Want to hear a depressing story about security, user (mis)education and online banking? Here’s a thread *just* for you!
So, on Saturday morning, I was casually doing some online shopping. I tried to buy something at the manufacturer’s site, but they ran out, so I went on to @AmazonFrance (I know..)
I found what I wanted to buy, and continued to checkout. And at checkout, I’m greeted with this
In case that’s not clear, that’s @ingfrance’s login page (my bank), in an iframe embedded into the merchant site, asking me to type in my banking login password(!!)
I just stared at that with amazement for a few minutes, unable to speak.
Once I got back to my senses, I opened up devtools, to see if that’s at least my bank in an iframe. It was not. It was a @cardinalcommerc iframe, that’s getting the content from ING through an API or by embedding yet another iframe or whatnot (I failed to dig that deep).
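What the devtools check above amounts to, written out as a small script. This is an added example, not code from the thread’s author, the bank, or the authentication provider: given the chain of frame URLs from the top document down to the frame that holds the password field, it reports which origin actually serves that field and which third parties sit in between. The hostnames (merchant.example, authprovider.example, bank.example) are hypothetical, and the two chains are constructed for illustration rather than captured from the real checkout.

```javascript
// Added example (not the thread author's code): classify the origins in a
// checkout's iframe chain and say whose page the password field belongs to.
// Node-runnable; uses only the WHATWG URL class. In a browser's devtools the
// top-level frame list comes from
//   [...document.querySelectorAll("iframe")].map(f => f.src)
// but nested cross-origin frames cannot be read from the top document, so you
// switch the console's JavaScript context to each frame and repeat.

// Hostname ownership check. Assumption: bankDomain is a registrable domain such
// as "bank.example"; a production tool should consult the Public Suffix List.
function belongsTo(hostname, bankDomain) {
  return hostname === bankDomain || hostname.endsWith("." + bankDomain);
}

// frameUrls: ordered from the top document (what the address bar shows) down to
// the innermost frame that contains the password field.
function inspectChain(frameUrls, bankDomain) {
  if (frameUrls.length === 0) throw new Error("need at least the top document URL");
  const frames = frameUrls.map((u, depth) => {
    const url = new URL(u);
    if (url.protocol !== "https:") throw new Error(`frame ${depth} is not HTTPS: ${u}`);
    return { depth, origin: url.origin, host: url.hostname, bank: belongsTo(url.hostname, bankDomain) };
  });
  const top = frames[0];
  const innermost = frames[frames.length - 1];
  // Anything between the address-bar origin and the password frame that is
  // neither the merchant nor the bank is a third party in the trust path.
  const intermediaries = frames
    .slice(1, -1)
    .filter(f => !f.bank && f.origin !== top.origin)
    .map(f => f.host);
  return {
    addressBarOrigin: top.origin,
    passwordOrigin: innermost.origin,
    passwordFrameIsBank: innermost.bank,
    thirdPartyIntermediaries: intermediaries,
    // The only thing a user without devtools can see is the address bar.
    userCanTellFromAddressBar: top.bank,
  };
}

function verdict(report) {
  if (report.passwordFrameIsBank) {
    const via = report.thirdPartyIntermediaries.length
      ? ` (reached through ${report.thirdPartyIntermediaries.join(", ")})`
      : "";
    return `password field is served by the bank${via}; address bar shows ${report.addressBarOrigin}`;
  }
  return `password field is served by ${report.passwordOrigin}, not the bank; address bar shows ${report.addressBarOrigin}`;
}

// Constructed frame chains (hypothetical hostnames, not captured from a real
// checkout). Chain A mirrors what the thread describes as far as devtools
// showed: merchant page -> authentication-provider frame containing the login.
const CHAIN_A = [
  "https://www.merchant.example/checkout/payment",
  "https://frames.authprovider.example/challenge",
];
// Chain B: the provider frame embeds the bank's own page one level deeper.
const CHAIN_B = [
  "https://www.merchant.example/checkout/payment",
  "https://frames.authprovider.example/challenge",
  "https://secure.bank.example/login",
];

for (const chain of [CHAIN_A, CHAIN_B]) {
  console.log(verdict(inspectChain(chain, "bank.example")));
}
```

In both constructed chains `userCanTellFromAddressBar` is false: the address bar shows the merchant, so the user has no way to distinguish the bank’s real form from a copy of it without opening devtools, which is the point the thread makes.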
I tried to type in a fake password, just to see if it would fail, as I wasn’t *really* sure this wasn’t a scam. It indeed failed, proving that my bank’s servers are indeed at the end of this 3P chain (assuming they didn’t give my passwords to their “security” provider).
As I suspected, this is part of the bank’s recent efforts to “increase security”: communaute.ing.fr/t5/Moyens-… (in French)