Is this bank website secure enough? No https in login page
Clash Royale CLAN TAG#URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
13
down vote
favorite
Today I opened a bank account to invest my savings. Here's the link to the login page: http://www1.directatrading.com/
I noticed it doesn't use Https protocol (neither is that page nor in the landing page where you can buy stocks etc).
Moreover your password can be at maximum 10 characters long and there's no 2 step verification...
This is the page where they explain their security (it's Italian, maybe you could translate: https://www.directa.it/pub2/it/altreinfo/sicurezza.html).
Thanks for any input.
It's a large broker company so it seems strange to me they don't care that much about security (however I'm no expert).
UPDATE
Thanks for your input guys! As some of you pointed out there is also a https login page!
I managed to enable "full https" navigation from a settings (weird they give the user the opportunity to choose, and default option is http.
Now I can get https in the login page and in all other pages of the website...
Moreove I enabled another option that as far as I know uses cookies to give access to my account only from my PC.
Is the situation better now?
passwords http web-service account-security
asked yesterday
KingBOB
276129
 |Â
show 4 more comments
up vote
13
down vote
favorite
Today I opened a bank account to invest my savings. Here's the link to the login page: http://www1.directatrading.com/
I noticed it doesn't use Https protocol (neither is that page nor in the landing page where you can buy stocks etc).
Moreover your password can be at maximum 10 characters long and there's no 2 step verification...
This is the page where they explain their security (it's Italian, maybe you could translate: https://www.directa.it/pub2/it/altreinfo/sicurezza.html).
Thanks for any input.
It's a large broker company so it seems strange to me they don't care that much about security (however I'm no expert).
UPDATE
Thanks for your input guys! As some of you pointed out there is also a https login page!
I managed to enable "full https" navigation from a settings (weird they give the user the opportunity to choose, and default option is http.
Now I can get https in the login page and in all other pages of the website...
Moreove I enabled another option that as far as I know uses cookies to give access to my account only from my PC.
Is the situation better now?
passwords http web-service account-security
asked yesterday
KingBOB
276129
1
https://www1.directatrading.comexists
– curiousguy
yesterday
7
It's an Italian website. What do you expect? It looks like you're in Italy, so I expect you already know this. The short answer is, don't use this bank, they don't know what they're doing.
– Steve Sether
yesterday
10
@SteveSether After re-reading your comment several times, I'm still struggling to understand it. Are you saying that Italian websites are known for having poor security?
– Jon Bentley
18 hours ago
4
@JonBentley Maybe it wasn't clear from context, but Italian websites are known for being poorly designed, poorly translated, and just poor in general. For example, My wife used to be a tour guide in Rome, and bought tickets to the Vatican all the time, and was often frustrated by it. It often was completely broken, and some of the translation is/was terrible broken English. For example, the Captcha instead of saying "Can't read this?" says: "You cannot read?" This kind of thing is typical in Italy, and Italian websites in general. Things don't work.
– Steve Sether
15 hours ago
1
@JonBentley Being Italian I must admit that there are significant website with awful practices. For example:trenitaliais the biggest train company yet it will email you your plaintext uppercased password when registering. Even worse: if you try to change password they will send you the same email but your password will actually not work, you must use the uppercased version (yes, when you register the password is kept as is even though it is emailed in uppercase, while when you change it they "secretely" uppercase it before saving it). At least this was the case a few months ago.
– Bakuriu
13 hours ago
 |Â
show 4 more comments
up vote
13
down vote
favorite
up vote
13
down vote
favorite
Today I opened a bank account to invest my savings. Here's the link to the login page: http://www1.directatrading.com/
I noticed it doesn't use Https protocol (neither is that page nor in the landing page where you can buy stocks etc).
Moreover your password can be at maximum 10 characters long and there's no 2 step verification...
This is the page where they explain their security (it's Italian, maybe you could translate: https://www.directa.it/pub2/it/altreinfo/sicurezza.html).
Thanks for any input.
It's a large broker company so it seems strange to me they don't care that much about security (however I'm no expert).
UPDATE
Thanks for your input guys! As some of you pointed out there is also a https login page!
I managed to enable "full https" navigation from a settings (weird they give the user the opportunity to choose, and default option is http.
Now I can get https in the login page and in all other pages of the website...
Moreove I enabled another option that as far as I know uses cookies to give access to my account only from my PC.
Is the situation better now?
passwords http web-service account-security
asked yesterday
KingBOB
276129
Today I opened a bank account to invest my savings. Here's the link to the login page: http://www1.directatrading.com/
I noticed it doesn't use Https protocol (neither is that page nor in the landing page where you can buy stocks etc).
Moreover your password can be at maximum 10 characters long and there's no 2 step verification...
This is the page where they explain their security (it's Italian, maybe you could translate: https://www.directa.it/pub2/it/altreinfo/sicurezza.html).
Thanks for any input.
It's a large broker company so it seems strange to me they don't care that much about security (however I'm no expert).
UPDATE
Thanks for your input guys! As some of you pointed out there is also a https login page!
I managed to enable "full https" navigation from a settings (weird they give the user the opportunity to choose, and default option is http.
Now I can get https in the login page and in all other pages of the website...
Moreove I enabled another option that as far as I know uses cookies to give access to my account only from my PC.
Is the situation better now?
passwords http web-service account-security
asked yesterday
KingBOB
276129
edited 2 hours ago
asked yesterday
KingBOB
276129
asked yesterday
KingBOB
276129
asked yesterday
KingBOB
276129
276129
1
https://www1.directatrading.comexists
– curiousguy
yesterday
7
It's an Italian website. What do you expect? It looks like you're in Italy, so I expect you already know this. The short answer is, don't use this bank, they don't know what they're doing.
– Steve Sether
yesterday
10
@SteveSether After re-reading your comment several times, I'm still struggling to understand it. Are you saying that Italian websites are known for having poor security?
– Jon Bentley
18 hours ago
4
@JonBentley Maybe it wasn't clear from context, but Italian websites are known for being poorly designed, poorly translated, and just poor in general. For example, My wife used to be a tour guide in Rome, and bought tickets to the Vatican all the time, and was often frustrated by it. It often was completely broken, and some of the translation is/was terrible broken English. For example, the Captcha instead of saying "Can't read this?" says: "You cannot read?" This kind of thing is typical in Italy, and Italian websites in general. Things don't work.
