RISC OS News Article
NetSurf users hit by HSBC account freeze
Published: 23rd Oct 2006, 03:19:16GMT  Source: drobe.co.uk
By the Drobe news desk
RISC OS machines accused of being backdoored by viruses
NetSurf users are reeling from HSBC's shock decision to suspend their accounts because their RISC OS computers are allegedly infected with spyware. The high street bank has confused the open source browser NetSurf with a strain of PC malware going by the same name, and has locked their customers out for security reasons, it is believed.

Days after celebrating the fact that NetSurf was finally able to log into the HSBC online banking website, RISC OS users were stunned when letters dropped on their doormats telling them they were banned from using their accounts. Punters say they were forced to turn up at their local branch with photo ID and sign a form promising to use Microsoft Windows XP with anti-virus software installed before they could access their money again.

In the letter, HSBC told RISC OS users: "An unauthorised person may have used your internet banking security number to log on to your Personal Internet banking. We believe that a PC that you use to log on to Internet banking may be infected with spyware. It is important that you do not use this computer until the problem has been identified and fixed. Some spyware programs can log your keystrokes, gathering personal data, then sending this to criminals."

There have been no reports of the existence of any Internet-based spyware for RISC OS. NetSurf and HSBC user Dave Ruck said the bank's decision had left him "nearly destitute" and "probably seriously overdrawn" with no way of paying off his bills. Another user, Tim Hill, fumed: "It is simply not good enough to test a website with a handful of mainstream desktop browsers or limit access in that way."

A HSBC technical support staffer said in response to complaints: "I cannot unfortunately confirm whether you would be able to access the accounts again using [NetSurf] or if the accounts would again be disabled. I have however escalated the matter to the concerned department who would be looking into the issue you faced. In the interim however, please use the browsers supported by us to access your accounts as these are browsers have been tested on our sites."

Through its so-called 'user-agent', NetSurf declares its name and version to websites as simply 'NetSurf' - whereas many other browsers lie and claim to be the latest release of Microsoft Internet Explorer running on Windows to dodge careless checks introduced by lazy webmasters. It is thought a piece of harmful PC spyware that is known to identify itself as 'netsurf.exe' is being confused with the NetSurf web browser, and therefore setting off alarm bells at HSBC.

Over the weekend, the NetSurf development team stressed they could not confirm that the problem was due to NetSurf's user-agent. Coder James Bursa said it is possible an unknown bug in NetSurf's handling of cookies or forms may have triggered HSBC's security systems. The team are sticking by their decision not to change the user-agent string, adding that punters can download and edit the source code if they want to change it. The release of NetSurf 1.0 will likely see the browser user-agent declare itself along with a version number and other details, according to James.
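The failure mode suspected above, as an added example that is not code from HSBC, NetSurf or the article: a fraud rule that locks an account on a user-agent name match alone, next to one that treats the match as a weak signal. The blocklist entry, the `new_device` and `failed_attempts` fields, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed blocklist: the article names 'netsurf.exe' as the spyware's
# process name; storing it as a bare token is the assumed mistake.
SPYWARE_TOKENS = {"netsurf"}

@dataclass
class Login:
    account: str
    user_agent: str
    new_device: bool        # hypothetical corroborating signal
    failed_attempts: int    # hypothetical corroborating signal

def product_token(user_agent: str) -> str:
    """First product token of a User-Agent header, lower-cased, version dropped."""
    parts = user_agent.strip().split()
    first = parts[0] if parts else ""
    return first.split("/")[0].lower()

def naive_action(ev: Login) -> str:
    """Lock the account on a user-agent name match alone."""
    return "lock" if product_token(ev.user_agent) in SPYWARE_TOKENS else "allow"

def corroborated_action(ev: Login) -> str:
    """Treat the name match as a weak signal: lock only with independent
    evidence, otherwise queue the event for analyst review."""
    if product_token(ev.user_agent) not in SPYWARE_TOKENS:
        return "allow"
    if ev.new_device and ev.failed_attempts >= 3:
        return "lock"
    return "review"

# Constructed sample events.
EVENTS = [
    Login("acct-1", "NetSurf", False, 0),   # RISC OS browser, ordinary login
    Login("acct-2", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", False, 0),
    Login("acct-3", "NetSurf", True, 4),    # same token plus other anomalies
]

def run(rule):
    """Apply a rule to every sample event and return {account: action}."""
    return {ev.account: rule(ev) for ev in EVENTS}

if __name__ == "__main__":
    print("naive       :", run(naive_action))
    print("corroborated:", run(corroborated_action))
```

The naive rule locks the ordinary NetSurf login because a self-declared browser name collides with a process name; the second rule only escalates it to review.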

HSBC say they will only support Internet Explorer and Netscape on Microsoft Windows, Apple Mac or GNU/Linux systems.

hzn(valued user) (+2.0)
23/10/06 7:21AM
Well, AFAIK it is always tricky to do things like online banking with a "weird" OS.

But I think that NetSurf should allow the user-agent to be changed - perhaps even such that it changes automatically for the odd website configured (like the one of this bank). Without that feature this nice browser will - as the others already do - probably make even more users decide that RISC OS is no good for webbrowsing since it is to be expected that the odd website checks the browser used and will refuse what they don't know. Since the chances that NetSurf will be well-known enough in the near future to be acknowledged by such websites it should be able to trick them.
CheatWarrior (+1.0)
23/10/06 8:12AM
*speechless*
CharlesB (+3.2)
23/10/06 8:35AM
Hope this has gone to the Sun and Star...
gdshaw (+2.0)
23/10/06 8:38AM
In reply to hzn:

Privoxy can be used to change the user agent string. AFAIK it hasn't been ported to RISC OS yet, but it definitely works with Netsurf if you run it on another machine. I would expect that porting would be fairly straightforward.
mripley(good user) (+8.2)
23/10/06 8:45AM
Change banks and let them know why!
Sawadee(valued user) (+2.0)
23/10/06 10:24AM
This could be only the "tip of the iceberg" showing ID, signing a form promising to use Microsoft Windows XP.

The bank may go "the whole hog" and declare that customers shall not go to the bank in a British made car! (just kidding).

The amusing part about it is that the bank would be better off supporting RISC OS if they only knew the truth. I agree with mripley, change banks and let them know why.
druck(valued user) 
23/10/06 11:02AM
My internet banking has been re-enabled this morning so at least I can now admire the size of my overdraft again.

If anyone wants to confirm whether it is the user agent string which is setting off the HSBC attack dogs, then make sure you have paid your bills this month and then use another browser such as Oregano2, which is known to work without problems with HSBC, and change its browser faking string to just "NetSurf". Then check your door mat tomorrow morning.
bernie(bad user / troll) (+2.0)
23/10/06 11:09AM
So much for using net-based banking services. I don't trust online banking, when I need I go to nearest ATM and make payments/transfers/whatever. Occasionally, I go to bank for services I can't do with ATM.
But I agree with Mripley/Sawadee, change your bank ASAP and make them know why!!
druck(valued user) 
23/10/06 11:29AM
What hasn't been mentioned so far is that, as well as cutting off internet banking, HSBC thoughtfully also disabled phone banking, just in case NetSurf also contains a speech synthesiser and VOIP software :)
JGZimmerle (+2.0)
23/10/06 11:49AM
Browser-based banking is not very secure anyway, there are lots of ways to attack it. Although many banks in Germany still offer the web-based systems, they also have established the HomeBanking Computer Interface (HBCI), which defines a standard for secure transmission of banking data between a bank-server and a specialised secure homebanking software. There is also an open-source implementation of the standard available at www.aqbanking.de/.
flypig(valued user) (+1.0)
23/10/06 12:49PM
In reply to JGZimmerle:

It's interesting you should say that. When Internet banking started growing in the UK, most banks created intricate proprietary systems using Java, javascript and so on. My understanding is that many banks now use standardised solutions based on TSL (using authentication certificates and key-exchange) as they consider this to be pretty secure. I believe this is why more and more banks are becoming accessible to RISC OS (unless they do what HSBC has done, of course!).

The majority of ways to attack banking sites are based on social engineering and attacking other vulnerable parts of the system, rather than during the transmission stage. HBCI certainly looks interesting though.
Revin Kevin(valued user) (+2.1)
23/10/06 3:04PM
It makes a mockery of their adverts on TV of being the world's local bank.
SimonC(valued user) (+0.8)
23/10/06 3:12PM
Of course, the whole mention of certificates reveals one area where Netsurf is genuinely less secure than their preferred browsers (along with all other RISC OS browsers, although I don't know how easy it is to get the certificates into RO Firefox).
jmb(good user) (+6.4)
23/10/06 3:36PM
In reply to hzn:

Should any form of ability to perform user-agent faking be added to NetSurf, it would be on a per-site basis; there would be no global setting. All too often, if people are provided with the ability to change the UA globally, they do so in order to access a site, then forget they've changed it and all future browsing they do claims they're using whatever browser they're faking, which defeats the point of having a UA string at all.

In reply to SimonC:

Perhaps you'd like to post to the NetSurf mailing list about this issue, providing rather more information. If there's truly a problem, I expect it would be investigated. For reference, NetSurf ships with the same root certificate bundle as Firefox and if it can't verify a certificate's validity (for whatever reason), it will ask the user to decide whether to accept the certificate for the current session. To aid you in your decision, it provides access to the complete certificate chain.
mrchocky(valued user) (+1.0)
23/10/06 4:13PM
For clarification, RISC OS Firefox does not presently ship with any root certificates because of the reliance on using shared libraries to implement this, so will always ask.
hzn(valued user) (+0.1)
23/10/06 5:04PM
In reply to jmb:

A per-site user-agent faking would be absolutely perfect - and unfortunately user-agent faking is necessary in some cases.

In reply to JGZimmerle:
The main security risks for web-based online banking are the OS vulnerabilities and the user. I guess RISC OS is fine on that account - not that it is safe but it is so unknown that it is currently not attacked. As for the user: Who clicks on links to a bank in his mail etc. will probably do so when using some online banking software and thus be the main risk.

In reply to gdshaw:
"Privoxy..." True, but then I might as well use some other browser or OS or bank.

In reply to druck:
I'd like to have that VoIP software for RISC OS :-)

In reply to Drobe:

Amazing: Ads by Google lists "Hsbc Bank. We've Found the Best 4 Sites About Hsbc Bank. Banks.Best4Sites.net" :-)
SimonC(valued user) (+0.1)
23/10/06 5:21PM
In reply to jmb:
My apologies. I was under the impression that Netsurf didn't ship with any at all, and didn't check them either (mostly because I've never been asked about when using Netsurf, but have a few times when using Firefox outside of RO).
jgharston (+1.0)
23/10/06 9:38PM
One of the things that always annoys me when this sort of thing happens is that the perpetrator doesn't even understand what he is talking about: "use the browsers supported by us". For real? You support the browsers? Hello, I have a problem with my copy of Internet Explorer, please come out and fix it. If they had any concept of what they were talking about they would say "the browsers that support us".

Or, the browsers that understand our horribly corrupted and strangulated coding...

VinceH(valued user) (+1.0)
23/10/06 11:24PM
You mean "the only browser our techs use and believe they understand"
bucksboy(good user) (+2.0)
24/10/06 11:06AM
Barclays requests online users to:

1. Use a personal firewall and AV s/ware;
2. keep their browser and OS up to date;

and include links to MS, Firefox and Apple. The Firefox link takes you to v1.50 on the Mozilla webpage, which AFAIK is the same as the current RO version. So - in theory - users of RO Firefox beta5 in conjunction with a firewalled router + RO 5.12 with VProtect installed have met the Barclays' requirements. But I'm not sure I'm willing to bet my bank balance on it ....
SimonC(valued user) (+2.0)
24/10/06 11:38AM
In reply to bucksboy:
Would you be willing to bet your bank balance on it meeting those requirements on a Windows machine? I can't think how that RO setup would be riskier than that (OK, as mentioned above the RO Firefox always prompts about certificates, but you can examine them if you want to).
bucksboy(good user) (+2.0)
24/10/06 12:18PM
I don't think the risk is greater under RO + Firefox (quite possibly less); my worry is what the position of the bank might be in the event of an unauthorised withdrawal when they discover that I am not using a 'standard' platform and browser combo. OTOH, Barclays haven't specified a recommended platform or browser - they have simply given general advice - so one could argue that those conditions that are specified (see earlier post) /have/ been met.
not_ginger_matt (+1.0)
24/10/06 2:04PM
I've just been using HSBC online banking using MSIE and Windows with the useragent string set up to report "NetSurf". Everything seemed fine, but we'll see if I get a letter in the next few days ;-)
Personally, I highly doubt that it's the user agent string causing the problem and think it's more likely to be broken/nested forms or cookie issues.
druck(valued user) (+1.0)
24/10/06 3:17PM
HSBC technical department have already acknowledged it is due to their systems detecting accesses coming from a program with a similar name as a piece of Windows spyware. Unfortunately they are having difficulty getting the concept of running legitimate software on an alternative operating system, and are continuing to tell me to download Windows anti-spyware software and to use IE or Netscape.
not_ginger_matt (+1.1)
24/10/06 4:12PM
Having dealt with many technical departments, they generally know very little and will happily fob you off by simply agreeing with whatever you say. Do you honestly trust the technical competency of anyone who still suggests Netscape as a browser?
Aside from this, I don't believe that netsurf.exe even changes the useragent string (I'll set a box up over the next few days to confirm this too but I have never seen it in any of the server logs I've looked at for sites with large volumes of traffic.) !NetSurf, however, has known form and cookie issues which I'm going to test (I'm not near my RiscPC until Thursday) by running a build of the app with a MSIE-compatible useragent and accessing a different (unlinked) HSBC online bank account.
I definitely think that actually exploring the issue for ourselves is the best way to go here.
Jades 
24/10/06 8:22PM
In reply to Bucksboy:

I use Netsurf to access Barclays and have never had any problems. I meet the first requirement easily (Select Firewall and !Killer) and I'm sure I meet the second one by being a Select subscriber and regularly downloading Netsurf test builds. ;-)
JDC(good user) (+1.0)
24/10/06 9:15PM
It's usually just a clause to protect banks from liability.
e.g. if you're not up to date we're not liable if your account details are stolen.

I work for HBOS, so would worry more about compatibility on our sites, we don't care what browser/os you use as long as it's secure enough to stop people stealing your account details.
So if it doesn't follow our recommendations we have no liability.

HSBC has gone into 'nanny mode' and actually disabled accounts, which is not only poor service, but removes the customers' choices.
JWCR(good user) (+1.0)
25/10/06 11:16AM
Well done HSBC, not only do you close my local branch, making life monstrously inconvenient for non-drivers like myself. Now they are trying to tell me what sort of computer I can own. It is a good job I cannot get Netsurf to run on my Iyonix*. Sorting out a problem like this would be a nightmare.

*("Internal Error : undefined error at <random hex string>" error message when I doubleclick the icon).
guestx (+1.1)
25/10/06 11:54AM
In reply to druck:
"HSBC technical department have already acknowledged it is due to their systems"

Time to contact the banking ombudsman/regulator, perhaps, especially if you're out of pocket because of their swift but less than smart reaction.
not_ginger_matt (+1.0)
25/10/06 2:19PM
In reply to JWCR:
Please post details to the NetSurf mailing list and we'll try to resolve any issues you may be having.