NetSurf users hit by HSBC account freeze | RISC OS news and information from Drobe


Beta! \| About us \| Contact \| Submit news \| RSS \| Twitter	Webspace \| Tech docs \| Downloads \| BBC Micro \| Gallery \| Wallpaper

NetSurf users hit by HSBC account freeze

Published: 23rd Oct 2006, 03:19:16.

RISC OS machines accused of being backdoored by viruses

NetSurf users are reeling from HSBC's shock decision to suspend their accounts because their RISC OS computers are allegedly infected with spyware. The high street bank has confused the open source browser NetSurf with a strain of PC malware going by the same name, and has locked their customers out for security reasons, it is believed.

Days after celebrating the fact that NetSurf was finally able to log into the HSBC online banking website, RISC OS users were stunned when letters dropped on their doormats telling them they were banned from using their accounts. Punters say they were forced to turn up at their local branch with photo ID and sign a form promising to use Microsoft Windows XP with anti-virus software installed before they could access their money again.

In the letter, HSBC told RISC OS users: "An unauthorised person may have used your internet banking security number to log on to your Personal Internet banking. We believe that a PC that you use to log on to Internet banking may be infected with spyware. It is important that you do not use this computer until the problem has been identified and fixed. Some spyware programs can log your keystrokes, gathering personal data, then sending this to criminals."

There have been no reports of the existence of any Internet-based spyware for RISC OS. NetSurf and HSBC user Dave Ruck said the bank's decision had left him "nearly destitute" and "probably seriously overdrawn" with no way of paying off his bills. Another user, Tim Hill, fumed: "It is simply not good enough to test a website with a handful of mainstream desktop browsers or limit access in that way."

A HSBC technical support staffer said in response to complaints: "I cannot unfortunately confirm whether you would be able to access the accounts again using [NetSurf] or if the accounts would again be disabled. I have however escalated the matter to the concerned department who would be looking into the issue you faced. In the interim however, please use the browsers supported by us to access your accounts as these are browsers have been tested on our sites."

Through its so-called 'user-agent', NetSurf declares its name and version to websites as simply 'NetSurf' - whereas many other browsers lie and claim to be the latest release of Microsoft Internet Explorer running on Windows to dodge careless checks introduced by lazy webmasters. It is thought a piece of harmful PC spyware that is known to identify itself as 'netsurf.exe' is being confused with the NetSurf web browser, and therefore setting off alarm bells at HSBC.

Over the weekend, the NetSurf development team stressed they could not confirm that the problem was due to NetSurf's user-agent. Coder James Bursa said it is possible an unknown bug in NetSurf's handling of cookies or forms may have triggered HSBC's security systems. The team are sticking by their decision not to change the user-agent string, adding that punters can download and edit the source code if they want to change it. The release of NetSurf 1.0 will likely see the browser user-agent declare itself along with a version number and other details, according to James.

HSBC say they will only support Internet Explorer and Netscape on Microsoft Windows, Apple Mac or GNU/Linux systems.

Links
NetSurf website
HSBC website

Discussion

Viewing threaded comments | View comments unthreaded, listed by date | Skip to the end

Well, AFAIK it is always tricky to do things like online banking with a "weird" OS.

But I think that NetSurf should allow the user-agent to be changed - perhaps even such that it changes automatically for the odd website configured (like the one of this bank). Without that feature this nice browser will - as the others already do - probably make even more users decide that RISC OS is no good for webbrowsing since it is to be expected that the odd website checks the browser used and will refuse what they don't know. Since the chances that NetSurf will be well-known enough in the near future to be acknowledged by such websites it should be able to trick them.

hzn on 23/10/06 7:21AM [ Reply | Permalink | Report ]

*speechless*

CheatWarrior on 23/10/06 8:12AM [ Reply | Permalink | Report ]

Hope this has gone to the Sun and Star...

