ajimix | 2 years ago

Why do bank websites remove the ability to paste? You have already copied the text when you realize you cannot paste. So what is the point? Writing things by hand is prone to errors, and if your clipboard is poisoned you have already copied the stuff by the time you realize you cannot paste…

epivosism|2 years ago

I always imagine there is an "intro to forms programming" which includes code to disable copy and paste, and its concepts now have thousands of descendants across the web, to the point that people start imagining it's a security measure and proactively copy it. I agree w/you and don't see the point in stopping users from pasting in the first place.

mgkimsal|2 years ago

I don't think it specifically violates any accessibility regulations, but preventing pasting has always come across to me as an accessibility violation.

bakugo|2 years ago

Not only does my bank's website not allow me to paste my "password", it doesn't allow me to type it at all. It's insane. Said "password" is just a 6 digit number (we're not allowed to set our own passwords, because 6 digits is definitely way more secure than the 16 character random strings my password manager generates) and it forces me to enter it using buttons on the page itself with randomized positions. No idea how any of this is supposed to help with security, if my device is already compromised to the point that all my keypresses and clicks are being logged, the attacker can probably also just read the password from the browser's memory...

porridgeraisin|2 years ago

I agree with your overarching point.

But, how exactly does being able to install a keylogger on someone's computer mean you can also break memory integrity and steal data from the browser's memory?

From what I know, Windows keylogger "services" were very popular some 10 years ago and hence the banks rushing to "fix" it.

russelg|2 years ago

Is this ING? Sounds very similar to how ING does it.

earthling8118|2 years ago

It's time to find a real bank.

samwillis|2 years ago

I hate this so much, was registering for a new ISP the other day, they blocked paste in the password inputs and broke my password manager. Such an incredibly bad decision from a security perspective.

drowsspa|2 years ago

KeePass is pretty cool when it comes to that, I can just invoke the auto-type in those situations

capableweb|2 years ago

Usually it starts with a company having issues with robot traffic. So they try a bunch of things to hinder the robot(s). They do something, the robot stops working, but after a while it comes back, it's a cat and mouse game essentially.

One day, they (developers pushed by middle managers) disable copy-paste on the login page, and the robot temporarily stops working, until a couple of days later, when the robot found a way around it.

On to the next thing to do to stop the robot, but that previous "fix" is still there, with the thinking that "maybe that stops some of the robots", but it probably doesn't.

But there it sits, some ~10-ish lines of JS that will hang around until rewrite v6 when they'll begin from the beginning, and some months/years later come around to disabling it once again.

No, I'm absolutely not speaking from experience.

KirillPanov|2 years ago

Just give up.

You can't win; you're going to get robot traffic unless everybody does something like Web Environment Integrity. Seriously.

Just allocate your finite resources in a hierarchical 32-level binary tree based on bit prefixes of the client IP address. Exactly what the root DNS servers do. And exactly what the only mitigation for slowloris attacks does. Then get on with your life.
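One possible reading of the prefix-tree allocation described in the comment above, as an added example (not the commenter's code and not how any particular server implements it): slots in a fixed pool are counted per IPv4 prefix, and when the pool is full a slot is reclaimed from the busiest branch of the tree. The class and method names, the tie-break rule and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

class PrefixTreeLimiter:
    """Share `capacity` slots over a 32-level binary tree of IPv4 prefixes (illustrative)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.held = defaultdict(int)   # (prefix_len, prefix_bits) -> slots in use

    def _adjust(self, addr, delta):
        for n in range(33):            # the root (/0) down to the host (/32)
            self.held[(n, addr >> (32 - n))] += delta

    def _heaviest_host(self, newcomer):
        """Descend from the root into the busier child at every level."""
        prefix = 0
        for n in range(1, 33):
            left, right = prefix << 1, (prefix << 1) | 1
            l, r = self.held[(n, left)], self.held[(n, right)]
            if l == r:                 # tie: take the side matching the newcomer's bit
                prefix = left | ((newcomer >> (32 - n)) & 1)
            else:
                prefix = left if l > r else right
        return prefix

    def slots(self, ip):
        return self.held[(32, int(ipaddress.IPv4Address(ip)))]

    def acquire(self, ip):
        """Return (granted, evicted_ip); evicted_ip is set when a slot was reclaimed."""
        addr = int(ipaddress.IPv4Address(ip))
        self._adjust(addr, +1)         # admit tentatively, then check the pool
        if self.held[(0, 0)] <= self.capacity:
            return True, None
        victim = self._heaviest_host(addr)
        self._adjust(victim, -1)       # reclaim one slot from the busiest host
        if victim == addr:
            return False, None         # the requester itself is the busiest host
        return True, str(ipaddress.IPv4Address(victim))

    def release(self, ip):
        if self.slots(ip) > 0:
            self._adjust(int(ipaddress.IPv4Address(ip)), -1)

def demo():
    # Constructed scenario: one busy client fills a 4-slot pool, then two others arrive.
    lim = PrefixTreeLimiter(capacity=4)
    ips = ["203.0.113.9"] * 5 + ["198.51.100.7", "10.0.0.1"]
    return [lim.acquire(ip) for ip in ips], lim.slots("203.0.113.9")
```

In a server, the evicted address would identify a connection or queued request to drop; here it is only reported to the caller.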

Devasta|2 years ago

Not saying this is the case, but there was malware that would check to see if you had copied what looked to be a bitcoin account and replace it with its own.

https://techcrunch.com/2018/07/03/new-malware-highjacks-your...

Something like that maybe?

klabb3|2 years ago

Yeah I also hate this but they have a point. Desktop clipboard is a shitshow. Any app can read it willy nilly, certainly if focused but I wouldn’t be surprised if it works in the background on some platforms.

It is one of the prime candidates for a global redesign from scratch, including even physical keys (since copy-paste is so common, certainly more than say caps lock). All the APIs are riddled with decades of tech debt and are entirely platform-specific.

LatticeAnimal|2 years ago

Reminds me of treasurydirect.gov which presents you with a virtual keyboard and you have to click to type out your (case insensitive) password. It is insane.

Falkon1313|2 years ago

It's to reduce security.

Of course a long, random, unique password from a password manager is best for security, everyone knows that.

So forcing people to instead use a short, easy-to-type, memorable password clearly couldn't possibly be anything else but an attempt to undermine the user's security and put their account at increased risk. That bank does not have your best interests in mind. With that in mind, it doesn't matter why they don't.

So switch to another bank (or better yet, a credit union) that does.

bobbylarrybobby|2 years ago

This is why I have an automation on my computer to type out the clipboard character by character.

undebuggable|2 years ago

The banks protect you from malicious clipboard manipulation by manipulating the clipboard content ("we let you paste but complete some digits manually") and/or entirely disabling pasting text into text fields. Yes, they employ at least one "security expert" who will elaborately explain to you why it's better for your security.

extraduder_ire|2 years ago

IME, middle-clicking on a linuxy computer still works as expected most places. I use that far more often than real copy/paste.

bryanrasmussen|2 years ago

Maybe they think criminals are too stupid to put a varying timer to make keypress times seem natural.