There was only one F: Columbia Bank. Their grade has improved to an A in my 2016 test.
Details of 2014 test
This time there were four F's:
Banks notified via Twitter on 4-13-16:
Middlesex https://www.middlesexbank.com/ Trustco Bank https://www.trustcobank.com/ HSA Bank https://secure.hsabank.com/ibanking3/login.aspx INTRUST Bank https://www.intrustbank.com/
On 5-18-16, they were all still graded at F.
Good idea! The results were very similar to banks:
Here are the five F's:
I notified them via Twitter on 4-16-16:
NCUA.gov https://www.ncua.gov/Pages/default.aspx OneCU https://www.onecu.org/ Guardians CU https://www.pbccuvirtual.org/ISuite5/Features/Auth/SelfEnrollment/SelfEnrollmentDisclosure.aspx Vibrant CU https://vibrantcreditunion.org/ Deere Employees CU https://content.dccu.com/
I tested them again on 4-18-16 and they were all still F's.
Also, Wright-Patt Credit Union is the only bank or credit union in the top 100 to still use mixed-mode authentication: an https login link on an insecure page. I haven't seen any bank use that unsafe method in years and I suspect it is a violation of banking regulations.
I Tweeted to WPCU and they answered, which is good. However, they don't seem to understand the importance of this issue. Switching the whole site to https is good, but moving the login page to htps is a critical security measure every other bank and credit union I tested has done. WPCU is far behind its competitors in this aspect of security.
Here's the link to a Troy Hunt video that explains why putting an HTTPS login button on an HTTP page is like putting a padlock on your wallet and leaving it in the street:
Your login form posts to HTTPS, but you blew it when you loaded it over HTTP
On Feb. 9, 2017, I got this Tweet:
However, when I tested it, it's not much better. The login page is now HTTPS, but if you open a browser and type in wpcu.info you pass through two stages of insecure redirection before reaching the secure page:
This page is still susceptible to hijacking, but it can be fixed by adding an HSTS header, as explained in this Troy Hunt page from 2015.