CharlesB on 23/10/06 8:35AM [ Reply | Permalink | Report ]

In reply to hzn:

Privoxy can be used to change the user agent string. AFAIK it hasn't been ported to RISC OS yet, but it definitely works with Netsurf if you run it on another machine. I would expect that porting would be fairly straightforward.

gdshaw on 23/10/06 8:38AM [ Reply | Permalink | Report ]

Change banks and let them know why!

mripley on 23/10/06 8:45AM [ Reply | Permalink | Report ]

This could be only the "tip of the iceberg" showing ID, signing a form promising to use Microsoft Windows XP.

The bank may go "the whole hog" and declare that customers shall not go to the bank in a British made car! (just kidding).

The amusing part about it is that the bank would be better off supporting RISC OS if they only knew the truth. I agree with mripley, change banks and let them know why.

Sawadee on 23/10/06 10:24AM [ Reply | Permalink | Report ]

My internet banking has been re-enabled this morning so at least I can now admire the size of my overdraft again.

If anyone wants to confirm whether it is the user agent string which is setting of the HSBC attack dogs, then make sure you have paid your bills this month and then use another browser such as Oregano2, which is known to work without problems with HSBC, and change its browser faking string to just "NetSurf". Then check your door mat tomorrow morning.

druck on 23/10/06 11:02AM [ Reply | Permalink | Report ]

So much for using net-based banking services. I don't trust online banking, when I need I go to nearest ATM and make payments/transfers/whatever. Occasionally, I go to bank for services I can't do with ATM. But I agree with Mripley/Sawadee, change your bank ASAP and make them know why!!

bernie on 23/10/06 11:09AM [ Reply | Permalink | Report ]

What hasn't been mentioned so far, that as well as cutting off internet banking HSBC thoughtfully also disabled phone banking, just incase NetSurf also contains a speech synethesier and VOIP software

druck on 23/10/06 11:29AM [ Reply | Permalink | Report ]

Browser-based banking is not very secure anyway, there are lots of ways to attack it. Although many banks in Germany still offer the web-based systems, they also have established the HomeBanking Computer Interface (HBCI), wich defines a standard for secure transmission of banking data between a bank-server and a specialised secure homebanking software. There is also an open-source implementation of the standard available at www.aqbanking.de/.

JGZimmerle on 23/10/06 11:49AM [ Reply | Permalink | Report ]

JGZimmerle:

It's interesting you should say that. When Internet banking started growing in the UK, most banks created intricate proprietary systems using Java, javascript and so on. My understanding is that many banks now use standardised solutions based on TSL (using authentication certificates and key-exchange) as they consider this to be pretty secure. I believe this is why more and more banks are becoming accessible to RISC OS (unless they do what HSBC has done, of course!).

The majority of ways to attack banking sites are based on social engineering and attacking other vulnerable parts of the system, rather than during the transmission stage. HBCI certainly looks interesting though.

flypig on 23/10/06 12:49PM [ Reply | Permalink | Report ]

It makes a mockery of their adverts on TV of being the worlds local bank.

Revin Kevin on 23/10/06 3:04PM [ Reply | Permalink | Report ]

Of course, the whole mention of certificates reveals one area where Netsurf is genuinely less secure than their preferred browsers (along with all other RISC OS browsers, although I don't know how easy it is to get the certificates into RO Firefox).

SimonC on 23/10/06 3:12PM [ Reply | Permalink | Report ]

hzn: Should any form of ability to perform user-agent faking be added to NetSurf, it would be on a per-site basis; there would be no global setting. All too often, if people are provided with the ability to change the UA globally, they do so in order to access a site, then forget they've changed it and all future browsing they do claims they're using whatever browser they're faking, which defeats the point of having a UA string at all.

