PC Financial Website -- safe to login?

Last Updated: Mar 29th, 2010 4:47 pm
Newbie
Mar 19, 2009
24 posts

If you go to www.pcfinancial.ca and try to log into online banking (Mastercard seems OK at this point), you get an invalid expired certificate 03/28 message.

Is anyone else getting this? Should I just not pay my bills until they rectify this?
16 replies
Newbie
Aug 4, 2009
71 posts
3 upvotes
Calgary
Well that seems embarrassing. I'm super paranoid with my online banking, I'd wait.

But really, they probably just ... forgot? I'm sure it'll get fixed pretty quick this coming week. All your information is still encrypted, so you'd most likely be safe to continue.
Sr. Member
Jul 20, 2005
691 posts
6 upvotes
It's expired on the weekend; maybe on Monday it'll update itself.
Deal Fanatic
Apr 15, 2004
5438 posts
80 upvotes
Sydney
Just because it's encrypted doesn't mean it's safe. If I encrypt your password with my key, I can still decrypt it.
Deal Addict
Dec 11, 2003
1804 posts
70 upvotes
Vancouver
I got the same problem. I am afraid the site might be compromised - maybe some hacker changed a link to www.txn.banking.pcfinancial.ca rather than what it was originally supposed to be. Best to wait till Monday to do banking.

In the meantime, read this:
http://www.banking.pcfinancial.ca/a/sec ... urely.page

It lists that www.txn.banking.... site as one of the known fake sites in spam email.
Jr. Member
Nov 11, 2009
117 posts
4 upvotes
Big Brother wrote: I got the same problem. I am afraid the site might be compromised - maybe some hacker changed a link to www.txn.banking.pcfinancial.ca rather than what it was originally supposed to be. Best to wait till Monday to do banking.

In the meantime, read this:
http://www.banking.pcfinancial.ca/a/sec ... urely.page

It lists that www.txn.banking.... site as one of the known fake sites in spam email.
I got the same thing. Wow, this is really embarrassing for them.
Deal Addict
Jun 27, 2005
1071 posts
148 upvotes
Toronto, ON
I have gotten spam mail imitating both PC Financial and TD Canada Trust websites. Be very careful when opening emails (although this may not have been the case this time).
Big Brother wrote: I got the same problem. I am afraid the site might be compromised - maybe some hacker changed a link to www.txn.banking.pcfinancial.ca rather than what it was originally supposed to be. Best to wait till Monday to do banking.

In the meantime, read this:
http://www.banking.pcfinancial.ca/a/sec ... urely.page

It lists that www.txn.banking.... site as one of the known fake sites in spam email.
Deal Fanatic
Feb 16, 2008
5608 posts
131 upvotes
Good to know I'm not the only one with this problem. I hope they fix it ASAP, I need to transfer some money around before Wednesday.
Newbie
Mar 28, 2010
1 posts
I got the same message. Got bills to pay but will not risk it. I'll wait until tomorrow.
Deal Addict
Dec 11, 2003
1804 posts
70 upvotes
Vancouver
Called pc... they are aware of the problem. They say it's safe and problem should be resolved by Monday. Their techs have been working on it since 8pm (EST)
Deal Addict
Nov 3, 2006
3791 posts
297 upvotes
YUL
It looks fine now.
New Verisign certificate issued 3/28/2010, expires 3/28/2012.
Deal Addict
Feb 9, 2005
4172 posts
20 upvotes
twotterdhc6 wrote: It looks fine now.
New Verisign certificate issued 3/28/2010, expires 3/28/2012.
I noticed this on the weekend too. I was pretty sure it was just that someone forgot to get a new certificate before the old one expired (which made sense based on the dates), but figured I'd play it safe just in case the original certificate had been revoked because it was compromised.
Deal Addict
Aug 16, 2005
1876 posts
130 upvotes
FYI, just because an SSL certificate is expired/revoked/whatever, it does not mean it stops working. Only difference is your browser will give a warning and make people paranoid, it doesn't mean it is any less safe compared to a few days ago when the certificate was not expired. All PCF did was pay another company x amt of dollars to renew, which all it really did was suppress the warning messages so that you can feel less paranoid.

I can generate my own SSL certificates for free and will encrypt the connection just fine (lock icon will appear). Only difference is my free certificate will generate warnings and the paid/recognized ones will not.
Deal Addict
Nov 1, 2009
2646 posts
81 upvotes
myapple wrote: FYI, just because an SSL certificate is expired/revoked/whatever, it does not mean it stops working. Only difference is your browser will give a warning and make people paranoid, it doesn't mean it is any less safe compared to a few days ago when the certificate was not expired. All PCF did was pay another company x amt of dollars to renew, which all it really did was suppress the warning messages so that you can feel less paranoid.

I can generate my own SSL certificates for free and will encrypt the connection just fine (lock icon will appear). Only difference is my free certificate will generate warnings and the paid/recognized ones will not.
This is just wrong. Expired is one thing, but revoked??! Someone steals the corresponding private key of PC financial certificate and the certificate is revoked, but you think it's ok to still use it? Heard of man-in-the-middle attacks? If a hacker has both your private key and your certificate (latter was public to begin with) - and if the end user ignores the revoked warning, that's pretty sweet for the hacker.

As for your self-generated certificate that is not signed by a root authority or a child of, "a warning" is not the only difference. There is a fundamental security issue which makes your certificate susceptible to Man-in-the-middle attacks while a root signed certificate is not. The chain of trust must be validated top to bottom. The parent certificates are embedded in the user's browser. If the chain doesn't exist, full validation cannot occur and MIM attacks are possible.

And "renewing" a certificate does not just "make the warnings go away" - it generates new private/public keys as well.
Deal Addict
Feb 9, 2005
4172 posts
20 upvotes
myapple wrote: FYI, just because an SSL certificate is expired/revoked/whatever, it does not mean it stops working. Only difference is your browser will give a warning and make people paranoid, it doesn't mean it is any less safe compared to a few days ago when the certificate was not expired. All PCF did was pay another company x amt of dollars to renew, which all it really did was suppress the warning messages so that you can feel less paranoid.
You should never be OK with a certificate that has been revoked. It means it's probably been known to be compromised, allowing a hacker to decrypt the information being transferred. I realized it said it expired but I'm not sure if a revoked certificate would show up as expired on the day it was revoked, or if it would say it was revoked. I also realized it would be strange that it was revoked exactly 2 years after it was issued. Still, I figured if it was compromised after it was expired it probably wouldn't be revoked, so I'd feel a bit apprehensive about using it even if I was sure it was expired but not revoked.

Trust me, if I was a hacker, I'd be trying all sorts of devious things with the goal of making people think "Oh, it's just expired but it's still safe to use."

Besides, I figured PCF would work quickly to resolve the issue, so I decided since I didn't have a pressing need to login, I'd just wait.
Deal Addict
Aug 16, 2005
1876 posts
130 upvotes
Guys relax. I understand all your points and they are valid. I am not saying commercial banking sites should continue to operate without a signed certificate. I am not discussing best practices, potential for domain hijacking, or anything like that.

My only point is just that expired or not, a signed or unsigned SSL certificate will still provide an encrypted connection between a browser and the server you are trying to visit. You can't really argue against my point that the connection is still encrypted, it's a fact!

I don't even know why I'm defending PCF. I actually had many issues with PCF's online banking over the years and have stopped using them altogether. My issues were not SSL-related.
Deal Addict
Nov 1, 2009
2646 posts
81 upvotes
myapple wrote: My only point is just that expired or not, a signed or unsigned SSL certificate will still provide an encrypted connection between a browser and the server you are trying to visit. You can't really argue against my point that the connection is still encrypted, it's a fact!
It may be encrypted, but that doesn't make it safe. If I impersonate a bank and ask John Doe to send "the bank" (i.e. me) his SIN #, the SIN # will be encrypted in transit and no one will be able to get to it - except for me... Which I am sure John Doe does not want.

IMO there are 4 cornerstones to crypto - authentication, encryption, integrity, and non-repudiation. By not having a proper certificate, you are just throwing authentication out the window and just opening yourself to be had.
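
The thread turns on telling an expired certificate apart from an untrusted, revoked or wrong-host one. The sketch below is an added example, not part of any post: a monitoring check that keeps verification on and reports which check failed. The function names, the 30-day threshold and the sample dates are assumptions; the codes are OpenSSL's X509_V_ERR_* values.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509_V_ERR_* codes, as exposed in
# ssl.SSLCertVerificationError.verify_code.
VERIFY_CODES = {
    10: ("expired", "validity period has ended"),
    18: ("untrusted", "self-signed, no chain to a trusted root"),
    19: ("untrusted", "self-signed certificate in the chain"),
    20: ("untrusted", "issuer not found in the local trust store"),
    # Code 23 only appears when CRLs are loaded and CRL checking is
    # enabled (e.g. ssl.VERIFY_CRL_CHECK_LEAF); the default context
    # does not check revocation.
    23: ("revoked", "issuer has revoked this certificate"),
    62: ("wrong-host", "certificate does not match the hostname"),
}

# Constructed samples in the shape returned by SSLSocket.getpeercert().
SAMPLE_EXPIRED = {"notAfter": "Mar 28 23:59:59 2010 GMT"}
SAMPLE_RENEWED = {"notAfter": "Mar 28 23:59:59 2012 GMT"}


def classify_verify_failure(verify_code):
    """Map a verification error code to (category, explanation)."""
    return VERIFY_CODES.get(verify_code, ("other", "verification failed"))


def days_until_expiry(peercert, now):
    """Whole days of validity left; negative once the cert has expired."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def check_host(host, port=443, warn_days=30, timeout=5.0):
    """Connect with full verification; never falls back to CERT_NONE."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                left = days_until_expiry(tls.getpeercert(),
                                         datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_failure(exc.verify_code)
    status = "renew-soon" if left <= warn_days else "ok"
    return (status, f"{left} days of validity left")
```

Run on a schedule against a site's own hostnames, the "renew-soon" result is what catches a lapse like this one before users see a browser warning.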