– Steve Sether
15 hours ago
1
@JonBentley Being Italian I must admit that there are significant website with awful practices. For example:trenitaliais the biggest train company yet it will email you your plaintext uppercased password when registering. Even worse: if you try to change password they will send you the same email but your password will actually not work, you must use the uppercased version (yes, when you register the password is kept as is even though it is emailed in uppercase, while when you change it they "secretely" uppercase it before saving it). At least this was the case a few months ago.
– Bakuriu
13 hours ago
 |Â
show 4 more comments
1
https://www1.directatrading.comexists
– curiousguy
yesterday
7
It's an Italian website. What do you expect? It looks like you're in Italy, so I expect you already know this. The short answer is, don't use this bank, they don't know what they're doing.
– Steve Sether
yesterday
10
@SteveSether After re-reading your comment several times, I'm still struggling to understand it. Are you saying that Italian websites are known for having poor security?
– Jon Bentley
18 hours ago
4
@JonBentley Maybe it wasn't clear from context, but Italian websites are known for being poorly designed, poorly translated, and just poor in general. For example, My wife used to be a tour guide in Rome, and bought tickets to the Vatican all the time, and was often frustrated by it. It often was completely broken, and some of the translation is/was terrible broken English. For example, the Captcha instead of saying "Can't read this?" says: "You cannot read?" This kind of thing is typical in Italy, and Italian websites in general. Things don't work.
– Steve Sether
15 hours ago
1
@JonBentley Being Italian I must admit that there are significant website with awful practices. For example:trenitaliais the biggest train company yet it will email you your plaintext uppercased password when registering. Even worse: if you try to change password they will send you the same email but your password will actually not work, you must use the uppercased version (yes, when you register the password is kept as is even though it is emailed in uppercase, while when you change it they "secretely" uppercase it before saving it). At least this was the case a few months ago.
– Bakuriu
13 hours ago
1
1
https://www1.directatrading.com exists– curiousguy
yesterday
https://www1.directatrading.com exists– curiousguy
yesterday
7
7
It's an Italian website. What do you expect? It looks like you're in Italy, so I expect you already know this. The short answer is, don't use this bank, they don't know what they're doing.
– Steve Sether
yesterday
It's an Italian website. What do you expect? It looks like you're in Italy, so I expect you already know this. The short answer is, don't use this bank, they don't know what they're doing.
– Steve Sether
yesterday
10
10
@SteveSether After re-reading your comment several times, I'm still struggling to understand it. Are you saying that Italian websites are known for having poor security?
– Jon Bentley
18 hours ago
@SteveSether After re-reading your comment several times, I'm still struggling to understand it. Are you saying that Italian websites are known for having poor security?
– Jon Bentley
18 hours ago
4
4
@JonBentley Maybe it wasn't clear from context, but Italian websites are known for being poorly designed, poorly translated, and just poor in general. For example, My wife used to be a tour guide in Rome, and bought tickets to the Vatican all the time, and was often frustrated by it. It often was completely broken, and some of the translation is/was terrible broken English. For example, the Captcha instead of saying "Can't read this?" says: "You cannot read?" This kind of thing is typical in Italy, and Italian websites in general. Things don't work.
– Steve Sether
15 hours ago
@JonBentley Maybe it wasn't clear from context, but Italian websites are known for being poorly designed, poorly translated, and just poor in general. For example, My wife used to be a tour guide in Rome, and bought tickets to the Vatican all the time, and was often frustrated by it. It often was completely broken, and some of the translation is/was terrible broken English. For example, the Captcha instead of saying "Can't read this?" says: "You cannot read?" This kind of thing is typical in Italy, and Italian websites in general. Things don't work.
– Steve Sether
15 hours ago
1
1
@JonBentley Being Italian I must admit that there are significant website with awful practices. For example:
trenitalia is the biggest train company yet it will email you your plaintext uppercased password when registering. Even worse: if you try to change password they will send you the same email but your password will actually not work, you must use the uppercased version (yes, when you register the password is kept as is even though it is emailed in uppercase, while when you change it they "secretely" uppercase it before saving it). At least this was the case a few months ago.– Bakuriu
13 hours ago
@JonBentley Being Italian I must admit that there are significant website with awful practices. For example:
trenitalia is the biggest train company yet it will email you your plaintext uppercased password when registering. Even worse: if you try to change password they will send you the same email but your password will actually not work, you must use the uppercased version (yes, when you register the password is kept as is even though it is emailed in uppercase, while when you change it they "secretely" uppercase it before saving it). At least this was the case a few months ago.– Bakuriu
13 hours ago
 |Â
show 4 more comments
3 Answers
3
active
oldest
votes
up vote
18
down vote
doesn't use Https protocol
The website you provided does support HTTPS, but not HSTS or HTTP to HTTPS redirect. That is why you could be directed to an unsecured HTTP site. SSL Labs analysis.
Moreover your password can be at maximum 10 characters
Oddly this is common of online banking. I have experienced a bank which defined the following rules for a password az-AZ-09 with a character limit less or equal to 10.
there's no 2 step verification...
Despite this becoming a norm in security. Some still have configured their infrastructure with primitive security, given modern attack vectors. 2FA should be a must. Most banks will either provide a "secure key" or access to a one-time password from their mobile banking app.
My personal advice. Avoid online banking with this bank, and look for an alternative which can satisfy your security (OpSec) needs.
answered yesterday
safesploit
588211
3
Ah, I didn't catch that they support HTTPS but don't force redirect HTTP to HTTPS. I'm so used to doing both in combination that I forgot you can leave out the last step! To be clear (and you could always mention this yourself), allowing HTTPS but not automatically redirecting HTTP is a big security hole because a malicious attacker could easily use it to redirect the user and steal credentials.
– Conor Mancone
yesterday
3
SSL Strip: For downgrading HTTPS request to HTTP (unsecure) SSL Strip for Newbies - avicoder.me/2016/02/22/SSLstrip-for-newbies Kali Linux MITM Attack Tutorial: hacking-tutorial.com/hacking-tutorial/…
– safesploit
yesterday
2
The restrictive password limits translate to the bank having a legacy COBOL system (virtually all banks do), using it for authentication (common), and it being sufficiently brittle that the risk of making any major changes to it is too high to be acceptable (depressingly common).
