why is this happening? Firefox and IE don't require any special configuration settings. I don't want to bash Opera as I like what I see so far, but it seems troublesome at the moment.
-
Re:Dictionary Security Definition
True. However, I would contend that the majority of the -interesting- breaches (as opposed to relatively harmless things like site tracking software that does targeted pop-ups) are not technological at all, but sociological.
IMHO, the biggest security threat on the web today is the prevalence of phishing expeditions, intentional spyware downloads, and the general naiveté of the users. When is the last time somebody's SSN was stolen through cross-site scripting or other browser holes? Probably just about never. When is the last time somebody's SSN was stolen through somebody emailing them an official-looking email message asking them to verify their information? I'm guessing some time in the last minute. An identity theft occurs every 60 seconds in the U.S. alone.
That said, I still blame a Microsoft product for all of this... just not MSIE. Their zeal in getting us hooked on "pretty" email with HTML content all those years ago is the root cause for almost every phishing expedition ever conceived. If the user had to hand-type the URL from a text screen like they used to, there's no way that most of them would mistake http://gophish.ru/skankyurl?setmenubarname=www.washingtonmutual.com for https://www.wamu.com./
Now, I'll admit that there are exceptions---phishing expeditions in which somebody registers a URL that really looks like a legit site, e.g. ebay-secure.com. That said, those sites are more likely to get busted, since they're easier to track back to a real person.
Just my $0.02.
-
No banking problems here
I bank with Washington Mutual, have a Capital One VISA card, and have my investments at E*Trade. I used Firefox exclusively and all above sites work flawlessly.
I remember a discussion here on Slashdot a couple of years ago about Mozilla, around the time of ver 0.9.2 or so. At the time Capital One didn't work in Mozilla and I had to use IE. A Mozilla developer posted a reply to my question about that, saying that it probably would never get fixed. Then, out of the blue, it started working. Probably around Mozilla 1.2 or so.
That's the only problem I've ever had with a financial institution with any Mozilla products.
-
Re:Public needs to change to make the change...
Why not tell us who the bank is? I use Washington Mutual and except for a stupid AUTOCOMPLETE=off it works fine. And my CitiBank credit cards through Accountonline.com work fine in Firefox, too.
-
Re:who uses IE anymore?
Really? You mean this site, that I use all the time with Firefox?
-
Re:the needed patch
Just pointing out that My Bank also works just fine with mozilla and Opera.
-
Hasn't been my experience
After seeing this story I promptly downloaded 1.2. A minute ago I logged on to Washington Mutual to check up on my accounts, and everything worked without a flaw.
-
CitiBank / Washington Mutual
Yes, the CitiBank site works with Mozilla. Washington Mutual uses it for online credit-card management.