hzn (+2.0) 23/10/06 7:21AM |
Well, AFAIK it is always tricky to do things like online banking with a "weird" OS.
But I think that NetSurf should allow the user-agent to be changed - perhaps even such that it changes automatically for the odd website configured (like the one of this bank). Without that feature this nice browser will - as the others already do - probably make even more users decide that RISC OS is no good for web browsing since it is to be expected that the odd website checks the browser used and will refuse what they don't know. Since the chances that NetSurf will be well-known enough in the near future to be acknowledged by such websites it should be able to trick them. |
CheatWarrior (+1.0) 23/10/06 8:12AM |
*speechless* |
CharlesB (+3.2) 23/10/06 8:35AM |
Hope this has gone to the Sun and Star... |
gdshaw (+2.0) 23/10/06 8:38AM |
In reply to hzn:
Privoxy can be used to change the user agent string. AFAIK it hasn't been ported to RISC OS yet, but it definitely works with NetSurf if you run it on another machine. I would expect that porting would be fairly straightforward. |
mripley (+8.2) 23/10/06 8:45AM |
Change banks and let them know why! |
Sawadee (+2.0) 23/10/06 10:24AM |
This could be only the "tip of the iceberg" showing ID, signing a form promising to use Microsoft Windows XP.
The bank may go "the whole hog" and declare that customers shall not go to the bank in a British made car! (just kidding).
The amusing part about it is that the bank would be better off supporting RISC OS if they only knew the truth. I agree with mripley, change banks and let them know why. |
druck 23/10/06 11:02AM |
My internet banking has been re-enabled this morning so at least I can now admire the size of my overdraft again.
If anyone wants to confirm whether it is the user agent string which is setting off the HSBC attack dogs, then make sure you have paid your bills this month and then use another browser such as Oregano2, which is known to work without problems with HSBC, and change its browser faking string to just "NetSurf". Then check your door mat tomorrow morning. |
bernie (+2.0) 23/10/06 11:09AM |
So much for using net-based banking services. I don't trust online banking, when I need I go to nearest ATM and make payments/transfers/whatever. Occasionally, I go to bank for services I can't do with ATM.
But I agree with Mripley/Sawadee, change your bank ASAP and make them know why!! |
druck 23/10/06 11:29AM |
What hasn't been mentioned so far is that, as well as cutting off internet banking, HSBC thoughtfully also disabled phone banking, just in case NetSurf also contains a speech synthesiser and VOIP software. |
JGZimmerle (+2.0) 23/10/06 11:49AM |
Browser-based banking is not very secure anyway, there are lots of ways to attack it. Although many banks in Germany still offer the web-based systems, they also have established the HomeBanking Computer Interface (HBCI), which defines a standard for secure transmission of banking data between a bank-server and a specialised secure homebanking software. There is also an open-source implementation of the standard available at www.aqbanking.de/. |
flypig (+1.0) 23/10/06 12:49PM |
In reply to JGZimmerle:
It's interesting you should say that. When Internet banking started growing in the UK, most banks created intricate proprietary systems using Java, JavaScript and so on. My understanding is that many banks now use standardised solutions based on TLS (using authentication certificates and key-exchange) as they consider this to be pretty secure. I believe this is why more and more banks are becoming accessible to RISC OS (unless they do what HSBC has done, of course!).
The majority of ways to attack banking sites are based on social engineering and attacking other vulnerable parts of the system, rather than during the transmission stage. HBCI certainly looks interesting though. |
Revin Kevin (+2.1) 23/10/06 3:04PM |
It makes a mockery of their adverts on TV of being the world's local bank. |
SimonC (+0.8) 23/10/06 3:12PM |
Of course, the whole mention of certificates reveals one area where NetSurf is genuinely less secure than their preferred browsers (along with all other RISC OS browsers, although I don't know how easy it is to get the certificates into RO Firefox). |
jmb (+6.4) 23/10/06 3:36PM |
In reply to hzn:
Should any form of ability to perform user-agent faking be added to NetSurf, it would be on a per-site basis; there would be no global setting. All too often, if people are provided with the ability to change the UA globally, they do so in order to access a site, then forget they've changed it and all future browsing they do claims they're using whatever browser they're faking, which defeats the point of having a UA string at all.
In reply to SimonC:
Perhaps you'd like to post to the NetSurf mailing list about this issue, providing rather more information. If there's truly a problem, I expect it would be investigated. For reference, NetSurf ships with the same root certificate bundle as Firefox and if it can't verify a certificate's validity (for whatever reason), it will ask the user to decide whether to accept the certificate for the current session. To aid you in your decision, it provides access to the complete certificate chain. |
mrchocky (+1.0) 23/10/06 4:13PM |
For clarification, RISC OS Firefox does not presently ship with any root certificates because of the reliance on using shared libraries to implement this, so will always ask. |
hzn (+0.1) 23/10/06 5:04PM |
In reply to jmb:
A per-site user-agent faking would be absolutely perfect - and unfortunately user-agent faking is necessary in some cases.
In reply to JGZimmerle:
The main security risks for web-based online banking are the OS vulnerabilities and the user. I guess RISC OS is fine on that account - not that it is safe but it is so unknown that it is currently not attacked. As for the user: Who clicks on links to a bank in his mail etc. will probably do so when using some online banking software and thus be the main risk.
In reply to gdshaw:
"Privoxy..." True, but then I might as well use some other browser or OS or bank.
