Reveal Poor Web Security… Have RSA Threaten You With Trademark Infringement

from the not-cool dept

Scott Jarkoff recently discovered a problem with the Navy Federal Credit Union website, in that it allows users to login from an unsecured webpage. That’s the type of stuff that we thought pretty much all banks had figured out ages ago. However, what’s fascinating is what happened after that. Scott received an angry email from RSA, the well-known security company, who apparently built the NFCU website, claiming trademark infringement and demanding that he take down the post. RSA was upset with the implication that the site was insecure, but rather than either fixing the problem or explaining why the site is actually safe (which they insist), they threaten Scott with a trademark claim because he has a small screenshot of the NFCU website. Doesn’t that make you feel secure? Since when is RSA in the business of sweeping security concerns under the rug by threatening those who point out problems with a trademark infringement claim?

Filed Under: ,
Companies: navy federal credit union, rsa

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Reveal Poor Web Security… Have RSA Threaten You With Trademark Infringement”

Subscribe: RSS Leave a comment
Dark Helmet (profile) says:

Yay for security

Ok, first of all let me get this out of the way: if my last name was Jarkoff, I would have such an incredible amount of fun with it, it would be astounding. “Hey, Jarkoff, stop Jarking off…”

Secondly, security has never been about being secure. I know, I’ll take a moment while you read that again….got it? Ok, now here’s what I mean: security firms in a plethora of specialties (airport security, malware security, bank security, etc.) aren’t there PRIMARILY to keep things secure, they’re primarily there to create the ILLUSION of security.

Part of that means doing some real securty work: scanning bags, releasing zero-day pathes, carrying guns in the bank. However, you’ll notice that none of that stops the determined criminal. Drug traffickers, weapons, and terrorists still make it on the plane. Malware is still relatively effective in infecting computers. Banks still get robbed with a frequency that would probably surprise the hell out of most people.

But we fly. We visit websites. We put our money in banks.

So no worries, little sheeple. Trust the establishment: you’re safe.

The Infamous Joe (profile) says:

Re: Re: Yay for security

Rants can do that, I’m told.

In regard to your point, while I agree that much of security if based on *feeling secure* instead of actually *being secure* (I’m looking at you, Every-Airport-In-America!) I think that another side of it is that “Security” is a constant, on-going battle. Also, there needs to be a balance of usuablity and convienence when regarding security. Your house would be pretty damn secure if it had no doors or windows, but it wouldn’t be a very useful house.

With that in mind, I wouldn’t freak out about a flaw discovered in my bank’s online site as long as it was quickly patched instead of hushed up– If I were NavyFCU, I’d look for someone else to build my website, pronto.

Anonymous Coward says:

Re: Yay for security

On the other hand, the illusion of security is far more effective at creating safety than actual security.

Banks don’t care about getting robbed. A few thousand dollars stolen won’t shut a bank down, but customers scared to make bank deposits will.

Most malware is only found through extensive use of computers and after a large number of infections (just like a biological disease), and malware security is most effective when a problem has already been discovered. If everyone was afraid of getting infected, the chances of discovering issues would be less and less.

And on a more pessimistic note, the more people that fly on airplanes, the safer you personally will be. Granted, if very few people used airplanes, then security would be more effective…but since that extreme isn’t possible, the other extreme ends up being almost as good.

barrenwaste (profile) says:


The truly stupid thing is, it’s all image related, Lonzo. The only legal way they could get him for trademark infringement is if they claim his use of thier name endorsed or improved marketing of his product. In other words, they don’t want to be associated with or potentially endorsing thier own screw up. To top it all off, legaly there is no way they can win the case on these grounds, and I am certain they know that.

Trails says:

A technical point

“explaining why the site is actually safe (which they insist)”

It’s not. It cannot be.

The page html being sent from the nfcu server to the user’s machine is sent in the clear, and subject to man-in-the-middle injection attacks.

The request upon login, going from the user’s machine to nfcu server is encrypted, but that’s shutting the barn door after the horses have run off.

I do this stuff for a living, and I can assert that this is a very well known, obvious, exploitable, and basic insecurity. It flouts common best practices, and is stunning in its obviousness. It’s a no-brainer for anyone involved in web security.

Keven Sutton says:

Re: Re: A technical point

It’s possible to have the log-in page on a HTTP site, fill out the field and have all of the field data sent over HTTPS. that would make the log in safe.
that being said, if it reverts to http, the the page being displayed afterwards get’s cached. which can lead to insecurity. perhaps this is what they meant when they said it was secure anyway.