– Dan Neely
23 hours ago
8
"allowing HTTPS but not automatically redirecting HTTP is a big security hole" - No, it's virtually meaningless. If an attacker can redirect the user (to plain HTTP), he can also mitm with SSL stripping (against which the redirect does NOT protect). The only fail-safe way to force HTTPS is HSTS preloading. HSTS without preload is basically trust-on-first-use, with all the problems that includes. An HTTPS redirect protects against nothing (but is more or less necessary to make HSTS without preloading work).
– marcelm
23 hours ago
2
@marcelm by itself it's not enough to make a site secure against a hostile entity manipulating traffic, it does protect against the far more common case where a user didn't explicitly specify https. For a financial institution not having HSTS is facepalm bad, even if everything else was done right; but also failing to handle the most common failure case - user error - is worthy of a second facepalm.
– Dan Neely
23 hours ago
 |Â
show 4 more comments
up vote
10
down vote
Presuming that is the actual login page:
Yes, this is very insecure by modern standards, and even more so for anything involving actual monetary transactions.
There is always the slim possibility that the page loads on HTTP but then submits to a server protected by HTTPS. That would still be bad but would at least be "better". However, I confirmed that this doesn't happen. As I'm sure you know this would allow anyone on your local network (or anywhere between you and their server) to read your username and password.
There is also no CSRF protection on the login endpoint - this can introduce a lot of other more subtle security weaknesses (although not anywhere near as severe as failing to encrypt your login credentials).
The best-case scenario here is that the page you are on isn't supposed to be the primary login page, but you ended up there by accident and they forgot to remove it and direct people to the login page which is actually secure.
I ran the website describing their security through google translate. Obviously it won't be perfect, but it certainly gives the highlights:
- We've never had a breach before - nothing to worry about!
- We have a super secure firewall
- We use SSL encryption!
- You can change your password!
- You can deny access to your account from all but one device
- You can see when/where you last logged in
- You can get a text message everytime someone logs in
- Even if someone were to login your money would be safe because we don't allow transfers to any accounts not specified by you and indicated in your contract
I wouldn't take any of that very seriously, especially in light of their inability to provide SSL encryption on the login page, which is probably the most important page of all to secure. Given their lax practices here I would assume that they have security holes elsewhere in their system. Whether or not they have ever had a breach is something no one will ever know - what should say is:
If we've ever had a breach we at least don't know about it! We promise we're not lying!
If they really haven't ever had a breach it is probably because no one has ever bothered trying to target them, and not because of good security practices. I wouldn't even take point #8 seriously. You'd be surprised what people talk account support technicians into doing, and even if an attacker can't actively steal your money, this doesn't mean that they can't cause you severe harm if they get into your account.
answered yesterday
Conor Mancone
6,35121435
2
"at least don't know about it" naturally, because they probably don't have adequate monitoring in place either...
– msanford
yesterday
As other posters noted, they do have SSL encryption on the login page if you type https:// to get to the bank page. But you've got a lot of other good points.
– Joshua
22 hours ago
@Joshua yeah, I didn't notice that myself until the other answers came in, but it was covered well enough in other answers that I figured there was no point in adding it to my answer.
– Conor Mancone
22 hours ago
Even without social engineering #8 doesn't make much sense. If it's a brokerage account, an attacker would still be able to trade -- say, to buy some illiquid assets that the attacker's twin brother just happens to have for sale at a high asking price.
– Henning Makholm
38 mins ago
add a comment |Â
up vote
7
down vote
Whomever designed the website appears to have a lack of security knowledge. As others have pointed out, they do support HTTPS, but at the very least you should be redirected from the HTTP to HTTPS when you go to the login site. That was standard for secure websites more than 10 years ago. It's extremely trivial to implement this, offers real protection from real attacks, and not having it is a red flag.
Even better would be supporting HSTS (also not supported), which is a way of publishing information on how the website should only be available via HTTPS. This standard is now almost 6 years old, and widely implemented. A bank not having this simple security measure is another red flag.
It should come as no surprise to you that Italian websites... aren't really the best. I've spent considerable time in Italy using Italian websites, and many are shockingly bad and about 15 years behind the times. This site is no exception.
The password length limits are sadly the norm for many banks. This is because much of the banking industry is itself far behind the times with an enormous amount of legacy systems still in place. The lack of 2-Factor authentication is also relatively common. Both these are indications the institution isn't focused on security, but it's far too common for these to be red flags.
I ran a test of their SSL configuration against SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=www1.directatrading.com
It's actually not terrible (They get a B), which isn't a red flag, but is another indicator of not keeping up with security standards.
I wouldn't recommend using this financial institution since they seem to have a severe disregard for modern security practices going back at least 10-15 years. The visible problems are often just the tip of the iceberg.
answered yesterday
Steve Sether
15.9k53364
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
18
down vote
doesn't use Https protocol
The website you provided does support HTTPS, but not HSTS or HTTP to HTTPS redirect. That is why you could be directed to an unsecured HTTP site. SSL Labs analysis.
Moreover your password can be at maximum 10 characters
Oddly this is common of online banking. I have experienced a bank which defined the following rules for a password az-AZ-09 with a character limit less or equal to 10.
there's no 2 step verification...
Despite this becoming a norm in security. Some still have configured their infrastructure with primitive security, given modern attack vectors. 2FA should be a must. Most banks will either provide a "secure key" or access to a one-time password from their mobile banking app.
My personal advice. Avoid online banking with this bank, and look for an alternative which can satisfy your security (OpSec) needs.
answered yesterday
safesploit
588211
3
Ah, I didn't catch that they support HTTPS but don't force redirect HTTP to HTTPS. I'm so used to doing both in combination that I forgot you can leave out the last step! To be clear (and you could always mention this yourself), allowing HTTPS but not automatically redirecting HTTP is a big security hole because a malicious attacker could easily use it to redirect the user and steal credentials.
– Conor Mancone
yesterday
3
SSL Strip: For downgrading HTTPS request to HTTP (unsecure) SSL Strip for Newbies - avicoder.me/2016/02/22/SSLstrip-for-newbies Kali Linux MITM Attack Tutorial: hacking-tutorial.com/hacking-tutorial/…
– safesploit
yesterday
2
The restrictive password limits translate to the bank having a legacy COBOL system (virtually all banks do), using it for authentication (common), and it being sufficiently brittle that the risk of making any major changes to it is too high to be acceptable (depressingly common).
