05-15-2011, 12:15 PM
Tom Adams
Web site design issues

I think there may be a need for web site design standards.

I was looking at my account on a particular financial web site. One
of the disclaimers in the site's fraud reimbursement guarantee says
that clients need to check the account frequently. I am sure few
clients bother to read these disclaimers.

I posed the question: how should I check for unauthorized activity in
my account?

It appears to be harder than one would like. There is no reliable
activity log. The online log allows messages to be deleted by the
client. Confirmations can be redirected from the online log to U.S.
mail. Online confirmations can be turned off. In short, a crook
with my login credentials can cover his tracks by deleting and
redirecting messages. If a crook changes the email address on my
account to his address, then he gets confirmation of this change but I
don't get a confirmation at my old email address. A confirmation is
sent to my account's message box that I can view when logged in, but
the crook can delete that message.

I have discussed this with other clients of the site and I have yet to
find one that was aware of any of this.

There are various places on the site with misinformation about these
matters, leaving the impression that you will get messages and
confirmations of changes to your account profile.

I have come to the conclusion that the only effective countermeasure
is to check your profile directly. For instance, check the email
address there, check the electronic bank transfer status directly,
don't rely on the confirmations to alert you of a change. But few if
any clients know this.

I explore some of this by testing my account. But then I noticed that
the terms and conditions of the site prohibit probing for security
holes. So I am reluctant to do more probing.

I have emailed the firm concerning the problems.

I think the solution is a single online activity log that cannot be
tampered with. That would be secure against all but pharming and an
inside job, I think. It might be nice to have a separate readonly
login credential for that log.

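The tamper-proof activity log proposed in the post above can be built as a hash-chained, append-only record. The following Python is an added example, not code from the thread or from any site discussed in it; the key, actor and event names, addresses and sample events are all constructed. Each record carries an HMAC over its own fields plus the previous record's tag, so deleting, editing or reordering a record breaks the chain, and publishing the log head (the latest tag) to the client out of band additionally catches a truncated tail, which the chain alone cannot see.

```python
"""Hash-chained, append-only account activity log (constructed demo)."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # 'previous tag' carried by the very first record


class AppendOnlyActivityLog:
    """Service-side log: callers may append and read, never delete or edit."""

    def __init__(self, server_key: bytes) -> None:
        # The MAC key stays with the service. A client login, stolen or not,
        # never holds it, so records cannot be forged or re-signed client-side.
        self._key = server_key
        self._entries: List[Dict] = []

    def _tag(self, record: Dict) -> str:
        payload = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, event: str, details: Dict) -> str:
        prev = self._entries[-1]["tag"] if self._entries else GENESIS
        record = {"seq": len(self._entries), "actor": actor,
                  "event": event, "details": details, "prev": prev}
        record["tag"] = self._tag(record)  # tag covers seq, fields and prev
        self._entries.append(record)
        return record["tag"]

    def entries(self) -> List[Dict]:
        # Read-only view: deep copies, so a reader cannot mutate the log.
        return [copy.deepcopy(e) for e in self._entries]

    def head(self) -> str:
        # Latest tag; handing this to the client out of band lets them detect truncation.
        return self._entries[-1]["tag"] if self._entries else GENESIS


def verify_chain(entries: List[Dict], server_key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first problem). Without expected_head, a cut-off
    tail still verifies, which is why the head must be shared separately."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i  # gap, reorder or deleted record
        body = {k: v for k, v in e.items() if k != "tag"}
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(server_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("tag", "")):
            return False, i  # edited or forged record
        prev = e["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # tail truncated
    return True, None


def demo(key: bytes = b"constructed-demo-key") -> Dict[str, Tuple[bool, Optional[int]]]:
    """Replay the scenario from the post: an email change whose trace is removed."""
    log = AppendOnlyActivityLog(key)
    log.append("client", "login", {"ip": "198.51.100.7"})  # constructed sample events
    log.append("client", "email_changed",
               {"old": "tom@example.com", "new": "x@example.net"})
    log.append("client", "confirmation_disabled", {"channel": "email"})

    intact = log.entries()
    # Attempt to cover tracks by dropping the email_changed record.
    deleted = [e for e in log.entries() if e["event"] != "email_changed"]
    # Attempt to hide the most recent event by cutting the tail.
    truncated = log.entries()[:-1]

    return {
        "intact": verify_chain(intact, key, log.head()),
        "deleted": verify_chain(deleted, key, log.head()),
        "truncated_without_head": verify_chain(truncated, key),
        "truncated_with_head": verify_chain(truncated, key, log.head()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The read-only credential the post suggests maps onto `entries()` and `head()`: a viewer role that can call those but not `append()`, while no role at all gets a delete. Note that this detects tampering with the stored log; it does not protect against the service itself omitting events, or against pharming, which the post already sets aside.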
05-25-2011, 10:50 PM
Globemaker
Re: Web site design issues

On May 15, 8:15 am, Tom Adams <tadams...@yahoo.com> wrote:
> I think there may be a need for web site design standards.
>
> I was looking at my account on a particular financial web site. One
> of the disclaimers in the site's fraud reimbursement guarantee says
> that clients need to check the account frequently. I am sure few
> clients bother to read these disclaimers.
>
> I posed the question: how should I check for unauthorized activity in
> my account?
>
> It appears to be harder than one would like. There is no reliable
> activity log. The online log allows messages to be deleted by the
> client. Confirmations can be redirected from the online log to U.S.
> mail. Online confirmations can be turned off. In short, a crook
> with my login credentials can cover his tracks by deleting and
> redirecting messages. If a crook changes the email address on my
> account to his address, then he gets confirmation of this change but I
> don't get a confirmation at my old email address. A confirmation is
> sent to my account's message box that I can view when logged in, but
> the crook can delete that message.
>
> I have discussed this with other clients of the site and I have yet to
> find one that was aware of any of this.
>
> There are various places on the site with misinformation about these
> matters, leaving the impression that you will get messages and
> confirmations of changes to your account profile.
>
> I have come to the conclusion that the only effective countermeasure
> is to check your profile directly. For instance, check the email
> address there, check the electronic bank transfer status directly,
> don't rely on the confirmations to alert you of a change. But few if
> any clients know this.
>
> I explore some of this by testing my account. But then I noticed that
> the terms and conditions of the site prohibit probing for security
> holes. So I am reluctant to do more probing.
>
> I have emailed the firm concerning the problems.
>
> I think the solution is a single online activity log that cannot be
> tampered with. That would be secure against all but pharming and an
> inside job, I think. It might be nice to have a separate readonly
> login credential for that log.


Change your password once a week. Use a strong password like S4H7JK?.-K8
