Welcome to maniacmartin, the personal site of Martin Smith.


    22 May 2008

    Javascript and Online Banking

    Filed under: Blog — martin @ 12:10 pm

    I have recently started using Opera for my day-to-day surfing, as Firefox 3 Beta 5 locks up now and again, and decides to use 100% CPU. This usually happens when I have a few tabs loading that have Flash video in them. However, Opera’s javascript engine isn’t quite like IE or Firefox’s.

    This caught me out when I tried to login to Internet Banking at a certain bank. Like many other banks, they have some drop-down menus for you to select the requested digits from your security code, presumably to stop keyloggers. But unlike password entry fields, drop-down menus are much easier to shoulder surf, so they use Javascript to make the entry display an asterisk in the drop-down as soon as you’ve made your selection.

    Of course, this caused Opera to fail to login, with a message along the lines of “You’ve got your account details or security details wrong, or you’re not registered for online banking”. So I tried again, and soon locked myself out.

    Had they actually tested the site on a few browsers, this would have been easily discovered, and could have been fixed, or they could sniff the user agent and display a different page, or a message telling customers to use a different browser. That’s not ideal, I know, but it stops customers locking themselves out.

    Of course, at the other end of the spectrum, Natwest sniff user agents, and reject virtually every browser, yet faking to be IE yields a perfectly working site anyway.

    And then there’s HSBC. When their site eventually loads, it has the first part of the login process on a non-SSL served page, which POSTs to an SSL page. Whilst this could be argued to be secure, it goes against what the banks have been telling Joe Consumer (“look for the padlock”), and it’s possible for a fake entry form to be sent through DNS poisoning or a man-in-the-middle attack, which POSTs elsewhere. People will not spot this as easily as a canned phishing email.
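    The pattern described above (a login form served from a plain-HTTP page that POSTs to an https URL) is easy to check for. The following is an added example of my own, not code from the post or from any bank: it parses a page, resolves every form action against the page URL, and reports both a missing padlock on the page itself and any non-TLS form target. The bank hostnames and HTML below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, html):
    """Return a list of findings for a login page fetched from page_url.

    Two checks, both taken from the post: the page carrying the login form
    must itself be served over TLS (the padlock a user can see), and each
    form must post to an https URL. A TLS target reached from a plain-HTTP
    page is flagged too, since a substituted page could point it anywhere.
    """
    findings = []
    page_is_tls = urlparse(page_url).scheme == "https"
    if not page_is_tls:
        findings.append("login page served over plain HTTP")
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolves relative actions
        if urlparse(target).scheme != "https":
            findings.append(f"form posts to non-TLS URL: {target}")
        elif not page_is_tls:
            findings.append(f"TLS form target {target} reached from a "
                            "plain-HTTP page; a substituted page could point it elsewhere")
    return findings


# Constructed sample: an http:// login page whose form posts to https://
SAMPLE_PAGE_URL = "http://bank.example/login"
SAMPLE_HTML = """<html><body>
<form method="post" action="https://secure.bank.example/logon">
  <input name="userid"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("-", finding)
```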

    Maybe someone can enlighten me on why banks feel the need to reinvent the wheel. We have SSL. We have EV SSL certificates. SSL has been proven to work. Why do banks make sites that depend on Javascript, specific browsers, and bulky calculator-like devices that fit oh-so-easily in your wallet?

    Of course, it’s their response to keyloggers and phishing emails. However, I don’t have a virus-ridden Windows box, nor do I believe the scams that drop into my inbox every day. I don’t see why I should have to waste time because someone couldn’t be bothered to sniff the user agent, display a warning or actually test some Javascript which was designed to safeguard users who’ll type their bank details into anything and open any attachment without a second thought. (Should people who pose such a security risk to their own account even be given internet banking?)

    In fact, I don’t think the bank has any reason to need my email address at all, but it doesn’t stop MBNA sending official advertising emails from suspicious looking email addresses, with links to URLs that look equally fishy. When you have real banks sending out these phishy emails, no wonder Joe Consumer falls for scam ones. (For the record MBNA didn’t reply when I emailed them asking why they engage in this practice.)

    WordPress won’t upload

    Filed under: Computer — martin @ 11:28 am

    Something that’s been bugging me for a while is that when I updated my WordPress install (using svn), file uploads ceased to work. Attempting to upload a file resulted in the message “An error occurred in the upload. Please try again later.”

    It seems that the latest WordPress uses Flash to show a progress bar during the upload. This site details many possible solutions, but the easiest one that’s guaranteed to work is downloading the No-Flash-Uploader plugin. Simply drop it in your wp-content/plugins folder, then activate it in the Dashboard, and your uploads are fixed.

    PwManager for Windows

    Filed under: Computer — martin @ 11:22 am

    Having just put Windows XP back (in a dual boot configuration) I wanted to share the password manager that I have in the KDE system tray with Windows. I looked on the internet, and the only thing that has been ported is the pwmanager_dump program. However, combined with the Windows ext2 driver, GNUWin32 tools (grep, awk, xargs etc.) and a program that copies its command-line argument to the Windows clipboard, I have a hacked-up working pwmanager that syncs with Linux.

    I’m not 100% certain, but I think all of the tools I use are under the GPL, except for CopytoClipboard.exe, whose license I do not know. To get it to work, simply edit the first line of the bat file to point to your pwd file; of course you’ll have used the Windows ext2 driver to mount your Linux partition to a Windows drive letter.

    PwManager in Windows