Tuesday, September 3, 2013

BancorpSouth's Website is Insecure!
Wow.... I discovered this past weekend that BancorpSouth's website has an expired certificate which expired 8/31/13! (Yes, my system time is set correctly.) At the time I am writing this post (1:16 PM on 9/3/13), all you have to do is go to bancorpsouthonline.com to see the certificate error. I called them immediately but found that the only line I could call to talk to a live person on the holiday weekend was the credit card fraud line. So I told them of my concern but they did not care. I asked the woman on the phone to transfer me to her supervisor and she made me hold for a long time before coming back and saying that no supervisor was available. She took my number for them to call me back but they never did.

This morning, I checked and it still has an expired certificate. This is inexcusable for a bank! I also checked their Facebook page and found that while they admitted to being aware of the issue, they were still advising users to log in as normal (which requires bypassing the certificate error!) As I'm sure you know, this is horrible. Users should never bypass a certificate warning, but especially not for a bank! This means that users are sending their password across the internet to a non-verified website that, for all they know, could be redirected to a hacker!

I also used an online tool that allows you to verify a website's certificate. It showed the certificate as expired, as well:

Since I have already attempted to contact BancorpSouth and they were dismissive (told me to call back later and talk to customer service after the holiday, etc.), I have been forced to contact the media. Hopefully, the end result of that will be that the average person will be safer by this being exposed. BancorpSouth made two mistakes: 1. Letting the certificate expire was inexcusable for a bank. 2. BancorpSouth should not have advised their customers to go ahead and use the site while the certificate is expired.

By the way, I also want to mention that their iPad app still works just fine! That is a bad thing!! That means that the app itself may not even be checking the certificate at all! BancorpSouth = FAIL
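As an added illustration (not code from this post or from BancorpSouth), here is the kind of check an online certificate checker performs on the validity window, plus a client that fetches a live certificate with full verification on, beside the verification-disabled setting that would explain an app "working just fine" against an expired certificate. The sample certificate dict, its dates and the host name are constructed.

```python
from __future__ import annotations
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the layout SSLSocket.getpeercert() returns, with the
# expiry date quoted in the post (8/31/13). Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "bancorpsouthonline.example"),),),
    "notBefore": "Aug 31 00:00:00 2012 GMT",
    "notAfter": "Aug 31 23:59:59 2013 GMT",
}

def cert_window_status(cert: dict, now: datetime) -> tuple[str, float]:
    """Return ("valid" | "expired" | "not-yet-valid", days until notAfter).
    `now` must be timezone-aware; a negative day count means already expired."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = (not_after - ts) / 86400.0
    if ts < not_before:
        return "not-yet-valid", days_left
    if ts > not_after:
        return "expired", days_left
    return "valid", days_left

def status_at(cert: dict, when_utc_iso: str) -> tuple[str, float]:
    """Evaluate `cert` at a UTC instant given as ISO 8601, e.g. '2013-09-03T18:16'."""
    now = datetime.fromisoformat(when_utc_iso).replace(tzinfo=timezone.utc)
    return cert_window_status(cert, now)

def fetch_cert(host: str, port: int = 443, verify: bool = True) -> dict:
    """Fetch a server's certificate over TLS (network access required).
    verify=True: default context checks chain, hostname AND validity period,
    so an expired certificate raises ssl.SSLCertVerificationError.
    verify=False: the misconfiguration that lets a client keep working against
    an expired (or forged) certificate; getpeercert() then returns {} because
    nothing was validated."""
    if verify:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # 1:16 PM CDT on 9/3/13, the time given in the post, expressed in UTC
    print(status_at(SAMPLE_CERT, "2013-09-03T18:16"))  # ('expired', about -2.76)
```

Run `fetch_cert("example.com")` against a live host to see the verified path; with `verify=False` the call succeeds against any certificate, which is exactly the behaviour the post warns about.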

UPDATE 1 of 3: BancorpSouth has removed my post and some other negative posts about this issue from their Facebook timeline. Good thing I took screen captures and posted them here before they deleted them! They also blocked me from being able to post to their timeline. So this is how much they care about online privacy? First they fail their customers by making them vulnerable to being hacked, then they lie to them and tell them they are safe...and then lastly they block anyone from seeing the truth. Sorry to inform you BancorpSouth customers but BancorpSouth doesn't care about keeping your money secure. Time for you to find a new bank.

Here's what the above thread looked like after they deleted the truth from their Timeline and only preserved the post that made them look good:

Here's another comment of them admitting the problem but claiming that it is still safe to use their website:

UPDATE 2 of 3: BancorpSouth has finally fixed their website. It was insecure for THREE DAYS.

UPDATE 3 of 3: It occurred to me just now that when BancorpSouth told their users that the site was still safe, they were unfortunately conditioning their customers to ignore security errors. This is very bad practice. Now they have conditioned their users to disregard certificate errors. So what if a user next month is the victim of a hack that redirects them to a malicious site but shows a certificate error? The user will ignore it because they have been conditioned to, and potentially get their credentials stolen! Way to go BancorpSouth! :(