In reply to druck:
I'd like to have that VoIP software for RISC OS
In reply to Drobe:
Amazing: Ads by Google lists "Hsbc Bank. We've Found the Best 4 Sites About Hsbc Bank. Banks.Best4Sites.net"  |
SimonC (+0.1) 23/10/06 5:21PM |
In reply to jmb:
My apologies. I was under the impression that NetSurf didn't ship with any at all, and didn't check them either (mostly because I've never been asked about when using NetSurf, but have a few times when using Firefox outside of RO). |
jgharston (+1.0) 23/10/06 9:38PM |
One of the things that always annoys me when this sort of thing happens is that the perpetrator doesn't even understand what he is talking about: "use the browsers supported by us". For real? You support the browsers? Hello, I have a problem with my copy of Internet Explorer, please come out and fix it. If they had any concept of what they were talking about they would say "the browsers that support us".
Or, the browsers that understand our horribly corrupted and strangulated coding... |
VinceH (+1.0) 23/10/06 11:24PM |
You mean "the only browser our techs use and believe they understand" |
bucksboy (+2.0) 24/10/06 11:06AM |
Barclays requests online users to:
1. Use a personal firewall and AV s/ware;
2. keep their browser and OS up to date;
and include links to MS, Firefox and Apple. The Firefox link takes you to v1.50 on the Mozilla webpage, which AFAIK is the same as the current RO version. So - in theory - users of RO Firefox beta5 in conjunction with a firewalled router + RO 5.12 with VProtect installed have met the Barclays' requirements. But I'm not sure I'm willing to bet my bank balance on it .... |
SimonC (+2.0) 24/10/06 11:38AM |
In reply to bucksboy:
Would you be willing to bet your bank balance on it meeting those requirements on a Windows machine? I can't think how that RO setup would be riskier than that (OK, as mentioned above the RO Firefox always prompts about certificates, but you can examine them if you want to). |
bucksboy (+2.0) 24/10/06 12:18PM |
I don't think the risk is greater under RO + Firefox (quite possibly less); my worry is what the position of the bank might be in the event of an unauthorised withdrawal when they discover that I am not using a 'standard' platform and browser combo. OTOH, Barclays haven't specified a recommended platform or browser - they have simply given general advice - so one could argue that those conditions that are specified (see earlier post) /have/ been met. |
not_ginger_matt (+1.0) 24/10/06 2:04PM |
I've just been using HSBC online banking using MSIE and Windows with the useragent string set up to report "NetSurf". Everything seemed fine, but we'll see if I get a letter in the next few days.
Personally, I highly doubt that it's the user agent string causing the problem and think it's more likely to be broken/nested forms or cookie issues. |
druck (+1.0) 24/10/06 3:17PM |
HSBC technical department have already acknowledged it is due to their systems detecting accesses coming from a program with a similar name as a piece of Windows spyware. Unfortunately they are having difficulty getting the concept of running legitimate software on an alternative operating system, and are continuing to tell me to download Windows anti-spyware software and to use IE or Netscape. |
not_ginger_matt (+1.1) 24/10/06 4:12PM |
Having dealt with many technical departments, they generally know very little and will happily fob you off by simply agreeing with whatever you say. Do you honestly trust the technical competency of anyone who still suggests Netscape as a browser?
Aside from this, I don't believe that netsurf.exe even changes the useragent string (I'll set a box up over the next few days to confirm this too but I have never seen it in any of the server logs I've looked at for sites with large volumes of traffic.) !NetSurf, however, has known form and cookie issues which I'm going to test (I'm not near my RiscPC until Thursday) by running a build of the app with a MSIE-compatible useragent and accessing a different (unlinked) HSBC online bank account.
I definitely think that actually exploring the issue for ourselves is the best way to go here. |
Jades 24/10/06 8:22PM |
In reply to Bucksboy:
I use NetSurf to access Barclays and have never had any problems. I meet the first requirement easily (Select Firewall and !Killer) and I'm sure I meet the second one by being a Select subscriber and regularly downloading NetSurf test builds. |
JDC (+1.0) 24/10/06 9:15PM |
It's usually just a clause to protect banks from liability.
e.g. if you're not up to date we're not liable if your account details are stolen.
I work for HBOS, so would worry more about compatibility on our sites, we don't care what browser/os you use as long as it's secure enough to stop people stealing your account details.
So if it doesn't follow our recommendations we have no liability.
HSBC has gone into 'nanny mode' and actually disabled accounts, which is not only poor service, but removes the customer's choices. |
JWCR (+1.0) 25/10/06 11:16AM |
Well done HSBC, not only do you close my local branch, making life monstrously inconvenient for non-drivers like myself. Now they are trying to tell me what sort of computer I can own. It is a good job I cannot get NetSurf to run on my Iyonix*. Sorting out a problem like this would be a nightmare.
*("Internal Error : undefined error at <random hex string>" error message when I doubleclick the icon). |
guestx (+1.1) 25/10/06 11:54AM |
In reply to druck:
"HSBC technical department have already acknowledged it is due to their systems"
Time to contact the banking ombudsman/regulator, perhaps, especially if you're out of pocket because of their swift but less than smart reaction. |
not_ginger_matt (+1.0) 25/10/06 2:19PM |
In reply to JWCR:
Please post details to the NetSurf mailing list and we'll try to resolve any issues you may be having. |