[Wylug-discuss] Natwest online banking
Smylers
Smylers at stripey.com
Fri Jan 16 01:01:24 GMT 2004
Robert Wood writes:
> Hello everybody! (This is my first post to a wylug list, I'm hoping to
> show up maybe at the next meet...)
Hello Robert -- welcome to Wylug.
> It would be interesting to know exactly why Natwest are insisting on
> IE. Do they really think because Mozilla/Konqueror are open-source
> anybody who wants to could slip in extra Root CA certificates etc?
No. The big risk with banking sites is that customers log on at net
cafés and after logging out there's some information left around on a
public terminal which others could take advantage of.
The Natwest site[*0] uses the autocomplete="off" attribute on the
<input> element. This instructs browsers that any text entered should
not be saved so that it can be proffered on a future visit to the site:
http://xrl.us/autocomplete
But the autocomplete attribute is not in any HTML standard. Therefore
the banks wish to limit customers to using those browsers which they
have verified as supporting that attribute.
'Mozilla' has supported it, but only since August last year, and
apparently not in as many places as 'IE' does:
http://bugzilla.mozilla.org/show_bug.cgi?id=178597
http://bugzilla.mozilla.org/show_bug.cgi?id=198419
So it's understandable that when Natwest set up their online banking
they declined to support 'Mozilla', but they should now be persuadable
that it's safe.
[*0] To discover this I went to their site in 'Mozilla Firebird'.
After accepting its session cookies, and then spoofing my user agent
as 'IE' and going out and coming back again, it finally displayed the
log-in page, but only after redirecting through a page displaying this
'message':
    <% option explicit
    'Check that user has used www.natwest.com, and if so drop straight through
    if (instr(request.ServerVariables("SERVER_NAME"), "www.natwest.com") = 0) then
        'They've used something else so construct new URL
        dim strUrl
        strUrl = "http://www.natwest.com" & request.ServerVariables("URL")
        'Check if there is a query string and if so append onto the end
        if (Len(request.ServerVariables("QUERY_STRING")) > 0) then
            strUrl = strUrl & "?" & request.ServerVariables("QUERY_STRING")
        end if
        response.redirect(strUrl)
    end if
    %>
That doesn't exactly inspire confidence in the system. It can be seen
at the following URL. If it flashes past too quickly for you to read
it try prompting to accept cookies so it pauses on that page or view
it using 'Lynx':
http://www.natwest.com/availability/nwolb_login.stm
Smylers
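The redirect logic in that leaked fragment, re-expressed in Python as an added example (it is neither NatWest's code nor part of the original post) so its behaviour can be checked offline: it builds the same target from the three server variables the fragment reads, and the `strict` flag is an assumption of mine that pairs the fragment's instr() substring test with an exact host comparison, the more conservative check.

```python
from typing import Optional

CANONICAL_HOST = "www.natwest.com"


def redirect_target(server_name: str, url: str, query_string: str,
                    strict: bool = False) -> Optional[str]:
    """Mirror of the leaked ASP fragment.

    Returns the URL to redirect to, or None when the request already
    arrived on the canonical host ("drop straight through").

    strict=False reproduces the fragment's instr() substring test.
    strict=True (assumed hardening, not in the fragment) compares the
    host name exactly, ignoring case and any :port suffix.
    """
    if strict:
        host = server_name.split(":", 1)[0].lower()
        on_canonical = host == CANONICAL_HOST
    else:
        # instr(...) = 0 means "not found"; any other position counts as a match
        on_canonical = CANONICAL_HOST in server_name
    if on_canonical:
        return None
    # They've used something else so construct new URL
    target = "http://" + CANONICAL_HOST + url
    # Check if there is a query string and if so append onto the end
    if len(query_string) > 0:
        target += "?" + query_string
    return target


# Constructed sample requests, not captured traffic
SAMPLES = [
    ("natwest.com", "/availability/nwolb_login.stm", ""),
    ("www.natwest.com", "/availability/nwolb_login.stm", "x=1"),
]

if __name__ == "__main__":
    for name, path, qs in SAMPLES:
        print(name, "->", redirect_target(name, path, qs))
```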