I don’t know about you, but whenever I have to enter my SSN or credit card into a website, I get downright paranoid and use tools like Fiddler to ensure that the site is secure. So just this morning I went to my benefits website for my FSA (flexible spending account) so that I could re-enroll for next year, and I realized that I had left the password at home (in an encrypted repository). So I clicked the link titled “click here to get your login password if you forgot it” (or something like that).
The following window popped open:
Notice the URL just below the title bar. It’s HTTP, not HTTPS! I used Fiddler to confirm that the page was indeed transmitting everything in clear text! (For those who don’t know, Fiddler is essentially a traffic sniffer that looks at HTTP.)
So I called the company and let them know that they were compromising people’s SSNs!
rrrr.
The benefits company manages FSA and 401K benefits. How freaky is that!?
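The check done by hand above (look at the address bar, then confirm on the wire) can be automated for the static part: find every form on a page that carries a sensitive field and resolve where it will submit, flagging any target that is not HTTPS. The script below is an added example and not code from the original post; the list of sensitive field names and the sample page (a constructed stand-in for the "forgot password" form, not the real benefits site) are assumptions.

```python
"""
Static check for forms that would submit sensitive fields in clear text.
Added example, not from the original post. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that should never travel over plain HTTP (assumed list; extend as needed).
SENSITIVE = ("password", "passwd", "pwd", "ssn", "social", "card", "cvv", "account")


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(name, typ):
    """A password-type input or any name hinting at a secret/identifier."""
    return typ == "password" or any(k in name for k in SENSITIVE)


def cleartext_submissions(page_url, html):
    """Return [(submit_url, [sensitive field names])] for every form that
    carries a sensitive field and whose resolved submit target is not https.
    An empty or missing action submits back to the page URL itself, so a
    form on an http:// page with no action is flagged too."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        sens = [n for n, t in form["fields"] if is_sensitive(n, t)]
        if sens and urlsplit(target).scheme.lower() != "https":
            findings.append((target, sens))
    return findings


# Constructed sample resembling the "forgot password" page described in the post.
SAMPLE_PAGE_URL = "http://benefits.example/forgot"
SAMPLE_HTML = """
<html><body>
<form action="/forgot/submit" method="post">
  <input name="ssn" type="text">
  <input name="dob" type="text">
  <input type="submit">
</form>
<form action="https://benefits.example/search" method="get">
  <input name="q" type="text">
</form>
<form action="https://benefits.example/login" method="post">
  <input name="user" type="text">
  <input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for target, fields in cleartext_submissions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"cleartext submission of {fields} to {target}")
```

This only inspects the markup. A form submitted by script, a redirect that bounces the POST from HTTPS back to HTTP, or a sensitive value sent in a query string by other code will not show up here, which is exactly why the post's second step, watching the actual request in Fiddler, still matters.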
November 14, 2007 at 4:30 pm
Well, at least they aren’t managing anything that might be at risk.
Glad you caught it. I’ll have to give Fiddler a try. I was looking for something like that.