[Wylug-discuss] Natwest online banking

Smylers Smylers at stripey.com
Fri Jan 16 01:01:24 GMT 2004


Robert Wood writes:

> Hello everybody! (This is my first post to a wylug list, I'm hoping to
> show up maybe at the next meet...)

Hello Robert -- welcome to Wylug.

> It would be interesting to know exactly why Natwest are insisting on
> IE.  Do they really think because Mozilla/Konqueror are open-source
> anybody who wants to could slip in extra Root CA certificates etc?

No.  The big risk with banking sites is that customers log on at net
cafés and after logging out there's some information left around on a
public terminal which others could take advantage of.

The Natwest site[*0] uses the autocomplete="off" attribute on the
<input> element.  This instructs browsers that any text entered should
not be saved so that it can be proffered on a future visit to the site:

  http://xrl.us/autocomplete

But the autocomplete attribute is not in any HTML standard.  Therefore
the banks wish to limit customers to using those browsers which they
have verified as supporting that attribute.

'Mozilla' has supported it, but only since August last year, and
apparently not in as many places as 'IE' does:

  http://bugzilla.mozilla.org/show_bug.cgi?id=178597
  http://bugzilla.mozilla.org/show_bug.cgi?id=198419

So it's understandable that when Natwest set up their online banking
they declined to support 'Mozilla', but they should now be persuadable
that it's safe.

  [*0]  To discover this I went to their site in 'Mozilla Firebird'.
  After accepting its session cookies, and then spoofing my user agent
  as 'IE' and going out and coming back again, it finally displayed the
  log-in page, but only after redirecting through a page displaying this
  'message':

    <% option explicit
    ' Check that user has used www.natwest.com, and if so drop straight through
    if (instr(request.ServerVariables("SERVER_NAME"), "www.natwest.com") = 0) then
      ' They've used something else so construct new URL
      dim strUrl
      strUrl = "http://www.natwest.com" & request.ServerVariables("URL")
      ' Check if there is a query string and if so append onto the end
      if (Len(request.ServerVariables("QUERY_STRING")) > 0) then
        strUrl = strUrl & "?" & request.ServerVariables("QUERY_STRING")
      end if
      response.redirect(strUrl)
    end if %>

  That doesn't exactly inspire confidence in the system.  It can be seen
  at the following URL.  If it flashes past too quickly for you to read
  it, try prompting to accept cookies so it pauses on that page, or view
  it using 'Lynx':

    http://www.natwest.com/availability/nwolb_login.stm

Smylers
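As an added illustration (not part of Smylers's post) of the check a site owner would want before trusting a browser not to remember login details: a small audit that scans a page's forms and reports which text/password fields lack an effective autocomplete="off". It goes slightly beyond the post by handling the attribute on both <form> and <input>, since a field inherits the form-level setting when it has none of its own; the HTML below is a constructed sample, not Natwest's page.

```python
# Added example: audit login fields for an effective autocomplete="off".
# A field with no autocomplete attribute of its own inherits its <form>'s;
# with neither set, the browser default is "on" and it may be remembered.
from html.parser import HTMLParser

# Constructed sample page standing in for a real login form.
SAMPLE_HTML = """
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="customer_number">
  <input type="password" name="pin">
</form>
<form action="/register" method="post">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password">
  <input type="submit" value="Go">
</form>
"""


class AutocompleteAudit(HTMLParser):
    """Collect every text/password input with its effective autocomplete."""

    def __init__(self):
        super().__init__()
        self.form_setting = None   # autocomplete value of the enclosing <form>
        self.fields = []           # list of (field name, effective setting)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_setting = (a.get("autocomplete") or "").lower() or None
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            if itype not in ("text", "password"):
                return  # submit buttons, hidden fields etc. are not remembered
            own = (a.get("autocomplete") or "").lower() or None
            effective = own or self.form_setting or "on"
            self.fields.append((a.get("name", "?"), effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None  # settings do not leak past </form>


def unprotected_fields(html):
    """Return names of text/password inputs a browser may offer to autofill."""
    audit = AutocompleteAudit()
    audit.feed(html)
    return [name for name, setting in audit.fields if setting != "off"]


if __name__ == "__main__":
    print(unprotected_fields(SAMPLE_HTML))  # ['password']
```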