– Dan Neely
23 hours ago
8
"allowing HTTPS but not automatically redirecting HTTP is a big security hole" - No, it's virtually meaningless. If an attacker can redirect the user (to plain HTTP), he can also mitm with SSL stripping (against which the redirect does NOT protect). The only fail-safe way to force HTTPS is HSTS preloading. HSTS without preload is basically trust-on-first-use, with all the problems that includes. An HTTPS redirect protects against nothing (but is more or less necessary to make HSTS without preloading work).
– marcelm
23 hours ago
2
@marcelm by itself it's not enough to make a site secure against a hostile entity manipulating traffic, it does protect against the far more common case where a user didn't explicitly specify https. For a financial institution not having HSTS is facepalm bad, even if everything else was done right; but also failing to handle the most common failure case - user error - is worthy of a second facepalm.
– Dan Neely
23 hours ago
 |Â
show 4 more comments
up vote
18
down vote
doesn't use Https protocol
The website you provided does support HTTPS, but not HSTS or HTTP to HTTPS redirect. That is why you could be directed to an unsecured HTTP site. SSL Labs analysis.
Moreover your password can be at maximum 10 characters
Oddly this is common of online banking. I have experienced a bank which defined the following rules for a password az-AZ-09 with a character limit less or equal to 10.
there's no 2 step verification...
Despite this becoming a norm in security. Some still have configured their infrastructure with primitive security, given modern attack vectors. 2FA should be a must. Most banks will either provide a "secure key" or access to a one-time password from their mobile banking app.
My personal advice. Avoid online banking with this bank, and look for an alternative which can satisfy your security (OpSec) needs.
answered yesterday
safesploit
588211
3
Ah, I didn't catch that they support HTTPS but don't force redirect HTTP to HTTPS. I'm so used to doing both in combination that I forgot you can leave out the last step! To be clear (and you could always mention this yourself), allowing HTTPS but not automatically redirecting HTTP is a big security hole because a malicious attacker could easily use it to redirect the user and steal credentials.
– Conor Mancone
yesterday
3
SSL Strip: For downgrading HTTPS request to HTTP (unsecure) SSL Strip for Newbies - avicoder.me/2016/02/22/SSLstrip-for-newbies Kali Linux MITM Attack Tutorial: hacking-tutorial.com/hacking-tutorial/…
– safesploit
yesterday
2
The restrictive password limits translate to the bank having a legacy COBOL system (virtually all banks do), using it for authentication (common), and it being sufficiently brittle that the risk of making any major changes to it is too high to be acceptable (depressingly common).
– Dan Neely
23 hours ago
8
"allowing HTTPS but not automatically redirecting HTTP is a big security hole" - No, it's virtually meaningless. If an attacker can redirect the user (to plain HTTP), he can also mitm with SSL stripping (against which the redirect does NOT protect). The only fail-safe way to force HTTPS is HSTS preloading. HSTS without preload is basically trust-on-first-use, with all the problems that includes. An HTTPS redirect protects against nothing (but is more or less necessary to make HSTS without preloading work).
– marcelm
23 hours ago
2
@marcelm by itself it's not enough to make a site secure against a hostile entity manipulating traffic, it does protect against the far more common case where a user didn't explicitly specify https. For a financial institution not having HSTS is facepalm bad, even if everything else was done right; but also failing to handle the most common failure case - user error - is worthy of a second facepalm.
– Dan Neely
23 hours ago
 |Â
show 4 more comments
up vote
18
down vote
up vote
18
down vote
doesn't use Https protocol
The website you provided does support HTTPS, but not HSTS or HTTP to HTTPS redirect. That is why you could be directed to an unsecured HTTP site. SSL Labs analysis.
Moreover your password can be at maximum 10 characters
Oddly this is common of online banking. I have experienced a bank which defined the following rules for a password az-AZ-09 with a character limit less or equal to 10.
there's no 2 step verification...
Despite this becoming a norm in security. Some still have configured their infrastructure with primitive security, given modern attack vectors. 2FA should be a must. Most banks will either provide a "secure key" or access to a one-time password from their mobile banking app.
My personal advice. Avoid online banking with this bank, and look for an alternative which can satisfy your security (OpSec) needs.
answered yesterday
safesploit
588211
doesn't use Https protocol
The website you provided does support HTTPS, but not HSTS or HTTP to HTTPS redirect. That is why you could be directed to an unsecured HTTP site. SSL Labs analysis.
Moreover your password can be at maximum 10 characters
Oddly this is common of online banking. I have experienced a bank which defined the following rules for a password az-AZ-09 with a character limit less or equal to 10.
there's no 2 step verification...
Despite this becoming a norm in security. Some still have configured their infrastructure with primitive security, given modern attack vectors. 2FA should be a must. Most banks will either provide a "secure key" or access to a one-time password from their mobile banking app.
My personal advice. Avoid online banking with this bank, and look for an alternative which can satisfy your security (OpSec) needs.
answered yesterday
safesploit
588211
answered yesterday
safesploit
588211
answered yesterday
safesploit
588211
answered yesterday
safesploit
588211
588211
3
Ah, I didn't catch that they support HTTPS but don't force redirect HTTP to HTTPS. I'm so used to doing both in combination that I forgot you can leave out the last step! To be clear (and you could always mention this yourself), allowing HTTPS but not automatically redirecting HTTP is a big security hole because a malicious attacker could easily use it to redirect the user and steal credentials.
– Conor Mancone
yesterday
3
SSL Strip: For downgrading HTTPS request to HTTP (unsecure) SSL Strip for Newbies - avicoder.me/2016/02/22/SSLstrip-for-newbies Kali Linux MITM Attack Tutorial: hacking-tutorial.com/hacking-tutorial/…
– safesploit
yesterday
2
The restrictive password limits translate to the bank having a legacy COBOL system (virtually all banks do), using it for authentication (common), and it being sufficiently brittle that the risk of making any major changes to it is too high to be acceptable (depressingly common).
