My bank has a website allowing to perform most (though for some reason not all) activities in the account, and see the current status.
Since my income is more or less the same each month, and I have my regular deposit instructions, I rarely have the need to go straighten things out at the site. I do get over to the bank occasionally, so it’s simpler to just step in and talk with the investment consultant (or whatever the official term is) in person.
All this to say that I haven’t used that site in quite a few months. But now I did have a somewhat larger amount of money sitting in my checking account, and I figured it would be simpler to put it on something bearing interest rate through the site, instead of going to the bank in person.
I entered the site, put it my user name and password (OK, it’s a bit more complex than that, I’ll get to it soon), and was surprised to see that they’re not valid. I checked, and it turns out my bank is a believer in the idiotic concept of password expiration. In their opinion just because a few weeks have passed, never mind actual uses of the password or what I did with it, the password is suddenly less secure. And since I wasn’t on the site at the time frame where they would have asked me to replace the password, they just expired it.
Well, off I went to the bank to deal with the money, and while there I also asked them to reset the password. There wasn’t any problem with that, and they gave me one of those automatically printed sealed envelopes with the newly generated password inside. Which like all such bank password is the absolute best (yes, I’m being ironic) in secure passwords, being a short string of numerical digits only. Funny, that.
At home, I tried to log into the site again. Now, most anything password protected has a user name, which is supposed to make sense and be easy to remember, and a password, which is supposed to be non-obvious and secret. They don’t.
They have a user name, but that user name is assigned from the bank, and seems like a short random string of letters and digits with no obvious relation to my name or bank account (and it would have been a better password string than the auto-generated one they gave me).
They have a password. The one I was given, which after signing in I would be prompted to change.
And they have an “identifying field”. Which in my case is my account number, zero padded. I have no idea what’s the point in that, since the whole concept of the user name is to be uniquely identifying per user. Why would anyone need both the user name, and the identifying field? Plus, if the identifying field is so obvious then it serves no practical security purpose.
So I switch browsers, and login. What I expected was to be asked to replace the temporary password with a new one, and this is indeed what happened. Except the form I received wasn’t one for replacing the password. Instead it was titled as new user creation, which is a bit confusing since I was using the exact same user name, and accessing the exact same bank account. Not only that, but I had to enter my same user name and identifying field here, or it wouldn’t accept them. So it was a password change screen, but very wrongly titled and labelled.
I entered my details, and new password. And wanted to log in into the site. I was transferred to a page telling me the site was generating a new key, and then it asked me to install and run an ActiveX control. I refused, and received an error that the key could not be generated, and I cannot access the account. Why would they need an ActiveX control running on my side in order to allow me secure login in beyond me. As I mentioned, their site already supports SSL. Implemented correctly, than more than good enough. Certainly better than whatever proprietary scheme they and their ActiveX control are implementing, which can contain a large number of bugs and weaknesses they don’t know about.
But I did need to access to site, so I tried again, this time giving permission to run an ActiveX control on the page. After a few seconds it happily told me everything went fine, and I was redirected to the main page of the site.
And was confronted with a very large web form, titled as new user registration. Only unlike the previous one that contained only the user-name/identifying-field/passwords, this one contained fields for my real name, address, and lots of other personal details, all on its first part. Its second part had a list of areas of interest, with a field for email address to receive news from the bank about them. The third part allowed me to enter an email address or cellular phone number (for SMS messages), and had a EULA. This legal agreement started off by stating that I’m interested in the bank’s service for receiving various publications on financial services.
I don’t want their news, and I don’t want their services. The whole form, all three parts, had just one “Next” button. Meaning that I either accept everything, or nothing. I could potentially enter my personal details, and leave all the other items unchecked and unselected, to indicate I don’t want them. But that EULA prevents that, as I have to agree to it before proceeding. And I wasn’t willing to do that.
So was I in a problem? Were I unable to register to the site? Not at all. The site menus (Two of them, both at the top of the screen, and at the side) were already there, and I could navigate to other pages without a problem. I could see my account details, and manage my account and money, no problem. Which to me strongly indicates that I’m already registered to the site. So why do they give me, every time I logged in since then, a form titled “Site Registration”?
