I know you are saying, yeah yeah, a security flaw from Microsoft, what else is new? But this flaw invites identity theft. For over ten years we have been told that if we decide to make purchases online, we should be sure those purchases are run through a secure and trusted site. This is why we have signed digital certificates and SSL.
In fact, it took years of convincing my wife that ordering through a secure website online is more secure than ordering over the phone (cordless) and speaking out credit card information. I’ve finally convinced her and she is well aware of how secure things can and must be when making purchases online.
These days people not only order products and services online, but also manage their money. More and more banks are jumping online to provide some type of bill pay service, one that takes advantage of the convenience of ACH debits directly from the user’s bank account. However, in order for this stuff to work, the end user must entrust the company with sensitive banking information such as bank account numbers, routing numbers, social security numbers, maiden names and many other things that are like crack cocaine to an identity thief. Thankfully these companies are smart enough to know that these transactions should be run through some type of encryption…or so you thought.
Recently Yahoo Bill Pay closed the door on what was a very successful and secure online bill pay service. I had used them for the past 8 years with no incident…nothing lost, no checks unpaid, no strange transactions. I had to switch to my local bank’s bill pay service, which I must say is very sub-par to Yahoo (yes, I know it is hard to say anything is sub-par to Yahoo, but this is it).
A friend of mine decided that he wanted to try out MSN Bill Pay because of the rave reviews. He too was a Yahoo Bill Pay customer who had to find a secure replacement.
For the past few months he has told me that the service was a little quirky but usable. The interface is certainly prettier than Yahoo’s but, I must say, not as intuitive. However, after looking at his screen, something just jumped out at me…something very disturbing:
Upon login, the user can enter username and password information over a non-secure (plain http, not https) website.
Oh, but wait, Microsoft shows its concern for security by placing a nice little padlock icon explaining why security is important to them. The flaw with this is that Microsoft is assuming that the user will read this and realize that hey, maybe I shouldn’t log in since there is no https in the URL window. Never assume that users are as observant as you’d hoped they’d be.
Why is it a flaw? Well, my friend could log in to his MSN Bill Pay account and add more payees to his list, which includes credit card account information, all while NOT seeing https in the URL or the cute little lock icon located at the bottom of the browser.
If Microsoft cared about our privacy they would not even allow the bill pay service to be accessed over a non-secure connection! The fix for my friend is to bookmark the bill pay service with https as the protocol in the URL.
Ultimately Microsoft needs to address this issue immediately, as it could open the floodgates of identity theft with packet sniffing, key logging and a host of other tools readily available to steal sensitive information.
Just because the form itself is on a non-https site doesn’t mean it’s insecure. If the form posts to an HTTPS site, then the information is still encrypted.