Someone reading my last blog, about two insecure banking websites, wrote that their credit union seemed to also be insecure. I agreed. Online banking at the A+ Federal Credit Union in Texas is not as secure as it could be. As it should be.

A+ Federal Credit Union in Texas home page

Right off the bat, it makes a bad impression using a cheap DV certificate rather than a more expensive and trustworthy EV certificate.

Both type of certificates offer the same encryption of data as it travels between the credit union website and your computer. What they differ in, is the assurance that you are communicating with the right website. EV refers to Extended Validation. This type of certificate is proof of the legal entity controlling the website. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA).

Since this website, michaelhorowitz.com, uses a cheap DV certificate, it could be owned and run by a guy named John Smith. To get the DV certificate, I did not have to prove that my name was Michael Horowitz. All I needed, was to be the guy maintaining the website.

Firefox displaying DV and EV certificates

If you care about security you use an EV certificate. If you are cheap (as in the case of this site) or just checking off boxes that your boss requires, then you use a DV certificate. Any and all financial websites should spend the extra $200/year (give or take) for an EV certificate. The A+ credit union did not.

In fairness, I should point out that the A+ credit union is far from the only financial website to use a cheap DV certificate. Wells Fargo bank and Equifax do too. But, of course, both companies are infamous in their own way.

Online banking is not done at aplusfcu.org, it is instead done a secure1.onlineaccess1.com. Customers are not warned that a different entity is in charge of their online banking.

Who is onlineacess1.com? None of your business.

A Whois search shows the name to be registered to PERFECT PRIVACY, LLC.

The site itself uses a cheap DV certificate, so, again, we can't tell who runs the website.

Try to access www.onlineaccess1.com to learn something about the company running the online banking and the site fails to load with a "503 Service Unavailable" error.

The full URL that A+ credit union customers go to, when enrolling in online banking, is https://secure1.onlineaccess1.com/AFCUOnline_E2E/enroll.html. If you try to access https://secure1.onlineaccess1.com without the extra stuff at the end of the URL, this too fails to load.

How secure is https://secure1.onlineaccess1.com?

It scores only a B at the Qualys SSL Server test (see below). Not good. There is no excuse for any website not to get an A. This website, running on bottom-of-the-line shared hosting for $10/month gets an A, and it's just a bunch of blogs; there is no sensitive information here at all.

SSL Server Test results for secure1.onlineaccess1.com

The big security failure is with Perfect Forward Secrecy (aka Forward Secrecy, PFS, FS). Forward Secrecy is a security feature that flies under the radar, yet is critically important. Without it, there really is no security at all. Without Perfect Forward Secrecy, all the rest is security theater, designed to fool the un-informed.

When using both TLS version 1.1 and 1.0, secure1.onlineaccess1.com does not support Forward Secrecy at all. When using TLS 1.2, it is sometimes supported.

You can read more about Perfect Forward Secrecy here and here.

Finally, the aplusfcu.org site has warnings about secure versions of web browsers. Not only are the warnings ancient, but they are also unnecessary. A website is able to determine the browser that it is talking to. Competent developers would check, on their own, if the browser meets their criteria and only issue a warning when necessary.

by Michael Horowitz