– Dan Neely
23 hours ago
8
"allowing HTTPS but not automatically redirecting HTTP is a big security hole" - No, it's virtually meaningless. If an attacker can redirect the user (to plain HTTP), he can also mitm with SSL stripping (against which the redirect does NOT protect). The only fail-safe way to force HTTPS is HSTS preloading. HSTS without preload is basically trust-on-first-use, with all the problems that includes. An HTTPS redirect protects against nothing (but is more or less necessary to make HSTS without preloading work).
– marcelm
23 hours ago
2
@marcelm by itself it's not enough to make a site secure against a hostile entity manipulating traffic, it does protect against the far more common case where a user didn't explicitly specify https. For a financial institution not having HSTS is facepalm bad, even if everything else was done right; but also failing to handle the most common failure case - user error - is worthy of a second facepalm.
– Dan Neely
23 hours ago
 |Â
show 4 more comments
3
Ah, I didn't catch that they support HTTPS but don't force redirect HTTP to HTTPS. I'm so used to doing both in combination that I forgot you can leave out the last step! To be clear (and you could always mention this yourself), allowing HTTPS but not automatically redirecting HTTP is a big security hole because a malicious attacker could easily use it to redirect the user and steal credentials.
– Conor Mancone
yesterday
3
SSL Strip: For downgrading HTTPS request to HTTP (unsecure) SSL Strip for Newbies - avicoder.me/2016/02/22/SSLstrip-for-newbies Kali Linux MITM Attack Tutorial: hacking-tutorial.com/hacking-tutorial/…
– safesploit
yesterday
2
The restrictive password limits translate to the bank having a legacy COBOL system (virtually all banks do), using it for authentication (common), and it being sufficiently brittle that the risk of making any major changes to it is too high to be acceptable (depressingly common).
– Dan Neely
23 hours ago
8
"allowing HTTPS but not automatically redirecting HTTP is a big security hole" - No, it's virtually meaningless. If an attacker can redirect the user (to plain HTTP), he can also mitm with SSL stripping (against which the redirect does NOT protect). The only fail-safe way to force HTTPS is HSTS preloading. HSTS without preload is basically trust-on-first-use, with all the problems that includes. An HTTPS redirect protects against nothing (but is more or less necessary to make HSTS without preloading work).
– marcelm
23 hours ago
2
@marcelm by itself it's not enough to make a site secure against a hostile entity manipulating traffic, it does protect against the far more common case where a user didn't explicitly specify https. For a financial institution not having HSTS is facepalm bad, even if everything else was done right; but also failing to handle the most common failure case - user error - is worthy of a second facepalm.
– Dan Neely
23 hours ago
3
3
Ah, I didn't catch that they support HTTPS but don't force redirect HTTP to HTTPS. I'm so used to doing both in combination that I forgot you can leave out the last step! To be clear (and you could always mention this yourself), allowing HTTPS but not automatically redirecting HTTP is a big security hole because a malicious attacker could easily use it to redirect the user and steal credentials.
– Conor Mancone
yesterday
Ah, I didn't catch that they support HTTPS but don't force redirect HTTP to HTTPS. I'm so used to doing both in combination that I forgot you can leave out the last step! To be clear (and you could always mention this yourself), allowing HTTPS but not automatically redirecting HTTP is a big security hole because a malicious attacker could easily use it to redirect the user and steal credentials.
– Conor Mancone
yesterday
3
3
SSL Strip: For downgrading HTTPS request to HTTP (unsecure) SSL Strip for Newbies - avicoder.me/2016/02/22/SSLstrip-for-newbies Kali Linux MITM Attack Tutorial: hacking-tutorial.com/hacking-tutorial/…
– safesploit
yesterday
SSL Strip: For downgrading HTTPS request to HTTP (unsecure) SSL Strip for Newbies - avicoder.me/2016/02/22/SSLstrip-for-newbies Kali Linux MITM Attack Tutorial: hacking-tutorial.com/hacking-tutorial/…
– safesploit
yesterday
2
2
The restrictive password limits translate to the bank having a legacy COBOL system (virtually all banks do), using it for authentication (common), and it being sufficiently brittle that the risk of making any major changes to it is too high to be acceptable (depressingly common).
– Dan Neely
23 hours ago
The restrictive password limits translate to the bank having a legacy COBOL system (virtually all banks do), using it for authentication (common), and it being sufficiently brittle that the risk of making any major changes to it is too high to be acceptable (depressingly common).
– Dan Neely
23 hours ago
8
8
"allowing HTTPS but not automatically redirecting HTTP is a big security hole" - No, it's virtually meaningless. If an attacker can redirect the user (to plain HTTP), he can also mitm with SSL stripping (against which the redirect does NOT protect). The only fail-safe way to force HTTPS is HSTS preloading. HSTS without preload is basically trust-on-first-use, with all the problems that includes. An HTTPS redirect protects against nothing (but is more or less necessary to make HSTS without preloading work).
– marcelm
23 hours ago
"allowing HTTPS but not automatically redirecting HTTP is a big security hole" - No, it's virtually meaningless. If an attacker can redirect the user (to plain HTTP), he can also mitm with SSL stripping (against which the redirect does NOT protect). The only fail-safe way to force HTTPS is HSTS preloading. HSTS without preload is basically trust-on-first-use, with all the problems that includes. An HTTPS redirect protects against nothing (but is more or less necessary to make HSTS without preloading work).
– marcelm
23 hours ago
2
2
@marcelm by itself it's not enough to make a site secure against a hostile entity manipulating traffic, it does protect against the far more common case where a user didn't explicitly specify https. For a financial institution not having HSTS is facepalm bad, even if everything else was done right; but also failing to handle the most common failure case - user error - is worthy of a second facepalm.
– Dan Neely
23 hours ago
@marcelm by itself it's not enough to make a site secure against a hostile entity manipulating traffic, it does protect against the far more common case where a user didn't explicitly specify https. For a financial institution not having HSTS is facepalm bad, even if everything else was done right; but also failing to handle the most common failure case - user error - is worthy of a second facepalm.
– Dan Neely
23 hours ago
 |Â
show 4 more comments
up vote
10
down vote
Presuming that is the actual login page:
Yes, this is very insecure by modern standards, and even more so for anything involving actual monetary transactions.
There is always the slim possibility that the page loads on HTTP but then submits to a server protected by HTTPS. That would still be bad but would at least be "better". However, I confirmed that this doesn't happen. As I'm sure you know this would allow anyone on your local network (or anywhere between you and their server) to read your username and password.
