From: sabrina downard Date: 14:03 on 04 Dec 2007 Subject: Banking web sites The entire fucking Internet had just better be grateful I'm practical enough to not limit myself to doing business only with people who can design functional web user interfaces, because I'd be shit out of luck finding one. Dear Citibank: You can stuff your criminally obtuse payment-account-addition interface in your ears. And top it off with your ridiculous "feedback can only be 20 lines (of unspecified length, natch)" comments form. I'll tell you what, I'll keep my feedback to 20 lines or less if you make the explanatory text on your dialogues not LIE about required formatting. Dear Chase: And as for you people, you can just take that ridiculous "You're logging on from a new computer! OMG!" authorization code transfer nonsense and shove it where the sun don't shine. I am in fact NOT signing on from a new computer, I'm signing on from one of the two computers I always use, on its same IP it always uses, and your goddamn inability to handle cookies is not my problem. God, imagine the pain if I had multiple machines changing NAT addresses all the time behind my firewall at home. It's amazing it ever works for anyone at all. I want goddamn SecurID tokens for my banks just to eliminate this bullshit. I hear tell other people get them, and I'm bitterly, bitterly jealous. hatefully, --s.
From: A. Pagaltzis Date: 14:39 on 04 Dec 2007 Subject: Re: Banking web sites Hi sabrina, I stopped reading after the subject. Yours with sympathy and a lie for comedic effect,
From: Jonathan Katz Date: 14:53 on 04 Dec 2007 Subject: Re: Banking web sites Aristotle/Sabrina, I concur that banking sites are becoming obtuse. I want a login page with a username and password ON THE SAME PAGE; a place where I can authenticate, click a button, and get to my goodies. I know enough to check the browser bar and make sure I'm hitting the correct site, not some phishing site in Khazastoniastan. I don't need a little picture to ensure I'm reaching the right site. The whole pause between username and password is a decent security principle, but a pain in the ass from a usability standpoint. We can safely blame TJX for a majority of this hate and its precipitation of the PCI-DSS standard.
From: Mike Beattie Date: 19:54 on 04 Dec 2007 Subject: Re: Banking web sites I hate to go against the grain of the hate, but check out the interface to my online banking.... http://www.asbbank.co.nz/fastnetnew/ Mike.
From: Mike Beattie Date: 20:01 on 04 Dec 2007 Subject: Re: Banking web sites On 5/12/2007, at 8:54 AM, Mike Beattie wrote: > I hate to go against the grain of the hate, but check out the > interface to my online banking.... > > http://www.asbbank.co.nz/fastnetnew/ And just to reply to myself: Better demo: http://www.asbbank.co.nz/about-fastnet/classic_demo/demo/index.stm "Netcode", using RSA tokens or SMS messages, if you exceed your daily transfer limit: http://www.asb.co.nz/section783.asp? http://www.asb.co.nz/story8712.asp? Mobile banking (blackberries, pdas, etc): http://www.asbbank.co.nz/mobile/ Mike.
From: Peter da Silva Date: 20:58 on 04 Dec 2007 Subject: Re: Banking web sites On 04-Dec-2007, at 13:54, Mike Beattie wrote: > I hate to go against the grain of the hate, but check out the > interface to my online banking.... > > http://www.asbbank.co.nz/fastnetnew/ A big blank box with a "flash" logo in the center?
From: Mike Beattie Date: 22:14 on 04 Dec 2007 Subject: Re: Banking web sites On 5/12/2007, at 9:58 AM, Peter da Silva wrote: > A big blank box with a "flash" logo in the center? No, that's just a tour of the 'new' system. The actual interface is decidedly HTML compliant, for a bank: https://fnc.asbbank.co.nz/ Anyway, this is not hate, so I'll shut up. Mike.
From: Marco Von Ballmoos Date: 19:26 on 05 Dec 2007 Subject: Re: Banking web sites On Dec 4, 2007, at 23:14, Mike Beattie wrote: > Anyway, this is not hate, so I'll shut up. Indeed. It's lucky you said something or one of us would have been forced to. -- Marco Von Ballmoos http://earthli.com - Home of the earthli WebCore; PHP web sites made simple.
From: David Cantrell Date: 13:00 on 09 Dec 2007 Subject: Re: Banking web sites On Tue, Dec 04, 2007 at 08:03:41AM -0600, sabrina downard wrote: > Dear Chase: And as for you people, you can just take that ridiculous > "You're logging on from a new computer! OMG!" authorization code > transfer nonsense and shove it where the sun don't shine. I am in > fact NOT signing on from a new computer, I'm signing on from one of > the two computers I always use, on its same IP it always uses, and > your goddamn inability to handle cookies is not my problem. God, > imagine the pain if I had multiple machines changing NAT addresses all > the time behind my firewall at home. It's amazing it ever works for > anyone at all. > > I want goddamn SecurID tokens for my banks just to eliminate this > bullshit. I hear tell other people get them, and I'm bitterly, > bitterly jealous. I find your naive faith that such obvious incompetents would implement SecurID correctly to be most touching.
From: Jarkko Hietaniemi Date: 14:52 on 09 Dec 2007 Subject: Re: Banking web sites David Cantrell wrote: > On Tue, Dec 04, 2007 at 08:03:41AM -0600, sabrina downard wrote: > >> Dear Chase: And as for you people, you can just take that ridiculous >> "You're logging on from a new computer! OMG!" authorization code >> transfer nonsense and shove it where the sun don't shine. I am in >> fact NOT signing on from a new computer, I'm signing on from one of >> the two computers I always use, on its same IP it always uses, and >> your goddamn inability to handle cookies is not my problem. God, >> imagine the pain if I had multiple machines changing NAT addresses all >> the time behind my firewall at home. It's amazing it ever works for >> anyone at all. >> >> I want goddamn SecurID tokens for my banks just to eliminate this >> bullshit. I hear tell other people get them, and I'm bitterly, >> bitterly jealous. > > I find your naive faith that such obvious incompetents would implement > SecurID correctly to be most touching. > Apologies in advance since this is not a hate: despite other issues I have with one of my banks and their website, they have used one-time pad security since like mid-nineties, and over time they have honed it to be rather slick (with touches of user-friendliness: if I forget to cross off the password I used, and try to reuse it, the website tells me that I have used that one already, how about trying the next one.) Oh, how do I get the one time pads? They send them to me one by one in snail mail, and when they see I'm getting low, they send me a new one. To log in I need my "customer id" which is secret, not shown online or in receipts (and unrelated to my accounts or personal info, they told it to me once), and one of those one-time generated passwords. Transactions are verified by a different set of passwords. So it *is* possible for banks to have a clue, at least sometimes.
What *is* hateful is that I know it is possible to do it better, and then being subjected to the utter disasters of web sites in other banks and similar institutions.
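The server side of the scheme Jarkko describes, as an added example that is not the bank's code or anything posted in this thread: a constructed model of a mailed list of one-time login codes in which the bank keeps only salted hashes plus a used flag per position, answers a reused code with the "already used, try the next one" hint instead of counting it as a failure, locks the account after repeated wrong guesses (for six-digit codes the real threat is online guessing, not cracking the hash table), and reports when the list is running low so a replacement can be posted. List size, code length, low-water mark and lockout threshold are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed model (an assumption, not any bank's actual scheme): the
# customer holds a printed list of codes, the bank holds salted hashes and
# a used/unused flag per position.
CODE_DIGITS = 6
LIST_SIZE = 30
LOW_WATERMARK = 5          # mail a fresh list when this few remain
MAX_FAILURES = 3           # online guessing is the real threat for 6-digit codes


def generate_code_list(n: int = LIST_SIZE) -> list:
    """The list that gets printed and posted to the customer (no duplicates,
    so a code identifies exactly one position)."""
    codes = []
    while len(codes) < n:
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        if code not in codes:
            codes.append(code)
    return codes


class OneTimeListAccount:
    def __init__(self, codes: list):
        self.salt = os.urandom(16)
        self.hashes = [self._hash(c) for c in codes]
        self.used = [False] * len(codes)
        self.failures = 0
        self.locked = False

    def _hash(self, code: str) -> bytes:
        # A slow hash only buys time if the table leaks (10**6 candidates is
        # small); the lockout below is what actually stops guessing.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 20_000)

    def next_unused(self) -> Optional[int]:
        """1-based position of the next unused code, for the hint."""
        for i, used in enumerate(self.used):
            if not used:
                return i + 1
        return None

    def remaining(self) -> int:
        return self.used.count(False)

    def needs_new_list(self) -> bool:
        return self.remaining() <= LOW_WATERMARK

    def login(self, code: str) -> tuple:
        if self.locked:
            return False, "account locked; contact the bank"
        candidate = self._hash(code)
        # Compare against every stored hash in constant time each, and do not
        # stop at the first hit, so timing does not reveal the matching position.
        match = None
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                match = i
        if match is None:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
            return False, "invalid code"
        if self.used[match]:
            # Jarkko's usability touch: a crossed-off code is a slip, not an
            # attack, so say which one it was and point at the next, without
            # charging a failure.
            nxt = self.next_unused()
            hint = f"try code #{nxt}" if nxt else "the list is exhausted"
            return False, f"code #{match + 1} already used; {hint}"
        self.used[match] = True
        self.failures = 0
        return True, "ok"
```

Usage: `acct = OneTimeListAccount(generate_code_list())`, then `acct.login("123456")` per attempt; poll `acct.needs_new_list()` to decide when to post the next list. Note that the hint deliberately tells a caller which position a code occupied; that is harmless only because reaching it already requires a valid code from the list.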
From: Ricardo SIGNES Date: 17:42 on 09 Dec 2007 Subject: Re: Banking web sites * Jarkko Hietaniemi <jhi@xxx.xx> [2007-12-09T09:52:56] > So it *is* possible for banks to have a clue, at least sometimes. > What *is* hateful is that I know it is possible to do it better, and > then being subjected to the utter disasters of web sites in other banks > and similar institutions. Yeah, like Centurion Bank (aka American Express). They provide fantastic services. I spend most of my money through them. Their web logins allow passwords of no MORE than eight characters. What?!
From: numien Date: 15:06 on 10 Dec 2007 Subject: Re: Banking web sites Ricardo SIGNES wrote: > Their web logins allow > passwords of no MORE than eight characters. > > What?! > > Mine does the same thing. Minimum 6 characters, maximum 8. Huh? The only reason I can think of for this is frightening... They DON'T hash our passwords, rather, store them plaintext/obscured. And long passwords eat DB space. Scary concept for a bank.
From: H.Merijn Brand Date: 15:16 on 10 Dec 2007 Subject: Re: Banking web sites On Mon, 10 Dec 2007 10:06:14 -0500, numien@xxxxxxxxx.xxx wrote: > Ricardo SIGNES wrote: > > Their web logins allow > > passwords of no MORE than eight characters. > > > > What?! > > > > > Mine does the same thing. Minimum 6 characters, maximum 8. Huh? > The only reason I can think of for this is frightening... > They DON'T hash our passwords, rather, store them plaintext/obscured. Is that the only hate you can think of? I presume they *accept* > 8, but only *use* the first 8 characters: much more frightening > And long passwords eat DB space. > Scary concept for a bank.
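An added example, not code from any bank or poster in this thread, to make Merijn's distinction concrete. The "legacy" scheme is a constructed stand-in for the crypt(3)-era habit of hashing only the first eight characters, so anything typed after them is silently discarded; the "hardened" scheme salts and stretches the whole password and limits length only with a generous bound against hashing DoS. `truncates_password` is a black-box probe: enrol a long random password, then try to log in with each prefix. It needs no source code, so the same idea tells you whether a login you are allowed to test behaves like Merijn fears.

```python
import hashlib
import hmac
import os
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# --- Constructed legacy scheme (an assumption, not any real bank's code) ---
# Only the first 8 characters reach the hash, so "password123" and
# "passwordXYZ" are the same credential.
LEGACY_MAX = 8


def legacy_register(password: str) -> bytes:
    return hashlib.sha1(password[:LEGACY_MAX].encode()).digest()


def legacy_verify(stored: bytes, attempt: str) -> bool:
    candidate = hashlib.sha1(attempt[:LEGACY_MAX].encode()).digest()
    return hmac.compare_digest(stored, candidate)


# --- Hardened scheme: whole password, per-user salt, slow KDF ---
# The only length limit is an upper bound against hashing DoS.  PBKDF2 is
# used because it is in the standard library; a memory-hard KDF such as
# scrypt or Argon2id is preferable where available.
MAX_LEN = 1024
ITERATIONS = 100_000


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hardened_register(password: str) -> tuple:
    if not 1 <= len(password) <= MAX_LEN:
        raise ValueError("password length out of bounds")
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def hardened_verify(record: tuple, attempt: str) -> bool:
    salt, digest = record
    if len(attempt) > MAX_LEN:
        return False
    return hmac.compare_digest(digest, _kdf(attempt, salt))


def truncates_password(register, verify, probe_len: int = 12) -> bool:
    """Black-box probe for silent truncation.

    Enrol a random probe_len-character password, then try to log in with
    every proper prefix.  If any prefix is accepted, the characters after it
    were discarded at enrolment.  Only the register/verify interface is
    needed, which is why the same probe works against a real login form.
    """
    full = "".join(secrets.choice(ALPHABET) for _ in range(probe_len))
    record = register(full)
    return any(verify(record, full[:cut]) for cut in range(1, probe_len))
```

Run `truncates_password(legacy_register, legacy_verify)` and the same call with the hardened pair to see the two answers. A site that rejects long passwords outright (numien's bank) and one that truncates them (Merijn's suspicion) look identical to the user who never notices; the probe is the only way to tell them apart from outside.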
From: numien Date: 16:25 on 10 Dec 2007 Subject: Re: Banking web sites H.Merijn Brand wrote: > Is that the only hate you can think of? I presume they *accept* > 8, but only *use* the first 8 characters: much more frightening Mine won't even accept it. I tried to put in a long one originally, and it gacked complaining it was over 8 characters, forced me to use a shorter one. I'm not sure if accepting it and silently discarding beyond 8 characters would be more or less hateful. At least it would be customer-friendly, not whining about your password being too secure. But then it's nice, albeit not very reassuring, to be aware of the fact your bank hires morons for programmers.
From: sabrina downard Date: 17:15 on 10 Dec 2007 Subject: Re: Banking web sites On 12/10/07, numien@xxxxxxxxx.xxx <numien@xxxxxxxxx.xxx> wrote: > I tried to put in a long one originally, and it gacked complaining it was > over 8 characters, forced me to use a shorter one. Back several years ago (but not too many!), before Chase bought them out, Bank One used to require an exactly four-digit password. (Not your ATM pin! Just a four-digit password. No more, no less.) It was at about that point that I began to give up on humanity. --s. (who supposes at least they've gotten better since then... sorta kinda maybe a little.)
From: A. Pagaltzis Date: 00:07 on 11 Dec 2007 Subject: Re: Banking web sites * sabrina downard <viv@xxxxxxxx.xxx> [2007-12-10 18:30]: > Bank One used to require an exactly four-digit password. > > --s. (who supposes at least they've gotten better since then... > sorta kinda maybe a little.) Doesn't seem like they could go any way other than up from there. Regards,
From: Scott Francis Date: 18:25 on 10 Dec 2007 Subject: Re: Banking web sites On Mon, Dec 10, 2007 at 11:25:05AM -0500, numien@xxxxxxxxx.xxx said: [-- text/html is unsupported (use 'v' to view this part) --] this is almost the last place (ASR would be if they had a mailing list) I'd expect to see HTML-only mail (yeah, I could pipe it to lynx or something, but c'mon ... how about leaving web pages for my web BROWSER, and sending RFC-compliant plaintext messages formatted as emails for my MUA?) dovetails nicely with the (gob-smacking) Unicode hate from Mr. Schwern recently ... I keep thinking that if I get low-level enough, I can find SOME interface SOMEWHERE that will always and forever be straight ASCII plaintext, with no markup or prettification. I'm beginning to despair. -- Scott Francis | darkuncle(at)darkuncle(dot)net | 0x5537F527 Less and less is done until non-action is achieved when nothing is done, nothing is left undone. -- the Tao of Sysadmin
From: A. Pagaltzis Date: 07:01 on 11 Dec 2007 Subject: Re: Banking web sites * Scott Francis <darkuncle@xxxxxxxxx.xxx> [2007-12-11 06:10]: > always and forever be straight ASCII plaintext Parochial bigot. Regards,
From: numien Date: 07:39 on 11 Dec 2007 Subject: Re: Banking web sites Scott Francis wrote: > > this is almost the last place (ASR would be if they had a mailing list) I'd > expect to see HTML-only mail (yeah, I could pipe it to lynx or something, but > c'mon ... how about leaving web pages for my web BROWSER, and sending > RFC-compliant plaintext messages formatted as emails for my MUA?) > My apologies for the HTML-only mail. Didn't realize Thunderbird shipped set to that. Hate may be distributed wherever you feel appropriate.
From: Rory McCann Date: 15:29 on 10 Dec 2007 Subject: Re: Banking web sites numien@xxxxxxxxx.xxx wrote: > Mine does the same thing. Minimum 6 characters, maximum 8. Huh? > The only reason I can think of for this is frightening... > They DON'T hash our passwords, rather, store them plaintext/obscured. > And long passwords eat DB space. > Scary concept for a bank. Also what's scary is being that concerned about bytes. Worst case scenario: 2,000,000 customers with 20 character passwords = 40 MB!! Think of how many extra servers they'll have to buy to store that! (I know there's all kinds of things like database optimisation CHAR vs VARCHARS, but still) Rory
From: book Date: 10:51 on 11 Dec 2007 Subject: Re: Banking web sites On Mon, Dec 10, 2007 at 10:06:14AM -0500, numien@xxxxxxxxx.xxx wrote: > Ricardo SIGNES wrote: >> Their web logins allow >> passwords of no MORE than eight characters. >> >> What?! >> >> > Mine does the same thing. Minimum 6 characters, maximum 8. Huh? At least it's not maximum 8, but only digits. And let the users choose their passwords. Mmm, 1 million possible passwords, a few million customers... Given that 8 digits can be used to make an easy to remember password, e.g. a date, and that 30 years of dates gives you about 11000 possible passwords to try first, do you really need to write a bot to check the odds of a brute force attack succeeding (provided the logins are not too difficult to construct)?
From: Abigail Date: 00:38 on 11 Dec 2007 Subject: Re: Banking web sites On Sun, Dec 09, 2007 at 09:52:56AM -0500, Jarkko Hietaniemi wrote: > David Cantrell wrote: > > On Tue, Dec 04, 2007 at 08:03:41AM -0600, sabrina downard wrote: > > > >> Dear Chase: And as for you people, you can just take that ridiculous > >> "You're logging on from a new computer! OMG!" authorization code > >> transfer nonsense and shove it where the sun don't shine. I am in > >> fact NOT signing on from a new computer, I'm signing on from one of > >> the two computers I always use, on its same IP it always uses, and > >> your goddamn inability to handle cookies is not my problem. God, > >> imagine the pain if I had multiple machines changing NAT addresses all > >> the time behind my firewall at home. It's amazing it ever works for > >> anyone at all. > >> > >> I want goddamn SecurID tokens for my banks just to eliminate this > >> bullshit. I hear tell other people get them, and I'm bitterly, > >> bitterly jealous. > > > > I find your naive faith that such obvious incompetents would implement > > SecurID correctly to be most touching. > > > > Apologies in advance since this is not a hate: despite other issues > I have with one of my banks and their website, they have used one-time pad > security since like mid-nineties, and over time they have honed it > to be rather slick (with touches of user-friendliness: if I forget to > cross off the password I used, and try to reuse it, the website tells me > that I have used that one already, how about trying the next one.) > > Oh, how do I get the one time pads? They send them to me one by one in > snail mail, and when they see I'm getting low, they send me a new one. > > To log in I need my "customer id" which is secret, not shown online or > in receipts (and unrelated to my accounts or personal info, they told it > to me once), and one of those one-time generated passwords. > Transactions are verified by a different set of passwords. > > So it *is* possible for banks to have a clue, at least sometimes. > What *is* hateful is that I know it is possible to do it better, and > then being subjected to the utter disasters of web sites in other banks > and similar institutions. Out of the four banks I've accounts with (not counting some dormant accounts in the UK and the USA), there are two whose website I use to move money around. Both banks have sent me a little gadget: to authenticate, I slide my ATM card in the gadget, use my PIN to activate the gadget, and then type in the 8 digit code the website gives me. The gadget then calculates an 8 digit number, which I use as a password. The password is valid for a few minutes. I've to repeat the process if I'm about to transfer money. I use my account number and card number as my login id. Given that I've actually worked for the bank I use most, and hence, I know how many incompetent people are working for their IT department, I fully expect this scheme to be implemented in such a way as to be completely insecure. Abigail
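The exchange Abigail describes, as an added example that is not any bank's code or the readers she was sent: a constructed model in which the gadget holds a per-card key, computes nothing until the PIN is verified and blocks after three wrong PINs, and answers the website's 8-digit challenge with an HMAC truncated HOTP-style to 8 digits; the website remembers each challenge for one verification only and expires it after a few minutes, which is what makes a shoulder-surfed response useless a moment later. Real readers of this kind derive the response inside the EMV chip rather than from a plain HMAC; the key, PIN, login id and time-out here are assumptions, and "one response per PIN entry" is a design choice of this model.

```python
import hashlib
import hmac
import secrets
import time

DIGITS = 8
CHALLENGE_TTL = 180          # seconds; Abigail's "valid for a few minutes"
MAX_PIN_TRIES = 3


def digits_from_mac(mac: bytes, digits: int = DIGITS) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) to a decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CardReader:
    """The gadget.  The card key never leaves it, and nothing is computed
    before the PIN is verified.  Key and PIN are constructed test values."""

    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin = pin
        self._tries = 0
        self._unlocked = False
        self.blocked = False

    def enter_pin(self, pin: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries = 0
            self._unlocked = True
            return True
        self._tries += 1
        if self._tries >= MAX_PIN_TRIES:
            self.blocked = True      # like a card's PIN try counter
        return False

    def respond(self, challenge: str) -> str:
        if not self._unlocked:
            raise PermissionError("enter PIN first")
        self._unlocked = False       # one response per PIN entry (model's choice)
        mac = hmac.new(self._key, challenge.encode(), hashlib.sha256).digest()
        return digits_from_mac(mac)


class BankServer:
    """The website side: issues an 8-digit challenge, keeps it for exactly
    one verification attempt, and expires it."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._keys = {}              # login id -> card key (assumed enrolment)
        self._pending = {}           # login id -> (challenge, issued_at)

    def enrol(self, login_id: str, card_key: bytes) -> None:
        self._keys[login_id] = card_key

    def issue_challenge(self, login_id: str) -> str:
        challenge = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self._pending[login_id] = (challenge, self._clock())
        return challenge

    def verify(self, login_id: str, response: str) -> bool:
        entry = self._pending.pop(login_id, None)   # single use, success or not
        key = self._keys.get(login_id)
        if entry is None or key is None:
            return False
        challenge, issued = entry
        if self._clock() - issued > CHALLENGE_TTL:
            return False
        expected = digits_from_mac(hmac.new(key, challenge.encode(), hashlib.sha256).digest())
        return hmac.compare_digest(expected, response)


def login(bank: BankServer, reader: CardReader, login_id: str, pin: str) -> bool:
    """The full exchange a customer performs; a transfer repeats it."""
    challenge = bank.issue_challenge(login_id)      # website shows 8 digits
    if not reader.enter_pin(pin):                   # customer unlocks the gadget
        return False
    response = reader.respond(challenge)            # gadget shows 8 digits
    return bank.verify(login_id, response)          # customer types them in
```

The two properties worth checking in any implementation of this shape are in `verify`: the challenge is popped before anything else, so a second submission of the same response fails even if the first was correct, and the clock check runs on the server's clock, not a value supplied by the client. Abigail's worry, that the bank's side could still be built insecurely, is exactly about those details rather than about the gadget.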
Generated at 10:26 on 16 Apr 2008 by mariachi