Microsoft VBScript runtime error ’800a0009′
Subscript out of range: ‘[number: 0]‘
/Premium/SPECIFICFILES/Premium/AM_MyAsset1.asp, line 85
The site, BTW, is extremely slow. Very very very slow. Page loads can be in the range of 10, or sometimes double that, seconds. And because it’s all done with those controls, and with frames (Yes, frames. Frames are getting very unpopular everywhere, but this site still loves them dearly), it means that the browser indicated that the page has finished loading rather quickly, with the page still being totally blank, or with gaping white holes. There is no way to know that it’s still getting the page, except to wait in the hope that it’s working and not stuck. Very bad design, that. It’s bad for a quick site, but it’s terrible for a slow site where you have this dilemma on every single page load. And some of the times it really did die (either that, or I was just too hasty in refusing to wait more than a whole minute for page load), so it’s not as if every time I waited enough the page eventually came through.
This is Israel here, and the language is Hebrew. The site was in Hebrew as well. And most of the time everything went fine, giving the browser no problem. The characters were in the correct code page, and in the correct writing direction (Hebrew is RTL, not LTR like English). Except that some page weren’t. Not entirely critical, since it’s possible to select a different code page through the browser, but it’s very unprofessional. And can be quite confusing to computer illiterate users of the site.
And while most of the functionality was there, some pages were clearly broken. Some of the pages, showing certain types of deposits, has a disabled drop-down list of the bank accounts, and no details. This despite the fact that I have deposits of the relevant types. So some parts of my account are not accessible from the site, even though the site is visibly designed to deal with them.
More amusingly, these drop-downs are badly designed. Usually they work simply enough, defaulting to the main account, and allowing to select another one, or some relevant subset. But some pages gave it as a selection, with a “next” button, and the default item was “All Accounts”. Which sounded fine to me. But the “next” button didn’t want to go anywhere. I had to open the drop-down, and select one of the other options, for a specific account. I assume “All Accounts” was not so much an option as the name of what the drop-down list showed, and they should have either eliminated it as an item, or named it “please choose…” like all those standard web forms wanting you to choose a value without a default.
Another interesting design decision was to put access to preferences/settings/options both on the top menu, and the side menu. The one on the top menu even had this cute little icon next to it, and accessible everywhere (the side menu changed based on the area on the site). Naturally I tried the one on the top first. Which, regardless where I pressed its link from, just redirected me to main account details page. The one on the side menu worked well enough, though.
What are disk settings, you ask? Good question. In the long long past, when they just went on-line, they also didn’t trust SSL. So they had this external program used to encrypt (hopefully) the communications to the bank. And it kept the encryption key on a diskette. The idea was that you could take the diskette with you, so nobody could access the account without you, and yet you could access it from everywhere. Yes, whoever designed that wasn’t too bright, I agree. But that’s the way it was.
These days they don’t really use those disks any more, but the terminology still involves them (When getting the password, I had to sign a form saying I received a disk, and am agreeing to keep the disk secure. Yet no disk was involved. Seriously). And this page seemed like it allows to choose to actually require the usage of the disk for some sorts of transactions. I didn’t try to make the change, not having a disk and all, so I don’t know whether it actually does something, or just there since they hated to lose the screen after working so hard to design it.
Oh, they also had a page there stating that the site is best viewed under a 800×600 resolution. This may be a good time for me to state, in case anyone doesn’t know it, that most people use 1024×768 or higher. 800×600 is so passée.
Which leaves us just with the fascinating subject of “mail”. See, they have two totally different things. One is messages from the bank (Of which I had none, despite not checking them for months and months). The other is “mail”. Which, as it turns out, includes messages from the bank.
I think the term “mail” refers to the fact that these are the same message they send you in the post if you don’t get to check them in any other way. Since it would eventually become mail if they have to send it, they decided it must be mail in any case.
It did make me hope that maybe they will allow reading them like mail message. Getting them through an encrypted mail server would be both secure and comfortable, since I could easily set my mail program to check it automatically, and to read it comfortably. But no such luck, any relation to Internet mail standards is totally non-existent.
The main menu page shows in the corner the amount of unread “mail” messages. When I logged in there were four. After I read them there were, obviously, none. Yet as I kept navigating the site the number there kept changing. Sometimes I saw there weren’t any unread mail messages, and sometimes it showed there were four. Excellent refresh there.