There is also no CSRF protection on the login endpoint - this can introduce a lot of other more subtle security weaknesses (although not anywhere near as severe as failing to encrypt your login credentials).
The best-case scenario here is that the page you are on isn't supposed to be the primary login page, but you ended up there by accident and they forgot to remove it and direct people to the login page which is actually secure.
I ran the website describing their security through google translate. Obviously it won't be perfect, but it certainly gives the highlights:
- We've never had a breach before - nothing to worry about!
- We have a super secure firewall
- We use SSL encryption!
- You can change your password!
- You can deny access to your account from all but one device
- You can see when/where you last logged in
- You can get a text message everytime someone logs in
- Even if someone were to login your money would be safe because we don't allow transfers to any accounts not specified by you and indicated in your contract
I wouldn't take any of that very seriously, especially in light of their inability to provide SSL encryption on the login page, which is probably the most important page of all to secure. Given their lax practices here I would assume that they have security holes elsewhere in their system. Whether or not they have ever had a breach is something no one will ever know - what should say is:
If we've ever had a breach we at least don't know about it! We promise we're not lying!
If they really haven't ever had a breach it is probably because no one has ever bothered trying to target them, and not because of good security practices. I wouldn't even take point #8 seriously. You'd be surprised what people talk account support technicians into doing, and even if an attacker can't actively steal your money, this doesn't mean that they can't cause you severe harm if they get into your account.
answered yesterday
Conor Mancone
6,35121435
2
"at least don't know about it" naturally, because they probably don't have adequate monitoring in place either...
– msanford
yesterday
As other posters noted, they do have SSL encryption on the login page if you type https:// to get to the bank page. But you've got a lot of other good points.
– Joshua
22 hours ago
@Joshua yeah, I didn't notice that myself until the other answers came in, but it was covered well enough in other answers that I figured there was no point in adding it to my answer.
– Conor Mancone
22 hours ago
Even without social engineering #8 doesn't make much sense. If it's a brokerage account, an attacker would still be able to trade -- say, to buy some illiquid assets that the attacker's twin brother just happens to have for sale at a high asking price.
– Henning Makholm
38 mins ago
add a comment |Â
up vote
10
down vote
Presuming that is the actual login page:
Yes, this is very insecure by modern standards, and even more so for anything involving actual monetary transactions.
There is always the slim possibility that the page loads on HTTP but then submits to a server protected by HTTPS. That would still be bad but would at least be "better". However, I confirmed that this doesn't happen. As I'm sure you know this would allow anyone on your local network (or anywhere between you and their server) to read your username and password.
There is also no CSRF protection on the login endpoint - this can introduce a lot of other more subtle security weaknesses (although not anywhere near as severe as failing to encrypt your login credentials).
The best-case scenario here is that the page you are on isn't supposed to be the primary login page, but you ended up there by accident and they forgot to remove it and direct people to the login page which is actually secure.
I ran the website describing their security through google translate. Obviously it won't be perfect, but it certainly gives the highlights:
- We've never had a breach before - nothing to worry about!
- We have a super secure firewall
- We use SSL encryption!
- You can change your password!
- You can deny access to your account from all but one device
- You can see when/where you last logged in
- You can get a text message everytime someone logs in
- Even if someone were to login your money would be safe because we don't allow transfers to any accounts not specified by you and indicated in your contract
I wouldn't take any of that very seriously, especially in light of their inability to provide SSL encryption on the login page, which is probably the most important page of all to secure. Given their lax practices here I would assume that they have security holes elsewhere in their system. Whether or not they have ever had a breach is something no one will ever know - what should say is:
If we've ever had a breach we at least don't know about it! We promise we're not lying!
If they really haven't ever had a breach it is probably because no one has ever bothered trying to target them, and not because of good security practices. I wouldn't even take point #8 seriously. You'd be surprised what people talk account support technicians into doing, and even if an attacker can't actively steal your money, this doesn't mean that they can't cause you severe harm if they get into your account.
answered yesterday
Conor Mancone
6,35121435
2
"at least don't know about it" naturally, because they probably don't have adequate monitoring in place either...
– msanford
yesterday
As other posters noted, they do have SSL encryption on the login page if you type https:// to get to the bank page. But you've got a lot of other good points.
– Joshua
22 hours ago
@Joshua yeah, I didn't notice that myself until the other answers came in, but it was covered well enough in other answers that I figured there was no point in adding it to my answer.
– Conor Mancone
22 hours ago
Even without social engineering #8 doesn't make much sense. If it's a brokerage account, an attacker would still be able to trade -- say, to buy some illiquid assets that the attacker's twin brother just happens to have for sale at a high asking price.
– Henning Makholm
38 mins ago
add a comment |Â
up vote
10
down vote
up vote
10
down vote
Presuming that is the actual login page:
Yes, this is very insecure by modern standards, and even more so for anything involving actual monetary transactions.
There is always the slim possibility that the page loads on HTTP but then submits to a server protected by HTTPS. That would still be bad but would at least be "better". However, I confirmed that this doesn't happen. As I'm sure you know this would allow anyone on your local network (or anywhere between you and their server) to read your username and password.
There is also no CSRF protection on the login endpoint - this can introduce a lot of other more subtle security weaknesses (although not anywhere near as severe as failing to encrypt your login credentials).
The best-case scenario here is that the page you are on isn't supposed to be the primary login page, but you ended up there by accident and they forgot to remove it and direct people to the login page which is actually secure.
I ran the website describing their security through google translate. Obviously it won't be perfect, but it certainly gives the highlights:
- We've never had a breach before - nothing to worry about!
- We have a super secure firewall
- We use SSL encryption!
- You can change your password!
- You can deny access to your account from all but one device
- You can see when/where you last logged in
- You can get a text message everytime someone logs in
- Even if someone were to login your money would be safe because we don't allow transfers to any accounts not specified by you and indicated in your contract
I wouldn't take any of that very seriously, especially in light of their inability to provide SSL encryption on the login page, which is probably the most important page of all to secure. Given their lax practices here I would assume that they have security holes elsewhere in their system. Whether or not they have ever had a breach is something no one will ever know - what should say is:
If we've ever had a breach we at least don't know about it! We promise we're not lying!
