Commerce Bank’s huge security failure
By admin
My checking account is part of Commerce Bank, which about a year ago was bought out by TD Bank. Up until this summer their site still worked for all my online banking. The theme had changed on the site but all the same login functionality was there. Then September 20th rolled around and I go to log into my account to check on some things, only to find that it is now a search engine spam page?! A whois lookup on commerceonline.com shows…
% whois commerceonline.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: COMMERCEONLINE.COM
Registrar: CYDENTITY, INC. D/B/A CYPACK.COM
Whois Server: whois.cypack.com
Referral URL: http://www.cypack.com
Name Server: NS1.TRAFFICZ.COM
Name Server: NS2.TRAFFICZ.COM
Status: clientTransferProhibited
Updated Date: 20-sep-2009
Creation Date: 30-jul-1996
Expiration Date: 29-jul-2011
For the non-technical person, they let their fucking domain name expire. If they did this purposely they don’t deserve to be a bank; if this slipped past someone… they don’t deserve to be a bank. Why is this bad, you ask? Right now there is nothing preventing the owner of the site from going to the web archive of commerceonline.com and just copying the old look of the site and stealing X number of identities by faking a registration page or login page.
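For a domain owner who wants to catch this kind of change before customers do, here is an added example (not part of the original post) that parses the WHOIS record quoted above and compares it with a baseline of what the owner expects. The baseline values, thresholds and function names are hypothetical and constructed for illustration.

```python
from datetime import date, datetime

# Thin-registry WHOIS output as quoted in the post above.
WHOIS_TEXT = """\
Domain Name: COMMERCEONLINE.COM
Registrar: CYDENTITY, INC. D/B/A CYPACK.COM
Whois Server: whois.cypack.com
Referral URL: http://www.cypack.com
Name Server: NS1.TRAFFICZ.COM
Name Server: NS2.TRAFFICZ.COM
Status: clientTransferProhibited
Updated Date: 20-sep-2009
Creation Date: 30-jul-1996
Expiration Date: 29-jul-2011
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def whois_date(record, key):
    return datetime.strptime(record[key][0], "%d-%b-%Y").date()

def drift_findings(record, baseline, today, recent_days=30, expiry_warn_days=60):
    findings = []
    servers = {ns.lower() for ns in record.get("name server", [])}
    if servers != baseline["name_servers"]:
        findings.append("name servers changed: " + ", ".join(sorted(servers)))
    registrar = record.get("registrar", [""])[0].lower()
    if registrar != baseline["registrar"]:
        findings.append("registrar changed: " + registrar)
    if (today - whois_date(record, "updated date")).days <= recent_days:
        findings.append("record updated within %d days" % recent_days)
    if (whois_date(record, "expiration date") - today).days <= expiry_warn_days:
        findings.append("expiration within %d days" % expiry_warn_days)
    return findings

# Hypothetical baseline (constructed): what the owner would have on file.
BASELINE = {"registrar": "example registrar, inc.",
            "name_servers": {"ns1.example-bank.test", "ns2.example-bank.test"}}

if __name__ == "__main__":
    for finding in drift_findings(parse_whois(WHOIS_TEXT), BASELINE, date(2009, 9, 21)):
        print(finding)
```

Run on a schedule against every domain the organisation has ever sent customers to, including ones retired after a merger, any finding is a reason to look at the registration before someone else controls the login URL.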
Besides the whole fuckup of their old domain, apparently the login mechanism is different on tdbank now and my login information doesn’t work. Yet I can’t sign up for a new account as it says I’m already registered. I’m seriously considering switching off TD Bank because of this piss-poor planning.