Either way, having the log-in page as HTTPS is still a good Idea. It provides a reassurance that the web engineer didn’t forget something as simple as making the log-in go over a secure connection.

Dark Helmet (profile) says:

Re: Re: Re: A technical point

“Either way, having the log-in page as HTTPS is still a good Idea. It provides a reassurance that the web engineer didn’t forget something as simple as making the log-in go over a secure connection.”

Kevin, totally NOT saying you’re wrong or anything, just asking for an opinion on what you said: doesn’t that sound like EXACTLY what I was saying about creating the illusion or appearence of safety being a chief priority?

[patting self on back]

Keven Sutton says:

Re: Re: Re:2 A technical point

As far as a User perspective of security, yes; the appearance of security is very important.

From the other side though, as a bit of a I.T. security specialist (mostly a hobby) There needs to be some substance behind that perceived security. You can create the Illusion of security, but if you try to monetize that illusion it might be successful for a very short period, but will have no long term profitability. If you have High Security and the Illusion of Insecurity, you’ll have to fight against people’s concepts that you are a poor security solution. (see many open source security solutions, the best thing out there, but because you can see the source code managers who have little understanding of the programs themselves think that they are inherently more insecure.)

NotFromToronto (profile) says:

Re: Re: Re: A technical point

I work for a large financial services company. I can assure you that having the login page under SSL is more than just a good idea… it’s an absolute requirement.

The problem with an initial page has nothing to do with where it is supposed to post it’s contents to. The problem is that because it is sent unsecured, the contents could be altered in-flight, and the posting destination could be changed. If done well, the customer doesn’t even know his account details have been compromised.

Shameful way to deal with this from RSA.

Freedom says:

Old School and High Priced...

This logic just amazes me:

Public site/public author makes creditable criticism about a relatively high-profile site your company was contracted to make….

What are your options:

Option A. Threaten individual author with bogus trademark case. After all, someone that has already gone public won’t release our threat letter in a public forum and make the issue worse or anything – nah, definitely not that. Of course, lawyers are cheap as well so this will be a slame dunk – low cost, easy fix – hear no security flaws, see no security flaws – the lawyers can make it all go away! Hmmm.. I wonder if the guy might be right, never mind, legal will take care of it for us!

Option B. Take two minutes (or more likely with overhead – 4 weeks), fix the initial page so that it is SSL based and take this as an opportunity to show how you handle mistakes in a professional manor.

Option C. Just ignore it…

With the economy like it is, I sure hope that the person at RSA that made this decision has some backup options as I wouldn’t want to be part of the soon-to-be upcoming meeting on this issue!


Bobby Boulders (profile) says:

WTF everyone? Why does it have to be this way? I have been with Navy Fed for over 12 years. Never ONCE have I had a problem, an issue, or a security concern. Please DON’T make NFCU the bad guy here… If the RSA is gonna be on “A-Hole Mode” then blame RSA. Besides, if NFCU has a security concern, they will take care of it. So STFU you haters and don’t worry about MY credit union. They are awesome.

Dave says:

NFCU ignores us

I got my first NFCU account almost 40 years ago. I still do most of my banking there. BUT be aware, their only, repeat only claim to fame is to being the largest credit union. They are no where near the best. Indeed, they are simply a marginal organization that has let the world pass them by when it comes to on-line services and a willingness to quickly react to problems and clearly respond to complaint.

NFCU is now sooooo big, they contract out most of their services just like any other multinational. The layers of management make it almost impossible to get quick resolution to any problems an individual member may have.

In fact, they have the best “form answer” letters in the business that make it seem they care, when they really just want you to go away. Complain, and they will bluntly tell you something like “moving forward, you need to use the proper” whatever….

This week, you can hardly get around their web site to do your on-line banking without locking up. I began just today the lengthy process of severing my relation with them. And guess what? They will not even care.

wadewillson (profile) says:

Secure Internet Gateway Solutions from Comodo

Great information..! Here is a similar information i got

Comodo Dome offers Secure internet gateway the best-in-class security suite with functionalities to identify and prevent all malware types from accessing your network. The Default approach backed by auto-containment technology ensures safety for the user and the data stored on the computer. This prevention mechanism analyzes the unknown files when they are delivered to the users. Comodo Dome Secure Internet Gateway uses a comprehensive technology that is flexible, end-user friendly and easy to set up.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...