NEW YORK (CNNMoney) — Nearly every major bank is using second-rate security to guard its website.
Capital One, JPMorgan Chase, Suntrust, Wells Fargo — none of them use what’s commonly referred to as the “best practice” in the industry when it comes to Web security.
The worst offenders are HSBC and TD Bank. Their homepages don’t even secure private connections with customers, who might be unwittingly logging into fake websites run by cyberthieves.
The only banks that do it right? BNY Mellon and PNC.
On the Web, you either communicate in the open, or on a secure channel. The difference? If you see http:// in the address bar, anyone can spy on your Internet session. The prefix https makes it private.
It’s the bare minimum in Internet privacy. Any respectable online service uses https. But neither HSBC.com nor TDbank.com employ this protection at the front gate.
Visitors to HSBC.com are redirected twice before the session starts communicating securely. TDBank.com customers must click on a “log in” button to start a private session.
The problem? If the homepage isn’t secure, there’s no way of telling if those “login” buttons are legitimate. It could be part of a phishing scam.
Anyone on your same Wi-Fi or corporate network can tap into your Internet session and setup a fake bank page. With your credentials, they’ll steal money directly from your bank account.
There’s no logic or reason for not securing the front door. Facebook, LinkedIn, Yahoo — they all employ https from the start.
Jason Sabin is the chief security officer of DigiCert, which provides websites with secure certificates. He said websites learned to secure their front doors ten years ago.
In its defense, TD Bank said it’s working on implementing this extra security measure on its website.
Meanwhile, HSBC said it makes up for this by making it harder for hackers in another way. HSBC requires that customers use a special device or banking app to log in. This gives customers a second, temporary passcode.
However, Sabin said: “That’s not OK. They should be using https throughout their site. It doesn’t cost any more.”
HSBC and TDBank are also making another mistake — along with Capital One, JPMorgan Chase, Wells Fargo and SunTrust. They’re using old technology to prove their websites are legitimate.
Websites rely on certificates. And those certificates are protected by encryption, which turns plain text into jumbled code. But encryption algorithms need to improve to stay one step ahead of hackers, who want to spoof certificates.
Mathematicians and spies at the NSA designed the encryption algorithm SHA-1, and later, the more powerful SHA-2. Respectable websites, like the search engines Bing and DuckDuckGo, have switched to the updated version.
But most banks have failed to upgrade their websites, even though in most cases it’s cheap, easy, and sometimes even free.
“There’s a very easy fix — upgrade their security. This is not a big expense and there’s no excuse for avoiding it,” said Matthew Green, a renowned cryptology expert at Johns Hopkins University.
The technology industry has seen this many times before, and each time laggards paid the price. Criminals were able to hack into systems. That’s why it’s responsible to use the latest cryptographic tools.
The Google Chrome browser is putting extra pressure on these banks. If you head to Chase.com, the browser puts a warning sign next to the website address.
“Your connection may not be private,” it warns. “Your connection to www.chase.com is encrypted with obsolete cryptography.”
It’s important to note that, as of today, hackers can’t crack the weaker version these banks are using. Bank customers aren’t exposed — yet. But cybersecurity experts all say it’s only a matter of time.
Banks are saying, “Hey, there’s a crack in the plane, but we won’t fix it because we don’t think it’ll cause the plane to crash today,” said cybersecurity expert Robert Graham.
American Express, Bank of America, Citibank and U.S. Bank have a similar, but less serious problem relating to the type of encryption they use.
All banks assured CNNMoney their customers are secure online. In most cases, that’s true. But that’s not the point.
“Banks should always use the latest cryptography,” said Martijn Grooten, a Dutch security researcher.
On the bright side? JPMorgan Chase and TD Bank say they’re currently working on upgrading to SHA-2. The others declined to say when they’ll update their systems.
A previous version of this story said Amazon’s website abides by best practices and is encrypted. It is not.