
Is it OK to hold credit card numbers in cookies, Santander?

364 points| Garbage | 13 years ago |seclists.org | reply

189 comments

[+] TomGullen|13 years ago|reply
What sort of clowns stored the credit card number in a cookie? Seriously? What a breathtakingly stupid show of total incompetence.

Was considering switching my personal account to Santander, have been looking to move away from Natwest for a while now. Natwest are a dismal failure of a bank to the extent I'm always happy to go out my way and dissuade people from associating with them in any way. I'll be writing Santander off my list for sure now. How on earth can you trust them after seeing this?

For a business who HAS to take security seriously, for a business with a LOT of resources, for a business who hold YOUR cash this is utterly pathetic and inexcusable on their part.

Leaving them might be a good idea for your personal security, unfortunately the UK is a little short of good banks. Would love to see someone shake up banking like Stripe has shaken up online payments.

[+] nessus42|13 years ago|reply
Maybe I'm an ignoramus, but what's wrong with storing your credit card number in a cookie, as long as it's encrypted? This is how session management is typically done, right? Your session information is stored encrypted in a cookie so that on subsequent page requests, the server still knows who you are, but the session information is encrypted and decrypted on the server, so that the client can't forge the session information.

If this technique is good enough to make sure that you still are who you said you were when you logged in, why is this not good enough for storing other sensitive information? And if it's not good enough for session management, then you're in deep trouble anyway, since someone else can now log in as you and funnel all your money into their Swiss bank account.

Edit: As it turns out, it seems that most cookie-based session data is only stored cryptographically signed, rather than encrypted. The reason for this seems to be that HMAC signing is up to 4X faster than encrypting with Blowfish.
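
The distinction in the edit above (signed versus encrypted cookie contents) is easy to see in code. The following is an added example, not code from the thread or from any bank: a minimal HMAC-signed session cookie of the kind common frameworks issue. The secret key, the helper names and the session fields are all constructed for the example. Signing stops the client from forging or altering the cookie, but the payload itself is only base64, so anything placed in it (a card number, a passcode) is readable by whoever holds the cookie.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret for this example. A real service loads it from a
# secrets store; it never reaches the browser.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_cookie(session: dict) -> str:
    """Serialise the session and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    payload = _b64e(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed_cookie(cookie: str) -> Optional[dict]:
    """Return the session dict if the tag verifies, otherwise None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no tag at all
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_b64d(payload))


def read_without_key(cookie: str) -> dict:
    """What any holder of the cookie (browser extension, XSS payload, proxy log)
    can read: the payload is plain base64 and needs no key."""
    payload = cookie.rsplit(".", 1)[0]
    return json.loads(_b64d(payload))


def tamper(cookie: str, **changes) -> str:
    """Rewrite payload fields while keeping the old tag; verification must fail."""
    data = read_without_key(cookie)
    data.update(changes)
    payload = _b64e(json.dumps(data, sort_keys=True).encode())
    return f"{payload}.{cookie.rsplit('.', 1)[1]}"


if __name__ == "__main__":
    cookie = make_signed_cookie({"user": "alice", "role": "customer"})
    print("server accepts original:", verify_signed_cookie(cookie))
    print("client can read payload:", read_without_key(cookie))
    print("server accepts tampered:", verify_signed_cookie(tamper(cookie, role="admin")))
```

The takeaway matches the edit: a signature answers "did the server issue this unchanged?", which is all a session identifier needs. It does nothing for confidentiality, so the safe pattern is to keep only an opaque session ID in the cookie and hold sensitive data server-side.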

[+] dcminter|13 years ago|reply
I've found Santander to be absolutely ghastly as soon as any exceptions to their core process occur. Anecdotal, but in my opinion you're probably better off avoiding them anyway.
[+] nicholassmith|13 years ago|reply
Barclays online offerings are pretty good as well, depends on how much you can ignore their slightly shady ethics when it comes to investment banking. They also weathered the last financial meltdown a bit better than the rest, so there's that.

UK is definitely missing a trustworthy, ethically sound bank though.

[+] michael_miller|13 years ago|reply
I think part of the incompetence has to do with what talented engineers want to work on. Most of us here on HN would never dream of writing mundane business logic software for a bank. Why would we, when we could be working on much more interesting problems, while earning a lot more money, working in a much more stimulating environment? This leaves mediocre programmers who can't get jobs at {Google, Facebook, Microsoft, Amazon, Startup X}. Talent goes where the money is, and the money is not in writing a bank web service.
[+] Firehed|13 years ago|reply
In theory, I'd rather have it in a cookie than unprotected in a database. In practice, anyone doing something that stupid will have XSS exploits rendering that information available to anyone running an exploit.

While security and encryption are definitely not easy (and far less so when you're talking about adhering to PCI-DSS Level 1, which somehow actual banks never seem to do), there are plenty of well-tested libraries that make it significantly easier. Having said that, I'd prefer to see the data stored in plaintext - obviously bad - rather than using easily-broken encryption (short keys, re-used keys, bad key storage, poor algorithm, etc) which looks OK at the surface but provides a serious false sense of security.

What really blows my mind is that Visa and Mastercard never seem to require PCI certification for their issuing banks. Being deep in the industry I realize how many middlemen and layers of misdirection there are with this kind of thing (usually to get around these security requirements), but Visa's diligence process is actually quite thorough - at least in the US. I've been interviewed by PCI auditors, and my experience was that they were actually asking the right questions, and required demonstrations to prove your claims. But for all I know, that varies widely from auditor to auditor.

[+] ookware|13 years ago|reply
I don't know if you saw Bank of Dave [1] but it showed how difficult it is to start a new bank in the UK, even if you are going to be run responsibly and in a small way.

I find it difficult to imagine someone new entering this market place, other than "people" like Virgin and Tesco with deep pockets to back them.

[1a] http://www.guardian.co.uk/tv-and-radio/tvandradioblog/2012/j...

[1b] http://www.ft.com/cms/s/0/2ba372d4-d80b-11e1-80a8-00144feabd...

[1c] http://www.burnleysavingsandloans.co.uk/about-us/

[+] lmm|13 years ago|reply
First Direct consistently scores highly on customer service, you might want to try them.
[+] belorn|13 years ago|reply
If the bank does not have a two-token security system, it is not secure. A single password should never, ever, anywhere, be enough to legally prove identity or validate a bank transfer.
[+] petercooper|13 years ago|reply
Natwest are a dismal failure of a bank to the extent I'm always happy to go out my way and dissuade people from associating with them in any way.

Just as a countering data point, I've been with NatWest for 14 years both for personal and business banking (plus a business credit card) and have had nothing but an excellent experience with them (the only negative I can think of is their online banking goes down for maintenance at 2-3am sometimes for an hour or two).

[+] atas|13 years ago|reply
A little bit off-topic, but in what way(s) is Natwest a "dismal failure of a bank"? I had a Natwest account a few years ago when I was in the UK, and I was happy with it at least in relation to the other bank I had an account with.
[+] joevandyk|13 years ago|reply
Doesn't seem too awful to store obfuscated credit card details in a short-lived cookie with httponly and secure set. (Say, in a checkout flow where you have to hold the credit card details somewhere for a couple minutes).
[+] UnoriginalGuy|13 years ago|reply
I actually quit Santander(UK) because of their security policies. They essentially changed online banking so you had to give them a mobile number and then had to get a code from a text message they sent you to login.

My question to them was "what happens if I don't have a mobile phone?" and "What do I do when I am on holiday abroad?" and their responses were (paraphrasing) "You won't be able to use online banking at all in either of those cases."

In order to just get this response I got transferred between like four or five different customer service reps. So I quit my bank of like ten years and when I quit they didn't even care enough to ask me WHY I was quitting.

[+] kule|13 years ago|reply
Funny I actually prefer their system of texting to confirm new payees (on business banking it's only to setup new payees not ones you've used before).

I almost always have my mobile handy, even abroad, however trying to find & use that darn HSBC dongle every time I want to login or add a payee drives me nuts.

I can certainly understand that it's a bit silly if they don't have a workaround for when you don't have a mobile though.

[+] eLobato|13 years ago|reply
You can still receive texts when you're abroad for free from your bank (I rely on this..). As for not having a cellphone.. I'm kinda puzzled they didn't give you another option.
[+] darkhorn|13 years ago|reply
In Turkey all the banks are required to use SMS validation while logging in, by law. You can receive SMS for free while you are abroad. You can use Skype or Google Voice, but yeah I know it is more expensive.
[+] iaskwhy|13 years ago|reply
Slightly on-topic. I have been trying with some banks in the UK trying to find the best online banking system and I am not happy with the results so far.

HSBC works quite well but the login system (with an RSA key) is annoying. I can accept it for actions like transfers but most times I just login to check my balance and transactions; requiring a token seems too much for me. Their design, even if not great, works.

MetroBank seems great from the outside but their system has some issues. First, to login you need your account number, a password and three digits from an 8-digit PIN. After logging in, you can do everything without any other measure. The system fails to login most times unless you realise you can just click on the link in the error message and logged in you are. A friend told me to use the incognito mode in Chrome and it seems to fix this issue, probably with sessions. Their design is not the best. On the transactions page you can only see 3 or 4 transactions on the screen at a time (without scrolling, that is).

I am waiting to try Santander (which I will avoid now) and Northern Rock.

Any good experiences?

[+] georgespencer|13 years ago|reply
HSBC have been an absolute NIGHTMARE for my business. I'd urge anyone in the UK to avoid them for anything. Below is the rant I sent to their complaints department after I had decided to ditch them after one foul-up too many.

tl;dr: It took me weeks to register; they refused to expedite new codes to me after a cockup at their end; then when they eventually allowed me to use the service they declined EngineYard and Google apps payments every single month for over a year for "fraud prevention reasons".

In the process of switching… not sure who to yet.

--

Over a year ago I began the process of opening a business bank account with HSBC over the telephone. I'd already completed incorporation of my business and had a provisional acceptance from HSBC via their online application system. Someone was to phone me to ask some cursory questions. Through this conversation it emerged that one of the directors in the business had somehow mistaken his gender when filling out his paperwork, and there was a pause while we waited for Companies House to update their records.

A few days passed, and with the records amended, I ventured into the Fulham Broadway branch of HSBC to complete this process. I explained to the gentleman hovering menacingly near the doors what I needed to do.

"I see. Come with me to The Business Centre," he said solemnly, visibly annoyed that I was wearing yesterday's jeans and no socks.

He deposited me in a chair and assured me that someone would be over to see me shortly. Instantly, another gentleman arrived and inquired as to what I needed. I explained my situation again. Ah, yes, of course. I needed to see a Business Advisor. Did I have an appointment? No, but the office was empty. Ah, yes. Right this way.

The second gentleman led me to a third representative of HSBC's towering capacity for inefficiency. A portly lady squeezed into a too-tight uniform, tucked inside a glass livestock enclosure; she motioned wordlessly to a chair. I ventured that I had a reference number. She pecked away with her exquisite fingernails on the tiny plastic keyboard in front of her and then abruptly stood, and stalked to a printer, rolling and heaving her monstrous body against a uniform visibly weakening at the seams.

"What," she said, looking at her screen and then, for the first time, at me, "did you hope to do today?"

I explained, for the third time, that I needed to conclude the opening of my business account–a process I'd started over the telephone and had been assured I could pick up in a real life, physical, open-now-on-Sundays-thanks-to-Nat-West retail bank. She nodded.

"So all we need really is to physically ID the other directors and we're done."

Nobody had mentioned this, and one of them was in France.

"Sorry, there's nothing we can do until then."

Could I just drag them into another branch and have them sign something? I could. Splendid.

Thus resolved, Director #1 and I went to the London Bridge branch of HSBC a few days later. He was clutching a disparate range of proofs of his identity, from bank statements to utility bills.

We explained to the 'Customer Host' what we needed to do. He ushered us up some stairs to The Business Centre, a grandiose term for two offices, a deserted reception area and a jolly looking woman stationed in a narrow glass booth.

After being left alone for several minutes, with no more obvious option, I approached her and, for the second time that day and the fifth overall, explained what Josh and I needed to accomplish. She motioned to the first office, which had an open door. "My colleague will be able to help you with that."

We went into the office. The man behind the desk looked up from the screen, creating the illusion of progress.

"Can I help yeh?" He asked, through the indolent, Americanised drawl of an east London schoolboy.

Once more I explained. Keep count.

"Yeahyeah, if you just take a seat, someone else will help you widdat."

Widdat, we sat and chatted about central American politics for a few minutes.

Another man, with a hole where it seemed obvious an earring usually was, walked past us into the office with Widdat in it. He gesticulated in our direction and then cast a wary glance over his shoulder at us.

He approached us and, as you might have expected, asked us what it was we were there to do, in a mumbling approximation of Widdat's voice which might have seemed like a parody if the intellectual bar set by HSBC's staff so far hadn't been so terribly, terribly low.

He explained, in a roundabout way, that he had to do some work and had an appointment coming in ten minutes, but that a lady would be along to see us very soon indeed, and that if she wasn't, he'd take care of us.

We resumed our discussion for what seemed like a very long time–and not because of Josh's constant oversimplification of the complexities of US paternalism. Eventually, Widdat #2 came back out and invited us into his office, muttering about the receptionist not being at her desk.

Instead of asking what we wanted to do, he began to faff about with his computer. I trotted out the most succinct version of my mission to date.

"I started the process of opening a business account with you. I was told I needed to bring in ID for the directors so you could verify them. I have one of them with me, with his ID."

"Right yeh but there's loads of paperwork to do to conclude and everything, it's maybe 25, 30 minutes and I have appointments and that."

We didn't need to do the paperwork. Could he just scan or photocopy the ID and say that he had seen it?

"I can take the ID from you but I can't give it back to you. We have to keep it. Sorry. You can either go into another branch and try to get it done or come back here and see me."

There is a box on the form for HSBC's Business Banking application which asks you how much you intend to deposit into the account. I assume Widdat #2 hadn't seen it, because I wouldn't ordinarily expect to fight someone to give them or their business several tens of thousands of pounds.

I lost interest. I told him it was ludicrous. He didn't disagree. We left. As a last chance I dropped into their deserted Clerkenwell branch and spoke to a business advisor who told me the previous HSBC employees I'd dealt with were all idiots and that it was very simple. We had the account opened in minutes.

Internet banking is very important to me because A) it's 2012, and I don't see a very good reason for highstreet banks to exist and B) I quite like the internet. So we registered for internet banking (which you have to do separately: is there really anyone who doesn't have or use the internet nowadays?). There are three parts of the verification system for this. HSBC posted me a 25-digit activation code, a cryptographic dongle thing, and another shorter code.

Ignoring the fact that a 25-digit activation code = 25! possibilities, which means HSBC have leave to create, I don't know, a BAJILLION online bank accounts, it's a fucking usability nightmare. Typing this stupid code into a computer, it's absolute overkill.

Oh, and they sent me two. Neither of which worked. The second one canceled the first, apparently (although they arrived at the same time), so I had to wait for a third code to be sent out. Nobody can do anything over the phone. You have to wait for the codes to arrive by post. They can only send them to the business address, meaning that you have to be in the office to pick them up. I spoke to a manager on the phone and politely asked what they could do to speed up the process of getting the code to me, since it was their mistake. Nothing at all, as it happened. They couldn't give it out over the phone, they couldn't send it recorded delivery, they couldn't courier it to me. Thanks for making amends for your mistake!

So after entering this 25-digit code, and another code which was a mix of alphanumerics, and picking a unique username, and specifying a password, and using my secure key dongle to generate a unique entry code, I finally get access to online banking about five weeks after the process begins, and I can finally pay our providers who have been patiently waiting (because they understand our pain–they also bank with HSBC).

[+] screwt|13 years ago|reply
I have accounts with both HSBC and smile (online branch of the Cooperative Bank).

HSBC is as you describe - seems pretty secure, but enormously frustrating that you need the dongle just to check balances etc. They'll only provide a single dongle, which is annoying as I want to access my bank from both work and home. The dongle is small enough that you could fit it in a wallet if you wanted to avoid that, but then you're more at risk of losing it.

For Smile, to login you just need your numbers, including 2 digits from a 4-digit PIN selected via drop-down. I guess this is to avoid keylogging but seems a bit odd as a shoulder-surfer could see quite easily. For any new/ unusual payments, the card-reader is needed. They were happy to provide me with a second reader so I can bank from home and work. The reader is too bulky to carry around though, so this is necessary.

The other thing Smile do is heavily plug "Trusteer" software on every login. Fortunately this is not yet mandatory.

On the whole I prefer Smile's approach, though I'd be happier if they could provide a smaller dongle that would be easier to travel with.

[+] mietek|13 years ago|reply
FirstDirect is better than HSBC, while still being part of the HSBC group. Their phone service is a lot better, with lower time-to-human, and Scottish accents instead of Indian ones. Their web usability is still pretty bad, though.

There's no ridiculous calculator-shaped hardware token. To log in, FD requires 3 characters from your password, and a "secret answer" — effectively, another password. Infuriatingly, they disable the Enter key in the log in form, so a mouse click is necessary.

FD's web UI is stuck firmly in the 90s, with nested menus, cramped screens, and plentiful transitions. Even the log out button redirects to another screen, in order to ask for confirmation.

Finally, FD give you £100 as an incentive to switch, and an additional £100 if you switch back out.

[+] SpoonMeiser|13 years ago|reply
I like the Barclays mobile app. You authenticate it once using a pin sentry device, and give it a pass code, and from then on you can just use that pass code to get your balance using the app. The app also acts as a pin sentry when you want to access your account using a computer.
[+] malsme|13 years ago|reply
I've used quite a few over the years, Lloyds TSB was probably the best in terms of usability (but others will likely disagree). If I were choosing a bank though, I would be more interested in their ethics, hidden charges - which usually means avoiding PLCs.
[+] DanBC|13 years ago|reply
HSBC refuses to allow me to login. I am unable to use their online banking. HSBC have been unable to fix this for me, despite months of trying. I gave up two years ago. I might try again.
[+] chris_wot|13 years ago|reply
Well someone has badly violated PCI-DSS 2.0.

This is bad in such an amazingly awful way on a "secure" banking website that I'm surprised that this bank even has an IT team, let alone a development team!

How did this not get picked up in QA testing, or even in a cursory audit?!?

[+] martokus|13 years ago|reply
I wonder what is the PCI DSS audit committee doing? I mean the world is full of idiots that need policing and that's why such organs exist in the first place.

Shit like this just shows that being a PCI DSS level 1 certified means absolutely nothing in the real world.

[+] mark242|13 years ago|reply
Actually I'm not sure which of the twelve requirements are being violated here. They could be compliant with part 3 ("Protect stored cardholder data") in their network. If the cookie is secure and only transmitted via SSL, they have a case for being compliant with part 4 ("Encrypt transmission of cardholder data across open, public networks"). Part 9 doesn't really apply here. Part 6 might or might not.
[+] gambiting|13 years ago|reply
Santander ALSO stores your passwords in plaintext, or at least has access to them in that form.

My password used to include special characters, until a transfer to their new web interface a year ago. After they did it, I could not log into my account - it kept telling me that my password was incorrect. So I rang them up, and a lady on the phone asked if I had any special characters in my password. I said yes - and then she told me to try logging in without them, as the new system does not accept them and they were automatically stripped during the transition to the new interface.

At first I was like - ok, at least now I can log into my account. But then it hit me - how the holy fuck could they remove special characters from my password???? The only way they could do that is if they had access to its plaintext, which is completely unacceptable.

I complained to Santander about it, only to receive a letter stating that they appreciate my concerns but their system is safe.

I've got all the correspondence with them if anybody wants to see.

[+] Lockyy|13 years ago|reply
Can confirm that cookies on my laptop did (don't anymore, and I won't be using their online banking anymore) contain sensitive information about my Santander account that I last logged into over 24 hours ago.

Going to go email them and tell them I'll be closing my account if they don't start taking their security seriously.

[+] stuff4ben|13 years ago|reply
I remember a bank I used to work at got bought out by Suntrust. After we had been migrated over, for some reason I had decided to check out the cookies they were using. Sure enough I saw my full SSN there. They don't do that now, but even as a junior developer at the time, I was pretty taken aback.
[+] Major_Grooves|13 years ago|reply
What's really annoyed me about Santander's website is when you click 'log-out' you might think you have logged out - but no - you are taken to the 'are you sure you want to log-out' page.

With banking websites I just want to click that link and be sure I am logged out. I don't mind logging in again if I clicked by accident.

[+] fmavituna|13 years ago|reply
From a practical attack point of view:

1. As explained in the original email, XSS attacks now lead to CC exposure, very bad

2. If the cookies are not session cookies, it's horrible: then anyone who got access to that computer later can read the cookies and Credit Card. But also don't forget tons of websites still keep auto-complete enabled!!!! in freaking CC fields.

3. If the cookies are not marked as "secure" (or issued over HTTPS) then it's totally messed up and invalidates PCI etc. directly. Now your credit card is transmitted over HTTP.

4. Other than this, even though it's a rather pointless thing to do, there is not any more direct attack I can think of.

Put it this way, this is not worse than an XSS vulnerability in a website, as an XSS can lead to more serious issues directly.
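
Points 2 and 3 above come down to cookie attributes. The following is an added example (not code from the thread or from any bank) of the check a reviewer would run over an application's Set-Cookie headers: is the cookie persistent, is it sent over plain HTTP, can script read it, is it sent cross-site. The three sample headers are constructed for the example and are not real output from Santander's site.

```python
from typing import Dict, List

# Constructed Set-Cookie headers for this example: a persistent cookie with no
# protective attributes, a hardened session cookie, and a partly hardened one.
SAMPLE_HEADERS = [
    "NewUniversalCookie=QUJD#REVG; Path=/; Expires=Wed, 09 Oct 2013 07:28:00 GMT",
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "tracking=xyz; Path=/; Max-Age=2592000; Secure",
]


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def _is_persistent(attrs: dict) -> bool:
    # Expires, or a positive Max-Age, makes the browser write the cookie to disk.
    if "expires" in attrs:
        return True
    try:
        return int(attrs.get("max-age", "0")) > 0
    except ValueError:
        return False


def audit_cookie(header: str) -> List[str]:
    """Return a list of findings for one Set-Cookie header; empty means no issues found."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script, so exposed by any XSS")
    if _is_persistent(attrs):
        findings.append("persistent: survives browser close and is stored on disk")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("no SameSite=Strict/Lax: attached to cross-site requests")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, "->", findings or "ok")
```

The attributes only limit where the cookie travels; none of them changes what is inside it. A cookie holding cardholder data fails the audit even when every flag is set, because the value is still stored on the client.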

[+] advisedwang|13 years ago|reply
Confirmed for my Santander account. I have not got a credit card, but the NewUniversalCookie cookie does contain my passcode (in all caps, just discovered it is case insensitive!).

The data is not just one base64 chunk, but multiple space separated chunks that base64 -d chokes on after a bit. I am probably missing a step.

[+] chubbard|13 years ago|reply
These hacks better be glad this industry isn't regulated like other professions where the individual professional is liable for his work. If these developers were doctors or engineers they personally would be liable for damages. Right now we have laid blame at the feet of the company, but this company doesn't seem to understand they don't have the technical know-how to be building websites for their customer base.
[+] delinka|13 years ago|reply
The company certainly should be responsible. The alternative (which I'd say would be good for us seasoned software professionals, bad for the companies, and not very good for the indie software profession) is Computer Software Creators get their own professional, gov't-approved certifications, a large pay increase to go with the risk increase, and a legal requirement for these businesses to only hire certified Computer Software Creators.

Ain't capitalism grand?

[+] readme|13 years ago|reply
Please don't give the government ideas
[+] joeconway|13 years ago|reply
For anyone interested, if you want to see the information it is storing then take the NewUniversalCookie and separate it by the #'s, then you can see two base64 strings which are easily decoded.

The scary part is that the 'alias' id is actually one of the 2 passwords needed to log into the account. So in fact if someone had that and my card number all they would need is the 5 digit numerical code to log in
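
The two comments above (advisedwang's note that a plain base64 -d chokes on the value, and joeconway's note that it is '#'-separated chunks) describe exactly the check an application team should run against its own cookies before release: decode each chunk, tolerate chunks that are not base64, and flag anything that looks like a card number. The following is an added example, not code from the thread or from any bank; the cookie value is constructed from invented contents and uses the well-known Visa test number 4111 1111 1111 1111, and a Luhn check separates real PAN candidates from other long digit runs.

```python
import base64
import binascii
import re
from typing import List

# Constructed cookie value for this example: two '#'-separated base64 chunks of
# invented XML, one holding a Luhn-valid test PAN and one a 16-digit reference
# number that is not a card number.
SAMPLE_COOKIE = "#".join([
    base64.b64encode(b"<alias>EXAMPLEALIAS</alias>").decode(),
    base64.b64encode(b"<card>4111111111111111</card><ref>1234567890123456</ref>").decode(),
])

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_chunks(cookie: str) -> List[str]:
    """Split on '#', re-pad and base64-decode each chunk; keep raw chunks that are not base64."""
    out = []
    for chunk in cookie.split("#"):
        if not chunk:
            continue
        padded = chunk + "=" * (-len(chunk) % 4)
        try:
            out.append(base64.b64decode(padded, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            out.append(chunk)  # not base64: scan the raw text anyway
    return out


def find_pans(cookie: str) -> List[str]:
    """Return Luhn-valid 13 to 19 digit runs found in any decoded chunk."""
    hits = []
    for text in decode_chunks(cookie):
        for match in PAN_RE.finditer(text):
            if luhn_ok(match.group()):
                hits.append(match.group())
    return hits


def mask(pan: str) -> str:
    """Show only the last four digits when reporting a finding."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_COOKIE):
        print("cardholder data in cookie:", mask(pan))
```

A hit from this check means the cookie must be redesigned, not re-encoded: base64 is not encryption, and the fix is to keep a random session identifier in the cookie and the card data on the server.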

[+] sw007|13 years ago|reply
Slightly off topic but I bank with Natwest.com and I have gone to their homepage today and am AMAZED as to what I saw.

If you navigate to their homepage - in prime view you'll see a section that says:

"Great ideas come from great conversations"

Under this is feedback from customer - 90% of the feedback is incredibly negative. For example:

"Tell your customers the truth how bad a silver account is. Premium numbers to contact and register, cannot register mobiles for ..."

"Natwest is an embarrassment, you have lost a customer for life".

This just sums up how out of touch banks are today with the internet. Don't advertise this sort of feedback! Especially on a homepage! What are they thinking?

[+] michaelfeathers|13 years ago|reply
I don't bank with Santander, but I was in Barcelona a few weeks ago and I passed by a Santander ATM that was rebooting IBM OS/2 Warp.
[+] SethMurphy|13 years ago|reply
IBM OS/2 warp is still a very viable solution for always on terminals and is more common than you may realize. While not officially supported anymore, for a price IBM will still support it. While I wouldn't choose it for a new solution, I wouldn't run out and create new ATM software, if it is working well, just because of the OS. Would you be more comfortable if they were running windows?
[+] DanBC|13 years ago|reply
I'm curious about responsible disclosure.

WhiteHat finds a security vulnerability. They tell the company. But, with banks, it's pretty hard to find the right person to tell. What steps should WhiteHat take to satisfy responsible disclosure? Is just a printed letter to the bank's registered address enough? (Banks, and everyone really, should have a "please use this address for responsible disclosure" - that would reassure me as a customer that they are taking security seriously).

But then, in England, we have a potential further step with the regulatory bodies. There's the ICO (information commissioner's office) who are overworked and will do nothing about this. And then there are the card companies who will, I'd have thought, be keen to protect their customers from fraud. Would responsible disclosure include a step to involve these third parties, if only to provide some clue pressure to the insecure site?

[+] danielweber|13 years ago|reply
Sometimes the media can help. If you have a contact, they can put pressure on the company by calling them to interview about the vulnerability they are going to write a story on.

Back when I used to read the disclosure lists, I'd see people ask "I need a security contact at XYZ Inc." all the time.

[+] andrewcooke|13 years ago|reply
i guess no-one else here cares, but i had a quick look and santander.cl seems to not do this (but i just logged in and looked at cookies, which all seemed to be opaque).
[+] d4nt|13 years ago|reply
I expect the UK online banking site is a descendant of Alliance & Leicester's site.

Santander bought A&L a few years ago when they got into trouble during the credit crunch. Before then, Santander was not trading in the UK.

[+] Tloewald|13 years ago|reply
Betteridge's law?

Given the recent IEEE clear text passwords stored on an FTP server fiasco we need to transition from shock and outrage and switch to resignation and ennui.

[+] catshirt|13 years ago|reply
for what it's worth, i use sovereign bank who was recently acquired by santander. the sovereign online banking contains the NewUniversalCookie, which contains an XML document (LOL) with 3 nodes: name, username, and userID. seemingly no intensely sensitive data in my cookies, but also seems to be some crossover with Santander's security system.
[+] btown|13 years ago|reply
I've seen error messages in Spanish, which would seem to indicate (since Sovereign was originally a New England-based company) that some backend services are shared. Luckily, I barely use the account, and I will continue to do so now that this post has come to light.
[+] reidrac|13 years ago|reply
Yep, checked the Spanish Santander online services and I couldn't reproduce the problem described here.

I got the XML with a userID field, but that's all. Also the cookie was removed when I logged out. Seems fine to me.

[+] SeanDav|13 years ago|reply
A huge irony in all this is that Santander pulled out of a deal to buy a large number of branch offices from a rival bank because apparently the computer systems of this rival bank weren't up to scratch and merging would have been an issue.

This bank probably didn't believe in storing sensitive information in publicly accessible places, clearly.

/sarcasm