SimonC: Perhaps you'd like to post to the NetSurf mailing list about this issue, providing rather more information. If there's truly a problem, I expect it would be investigated. For reference, NetSurf ships with the same root certificate bundle as Firefox and if it can't verify a certificate's validity (for whatever reason), it will ask the user to decide whether to accept the certificate for the current session. To aid you in your decision, it provides access to the complete certificate chain.

jmb on 23/10/06 3:36PM [ Reply | Permalink | Report ]

For clarification, RISC OS Firefox does not presently ship with _any_ root certificates because of the reliance on using shared libraries to implement this, so will always ask.

mrchocky on 23/10/06 4:13PM [ Reply | Permalink | Report ]

In reply to jmb: A per-site user-agent faking would be absolutely perfect - and unfortunately user-agent faking is necessary in some cases.

In reply to JGZimmerle: The main security risk for web-based online banking are the OS vunerabilities and the user. I guess RISC OS is fine on that account - not that it is safe but it is so unknown that it is currently not attacked. As for the user: Who clicks on links to a bank in his mail etc. will probably do so when using some online banking software and thus be the main risk.

In reply to gdshaw: "Privoxy..." True, but then I might as well use some other browser or OS or bank.

In reply to druck: I'd like to have that VoIP software for RISC OS :-)

To Drobe: Amazing: Ads by Google lists "Hsbc Bank. We've Found the Best 4 Sites About Hsbc Bank. Banks.Best4Sites.net" :-)

hzn on 23/10/06 5:04PM [ Reply | Permalink | Report ]

jmb: My apologies. I was under the impression that Netsurf didn't ship with any at all, and didn't check them either (mostly because I've never been asked about when using Netsurf, but have a few times when using Firefox outside of RO).

SimonC on 23/10/06 5:21PM [ Reply | Permalink | Report ]

One of the things that always annoys me when this sort of thing happens is that the perpatrator doesn't even understand what he is talkng about: "use the browsers supported by us". For real? You support the browsers? Hello, I have a problem with my copy of Internet Explorer, please come out and fix it. If they had any concept of what they were talking about they would say "the bowsers that support us".

Or, the browsers that understand our horribly corrupted and strangulated coding...

jgharston on 23/10/06 9:38PM [ Reply | Permalink | Report ]

You mean "the only browser our techs use and believe they understand"

VinceH on 23/10/06 11:24PM [ Reply | Permalink | Report ]

Barclays requests online users to:

1. Use a personal firewall and AV s/ware; 2. keep their browser and OS up to date;

and include links to MS, Firefox and Apple. The Firefox link takes you to v1.50 on the Mozilla webpage, which AFAIK is the same as the current RO version. So - in theory - users of RO Firefox beta5 in conjunction with a firewalled router + RO 5.12 with VProtect installed have met the Barclays' requirements. But I'm not sure I'm willing to bet my bank balance on it ....

bucksboy on 24/10/06 11:06AM [ Reply | Permalink | Report ]

bucksboy: Would you be willing to bet your bank balance on it meeting those requirements on a Windows machine? I can't think how that RO setup would be riskier than that (OK, as mentioned above the RO Firefox always prompts about certificates, but you can examine them if you want to).

SimonC on 24/10/06 11:38AM [ Reply | Permalink | Report ]

I don't think the risk is greater under RO + Firefox (quite possibly less); my worry is what the position of the bank might be in the event of an unauthorised withdrawal when they discover that I am not using a 'standard' platform and browser combo. OTOH, Barclays haven't specified a recommended platform or browser - they have simply given general advice - so one could argue that those conditions that are specified (see earlier post) /have/ been met.

bucksboy on 24/10/06 12:18PM [ Reply | Permalink | Report ]

I've just been using HSBC online banking using MSIE and Windows with the useragent string set up to report "NetSurf". Everything seemed fine, but we'll see if I get a letter in the next few days ;-)

Personally, I highly doubt that it's the user agent string causing the problem and think it's more likely to be broken/nested forms or cookie issues.

not_ginger_matt on 24/10/06 2:04PM [ Reply | Permalink | Report ]

