Westpac, one of the big banks here down under, recently added some "features" to their online banking to "provide added password protection". As both their IT and security people are brainless monkeys on crack, the "added protection" is reducing both security as well as usability in a major way. Quite an achievement to fuck up that grandly, I'd say.

The new online banking login (have a look at its full broken glory) forces you to enter your password via an online keypad. With the mouse only. Keyboard entry VERBOTEN because it might aid the TERRORISTS. With the mouse cursor nicely visible to any bystander. With only 6 character long passwords allowed, and only caseless alphanumerics. No TAN system offered, BTW.

Their claim on the help page that "The online keypad was introduced to provide added password protection." is an especially bold slap in the face of anybody with at least a bit of security awareness.

Net Results: less usability, because the mouse entry takes ages compared to just typing 6 chars. drastically less security, because every fool can now see your mouse move around and where you clicked.

And the implementation is done just annoyingly enough so that making your own fronted html page that feeds the fucker is infeasible. Have a look at the javascript silliness in the source: every page load gets a distinct "malgm" and "halgm" string variable, the password chars control which chars from malgm are selected (different for every load again), the halgm is appended to the mess and all this is submitted via https. What they want to achieve with this is beyond me; the substitution makes no sense security-wise as an intruder sitting on the client's box will have both substituted data and the page describing the substitution. And https is an honourable^Wend-to-end encrypted protocol, so no eavesdropping needs to be countered.

Ah well, I sent my bank (who uses Westpac's backend) a complaint and will soon unearth just enough Perl DOM to extract all the crap from their login and build a safe frontend page again...

[ published on Thu 09.02.2006 14:26 | filed in interests/anti | ]
Debian Silver Server
© Alexander Zangerl