If they really haven't ever had a breach it is probably because no one has ever bothered trying to target them, and not because of good security practices. I wouldn't even take point #8 seriously. You'd be surprised what people talk account support technicians into doing, and even if an attacker can't actively steal your money, this doesn't mean that they can't cause you severe harm if they get into your account.
answered yesterday
Conor Mancone
6,35121435
Presuming that is the actual login page:
Yes, this is very insecure by modern standards, and even more so for anything involving actual monetary transactions.
There is always the slim possibility that the page loads on HTTP but then submits to a server protected by HTTPS. That would still be bad but would at least be "better". However, I confirmed that this doesn't happen. As I'm sure you know this would allow anyone on your local network (or anywhere between you and their server) to read your username and password.
There is also no CSRF protection on the login endpoint - this can introduce a lot of other more subtle security weaknesses (although not anywhere near as severe as failing to encrypt your login credentials).
The best-case scenario here is that the page you are on isn't supposed to be the primary login page, but you ended up there by accident and they forgot to remove it and direct people to the login page which is actually secure.
I ran the website describing their security through google translate. Obviously it won't be perfect, but it certainly gives the highlights:
- We've never had a breach before - nothing to worry about!
- We have a super secure firewall
- We use SSL encryption!
- You can change your password!
- You can deny access to your account from all but one device
- You can see when/where you last logged in
- You can get a text message everytime someone logs in
- Even if someone were to login your money would be safe because we don't allow transfers to any accounts not specified by you and indicated in your contract
I wouldn't take any of that very seriously, especially in light of their inability to provide SSL encryption on the login page, which is probably the most important page of all to secure. Given their lax practices here I would assume that they have security holes elsewhere in their system. Whether or not they have ever had a breach is something no one will ever know - what should say is:
If we've ever had a breach we at least don't know about it! We promise we're not lying!
If they really haven't ever had a breach it is probably because no one has ever bothered trying to target them, and not because of good security practices. I wouldn't even take point #8 seriously. You'd be surprised what people talk account support technicians into doing, and even if an attacker can't actively steal your money, this doesn't mean that they can't cause you severe harm if they get into your account.
answered yesterday
Conor Mancone
6,35121435
answered yesterday
Conor Mancone
6,35121435
answered yesterday
Conor Mancone
6,35121435
answered yesterday
Conor Mancone
6,35121435
6,35121435
2
"at least don't know about it" naturally, because they probably don't have adequate monitoring in place either...
– msanford
yesterday
As other posters noted, they do have SSL encryption on the login page if you type https:// to get to the bank page. But you've got a lot of other good points.
– Joshua
22 hours ago
@Joshua yeah, I didn't notice that myself until the other answers came in, but it was covered well enough in other answers that I figured there was no point in adding it to my answer.
– Conor Mancone
22 hours ago
Even without social engineering #8 doesn't make much sense. If it's a brokerage account, an attacker would still be able to trade -- say, to buy some illiquid assets that the attacker's twin brother just happens to have for sale at a high asking price.
– Henning Makholm
38 mins ago
add a comment |Â
2
"at least don't know about it" naturally, because they probably don't have adequate monitoring in place either...
– msanford
yesterday
As other posters noted, they do have SSL encryption on the login page if you type https:// to get to the bank page. But you've got a lot of other good points.
– Joshua
22 hours ago
@Joshua yeah, I didn't notice that myself until the other answers came in, but it was covered well enough in other answers that I figured there was no point in adding it to my answer.
– Conor Mancone
22 hours ago
Even without social engineering #8 doesn't make much sense. If it's a brokerage account, an attacker would still be able to trade -- say, to buy some illiquid assets that the attacker's twin brother just happens to have for sale at a high asking price.
– Henning Makholm
38 mins ago
2
2
"at least don't know about it" naturally, because they probably don't have adequate monitoring in place either...
– msanford
yesterday
"at least don't know about it" naturally, because they probably don't have adequate monitoring in place either...
– msanford
yesterday
As other posters noted, they do have SSL encryption on the login page if you type https:// to get to the bank page. But you've got a lot of other good points.
– Joshua
22 hours ago
As other posters noted, they do have SSL encryption on the login page if you type https:// to get to the bank page. But you've got a lot of other good points.
– Joshua
22 hours ago
@Joshua yeah, I didn't notice that myself until the other answers came in, but it was covered well enough in other answers that I figured there was no point in adding it to my answer.
– Conor Mancone
22 hours ago
@Joshua yeah, I didn't notice that myself until the other answers came in, but it was covered well enough in other answers that I figured there was no point in adding it to my answer.
– Conor Mancone
22 hours ago
Even without social engineering #8 doesn't make much sense. If it's a brokerage account, an attacker would still be able to trade -- say, to buy some illiquid assets that the attacker's twin brother just happens to have for sale at a high asking price.
– Henning Makholm
38 mins ago
Even without social engineering #8 doesn't make much sense. If it's a brokerage account, an attacker would still be able to trade -- say, to buy some illiquid assets that the attacker's twin brother just happens to have for sale at a high asking price.
– Henning Makholm
38 mins ago
add a comment |Â
up vote
7
down vote
Whomever designed the website appears to have a lack of security knowledge. As others have pointed out, they do support HTTPS, but at the very least you should be redirected from the HTTP to HTTPS when you go to the login site. That was standard for secure websites more than 10 years ago. It's extremely trivial to implement this, offers real protection from real attacks, and not having it is a red flag.
Even better would be supporting HSTS (also not supported), which is a way of publishing information on how the website should only be available via HTTPS. This standard is now almost 6 years old, and widely implemented. A bank not having this simple security measure is another red flag.
It should come as no surprise to you that Italian websites... aren't really the best. I've spent considerable time in Italy using Italian websites, and many are shockingly bad and about 15 years behind the times. This site is no exception.
The password length limits are sadly the norm for many banks. This is because much of the banking industry is itself far behind the times with an enormous amount of legacy systems still in place. The lack of 2-Factor authentication is also relatively common. Both these are indications the institution isn't focused on security, but it's far too common for these to be red flags.
I ran a test of their SSL configuration against SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=www1.directatrading.com
It's actually not terrible (They get a B), which isn't a red flag, but is another indicator of not keeping up with security standards.