I went to see the mail. There was this table, with the subjects of the message, the date they were sent at, and the date they were “downloaded” to the computer (which was blank at the first view). It was possible to click on one in order to open a new browser pop-up window with it. And there was an option to mark some of the messages (no “select all”, I had to go one-by-one through the lot of them) and download them to the computer. Downloading them seemed like a good idea, since according to the text on the site if I read them on-line then they won’t send them in the mail, meaning that I’ll have no confirmation of ever seeing those messages. It also means that from now on I’m not checking “mail” on the site.
I pressed the download button, and got to a screen with some explanations on how to read the downloaded messages. Apparently it requires a password. The password consists of the number of the branch of my bank I’m using (not secret, and in the bank’s listings), the digit 0, and my account number (also non-secret, and printed on about any interaction with the bank whatsoever) padded with 0s to eight digits. This is presumably the exact same way a password would be built for any other user on the system. So it doesn’t serve security against any attacker who is even half-serious.
I pressed the download link again. At which case IE showed a message that it blocked downloading an unsafe file. This is IE’s nice way to say that it doesn’t let me download executables, even if I want to, unless I approve them specifically. So I navigated on the short menu to where I can select to allow downloading this file for this time. Except by the time I done that I got redirected back to the main account page of the site, and didn’t get the file.
After a few such futile attempts I realized that the only way to download it would be to add the bank’s site to my secure sites link. Because I totally trust the people who design a site so well, requiring me to run their code on every turn, and even have me download an executable just to read some textual messages.
But that’s the only way to get the file, so that what I temporarily did. I then went to the mail area again, selected all the message again (they all had a downloaded date by now, the site didn’t notice my browser never asked to actually download the file it generated), and went to download them. I read again the password instructions, and pressed the second download button (the password instructions are all you get after the first one).
Stopping to read the instructions may have been a mistake. I started the download, and most of the way though the download hanged. Either they have a really bad connection, or they want to (for security reasons? Such as what?) expire the file quickly after generating it, assuming everyone would download it very fast. In any case all I ended up with was a corrupt file I could do nothing with. I had to clear the browser’s cache and download it again (without clearing the cache I just got back the same corrupt file, since the generated file had the same name).
Finally I downloaded the executable file. It was a self-extracting zip archive. Which, if you run it, is set to automatically create a folder of the same name inside the current folder, open everything into it, and run an exe file inside there. No questions or confirmations asked. Very rude.
The internal executable has the original name “Decrypt”, which had the internal name of “CPExplorer MFC Application”. No request for downloading the MFC libraries was made, so I guess on many computers the thing will just refuse to run. It also shows that possibly the bank didn’t write it, and didn’t think to change the name to something containing their own.
It also came with a DLL file called “DES3dll.dll”, so I guess the encryption they’re using is triple-DES. Though why send their very own implementation is, again, beyond me. Very odd.
In addition, the directory contained lots of HTML files and image files. Just what the site showed when reading those “mail” message. Except that the HTML files were encrypted, and appeared like junk at first glance. Though that didn’t stop them from keeping the html file extension, instead of naming them something else.
When the program was run, it opened a screen asking for the password. This password window did not appear in the task bar (So it’s not as obvious to some people how to switch to it), and did not have a title bar (so couldn’t be moved from the centre of the screen).
If instead of entering the password I pressed the “cancel” button, it closed down, leaving the created directory and files intact. Same if it was run with the password, and later closed. So many of the bank’s users must have lots of these leftover junk files still on their drives.
After entering the password, a window opened with the main html file of the index. A simple table of the messages. Clicking on the link to any of those caused the program to copy it into a temporary folder, decrypt it, and show it.
Except that it didn’t. The file names of the messages were in Hebrew. And since apparently their program isn’t UNICODE, it couldn’t find the Hebrew file names. All I got was an error message that the files cannot be found, with a garbled file name of how the Hebrew name looks like in Western characters.
The solution for that on Windows XP is to change, under regional settings, the default code page of non-UNICODE programs to Hebrew. I have no intention whatsoever of doing that at the moment. Not for this stupid “mail” reader of my bank, in any case.
Bad, bad, bad programming and design all around…