Wednesday, February 08, 2006

Damn Banks...

Now, don't get me wrong, I think internet banking is a great thing. Anything that can help me avoid entering a real bank and standing in line for ages waiting for some surly wench to make me feel guilty for moving my money somewhere else is fine by me. I am also aware that there are many people out in the big wide world that like to do unscrupulous things to obtain money and/or goods.

Yesterday, I needed to go into internet banking to transfer some money around, credit card, extra savings, etc., and was greeted by the following login screen:
[Flickr photo: screenshot of the new login page]


Last Thursday, Westpac decided to roll out their new improved secure internet banking site. It is all the same as before except for this login page. It is good that they are trying to stop people stealing money from unsuspecting customers, but this time they have gone a wee bit too far... plus there is no way to go back to the old-skool way of actually typing a password.

The only way to enter your password is to use the mouse to click on each of those graphical keys. Looking at the source behind the page, the buttons are just a series of form controls firing some javascript functions to enter your password into the locked text box at the bottom right. What used to take a couple of seconds to enter your password now takes up to 5 times longer because javascript is shit, thus the buttons don't respond to multiple clicks all that well.

I totally understand the reason why Westpac has changed the password entry to avoid key logging applications, but this new method opens up a few more issues that are just as bad. People can now easily see where you are clicking on the screen, so checking your banking in a semi-public place is now a riskier prospect. Also, writing a program that records where you are clicking on a web page when at a certain domain (in this case 'olb.westpac.com.au') is a trivial task. Because of the layout and constant spacing of the buttons, you can build a map quite easily of the possible buttons pressed, reducing the number of passwords to try to a handful, especially if the password uses the buttons at the extremities. Alternatively, linking into the javascript engine to get the functions called and parameters passed isn't much more of a stretch.
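The fixed-grid problem described above, as a small added JavaScript model (not Westpac's code, and the keypad geometry, ten digit keys and 5-column grid are assumptions): with the same layout every session, the recorded click positions alone identify the keys, while a per-session shuffled layout turns those same positions into a different string for anyone who only saw where you clicked.

```javascript
// Added illustration (not Westpac's code) of the post's point: on a fixed keypad
// grid a click position alone identifies the key; a per-session shuffled layout
// breaks that coordinate-to-key map for anyone who only sees where you clicked.
const KEYS = "0123456789".split("");      // assumed: ten digit keys
const COLS = 5, KEY_W = 40, KEY_H = 30;   // assumed geometry, in pixels

// Lay keys out row-major on the grid: {key, x, y, w, h} for each button.
function buildLayout(order) {
  return order.map((key, i) => ({
    key, x: (i % COLS) * KEY_W, y: Math.floor(i / COLS) * KEY_H, w: KEY_W, h: KEY_H,
  }));
}

// Fisher-Yates shuffle; rng (returns [0,1)) is injectable for deterministic tests.
function shuffled(arr, rng = Math.random) {
  const a = arr.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Resolve a click at (x, y) to the key under it, or null if it missed the keypad.
function keyAt(layout, x, y) {
  const hit = layout.find(k => x >= k.x && x < k.x + k.w && y >= k.y && y < k.y + k.h);
  return hit ? hit.key : null;
}

// Coordinates a user produces by clicking the centre of each key of a PIN.
function clicksFor(layout, pin) {
  return pin.split("").map(ch => {
    const k = layout.find(b => b.key === ch);
    return [k.x + k.w / 2, k.y + k.h / 2];
  });
}

// What an observer who only recorded click coordinates recovers, given the
// layout they assume was on screen (the post's "map of possible buttons").
function recoverFromClicks(assumedLayout, clicks) {
  return clicks.map(([x, y]) => keyAt(assumedLayout, x, y) ?? "?").join("");
}

// Constructed demo: the same PIN entered on a fixed layout and on a shuffled one.
const fixedLayout = buildLayout(KEYS);
const sessionLayout = buildLayout(shuffled(KEYS));
const pin = "2580";
console.log(recoverFromClicks(fixedLayout, clicksFor(fixedLayout, pin)));   // "2580"
console.log(recoverFromClicks(fixedLayout, clicksFor(sessionLayout, pin))); // wrong unless the shuffle left those keys in place
```

Shuffling only helps against an observer who sees coordinates; it does nothing against the other approach the post mentions, hooking the page's own javascript functions, which receive the key itself regardless of where it was drawn.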

I really don't know the solution to this problem, but making it more cumbersome to use a service is not the right way to go about business.

2 comments:

Nick said...

I still think daily monitoring of your bank account is the best way to stop any unauthorised access. Making it harder like this (and CitiBank do the same) just makes the user experience more frustrating. But if it makes Mr & Mrs Joe Average feel more secure about online banking then the banks will be happy.

Craig said...

"But if it makes Mr & Mrs Joe Average feel more secure about online banking then the banks will be happy."

I think you missed a step there Nick...

"But if Mr & Mrs Joe Average feel more secure about online banking and put more money into that bank thinking it is more secure, then the banks will be happy."