I wouldn't recommend using this financial institution since they seem to have a severe disregard for modern security practices going back at least 10-15 years. The visible problems are often just the tip of the iceberg.
answered yesterday
Steve Sether
15.9k53364
add a comment |Â
up vote
7
down vote
Whomever designed the website appears to have a lack of security knowledge. As others have pointed out, they do support HTTPS, but at the very least you should be redirected from the HTTP to HTTPS when you go to the login site. That was standard for secure websites more than 10 years ago. It's extremely trivial to implement this, offers real protection from real attacks, and not having it is a red flag.
Even better would be supporting HSTS (also not supported), which is a way of publishing information on how the website should only be available via HTTPS. This standard is now almost 6 years old, and widely implemented. A bank not having this simple security measure is another red flag.
It should come as no surprise to you that Italian websites... aren't really the best. I've spent considerable time in Italy using Italian websites, and many are shockingly bad and about 15 years behind the times. This site is no exception.
The password length limits are sadly the norm for many banks. This is because much of the banking industry is itself far behind the times with an enormous amount of legacy systems still in place. The lack of 2-Factor authentication is also relatively common. Both these are indications the institution isn't focused on security, but it's far too common for these to be red flags.
I ran a test of their SSL configuration against SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=www1.directatrading.com
It's actually not terrible (They get a B), which isn't a red flag, but is another indicator of not keeping up with security standards.
I wouldn't recommend using this financial institution since they seem to have a severe disregard for modern security practices going back at least 10-15 years. The visible problems are often just the tip of the iceberg.
answered yesterday
Steve Sether
15.9k53364
add a comment |Â
up vote
7
down vote
up vote
7
down vote
Whomever designed the website appears to have a lack of security knowledge. As others have pointed out, they do support HTTPS, but at the very least you should be redirected from the HTTP to HTTPS when you go to the login site. That was standard for secure websites more than 10 years ago. It's extremely trivial to implement this, offers real protection from real attacks, and not having it is a red flag.
Even better would be supporting HSTS (also not supported), which is a way of publishing information on how the website should only be available via HTTPS. This standard is now almost 6 years old, and widely implemented. A bank not having this simple security measure is another red flag.
It should come as no surprise to you that Italian websites... aren't really the best. I've spent considerable time in Italy using Italian websites, and many are shockingly bad and about 15 years behind the times. This site is no exception.
The password length limits are sadly the norm for many banks. This is because much of the banking industry is itself far behind the times with an enormous amount of legacy systems still in place. The lack of 2-Factor authentication is also relatively common. Both these are indications the institution isn't focused on security, but it's far too common for these to be red flags.
I ran a test of their SSL configuration against SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=www1.directatrading.com
It's actually not terrible (They get a B), which isn't a red flag, but is another indicator of not keeping up with security standards.
I wouldn't recommend using this financial institution since they seem to have a severe disregard for modern security practices going back at least 10-15 years. The visible problems are often just the tip of the iceberg.
answered yesterday
Steve Sether
15.9k53364
Whomever designed the website appears to have a lack of security knowledge. As others have pointed out, they do support HTTPS, but at the very least you should be redirected from the HTTP to HTTPS when you go to the login site. That was standard for secure websites more than 10 years ago. It's extremely trivial to implement this, offers real protection from real attacks, and not having it is a red flag.
Even better would be supporting HSTS (also not supported), which is a way of publishing information on how the website should only be available via HTTPS. This standard is now almost 6 years old, and widely implemented. A bank not having this simple security measure is another red flag.
It should come as no surprise to you that Italian websites... aren't really the best. I've spent considerable time in Italy using Italian websites, and many are shockingly bad and about 15 years behind the times. This site is no exception.
The password length limits are sadly the norm for many banks. This is because much of the banking industry is itself far behind the times with an enormous amount of legacy systems still in place. The lack of 2-Factor authentication is also relatively common. Both these are indications the institution isn't focused on security, but it's far too common for these to be red flags.
I ran a test of their SSL configuration against SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html?d=www1.directatrading.com
It's actually not terrible (They get a B), which isn't a red flag, but is another indicator of not keeping up with security standards.
I wouldn't recommend using this financial institution since they seem to have a severe disregard for modern security practices going back at least 10-15 years. The visible problems are often just the tip of the iceberg.
answered yesterday
Steve Sether
15.9k53364
edited 22 hours ago
answered yesterday
Steve Sether
15.9k53364
answered yesterday
Steve Sether
15.9k53364
answered yesterday
Steve Sether
15.9k53364
15.9k53364
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f190924%2fis-this-bank-website-secure-enough-no-https-in-login-page%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
var $window = $(window),
onScroll = function(e)
var $elem = $('.new-login-left'),
docViewTop = $window.scrollTop(),
docViewBottom = docViewTop + $window.height(),
elemTop = $elem.offset().top,
elemBottom = elemTop + $elem.height();
if ((docViewTop elemBottom))
StackExchange.using('gps', function() StackExchange.gps.track('embedded_signup_form.view', location: 'question_page' ); );
$window.unbind('scroll', onScroll);
;
$window.on('scroll', onScroll);
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
1
https://www1.directatrading.comexists– curiousguy
yesterday
7
It's an Italian website. What do you expect? It looks like you're in Italy, so I expect you already know this. The short answer is, don't use this bank, they don't know what they're doing.
– Steve Sether
yesterday
10
@SteveSether After re-reading your comment several times, I'm still struggling to understand it. Are you saying that Italian websites are known for having poor security?
– Jon Bentley
18 hours ago
4
@JonBentley Maybe it wasn't clear from context, but Italian websites are known for being poorly designed, poorly translated, and just poor in general. For example, My wife used to be a tour guide in Rome, and bought tickets to the Vatican all the time, and was often frustrated by it. It often was completely broken, and some of the translation is/was terrible broken English. For example, the Captcha instead of saying "Can't read this?" says: "You cannot read?" This kind of thing is typical in Italy, and Italian websites in general. Things don't work.
– Steve Sether
15 hours ago
1
@JonBentley Being Italian I must admit that there are significant website with awful practices. For example:
trenitaliais the biggest train company yet it will email you your plaintext uppercased password when registering. Even worse: if you try to change password they will send you the same email but your password will actually not work, you must use the uppercased version (yes, when you register the password is kept as is even though it is emailed in uppercase, while when you change it they "secretely" uppercase it before saving it). At least this was the case a few months ago.– Bakuriu
13 hours ago