I have a credit card with Bank of America, and I like to do my payments and such online. You can sign in at the home page (http://www.bankofamerica.com) to get into your account. Unfortunately, this page does not have all the usual signs of being properly encrypted: “https” in the URL and the lock symbol in the browser (I’ve tried it in IE, Netscape, Opera, and my default, Firefox, all with the same result).
I e-mailed their customer service about this, and the answer I got was basically, “Oh, but it IS secure. Really. Don’t worry about it.” Oh thank you, nameless CS drone with unknown Web authoring knowledge, for easing my mind with that comforting and detailed explanation. It doesn’t help that their recently implemented default user ID is your social security number. Hello?? I finally found the place to change THAT particular piece of info. And up until then, I had been just entering a fake ID number, which took me to the “Error, please try again” page, which IS secure according to the usual indications. :rolleyes:
Is there some type of secure Web protocol that doesn’t use the “https” and the lock symbol in the browser? If so, how am I supposed to know that I’m at a secure page? They mention SSL and encryption in their “How we protect your account” information, but their pages don’t seem to show it. Every other “secure” site I go to shows the “https” and the lock, and that’s what I’ve always understood to look for. What am I missing?
I have Bank of America and they recently switched me to a new system where you pick out a picture of a rather unique image and then you see that image whenever you log into your account. I use an entry site that looks like it is for the whole U.S. I know that their site I see operates securely but I don’t think it uses the https: protocol.
P.S. I just looked at your link and that was the old one I used. At some point in the last two weeks, it made me sign up for a more secure version with security pictures.
For anyone who wants to check, I think you have to sign in in the top right, then select a state/country before the input boxes Scarlett67 mentions show up.
Long story short, it really is secure. Some places will feed you the form secure-http (makes the lock icon show up, title bar turn yellow, etc), and then have the form pointed to a plain http form. That does nothing.
What you want is for the main page to be served in regular http (saves CPU), and have just the input form target be secure http.
If you use Firefox, you can type “Scarlett67” in the user box, and then right-click on the page somewhere and select “Page Info”. Click the “Forms” tab, and check out “frmSignIn”. From the data in the “id” field (should say “Scarlett67”), you see that that’s the form in question, and from the form action at the top you can see that the target uses the https protocol.
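An added example, not part of the thread: the Page Info check described in the post above, done in Python over saved page markup. It resolves each form's action against the page URL and reports the scheme of both; the hostnames, paths and sample markup are constructed placeholders, and only the form name frmSignIn comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect the name (or id) and raw action attribute of every <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            name = a.get("name") or a.get("id") or "(unnamed)"
            self.forms.append((name, a.get("action") or ""))


def audit_forms(page_url, html):
    """Return one (form, target_url, verdict) tuple per form on the page."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme
    results = []
    for name, action in parser.forms:
        # An empty or relative action resolves against the page URL,
        # so it inherits the page's scheme.
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            verdict = "credentials sent in cleartext"
        elif page_scheme != "https":
            # The submit is encrypted, but the markup holding this action
            # attribute reached the browser over an unauthenticated channel.
            verdict = "encrypted submit, but the page carrying the form was not"
        else:
            verdict = "page and submit both over https"
        results.append((name, target, verdict))
    return results


# Constructed sample markup; hostnames and paths are placeholders.
SAMPLE = """
<form name="frmSignIn" action="https://signin.example.com/login" method="post"></form>
<form name="frmSearch" action="/search"></form>
"""

if __name__ == "__main__":
    for row in audit_forms("http://www.example.com/", SAMPLE):
        print(row)
```
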
Yeah, I have that too. I thought it seemed weird, kind of like the myth about mailing something in a sealed envelope to yourself to prove copyright.
Is the link I gave the same one that you use to log in and see the SiteKey (image), or do you use a different login page? I use that link to get the assigned image, and it’s the same link I used before they started using the image.
Hm, for me they show up plain as day on the home page, upper left. You enter your Online ID (the aforementioned SSN by default) and then click “Show Me My SiteKey,” which is the image that Shagnasty mentioned. Then you can enter your password (they call it a passcode) on that page and you’re in.
I was only asked for my state (and some other things) when I went in to change the Online ID.
I just tried this and you are absolutely right. Neato! Thanks much. I had no idea that just the form could be made secure.
Now why couldn’t the BoA CS person have explained it so clearly? :dubious:
[QUOTE=Scarlett67]
Yeah, I have that too. I thought it seemed weird, kind of like the myth about mailing something in a sealed envelope to yourself to prove copyright.
Is the link I gave the same one that you use to log in and see the SiteKey (image), or do you use a different login page? I use that link to get the assigned image, and it’s the same link I used before they started using the image.[/QUOTE]
It is the same one. I have worked in corporate IT for a long while and it appears that they have invested a lot of money into very secure proprietary security features. That is what the site keys are for. As long as those are like you expect them, it should be among the safest sites available.