5 EYEWITNESS NEWS Investigates Flaw in Security of Popular Websites

Updated: 05/16/2014 7:44 AM
Created: 05/15/2014 8:32 PM
By: Stephen Tellier

Your bank, your email, and your favorite retailer - your online accounts with all three - could be vulnerable to an attack almost any hacker could pull off.

5 EYEWITNESS NEWS first told you about this security gap months ago. We put the websites you visit the most to the test once again to find out which ones are now properly protecting you.

The last time we reported on this issue, we did not name the banks that failed this test to protect their customers and give them time to correct the problem. But now, we're keeping a promise to you to hold these companies accountable and keep your personal data safe.

Mark Lanterman with Computer Forensic Services in Minnetonka is a computer security expert. With 5 EYEWITNESS NEWS reporter Steve Tellier's permission, he stole many of his usernames and passwords, over and over again.

"I got you right away," Lanterman said.

In the tests Lanterman ran, Tellier played the role of the unsuspecting victim, logging into accounts on various websites using a laptop connected to unsecured, public Wi-Fi -- that's the easiest way for a hacker to carry out this kind of attack.

"Public Wi-Fi -- very convenient, not very secure," Lanterman said.

Lanterman played the role of the criminal. He used a small device, beloved by hackers -- one so dangerous, we're not telling you what it's called or how to get one. But it mimics a trusted Wi-Fi connection, and intercepts your personal data - usernames and passwords.

"Think of it as being allowed on an airplane without a ticket," Lanterman said. "Basically, what the bad guy needs is a budget of $100, a Wi-Fi router, and know-how."

5 EYEWITNESS NEWS tested many popular websites to see if they're susceptible. When we first tested the banks, three out of four failed. First up this time: U.S. Bank.

"It's showing me everything except for your username, the answer to your secret question, and your password," Lanterman said.

It passed.

TCF Bank passed as well, after failing a few months ago. Now, a warning pops up, which states, "Secure connection failed."

"TCF Bank is not just protecting the consumer, they're warning the consumer you may have a problem," Lanterman said. "TCF Bank has written their page to actually specifically detect this vulnerability."

Wells Fargo was also protected.

Bremer Bank was the only one we tested that failed, but once we brought the issue to Bremer's attention they had the issue fixed within 24 hours. Lanterman ran another test, and said they're now secure.

Next up: The retailers.

The first has dealt with plenty of data security issues recently: Target.

"I got it," Lanterman said, upon stealing Tellier's username and password. failed the test twice in two weeks.

Other retailers were vulnerable as well. Amazon failed, as did Apple, eBay, Walmart,, and JCPenney.

"There's your password. There's your username," Lanterman said.

PayPal, Sears, and Best Buy passed.

"Best Buy is expecting a secured connection, and it didn't get it," Lanterman said.

Facebook, Twitter, and Google's Gmail passed. Yahoo Mail failed.

MNsure passed, after 5 EYEWITNESS NEWS brought its vulnerability to light. That site now alerts users to the danger, while also stopping it in its tracks.

"It definitely can be fixed," Lanterman said.

When asked about the fact that at least one company has said this is a problem with the Internet itself, Lanterman replied, "This is not a problem with the Internet. This is a problem with a vendor not understanding what the issue is."

Lanterman said the issue is how companies are encrypting their websites.

" or Target can't fix this, nor can a consumer really protect themselves," said Jeremiah Grossman, CEO of WhiteHat Security, a firm Target pays to find its own security weaknesses.

Grossman insisted this flaw is not Target's fault.

"It's a flaw in the way Wi-Fi and the way the Internet works," Grossman said.

He also said the risk of an attack like this is relatively low, and the rewards for hackers are far higher elsewhere.

"If you're worried about credit card numbers and things like that, the bad guys are just going to go straight at or whatever the retailer is, and hack them directly," Grossman said.

"I think that that is a shortsighted security strategy," Lanterman said.

"It's really amateur hacking tools," said Massoud Amin, the director of the Technological Leadership Institute at the University of Minnesota.

Amin said these kinds of attacks are not new, but can be lethal.

"It's done nearly at the speed of light," Amin said.

He said companies can take steps to limit them, but urges consumers to be part of the solution as well.

"I would say it's a shared responsibility," Amin said. "It's a partnership."

Our experts tell us you can help protect yourself with one simple letter. If you type in "https://" before typing in the name of the website you'd like to visit, this particular kind of attack can't happen - the S is the key.

More generally, customers should avoid using unsecured wireless networks, those that don't require passwords, at all costs. You can also protect yourself by turning off the Wi-Fi setting on your cellphone. That way, it won't automatically connect to an unsecured network.

5 EYEWITNESS NEWS reached out to all of the companies that failed this test. Only a few replied. In addition to Target, we've been in touch with both Walmart and JCPenney, but both declined to comment.

Minneapolis/St. Paul

53° | 38°
  • Feels like: 36° F
  • Wind: E 17mph
  • Humidity: 82%
  • Sun Sunny
    60° | 40°
  • Mon Partly cloudy
    62° | 42°
  • Tue Mix of sun and clouds
    63° | 44°
  • Wed Times of sun and clouds
    68° | 49°