Hacker News new | ask | show | jobs
by alistairSH 2078 days ago
Interesting. My mortgages have always ended up with a known retail bank and can be paid through their normal websites. Is your mortgage held by some fly-by-night bank?

The only sites I visit frequently that do the domain forwarding and have ancient designs are local government sites (for paying taxes and fees).
2 comments
rsync 2078 days ago
"Interesting. My mortgages have always ended up with a known retail bank and can be paid through their normal websites. Is your mortgage held by some fly-by-night bank?"

I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage.

I have seen this and can give you a few concrete examples:

- Log onto unionbank.com. Mortgage payment is done through "my mortgage portal" which jumps you to unionbank.customercarenet.com.

- Log onto tiaabank.com. You are quickly redirected through the first third party domain which goes by too fast to copy/paste then you are redirected to cibng.ibanking-services.com, where you do your TIAA banking online (!)

USBank bounces you around weirdo domains as well. FWIW, I have never seen wells fargo do this.

This is a phishing nightmare and it is right at the crux of high-consequence interactions (your mortgage, your banking) and barely technically literate users.

It is unbelievable that they do this.

link
adkadskhj 2078 days ago
> I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage

Actually i think it's slightly different (in my specific example). It looks and feels just like you describe, but i get the impression that it's all the same bank. For some reason the application operates on multiple domains.

My old credit union was the same way. I'd log into `someCU.com` and be forwarded to `secure.CUentry.com` or w/e (i forget the specifics). Both domains were the same CU entity, i imagine, but the pattern we should be telling the "average person" to look for is to always find `foo.com` in the address. If you're not connected to `foo.com` then it's evil. However when sites forward you to likely safe but alternate domains entirely we erode this trust in fixed domain names.

Next time a user clicks on an email to `scamCU.com` and don't think anything of it, since `someCU.com` already has multiple domain names.

But yea, you hit the nail on the head with the root problem. It's gross.

link
alistairSH 2078 days ago
I think I have it. I just haven’t encountered that with my banks. There may be some requests that cross domains, but none of them drop me on a payment page that looks suspect.
link
mgkimsal 2078 days ago
> Is your mortgage held by some fly-by-night bank

Even if it's not, it might be if someone decides to sell it. years ago, I went with a well known company, and in the disclosures they have fine print saying "we may sell this". 2 months after closing, they sold, and the new servicing company required $5 per payment 'fee'. I never agreed to that, but... essentially have no choice in the matter. Options? Spend another 4 figure amount to refinance and hopefully get a different servicing company?

link
alistairSH 2078 days ago
Interesting. My mortgage has always gone the other way - initiated someplace small and unheard of, and then bought by a name-brand bank. Just luck or the draw, I suppose.
link
adkadskhj 2078 days ago
Yup. I was warned, not even in fine print, that it was almost assured that the mortgage would be sold one or more times. I'm on my 2nd, currently.
link
srtjstjsj 2078 days ago
Those fees are usually illegal but good luck fighting it
link