HSBC technical department have already acknowledged it is due to their systems detecting accesses coming from a program with a similar name as a piece of Windows spyware. Unfortunately they are having difficulty getting the concept of running legitimate software on an alternative operating system, and are continuing to tell me to download Windows anti-spyware software and to use IE or Netscape.

druck on 24/10/06 3:17PM [ Reply | Permalink | Report ]

Having dealt with many technical departments, they generally know very little and will happily fob you off by simply agreeing with whatever you say. Do you honestly trust the technical competency of anyone who still suggests Netscape as a browser? Aside from this, I don't believe that netsurf.exe even changes the useragent string (I'll set a box up over the next few days to confirm this too but I have never seen it in any of the server logs I've looked at for sites with *large* volumes of traffic.) !NetSurf, however has known form and cookie issues which I'm going to test (I'm not near my RiscPC until Thursday) by running a build of the app with a MSIE-compatible useragent and accessing a different (unlinked) HSBC online bank account. I definitely think that actually exploring the issue for ourselves is the best way to go here.

not_ginger_matt on 24/10/06 4:12PM [ Reply | Permalink | Report ]

Bucksboy:

I use Netsurf to access Barclays and have never had any problems. I meet the first requirement easily (Select Firewall and !Killer) and I'm sure I meet the second one by being a Select subscriber and regularly downloading Netsurf test builds. ;-)

Jades on 24/10/06 8:22PM [ Reply | Permalink | Report ]

Its usually just a clause to protect banks from liability. e.g. if your not up to date we're not liable if your account details are stolen.

I work for HBOS, so would worry more about compatability on our sites, we don't care what browser/os you use as long as its secure enough to stop people stealing your account details. So if it doesn't follow our recommendations we have no liability.

HSBC has gone into 'nanny mode' and actually disabled accounts, which is not only poor service, but removes the customers choices.

JDC on 24/10/06 9:15PM [ Reply | Permalink | Report ]

Well done HSBC, not only do you close my local branch, making life monsterously inconvenient for non-drivers like myself. Now they are trying to tell me what sort of computer I can own. It is a good job I cannot get Netsurf to run on my Iyonix*. Sorting out a problem like this would be a nightmare.

*("Internal Error : undefined error at <random hex string>" error message when I doubleclick the icon).

JWCR on 25/10/06 11:16AM [ Reply | Permalink | Report ]

druck: "HSBC technical department have already acknowledged it is due to their systems"

Time to contact the banking ombudsman/regulator, perhaps, especially if you're out of pocket because of their swift but less than smart reaction.

guestx on 25/10/06 11:54AM [ Reply | Permalink | Report ]

JWCR: Please post details to the NetSurf mailing list and we'll try to resolve any issues you may be having.

not_ginger_matt on 25/10/06 2:19PM [ Reply | Permalink | Report ]

Comments from [link] continued here.

diomus on 25/10/06 11:20PM [ Reply | Permalink | Report ]

For a reference, NetSurf is great! :@P Cheers guys!

em2ac on 26/10/06 12:04AM [ Reply | Permalink | Report ]

Much to my astonishment, and I'm sure to others' too, a letter came from HSBC this morning to say that they had "modified our systems to re-enable access from the NetSurf browser."

Behold pink pigs in the air! :-)

I've posted more about this on c.s.a.misc.

With best wishes,

Peter.

pnyoung on 26/10/06 2:55PM [ Reply | Permalink | Report ]

Sounds like at least they are capable of admitting they got something wrong and doing something about it. I wouldn't have been surprised if they hadn't just continued with "not our problem, use IE".

SimonC on 26/10/06 3:56PM [ Reply | Permalink | Report ]

Please login before posting a comment. Use the form on the right to do so or create a free account.

Create a new account
Forgot your password?

Search this website

This week's poll

Recent developments have left me feeling...

Assured ROS will appear on new hardware		55%
Pleased OS desktop features are being developed		10%
ROL and ROOL will eventually kiss and make up		5%
App developments are critical		10%
Dave Holden sleeps easy at night		19%

Discuss this | Archives