Is this bank website secure enough? No https in login page

> doesn't use HTTPS protocol

The website you provided does support HTTPS, but not HSTS or HTTP to HTTPS redirect. That is why you could be directed to an unsecured HTTP site. SSL Labs analysis.

> Moreover your password can be at maximum 10 characters

Oddly, this is common in online banking. I have experienced a bank which defined the following rules for a password {az-AZ-09} with a character limit less than or equal to 10.

> there's no 2 step verification...

Despite this becoming a norm in security, some still have configured their infrastructure with primitive security, given modern attack vectors. 2FA should be a must. Most banks will either provide a "secure key" or access to a one-time password from their mobile banking app.

My personal advice: avoid online banking with this bank, and look for an alternative which can satisfy your security (OpSec) needs.


Presuming that is the actual login page:

Yes, this is very insecure by modern standards, and even more so for anything involving actual monetary transactions.

There is always the slim possibility that the page loads on HTTP but then submits to a server protected by HTTPS. That would still be bad but would at least be "better". However, I confirmed that this doesn't happen. As I'm sure you know this would allow anyone on your local network (or anywhere between you and their server) to read your username and password.

There is also no CSRF protection on the login endpoint - this can introduce a lot of other more subtle security weaknesses (although not anywhere near as severe as failing to encrypt your login credentials).

The best-case scenario here is that the page you are on isn't supposed to be the primary login page, but you ended up there by accident and they forgot to remove it and direct people to the login page which is actually secure.

I ran the website describing their security through google translate. Obviously it won't be perfect, but it certainly gives the highlights:

  1. We've never had a breach before - nothing to worry about!
  2. We have a super secure firewall
  3. We use SSL encryption!
  4. You can change your password!
  5. You can deny access to your account from all but one device
  6. You can see when/where you last logged in
  7. You can get a text message every time someone logs in
  8. Even if someone were to log in, your money would be safe because we don't allow transfers to any accounts not specified by you and indicated in your contract

I wouldn't take any of that very seriously, especially in light of their inability to provide SSL encryption on the login page, which is probably the most important page of all to secure. Given their lax practices here I would assume that they have security holes elsewhere in their system. Whether or not they have ever had a breach is something no one will ever know - what it should say is:

If we've ever had a breach we at least don't know about it! We promise we're not lying!

If they really haven't ever had a breach it is probably because no one has ever bothered trying to target them, and not because of good security practices. I wouldn't even take point #8 seriously. You'd be surprised what people talk account support technicians into doing, and even if an attacker can't actively steal your money, this doesn't mean that they can't cause you severe harm if they get into your account.


Whoever designed the website appears to have a lack of security knowledge. As others have pointed out, they do support HTTPS, but at the very least you should be redirected from HTTP to HTTPS when you go to the login site. That was standard for secure websites more than 10 years ago. It's extremely trivial to implement this, offers real protection from real attacks, and not having it is a red flag.

Even better would be supporting HSTS (also not supported), which is a way of publishing information on how the website should only be available via HTTPS. This standard is now almost 6 years old, and widely implemented. A bank not having this simple security measure is another red flag.

It should come as no surprise to you that Italian websites... aren't really the best. I've spent considerable time in Italy using Italian websites, and many are shockingly bad and about 15 years behind the times. This site is no exception.

The password length limits are sadly the norm for many banks. This is because much of the banking industry is itself far behind the times, with an enormous amount of legacy systems still in place. The lack of 2-factor authentication is also relatively common. Both of these are indications the institution isn't focused on security, but it's far too common for these to be red flags.

I ran a test of their SSL configuration against SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=www1.directatrading.com

It's actually not terrible (they get a B), which isn't a red flag, but is another indicator of not keeping up with security standards.

I wouldn't recommend using this financial institution since they seem to have a severe disregard for modern security practices going back at least 10-15 years. The visible problems are often just the tip of the iceberg.
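The answers above check the same handful of things by hand: whether the plain-HTTP login page redirects to HTTPS, whether HSTS is sent, where the login form actually submits credentials, whether the login endpoint carries a CSRF token, and whether the password field is capped at 10 characters. The script below is an added example (not code from any of the answers or from the bank) that encodes those checks over a captured response. The two HTTP exchanges embedded in it are constructed samples, so it runs offline; `bank.example`, the `csrf_token` field name and the `/auth` endpoint are assumptions, and the minimum HSTS `max-age` of 15552000 seconds (180 days) is a chosen threshold, not a value from the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


class _FormScanner(HTMLParser):
    """Collects each <form>'s action URL and the <input> attributes inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_hsts_max_age(header_value):
    """Return the max-age directive of a Strict-Transport-Security header, or None."""
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def assess_login_page(page_url, status, headers, body, min_hsts_age=15552000):
    """Return a sorted list of finding identifiers for one captured response."""
    findings = set()
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(page_url).scheme

    # A plain-HTTP request for the login page should be answered with a
    # redirect to HTTPS, never with a 200 and a form.
    if scheme == "http":
        location = h.get("location", "")
        if status in (301, 302, 307, 308) and urlsplit(location).scheme == "https":
            return sorted(findings)
        findings.add("no-https-redirect")

    # HSTS is only honoured by browsers when received over HTTPS.
    if scheme == "https":
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.add("missing-hsts")
        else:
            age = parse_hsts_max_age(hsts)
            if age is None or age < min_hsts_age:
                findings.add("hsts-short-max-age")

    # Form-level checks: where credentials go, CSRF token, password length cap.
    scanner = _FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        inputs = form["inputs"]
        types = [(i.get("type") or "").lower() for i in inputs]
        if "password" not in types:
            continue  # not a login form
        if urlsplit(urljoin(page_url, form["action"])).scheme != "https":
            findings.add("credentials-submitted-over-http")
        if not any(t == "hidden" and "csrf" in (i.get("name") or "").lower()
                   for t, i in zip(types, inputs)):
            findings.add("no-csrf-token")  # assumed token naming convention
        for t, i in zip(types, inputs):
            if t == "password" and i.get("maxlength") and int(i["maxlength"]) <= 10:
                findings.add("short-password-limit")
    return sorted(findings)


# Constructed sample: HTTP login page, form posts over HTTP, no token, 10-char cap.
WEAK_URL, WEAK_STATUS, WEAK_HEADERS = "http://bank.example/login", 200, {"Content-Type": "text/html"}
WEAK_BODY = """<form action="http://bank.example/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass" maxlength="10">
  <input type="submit" value="Login"></form>"""

# Constructed sample: HTTPS page with HSTS, HTTPS form action and a CSRF token.
GOOD_URL, GOOD_STATUS = "https://bank.example/login", 200
GOOD_HEADERS = {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
GOOD_BODY = """<form action="/auth" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="user">
  <input type="password" name="pass" maxlength="64"></form>"""

if __name__ == "__main__":
    print("weak:", assess_login_page(WEAK_URL, WEAK_STATUS, WEAK_HEADERS, WEAK_BODY))
    print("good:", assess_login_page(GOOD_URL, GOOD_STATUS, GOOD_HEADERS, GOOD_BODY))
```

The checker deliberately stops after a correct HTTP-to-HTTPS redirect, because a redirect response carries no form to inspect, and it only looks for HSTS on the HTTPS response, since browsers ignore the header over plain HTTP. Feed it the status, headers and body captured for both the `http://` and `https://` versions of a login page to get the same picture the answers assembled by hand.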