Is it OK to hold credit card numbers in cookies, Santander? (seclists.org)
364 points by Garbage on Oct 15, 2012 | 189 comments



What sort of clowns stored the credit card number in a cookie? Seriously? What a breathtakingly stupid show of total incompetence.

Was considering switching my personal account to Santander, have been looking to move away from Natwest for a while now. Natwest are a dismal failure of a bank to the extent I'm always happy to go out of my way and dissuade people from associating with them in any way. I'll be writing Santander off my list for sure now. How on earth can you trust them after seeing this?

For a business who HAS to take security seriously, for a business with a LOT of resources, for a business who hold YOUR cash this is utterly pathetic and inexcusable on their part.

Leaving them might be a good idea for your personal security, unfortunately the UK is a little short of good banks. Would love to see someone shake up banking like Stripe has shaken up online payments.


Maybe I'm an ignoramus, but what's wrong with storing your credit card number in a cookie, as long as it's encrypted? This is how session management is typically done, right? Your session information is stored encrypted in a cookie so that on subsequent page requests, the server still knows who you are, but the session information is encrypted and decrypted on the server, so that the client can't forge the session information.

If this technique is good enough to make sure that you still are who you said you were when you logged in, why is this not good enough for storing other sensitive information? And if it's not good enough for session management, then you're in deep trouble anyway, since someone else can now log in as you and funnel all your money into their Swiss bank account.

Edit: As it turns out, it seems that most cookie-based session data is only stored cryptographically signed, rather than encrypted. The reason for this seems to be that HMAC signing is up to 4X faster than encrypting with Blowfish.


The level of 'good enough' security for banking is higher than general web browsing. Even though a user input for their CC number would be encrypted in transmission, that encrypted value is not stored for a long period of time. A cookie, even if encrypted, would allow for a greater ease of access, in general, so now it may be possible for a malicious user who is targeting the site to possibly gain many encrypted values - which depending on the encryption algorithm could allow for finding a flaw.

For session management - that's not the only way to handle user information. Often the web server will store a unique hash value and temporarily store the user's information on the server with the associated hash. Note: if you're not using sticky sessions on server connects or a distributed server-side session object, that user's info will be lost on reconnect if they hit a different web head.

And no, it is not entirely good enough for session management, which is why when you're on amazon.com or other online sites and you go to your account you are prompted to reenter your password. It is another level of security, but nothing is perfect.

Amazon/ebay/etc would usually do this because they have unencrypted parts of their site you can be directed towards, or unencrypted services, which would expose the cookies in transmission for session information [although I'm pretty sure they've got secure cookies for some parts of their acct mgmt]. Online payment processing forces https for cookies and for session management and sets server & client side session timeouts, expires the cookie to prevent any possible future session hijacking, as well as many other procedures to secure their online services. There's a lot to PCI compliance.

edit: as phil said, HMAC is good policy if you store information on users on the client side, but I wouldn't put anything more than user tracking or analytics info in there.


> Maybe I'm an ignoramus, but what's wrong with storing your credit card number in a cookie, as long as it's encrypted? This is how session management is typically done, right? Your session information is stored encrypted in a cookie so that on subsequent page requests, the server still knows who you are, but the session information is encrypted and decrypted on the server, so that the client can't forge the session information.

No, that's not how session tracking works. The server uses a cookie to assign you a temporary ID, and then creates a corresponding storage area "server side" which can contain data like credit card numbers.


That's how _some_ session tracking works. See Rails' CookieStore strategy for session storage for example: http://guides.rubyonrails.org/security.html#session-storage

> Rails 2 introduced a new default session storage, CookieStore. CookieStore saves the session hash directly in a cookie on the client-side. The server retrieves the session hash from the cookie and eliminates the need for a session id. That will greatly increase the speed of the application, but it is a controversial storage option and you have to think about the security implications of it:


That's not how secure session management works.


It's plenty secure in the sense that you can't forge a session. It's not secure in the sense that the data is inaccessible if you know how to base64 decode a cookie.

If you're using cookie sessions, you should know better than to store sensitive information in the session.


In other words, because they are holding sensitive information in their cookies encoded only via base64 it's not secure. In other words, what I said.


But it is not even encrypted. And AFAIK most (sane) sites do not store your account information encrypted in the cookie, they store a session id. This session id is then used to find the relevant session information which is stored on the server.


Well for starters, it's common practice (e.g. in Rails' cookie store, but many others too) to leave the cookie contents as plaintext and just append a HMAC so that you know they haven't been tampered with.
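Added example, not code from the thread or from Rails itself: a cookie store in the layout the comment above describes (base64 payload, then "--", then an HMAC), to make concrete the earlier point that such a cookie cannot be forged but can be read by anyone who base64-decodes it. The secret, the JSON payload format and the `_app_session` cookie name are assumptions for the demo; the Set-Cookie line uses the Secure and HttpOnly flags discussed further down the thread.

```ruby
require 'openssl'
require 'json'

# Server-side secret. Assumption for this demo: a random 256-bit key that
# never leaves the server (Rails keeps its equivalent in secret_key_base).
SECRET = OpenSSL::Random.random_bytes(32)

# Rails-3-style CookieStore layout: base64(payload) + "--" + hex(HMAC-SHA1).
# Nothing is encrypted; the MAC only stops the client from changing the payload.
def sign_session(session_hash, secret = SECRET)
  data = [JSON.generate(session_hash)].pack('m0')          # strict base64, no newlines
  mac  = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  "#{data}--#{mac}"
end

# Constant-time comparison so MAC checking does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash if the MAC is valid, nil for forged or mangled cookies.
def verify_session(cookie, secret = SECRET)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless secure_compare(expected, mac)
  JSON.parse(data.unpack1('m0'))
end

# What anyone holding the cookie can read with no key at all: signing
# protects integrity, not confidentiality.
def read_without_key(cookie)
  JSON.parse(cookie.split('--', 2).first.unpack1('m0'))
end

# A Set-Cookie line with the attributes the thread mentions: Secure (sent over
# HTTPS only), HttpOnly (hidden from document.cookie) and a short lifetime.
def set_cookie_header(name, value, max_age: 300)
  "Set-Cookie: #{name}=#{value}; Path=/; Max-Age=#{max_age}; Secure; HttpOnly"
end

if __FILE__ == $0
  # Constructed demo session; 4111111111111111 is a well-known test PAN.
  cookie = sign_session('user_id' => 42, 'card' => '4111111111111111')
  puts set_cookie_header('_app_session', cookie)
  puts "server sees: #{verify_session(cookie).inspect}"
  puts "anyone sees: #{read_without_key(cookie).inspect}"
  forged = [JSON.generate('user_id' => 1)].pack('m0') + '--' + cookie.split('--').last
  puts "forged cookie accepted? #{!verify_session(forged).nil?}"
end
```

Running it shows the same hash from `verify_session` and from `read_without_key`; the second function never touches the key, which is the whole objection to putting a card number in a signed-only cookie.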


> it's common practice (e.g. in Rails' cookie store, but many others too) to leave the cookie contents as plaintext and just append a HMAC so that you know they haven't been tampered with.

This approach seems strange to me. Why is this approach taken? Why not encrypt everything?

I only really know anything about writing server-side web code from using Play Framework, which provides a "session" object for storing information in the browser using the cookies mechanism. Everything in the session object is kept encrypted on the client in a cookie.

The most common use for the session information is to store a user ID and/or a session ID, but I believe it not uncommon to use this to store additional small bits of information if this will take some load off of your database and/or cache, and to help the server be more RESTful/stateless.

Edit: It turns out that I was not quite correct about Play. Like Rails, it seems to only sign the session cookie, rather than encrypting it. From looking at some benchmarks for the performance of HMAC vs Blowfish, it seems that signing with HMAC can be up to 4X faster than encrypting with Blowfish.


It is based on the observation that most apps only store the user ID and other non-sensitive data in the session. Storing the session in the cookie then brings many benefits. It does not require any server side session store maintenance, it is very fast and scalable because no database lookup is required. The fact that this store should not be used for storing sensitive information is well-documented in the Rails security guide. For storing sensitive information, one can use many of the alternative session stores available, such as the ActiveRecord session store which saves session data into the database.

We at Phusion have created an encrypted session store in the past (http://blog.phusion.nl/2010/04/13/announcing-encryptedcookie...). However we've found it to be of limited use (and indeed, it doesn't look like many people use it). If your data is sensitive then you're better off storing it on the server. If your data is not sensitive then encrypting it doesn't help you.


I don't know either why this is the default in Rails. In PHP you only have a session id in a cookie. When I first saw how it works in Rails (Ruby?) it blew my mind.

I don't want to think about how many Rails users don't know this and send sensitive data to the client.


The advantage -- and it's often a big one -- is that you don't have to have a corresponding server component to translate session id to session state. The state is all in the client.

Edit: wouldn't have written this if I'd seen FooBarWidget's more detailed remarks first.


"Never trust the client"


The session information is cryptographically signed, so you don't have to trust it! These stateless server frameworks are just using the client as a state cache.


The information is usually already publicly available: for example the Facebook graph API uses the same setup for some of their basic API methods (such as letting a site log you in through Facebook) - base64 encoded JSON user data and an HMAC signed with a private key + timestamp. Since the data is already publicly available (it's your Facebook user id and other publicly available data), there's no need to use a more costly encryption algorithm. The HMAC is there to confirm to the server who manages whichever associated online service (that also created a Facebook app you just gave access to your profile) that this is good data, since they've got the secret on their end that the staff registered with on Facebook. HMAC is fast.


> HMAC is fast.

Ah, yes I see. I just found a benchmark that shows HMAC to be up to four times faster than Blowfish. Well, that explains things.


No, it doesn't. No one should be using Blowfish for anything (except its key scheduler for bcrypt) and Blowfish is known to be slow as hell. A SHA-2 HMAC is basically identical in speed to AES-CTR. Sure, you want an HMAC on that, too, but whatever -- get a modern processor or an AES coprocessor. I guarantee this is not your performance bottleneck.


>The most common use for the session information is to store a user ID and/or a session ID, but I believe it not uncommon to use this to store additional small bits of information if this will take some load off of your database and/or cache, and to help the server be more RESTful/stateless.

Ah, another reason to hold REST in contempt...


Even if the cookies would be properly encrypted, it still violates PCI DSS mandatory requirements - you aren't supposed to store or send a full credit card number unless necessary for an actual transaction.

They could do without a (full) CC number there. Ergo, it's a violation.

It's simple defense in depth, and does reduce the risks - say, if the encryption you thought was secure really isn't, etc.


IANA security expert but I think session info is somewhat protected by the short TTL. The amount of time required to get at the session data should (hopefully) exceed its window of validity.


I've found Santander to be absolutely ghastly as soon as any exceptions to their core process occur. Anecdotal, but in my opinion you're probably better off avoiding them anyway.


I'll second that. We had a mortgage with them for a while and the general impression was one of a constant state of chaos and incompetence.


They seem to be laying off staff as a cost cutting exercise, the ones that are left mean well but are swamped.


Barclays online offerings are pretty good as well, depends on how much you can ignore their slightly shady ethics when it comes to investment banking. They also weathered the last financial meltdown a bit better than the rest, so there's that.

UK is definitely missing a trustworthy, ethically sound bank though.



Got there seconds ahead of me. Co-op (and Smile, their internet alter-ego) seem to be the ethically best choice. And their customer service is the best of anyone, ever.


Ditto. I have had an account with them for some years, and have always been incredibly pleased with their customer service.

As another commenter wrote, their online banking is "primitive", but it's usable.


I'm assuming it'll get upgraded when they move over to the lloyds tsb infrastructure. I have no idea how good that is.


I've heard negative things about their online banking and customer service, but those were a while ago so I'm not sure what the state of play is now. Could be worth a try, I do like their ethics.


Their online banking is fairly primitive, but it does the job. One thing which I find particularly funny is that if you want to have a standing order which continues indefinitely, you have to put a value of 999 in the "number of payments" field. I would have thought having a tickbox which says "Continue payments indefinitely" would be better from a user perspective.


Their (Smile) online banking is "not bad for a financial institution", and if that sounds like damning with faint praise ...

Particular nits are:

- pressing the browser 'back' button triggers an immediate logout
- they don't use email for anything except to tell you they've sent you a "secure message" that you have to log in and read
- no data export (though there are greasemonkey scripts)

Their customer service I've found to be fine unless you want anything unusual, complicated, or to be done in a timely fashion. Much like any large company, really.


I've also found the customer service to be pretty good for the standard stuff but there is a blurry line between smile and The Co-operative Bank that confuses them.

For example, I can pay in a cheque or withdraw funds over the counter in a Coop Bank branch, but if I want to set up a foreign bank transfer I have to use an online secure message. When I asked why I was told over and over "smile is an online bank". Which I suppose is true, up to a point.


The one almost inexcusable omission from their online banking is any way to download your statements. You have to scrape the data from the pages themselves, and infuriatingly, they display the page of most recent items in a slightly different format to older pages, making it a pain to merge data scraped from different pages.

In lesser annoyances, they make you do a stupid amount of typing to log in, about the only bit of which is actually secure is two randomly selected digits from your 4-digit PIN. All other info is insecure: account number, sort code, first school attended, yada yada yada. All in all they make you enter something like 30 characters spread across 3-5 input boxes and two pages, all for about 6 bits of actual entropy. Unless, of course, you're the sort of person who when asked to tell your bank what your first school was, replies "8EOHzxdO6QnJ".


I must admit I haven't personally used them so I can't comment on either of those things, but from a purely ethical point of view you are not going to get much better from a leading bank.


Could you elaborate? What makes the Co-operative Bank the best choice from an ethical standpoint?


(http://www.ethicalconsumer.org/buyersguides/money/bankingcur...)

> Another mutually-owned business, and a clear best buy in the report is the Co-operative Bank. Since 1993 – and in response to the kind of concerns shown above – it has been developing detailed public position statements on who it will and who it will not lend to. These now cover seven human rights areas, five environmental areas, four international development areas and five animal welfare issues. More details are available at www.co-operative.coop/corporate/ethicsinaction/ethicalpolicies. It also uses your money to campaign on key issues of the moment such as unconventional fossil fuels or the decline of bees. Although other banks have come up with similar policy statements, none come close to the Co-operative’s for clarity and ambition. One of the most frequently asked questions at Ethical Consumer is how the Co-operative can be a best buy when its score is much lower than other providers. Our answer is that its relatively low score is the result of it being part of the Co-operative Group which – as a supermarket – is involved in animal farming and other activities which its banking competitors are not. Best Buys are there for us to apply a sense check to our mechanistic, but largely useful, rankings. In other areas, we weight key categories for the sector when choosing the best buys – such as workers' rights and supply chain management for clothing. In banking, having a clear ethical lending policy is a prime concern, which is why the Co-operative tops the pile.


They're owned by their members (hence the name), and operate pretty much exclusively as an old-school retail bank without any of the other banking activity that tends to at least wander into ethical grey areas.


I used to think that Mutuals would have their members' interests first and foremost. Certainly they never tire of telling people that. But my actual experience is that it's not true. Mutuals, commonly, are like any business where the owner (the membership) isn't paying attention, and the result is a business that puts the interests of the staff first. Service to members of a mutual society can be every bit as bad as any public listed company and is often worse, because the lack of a profit incentive means no one gives a damn.


That's a bit of a strawman I think — surely by the logic you're using, the existence of a profit motive would mean that the company was interested only in serving its shareholders and would ignore its consumers? There are plenty of examples of this, but it doesn't mean it's true generally of profit-making companies.


apart from the massive loan (£40 million) they have given to the Labour Party.


On the subject of "slightly" shady, let's not forget Barclay's enabling (via a questionable naming rights deal) of neighborhood-killing, taxpayer-fleecing eminent domain abuse, either:

http://atlanticyardsreport.blogspot.com/2012/06/t-shirt-im-s...


What's the problem with the MTA receiving $200,000 in free money? Nobody even knew what Pacific St. was anyway -- it's a minor one-way street that doesn't even go through at Flatbush. (The station should have been called Atlantic/Flatbush or Atlantic/4th but the MTA doesn't really name stations that way.)

Barclays Center is built above a rail yard, which wasn't really doing much for the neighborhood either. All the hate for Barclays Center is completely misguided and the complaints are just the NIMBY types looking for something to whine about.

So I don't understand how anyone could possibly call redeveloping a rail yard into a stadium "shady". Maybe you don't want the foot traffic in your neighborhood, but it's hard to blame Barclays for that.


Does any country have one of those?


I think part of the incompetence has to do with what talented engineers want to work on. Most of us here on HN would never dream of writing mundane business logic software for a bank. Why would we, when we could be working on much more interesting problems, while earning a lot more money, working in a much more stimulating environment? This leaves mediocre programmers who can't get jobs at {Google, Facebook, Microsoft, Amazon, Startup X}. Talent goes where the money is, and the money is not in writing a bank web service.


the money is not in writing a bank web service

This is the real issue. Banks can certainly afford to hire qualified engineers; Santander apparently chooses not to.


> Santander apparently chooses not to.

because their customers chose not to care (at least, until shit hits the fan). A bank (or any conservative organization) will only really react, as it is too slow to become proactive (otherwise, it'd be by definition, no longer conservative! ala, google, facebook etc).


Because regulators don't do their job. Private customers shouldn't be responsible for auditing their bank - instead, regulators should enforce fines for banking privacy and security breaches that are an order of magnitude greater than the cost of implementing the systems securely.

The banking rules should be so that even an immoral Scrooge would see proper security as the cheaper, cost-efficient way compared to screwing their customers with shoddy systems.

If a bank teller violates financial privacy by leaking his customer's transaction lists, it carries criminal penalties in many countries. Why should a manager who intentionally violates banking privacy of thousands of customers face less prosecution?


In theory, I'd rather have it in a cookie than unprotected in a database. In practice, anyone doing something that stupid will have XSS exploits rendering that information available to anyone running an exploit.

While security and encryption are definitely not easy (and far less so when you're talking about adhering to PCI-DSS Level 1, which somehow actual banks never seem to do), there are plenty of well-tested libraries that make it significantly easier. Having said that, I'd prefer to see the data stored in plaintext - obviously bad - rather than using easily-broken encryption (short keys, re-used keys, bad key storage, poor algorithm, etc) which looks OK at the surface but provides a serious false sense of security.

What really blows my mind is that Visa and Mastercard never seem to require PCI certification for their issuing banks. Being deep in the industry I realize how many middlemen and layers of misdirection there are with this kind of thing (usually to get around these security requirements), but Visa's diligence process is actually quite thorough - at least in the US. I've been interviewed by PCI auditors, and my experience was that they were actually asking the right questions, and required demonstrations to prove your claims. But for all I know, that varies widely from auditor to auditor.


I don't know if you saw Bank of Dave [1] but it showed how difficult it is to start a new bank in the UK, even if you are going to be run responsibly and in a small way.

I find it difficult to imagine someone new entering this market place, other than "people" like Virgin and Tesco with deep pockets to back them.

[1a] http://www.guardian.co.uk/tv-and-radio/tvandradioblog/2012/j...

[1b] http://www.ft.com/cms/s/0/2ba372d4-d80b-11e1-80a8-00144feabd...

[1c] http://www.burnleysavingsandloans.co.uk/about-us/


Metro Bank managed to open recently, apparently it took some time but was entirely feasible


It also cost around £15 million to do, before the first branch opened!


Apparently it is the best capitalised bank in the world... it's expensive to open a bank now.


First Direct consistently scores highly on customer service, you might want to try them.


Their online banking interface is a bit old and crummy. I don't believe they take security seriously either.

They force a 640px popup window that deliberately hides addressbar, so you can't easily check if it's HTTPS.

My browser warns me that their site still has SSL renegotiation vulnerability unpatched.


Would you consider doing everyone a favor and link the results of the https://www.ssllabs.com/ssltest/ Qualys SSL labs test for that site?



Do you have any grounds for this disbelief or do you just go around changing the subject to make unsubstantiated assertions? FD's customer service (the subject of the parent comment) is beyond excellent, they set the standard to which all others should aspire. The comment about hiding the addressbar is simply tinfoil hat-ism.

You are the first and only person to mention the SSL issue so far as I can see, given the quality of your other comments I am inclined to disregard this as you not understanding what you were being told or because you are using a defective browser.

EDIT: I've just logged in, my popup window (Firefox, OS X) does have an address bar. My instinct was correct, you have no clue.


Firefox simply does not respect firstdirect's wish to hide the addressbar, which doesn't mean they're not trying.

Safari obeys their wishes fully.

Run this in JS console before clicking "Internet Banking"

    window.open = function(){console.log(arguments)}
and you'll see:

    ["/1/2/pib-service", "pib", "toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=1,resizable=1,width=780,height=510,top=0,left=0"] 
Note "toolbar=0,location=0,menubar=0" which is a quite strong attempt to hide all window chrome.


FYI: It's possible to open that popup in a new tab.


I switched to FD over a decade ago after many cock-ups by NatWest (my previous bank for ~6 years), been happy since. A few minor problems, but they have always been fixed quickly to my satisfaction.


If the bank does not have a two-token security system, it is not secure. A single password should never, ever, anywhere, be enough to legally prove identity or validate a bank transfer.


Natwest are a dismal failure of a bank to the extent I'm always happy to go out my way and dissuade people from associating with them in any way.

Just as a countering data point, I've been with NatWest for 14 years both for personal and business banking (plus a business credit card) and have had nothing but an excellent experience with them (the only negative I can think of is their online banking goes down for maintenance at 2-3am sometimes for an hour or two).


I would agree with you. I have been with them for 20 years and I have never had one problem with them. They even let me off with some overdue charges (which were my fault) when I asked them nicely.


A little bit off-topic, but in what way(s) is Natwest a "dismal failure of a bank"? I had a Natwest account a few years ago when I was in the UK, and I was happy with it at least in relation to the other bank I had an account with.


I graduated 5 years ago with a maxed 2K overdraft. Last year I went to the bank to reduce the limit and the nice lady informed me I hadn't been paying interest the whole time on it; she promised not to tell.


Doesn't seem too awful to store obfuscated credit card details in a short-lived cookie with httponly and secure set. (Say, in a checkout flow where you have to hold the credit card details somewhere for a couple minutes).


It's terrible

- I have no idea if it's PCI compliant (I would hazard a no here)

- Obfuscation is such weak security it should be considered as pretty much worthless

- It's vulnerable to cookie jacking over non HTTPS

- It's vulnerable to theft if you have access to a computer where someone has logged on

There are other ways of doing it; putting it in a short-lived cookie is one of the worst ways.


> Obfuscation is such weak security it should be considered as pretty much worthless

Say obfuscation = encrypted.

> It's vulnerable to cookie jacking over non HTTPS

That's why you use the secure and httponly flag for the cookie.

> It's vulnerable to theft if you have access to a computer where someone has logged on

Pretty much everything is vulnerable to theft if you have access to a computer where someone else has logged on.


If you encrypt it, either you use a different key for each user's data, which means you're storing per-user session data on the server so you may as well store the cc number there, or you're not storing per-user keys on the server which (and I'm not a crypto expert here) probably opens you up to known plaintext attacks if an attacker gains access to many users' cookies.

Are there any actual crypto experts reading who'd comment on the dangers of encrypting multiple credit card numbers with the same key? Keep in mind for a single bank the first 4 digits of a credit card will all be one of two choices (their Visa or Mastercard prefix) and for a single branch I think the first 6 digits will be the same for every customer's Visa card, which only leaves 9 digits (and the checksum).

Surely a naive approach like:

  $encrypted_cookie_text = any_encryption_function($sixteen-digit-cc-number,$global_key);
could be brute forced pretty readily; with a knowledgeable guess at the first 6 digits and an understanding of the checksum algorithm, you're only left with one billion possible numbers. (In fact, I wonder if rainbow tables already exist for this for various values of any_encryption_function()?)
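Added example, not code from the thread: a working version of the attack the comment above sketches. It assumes the naive scheme (one site-wide key, no IV, so equal card numbers always give equal ciphertexts) and assumes the attacker can obtain ciphertexts for card numbers of their choosing, for instance by entering cards into the site and reading back their own cookie. With a known 6-digit BIN and the Luhn check digit fixed by the other 15, the attacker enumerates candidates, builds a ciphertext-to-PAN table and looks up any stolen cookie; no key is needed. The demo enumerates only 20,000 of the ~10^9 candidates to keep it quick. The BIN 411111 and the victim number are constructed; the AES-GCM function at the end shows why randomised encryption defeats the table (though, as others in the thread say, the real fix is not putting the PAN in the cookie at all).

```ruby
require 'openssl'

# Luhn check digit for the first 15 digits of a 16-digit PAN.
def luhn_check_digit(body)
  sum = 0
  body.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.even?   # double every second digit, starting just left of the check digit
    d -= 9 if d > 9
    sum += d
  end
  (10 - sum % 10) % 10
end

def luhn_valid?(pan)
  pan.length == 16 && pan[-1].to_i == luhn_check_digit(pan[0...-1])
end

GLOBAL_KEY = OpenSSL::Random.random_bytes(16)  # assumption: one site-wide key

# The naive scheme from the comment: same key for everyone and no IV or nonce,
# so the same PAN always encrypts to the same bytes. A 16-digit PAN is one AES block.
def naive_encrypt(pan, key = GLOBAL_KEY)
  c = OpenSSL::Cipher.new('AES-128-ECB').encrypt
  c.key = key
  c.update(pan) + c.final
end

# Every Luhn-valid PAN under a known 6-digit BIN; only the 9 account digits
# are unknown. `limit` caps how much of that space the demo walks.
def candidate_pans(bin, limit)
  width = 15 - bin.length
  (0...limit).map do |n|
    body = bin + n.to_s.rjust(width, '0')
    body + luhn_check_digit(body).to_s
  end
end

# Dictionary attack: the block is the attacker's encryption oracle (in practice,
# submit a card number to the site and read back the cookie it sets).
def build_table(bin, limit)
  candidate_pans(bin, limit).each_with_object({}) { |pan, t| t[yield(pan)] = pan }
end

def recover(table, ciphertext)
  table[ciphertext]
end

# Randomised alternative: AES-128-GCM with a fresh 96-bit nonce per encryption.
# Two encryptions of the same PAN differ, so no lookup table can be built.
def gcm_encrypt(pan, key = GLOBAL_KEY)
  c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  ct = c.update(pan) + c.final
  nonce + c.auth_tag + ct
end

if __FILE__ == $0
  victim = '411111000012345' + luhn_check_digit('411111000012345').to_s  # constructed PAN
  stolen = naive_encrypt(victim)                                        # the cookie value
  table  = build_table('411111', 20_000) { |pan| naive_encrypt(pan) }
  puts "recovered from naive cookie: #{recover(table, stolen)}"
  puts "two GCM encryptions equal? #{gcm_encrypt(victim) == gcm_encrypt(victim)}"
end
```

The table costs one encryption per candidate and is reusable against every cookie ever captured from that site, which is what makes deterministic encryption of a small message space (here at most 10^9 values under one BIN) so weak regardless of how strong the cipher is.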


If you encrypt it, either you use a different key for each user's data, which means you're storing per-user session data on the server so you may as well store the cc number there

I don't see how that follows. Storing credit card details on the server is generally a bad thing to do and takes a lot of work to get it to be PCI compliant.

What would be wrong with a different key/salt per user stored on the server, with the credit card number stored in a short-lived, secure, httponly cookie?


Obfuscation is not the same as encryption. Do not make that mistake!


True, but encryption is merely a computationally unfeasible form of obfuscation


I don't trust a site that stores my CC information in a cookie to always serve HTTPS pages.

Also you didn't address the most important point, PCI compliance.

The method Santander employs is unquestionably a bad way to do things.


If the cookie is set to secure it won't be sent in a non-https request.


At the very least, the data (encrypted or no, but it should probably be encrypted) on the server related to a session lives outside the webroot, whereas in a cookie, even if it is encrypted, it's still essentially public. If there's no reason to have that data, explicitly, exposed in the client then why put it there?


Maybe a naive question/response on my part but why not rather encrypt it and hold it in a session? Or if you have to put something in a cookie, just a reference that points to some data on the server like an id, which has no real meaning to the end user?


I may be missing something, but what does it mean to "hold something in a session" if not to either (1) store it in a cookie (encrypted or not) or (2) store it server-side with a token stored in a cookie pointing to it?


I meant storing it on the server - just preferring not to have any actual cc data on the cookie, even obfuscated or encrypted. It may be a distinction without a difference, though, I honestly have never dealt with anything more complex than your basic 'hash username and password and check the hash when they login' scheme.


That means holding the credit card information on the server. Seems safer to hold it temporarily on the client.


https://www.simple.com/ your wish has just been granted. Or close, perhaps. :)


I actually quit Santander(UK) because of their security policies. They essentially changed online banking so you had to give them a mobile number and then had to get a code from a text message they sent you to login.

My question to them was "what happens if I don't have a mobile phone?" and "What do I do when I am on holiday abroad?" and their responses were (paraphrasing) "You won't be able to use online banking at all in either of those cases."

In order to just get this response I got transferred between like four or five different customer service reps. So I quit my bank of like ten years and when I quit they didn't even care enough to ask my WHY I was quitting.


Funny I actually prefer their system of texting to confirm new payees (on business banking it's only to setup new payees not ones you've used before).

I almost always have my mobile handy, even abroad, however trying to find & use that darn HSBC dongle every time I want to login or add a payee drives me nuts.

I can certainly understand that it's a bit silly if they don't have a workaround for when you don't have a mobile though.


You can still receive texts when you're abroad for free from your bank (I rely on this). As for not having a cellphone, I'm kinda puzzled they didn't give you another option.


In Turkey all the banks are required to use SMS validation while logging in, by law. You can receive SMS for free while you are abroad. You can use Skype or Google Voice, but yeah I know it is more expensive.


Slightly on-topic. I have been trying with some banks in the UK trying to find the best online banking system and I am not happy with the results so far.

HSBC works quite well but the login system (with a RSA key) is annoying. I can accept it for actions like transfers but most times I just login to check my balance and transactions, requiring a token seems too much for me. Their design, even if not great, works.

MetroBank seems great from the outside but their system has some issues. First, to login you need your account number, a password and three digits from an 8-digit PIN. After logging in, you can do everything without any other measure. The system fails to login most times unless you realise you can just click on the link in the error message and logged in you are. A friend told me to use the incognito mode in Chrome and it seems to fix this issue, probably with sessions. Their design is not the best. On the transactions page you can only see 3 or 4 transactions on the screen at a time (without scrolling, that is).

I am waiting to try Santander (which I will avoid now) and Northern Rock.

Any good experiences?


I have account with both HSBC and smile (online branch of the Cooperative Bank).

HSBC is as you describe - seems pretty secure, but enormously frustrating that you need the dongle just to check balances etc. They'll only provide a single dongle, which is annoying as I want to access my bank from both work and home. The dongle is small enough that you could fit it in a wallet if you wanted to avoid that, but then you're more at risk of losing it.

For Smile, to login you just need your numbers, including 2 digits from a 4-digit PIN selected via drop-down. I guess this is to avoid keylogging but seems a bit odd as a shoulder-surfer could see quite easily. For any new/unusual payments, the card-reader is needed. They were happy to provide me with a second reader so I can bank from home and work. The reader is too bulky to carry around though, so this is necessary.

The other thing Smile do is heavily plug "Trusteer" software on every login. Fortunately this is not yet mandatory.

On the whole I prefer Smile's approach, though I'd be happier if they could provide a smaller dongle that would be easier to travel with.


I just keep the HSBC dongle on my keyring. Initially I was doing this so that it would break and I could order another one in disgust at how fragile it proved to be, and repeat until they got the idea.

I have been utterly thwarted in this plan. The damn thing refuses to stop working.


FirstDirect is better than HSBC, while still being part of the HSBC group. Their phone service is a lot better, with lower time-to-human, and Scottish accents instead of Indian ones. Their web usability is still pretty bad, though.

There's no ridiculous calculator-shaped hardware token. To log in, FD requires 3 characters from your password, and a "secret answer" — effectively, another password. Infuriatingly, they disable the Enter key in the log in form, so a mouse click is necessary.

FD's web UI is stuck firmly in the 90s, with nested menus, cramped screens, and plentiful transitions. Even the log out button redirects to another screen, in order to ask for confirmation.

Finally, FD give you £100 as an incentive to switch, and an additional £100 if you switch back out.


Erm, I can login into my HSBC bank account (to check balance, etc) with 3 chars from my password

I just need the token if I'm doing 'something' with money

And no Indian accent on phone service

Another bank I know uses your card as a token, requiring you to have your card + a card reader. Better in some aspects, worse in others.


I still use my HSBC bank account from time to time, so I stand by what I said. In fact, I just checked this for you.

Logging in to HSBC's web UI requires me to "Generate and enter the six digit security code", using my hardware token, which I never have when I need it.


Oh, I'm not saying you are wrong, it may be a difference of accounts/account type.


HSBC US allows login w/o dongle. HSBC UK requires it, at least for me.


> Infuriatingly, they disable the Enter key in the log in form, so a mouse click is necessary

You can hit Tab (will select proceed) and then hit Enter. Much less annoying :)


HSBC have been an absolute NIGHTMARE for my business. I'd urge anyone in the UK to avoid them for anything. Below is the rant I sent to their complaints department after I had decided to ditch them after one foul-up too many.

tl;dr: It took me weeks to register; they refused to expedite new codes to me after a cockup at their end; then when they eventually allowed me to use the service they declined EngineYard and Google apps payments every single month for over a year for "fraud prevention reasons".

In the process of switching… not sure who to yet.

--

Over a year ago I began the process of opening a business bank account with HSBC over the telephone. I'd already completed incorporation of my business and had a provisional acceptance from HSBC via their online application system. Someone was to phone me to ask some cursory questions. Through this conversation it emerged that one of the directors in the business had somehow mistaken his gender when filling out his paperwork, and there was a pause while we waited for Companies House to update their records.

A few days passed, and with the records amended, I ventured into the Fulham Broadway branch of HSBC to complete this process. I explained to the gentleman hovering menacingly near the doors what I needed to do.

"I see. Come with me to The Business Centre," he said solemnly, visibly annoyed that I was wearing yesterday's jeans and no socks.

He deposited me in a chair and assured me that someone would be over to see me shortly. Instantly, another gentleman arrived and inquired as to what I needed. I explained my situation again. Ah, yes, of course. I needed to see a Business Advisor. Did I have an appointment? No, but the office was empty. Ah, yes. Right this way.

The second gentleman led me to a third representative of HSBC's towering capacity for inefficiency. A portly lady squeezed into a too-tight uniform, tucked inside a glass livestock enclosure; she motioned wordlessly to a chair. I ventured that I had a reference number. She pecked away with her exquisite fingernails on the tiny plastic keyboard in front of her and then abruptly stood, and stalked to a printer, rolling and heaving her monstrous body against a uniform visibly weakening at the seams.

"What," she said, looking at her screen and then, for the first time, at me, "did you hope to do today?"

I explained, for the third time, that I needed to conclude the opening of my business account–a process I'd started over the telephone and had been assured I could pick up in a real life, physical, open-now-on-Sundays-thanks-to-Nat-West retail bank. She nodded.

"So all we need really is to physically ID the other directors and we're done."

Nobody had mentioned this, and one of them was in France.

"Sorry, there's nothing we can do until then."

Could I just drag them into another branch and have them sign something? I could. Splendid.

Thus resolved, Director #1 and I went to the London Bridge branch of HSBC a few days later. He was clutching a disparate range of proofs of his identity, from bank statements to utility bills.

We explained to the 'Customer Host' what we needed to do. He ushered us up some stairs to The Business Centre, a grandiose term for two offices, a deserted reception area and a jolly looking woman stationed in a narrow glass booth.

After being left alone for several minutes, with no more obvious option, I approached her and, for the second time that day and the fifth overall, explained what Josh and I needed to accomplish. She motioned to the first office, which had an open door. "My colleague will be able to help you with that."

We went into the office. The man behind the desk looked up from the screen, creating the illusion of progress.

"Can I help yeh?" He asked, through the indolent, Americanised drawl of an east London schoolboy.

Once more I explained. Keep count.

"Yeahyeah, if you just take a seat, someone else will help you widdat."

Widdat, we sat and chatted about central American politics for a few minutes.

Another man, with a hole where it seemed obvious an earring usually was, walked past us into the office with Widdat in it. He gesticulated in our direction and then cast a wary glance over his shoulder at us.

He approached us and, as you might have expected, asked us what it was we were there to do, in a mumbling approximation of Widdat's voice which might have seemed like a parody if the intellectual bar set by HSBC's staff so far hadn't been so terribly, terribly low.

He explained, in a roundabout way, that he had to do some work and had an appointment coming in ten minutes, but that a lady would be along to see us very soon indeed, and that if she wasn't, he'd take care of us.

We resumed our discussion for what seemed like a very long time–and not because of Josh's constant oversimplification of the complexities of US paternalism. Eventually, Widdat #2 came back out and invited us into his office, muttering about the receptionist not being at her desk.

Instead of asking what we wanted to do, he began to faff about with his computer. I trotted out the most succinct version of my mission to date.

"I started the process of opening a business account with you. I was told I needed to bring in ID for the directors so you could verify them. I have one of them with me, with his ID."

"Right yeh but there's loads of paperwork to do to conclude and everything, it's maybe 25, 30 minutes and I have appointments and that."

We didn't need to do the paperwork. Could he just scan or photocopy the ID and say that he had seen it?

"I can take the ID from you but I can't give it back to you. We have to keep it. Sorry. You can either go into another branch and try to get it done or come back here and see me."

There is a box on the form for HSBC's Business Banking application which asks you how much you intend to deposit into the account. I assume Widdat #2 hadn't seen it, because I wouldn't ordinarily expect to fight someone to give them or their business several tens of thousands of pounds.

I lost interest. I told him it was ludicrous. He didn't disagree. We left. As a last chance I dropped into their deserted Clerkenwell branch and spoke to a business advisor who told me the previous HSBC employees I'd dealt with were all idiots and that it was very simple. We had the account opened in minutes.

Internet banking is very important to me because A) it's 2012, and I don't see a very good reason for highstreet banks to exist and B) I quite like the internet. So we registered for internet banking (which you have to do separately: is there really anyone who doesn't have or use the internet nowadays?). There are three parts of the verification system for this. HSBC posted me a 25-digit activation code, a cryptographic dongle thing, and another shorter code.

Ignoring the fact that a 25-digit activation code = 25! possibilities, which means HSBC have leave to create, I don't know, a BAJILLION online bank accounts, it's a fucking usability nightmare. Typing this stupid code into a computer, it's absolute overkill.

Oh, and they sent me two. Neither of which worked. The second one canceled the first, apparently (although they arrived at the same time), so I had to wait for a third code to be sent out. Nobody can do anything over the phone. You have to wait for the codes to arrive by post. They can only send them to the business address, meaning that you have to be in the office to pick them up. I spoke to a manager on the phone and politely asked what they could do to speed up the process of getting the code to me, since it was their mistake. Nothing at all, as it happened. They couldn't give it out over the phone, they couldn't send it recorded delivery, they couldn't courier it to me. Thanks for making amends for your mistake!

So after entering this 25-digit code, and another code which was a mix of alphanumerics, and picking a unique username, and specifying a password, and using my secure key dongle to generate a unique entry code, I finally get access to online banking about five weeks after the process begins, and I can finally pay our providers who have been patiently waiting (because they understand our pain–they also bank with HSBC).


Now, all this is pretty bad but manageable. Shitty customer service, a shitty system, and no attempt to make amends for failing to provide a decent standard of service. But we're set up, right? Not quite. HSBC is the only bank I know that actively prevents you from using your funds by periodically just declining your card.

We're a web business. Every month we pay a bunch of money to our web hosts (the brilliant EngineYard), Google Apps, AWS, etc. WE DO THIS EVERY MONTH. THE SAME AMOUNT OF MONEY. And every month an Indian dude calls me in the middle of my lunch, asks me to confirm a load of security questions, and then asks me to confirm the same transactions that I confirmed with him the month before that, and the month before that and EVERY MONTH SINCE OUR JOURNEY OF PAIN WITH HSBC STARTED.

Meanwhile EngineYard are sending us polite emails saying "Please pay us, your card was declined." The upshot is that we have a bad relationship with our hosts. I'd imagine that HSBC's website is hosted internally, because I know for sure that if it was hosted externally it would GET TURNED OFF ONCE PER MONTH BECAUSE YOUR FRAUD PREVENTION TEAM STOPPED PAYMENT FOR IT.

Three months ago I called HSBC and pointed out that this happens every month. "Ah yes Mr. Spencer, I can see that in your account. I can confirm that we will not phone you again about these transactions." Bull. Shit. Two months ago when they called back I brought it up again, in a slightly more irate manner. "Ah yes Mr. Spencer you need to speak to my colleague about that, hang on." I spoke to his colleague and explained it all AGAIN.

Then they called back a few weeks ago. I explained it all again. Everything was fine, again; no fraud or unusual activity (SO WHY DID YOU CALL?). The card is fine and working, the EngineYard payment will go through, I'm told. I explain to the guy that if I ever have a phone call like this again where I have to explain, for the millionth time, why my business uses American hosting providers, I will change banks and never look back. "No, no Mr. Spencer, I'm trying to help you. You just need to speak to my colleague..."

No, I don't. I've spoken to everyone. Nobody I have ever dealt with at HSBC has any respect for my time. I've repeated myself dozens of times with HSBC to no avail, at every step of the process, to different staff members who can't pass a message along to save me from having to explain it again.

I tell the Indian guy that I'll leave him to resolve it. If he can't then that's fine, we'll switch banks.

He calls back to say it's all resolved. A week later, an email from EngineYard. Card declined.

Cheerio, HSBC.


My wife has a horrible time with HSBC, and I always get a bit agitated when I see people recommend them, so I'm glad to see other people sharing their horror stories about them.

Her situation is that she visits family in Canada once a year. They won't make a note of her being out of the country if she calls them beforehand. The fraud people then call her if she needs to use her card at unsociable (for Canada) hours and never leave answerphone messages. When they do get her, they require her to answer security questions without identifying themselves first. If she calls them, the person she speaks to has no way of knowing if anyone has been trying to call her for any reason.

They are, in my opinion, the "World's worst Bank"


The problem is that they all suck. In the UK, I've tried NatWest (RBS), Lloyds, Barclays and HSBC and so far HSBC are the least worst... they are by no means good, but they're better than many of the others. They still have numerous problems though: customer service agents that disagree with each other and provide inconsistent information, that annoying online banking dongle, payments being declined at random (particularly embarrassing in shops).

Still, at least unlike NatWest, it didn't take 3 weeks of dealing with different customer services staff to withdraw some cash, and I never got their online banking to work at all... after repeated attempts. Every customer service staff member would make excuses about not being able to help me due to their security restrictions.


HSBC is one of the only banks to have a section on their Online Banking where you can tell them your travel plans and which cards you will be taking. Has always prevented fraud calls for me.


> They won't make a note of her being out of the country if she calls them beforehand.

I've done this both online and via the phone.


I don't know what the hell you do in real life, but you need to write books. Seriously your 2 comments were engaging, hilarious, and just fun to read. It's like a mini-story in a comment.


Thanks! In real life I run a startup which came about as a result of similar righteous indignation in a different field.


Out of all the incompetent people you mentioned, why did you feel the need to refer to another incompetent, who happened to be Indian, as the Indian dude. :( ... little things like this constantly remind me of our perception in the world.


It's because all those big corporations outsource their customer service to India and surrounding countries, and whenever we get a call from those outsourced agents, they're always unable to do anything because they're not given access to the big corps' network. So specifying 'Indian' most likely meant that - the typical outsourced customer service - instead of being a specific rant about the nationality. It could be any other nationality if the Call Centre of this World were held somewhere else.

Now I'm not saying this is appropriate or not, I'm just explaining the reference.


This 1,000x! I'm always friendly to the Indian guys, but it's really really frustrating that they can't answer questions for you.

+ there is a cultural gap, so sometimes it's hard to communicate about certain things; even though their English is good.


The Indian guys I speak to are never incompetent. They're always super helpful and friendly. I pointed out that he's Indian because it shows, for me, that HSBC cares more about the bottom line than they do the user experience. It doesn't mean that the guy can't provide the same level of support as someone in the UK, but it does mean that a whole bunch of users are going to phone up and have problems with the accent or feel that the support team is disenfranchised from the bank, and misattribute a negative outcome of the incident to the fact that the person is Indian. Whilst I'm super cool about Indian CS I really hate phoning Sky's customer team which is based in Scotland. My family is Scottish and even then I find some impossible accents up there.


Hey, at least you're not fat. He hates fat women even more than Indian dudes.


Thanks for reminding me, I've been meaning to switch from them for a while. Their telephone banking works until you want to ask them anything unusual (like more than ordering a new card, they just can't tell you any information) - it's totally shit.


This has been exactly my experience with HSBC. I moved to First Direct half a year ago, and so far, no fraud prevention Indians. Or Scots, for that matter.


unrelated, except an HSBC rant:

i opened an account online (US) in ... 2006? Transferred some money in - maybe $500? I don't know for certain because... read on.

In 2008 I went to check my balance. Whoops... can't remember my password. Whoops - you tried 3 times and we locked you out. Whoops - our 'internet banking people' aren't available 24/7. 3 days later - whoops - we'll have to send you something via the postal mail to reset your password (after I'd already answered 5 ID questions on the phone). 7 weeks later... nothing in the post. Call up - resend via post. 6 weeks later - nothing. "Sorry, there's nothing else we can do for you." "Can I have my money back?" "Sorry, we can't confirm who you are".

2010 - Letter from HSBC closing my account for inactivity. So... they know how to get a physical letter to my house. They know who I am. They know how much money I have (and have reported $1 interest to the IRS for 1099 tax forms filed every year), but they can not see fit to actually deal with me as a customer, even after holding my money for 6 years.


Did you, y'know, go into a branch and try to resolve this?


closest branch was... 180 miles away, iirc.

My experience with going in to big megabanks is that the 'internet' and 'branch' worlds are two completely separate worlds. I would expect HSBC at a branch to sit me down at a phone to talk to someone on their 800 number, like BoA does when I have a problem there.

If it would have helped, why would HSBC people on the phone not have suggested I go to a branch to resolve things?


I'm not sure we're yet at a point where we can have an online-only relationship with our banks. They just fundamentally don't work that way.


I'm in New Zealand and haven't been into a bank once in 6 years (well, I did once but then found I could do what I wanted on the phone, so did). My wife and I have bought 2 houses and sold one in this time. Papers signed at home by roving bankers and everything else by phone, email etc. Some things might require contact (business stuff?) but my stuff doesn't.


I'm another happy banking Kiwi. Sometimes it's easy to forget how lucky we are.


And here I thought Bank Of America was crappy for sending me a letter about fraud on my Home Equity Line of Credit which I do not have. And I did check, I still don't have one, and have refinanced since then which would definitely have turned one up if someone had committed identity theft.


I like the Barclays mobile app. You authenticate it once using a pin sentry device, and give it a pass code, and from then on you can just use that pass code to get your balance using the app. The app also acts as a pin sentry when you want to access your account using a computer.


That sounds like the same workflow as the HSBC app. I like it a lot and use it all the time to check my balance but it does not show many transactions, maybe ten only?


I've used quite a few over the years, Lloyds TSB was probably the best in terms of usability (but others will likely disagree). If I were choosing a bank though, I would be more interested in their ethics, hidden charges - which usually means avoiding PLCs.


HSBC refuses to allow me to login. I am unable to use their online banking. HSBC have been unable to fix this for me, despite months of trying. I gave up two years ago. I might try again.


Well someone has badly violated PCI-DSS 2.0.

This is bad in such an amazingly awful way on a "secure" banking website that I'm surprised that this bank even has an IT team, let alone a development team!

How did this not get picked up in QA testing, or even in a cursory audit?!?


I wonder what is the PCI DSS audit committee doing? I mean the world is full of idiots that need policing and that's why such organs exist in the first place.

Shit like this just shows that being PCI DSS level 1 certified means absolutely nothing in the real world.


The great benefit of PCI DSS is that a huge number of places choose not to store CC numbers when given a choice of trying to get an expensive PCI DSS certification and not storing CC numbers. We get less of small, random places handling data that they won't ever be able to secure (since it really is completely prohibitively expensive for a small shop to do it properly), and that is a good thing. Of course, the fact that certified places still often fsck up in some way is a bit sad, but at least there are less of them.


You got that right. Most IT shops I've noticed (at least in Australia) used to ask software vendors if their software was "PCI-DSS 2.0 compliant".

Stupid thing to ask. The only key things a software vendor can really answer is that they don't store credit cards in their database, or if they do then they don't display them to anyone. Everything else (well, almost everything else) can be dealt with on the infrastructure side of the equation.


> I wonder what is the PCI DSS audit committee doing?

Creating a racket. PCI is designed to control merchants and extract money, not for security.


I have to disagree with you most emphatically. PCI DSS was a response to a very bad issue, which was and is credit card fraud.

If you look at the DSS, it's eminently sensible and in fact if you implement it properly you will most definitely have a secure environment for credit card transactions. If you do not follow it, then you are leaving yourself at significant risk to be being breached and credit card data being stolen.

I'm curious though: what part of the PCI-DSS merely creates "a racket", and what parts "extract money"?


Actually I'm not sure which of the twelve requirements are being violated here. They could be compliant with part 3 ("Protect stored cardholder data") in their network. If the cookie is secure and only transmitted via SSL, they have a case for being compliant with part 4 ("Encrypt transmission of cardholder data across open, public networks"). Part 9 doesn't really apply here. Part 6 might or might not.


Actually, you aren't meant to store credit card data when it's not necessary. And credit cards are meant to be encrypted at rest - in other words, on encrypted storage, with a split key management system.

None of these things are being done.


Yes, that's true. But the letter of part 3 only talks about encrypting data at rest on your own systems; it mentions nothing about client systems. There's a huge discussion about whether or not the user's browser is within scope for PCI -- this is what systems like Stripe and Braintree are gambling on, that the browser _isn't_ within scope (Braintree actually makes this a big selling point; if you use their system, your platform is no longer in scope for PCI-DSS).

The PAN data -- the cookie -- is encrypted in transit, and if it's encrypted at every point in Santander's network then technically they could be compliant to the letter of the rules. I have no doubt that a company so dumb as to store your PAN data in a cookie is probably breaking a myriad number of PCI-DSS rules, but the card-data-in-cookie may not be one of them.


Does "You are only as strong as your weakest chain" mean anything here? It seems like the letter of the law here is not expressing the intent of the law. Sure, Part 3 didn't explicitly mention don't store it on a client machine because it's such a stupid thing to do there wasn't a point to expressing it. Doing such a thing completely undermines the entire PCI documentation because who cares how it's stored, transmitted, etc at the trusted source if it's written out to significantly less secure sources. Just go steal it from the least secure source. I fail to see how this language argument has any real point.


Santander ALSO stores your passwords in plaintext, or at least has access to them in that form.

My password used to include special characters, until a transfer to their new web interface a year ago. After they did it, I could not log into my account - it kept telling me that my password was incorrect. So I rang them up, and a lady on the phone asked if I had any special characters in my password. I said yes - and then she told me to try logging in without them, as the new system does not accept them and they were automatically stripped during the transition to the new interface.

At first I was like - ok, at least now I can log into my account. But then it hit me - how the holy fuck could they remove special characters from my password???? The only way they could do that is if they had access to its plaintext, which is completely unacceptable.

I complained to Santander about it, only to receive a letter stating that they appreciate my concerns but their system is safe.

I've got all the correspondence with them if anybody wants to see.


I believe NatWest and Halifax must do the same as they both ask you to "input characters x, y and z from your password" which I don't see how they could do without needing plain text storage. Of course I await being told how I am wrong with this!


Yup. Logging in to NatWest requires that you know your customer number, 3 numbers from a login PIN and 3 letters from a password.

They do use 2-factor authorisation for any new payees, so it's not totally insecure.

On the other hand, their recent 'get cash from the nearest ATM with a code we send to your phone if you've lost your wallet' app was soundly compromised by criminal gangs within days, and the service had to be pulled entirely. They're still advertising it on the homepage, but when you click through it says "We're sorry. Get Cash is not available at the moment. We are currently updating this service to increase the level of security around it."

Reading the blurb for the Get Cash service made a likely compromise route immediately obvious to me: it seems very likely that anyone who's had sight of your debit card could register an arbitrary phone & extract cash from your account, because the only details needed to verify your phone were on the card, or easily guessable (NatWest customer numbers are extremely predictable unfortunately).

If there was anyone obviously better I'd be dumping NatWest, but it's not obvious that any of the other major banks are much of an improvement :(


This is a separate code to your password, and there is no reason each letter could not also be stored as a hash after being salted with some personal information.


> there is no reason each letter could not also be stored as a hash after being salted with some personal information.

There's no technical reason, but you may as well just store it as plain text.

Even assuming everyone used all the available Unicode symbols (~110,000 according to Wikipedia) an eight character password would only require calculating 880,000 hashes in order to brute force every character.

Assuming a more realistic A-Za-z0-9, an eight character password is an absolutely pathetic 496 hashes. A 1,024 character password (good luck remembering that) is still a paltry 63,488.

For comparison, hashed as a whole that same A-Za-z0-9 at eight characters is 218,340,105,584,896 (62^8).

Hashing the characters individually changes adding more characters from exponentially increasing the work involved to linearly. It's as good as useless.
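The work-factor argument above, carried through in code as an added example that is not from the thread: the toy per-character scheme (one salted hash per password position, as a "characters x, y and z" login would need) is built, then each position is checked independently and the hash count compared with hashing the whole string. The scheme, the salt and the sample password are constructed for illustration; the functions reproduce the 496 / 63,488 / 880,000 / 62^8 figures from the comment.

```python
"""Added example: brute-force work for per-character hashing versus hashing
the whole password. The per-character scheme, salt and sample password are
constructed for illustration, not any bank's implementation."""
import hashlib
import string
from typing import List, Tuple

ALPHABET = string.ascii_letters + string.digits   # A-Za-z0-9: 62 symbols


def per_character_work(alphabet_size: int, length: int) -> int:
    """Hashes needed to exhaust every position on its own: linear in length."""
    return alphabet_size * length


def whole_password_work(alphabet_size: int, length: int) -> int:
    """Hashes needed to exhaust the whole string: exponential in length."""
    return alphabet_size ** length


def _char_hash(ch: str, position: int, salt: str) -> str:
    # Salt plus position so the same letter hashes differently at each index;
    # this is the "salted with some personal information" idea from the thread.
    return hashlib.sha256(f"{salt}:{position}:{ch}".encode()).hexdigest()


def store_per_character(password: str, salt: str) -> List[str]:
    """The weak scheme: one salted hash per character position."""
    return [_char_hash(ch, i, salt) for i, ch in enumerate(password)]


def recover_per_character(hashes: List[str], salt: str,
                          alphabet: str = ALPHABET) -> Tuple[str, int]:
    """Check each position independently against the stored hashes.
    Returns (recovered password, number of hashes computed); the count can
    never exceed per_character_work(len(alphabet), len(hashes))."""
    recovered: List[str] = []
    computed = 0
    for i, target in enumerate(hashes):
        for ch in alphabet:
            computed += 1
            if _char_hash(ch, i, salt) == target:
                recovered.append(ch)
                break
        else:
            recovered.append("?")    # character outside the alphabet
    return "".join(recovered), computed


if __name__ == "__main__":
    # Constructed sample: 8 characters from A-Za-z0-9, as in the comment.
    sample_salt = "constructed-salt"
    stored = store_per_character("Tr0ub4dr", sample_salt)
    pw, n = recover_per_character(stored, sample_salt)
    print("per-character bound:", per_character_work(62, 8))          # 496
    print("recovered", pw, "after", n, "hashes")
    print("whole-string bound:", whole_password_work(62, 8))          # 62^8
```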


Can confirm that cookies on my laptop did (don't anymore, and I won't be using their online banking anymore) contain sensitive information about my Santander account that I last logged into over 24 hours ago.

Going to go email them and tell them I'll be closing my account if they don't start taking their security seriously.


If you take that post at face value, it's not really going to do much. Sounds like the guy was on at them for a while.


It's not just this alone that's pushing me away from them, I don't like them much anyway.

Their security practices for online banking are pathetic in comparison to HSBC. HSBC gave me a one time key dongle which breeds more confidence than the various articles about Santander's lax security I've read.


HSBC are also (or at least were very recently) in the habit of calling customers and launching immediately into security questions without even identifying themselves first, which is wrong for all sorts of reasons.


I can confirm that First Direct (a subsidiary of HSBC) would also do this.

The caller would say "I'm calling from First Direct" and then get confused when I asked for proof of this.


I like the Barclaycard (I think) fraud thing.

You get called by a computer that asks you to identify yourself by picking a piece of personal information from a list. It might ask for the month and date of your birth, for example, and give you 5 options.

Because there are 365 possible month + date combinations, and yours appears in the list, you know they already have this information so you're safe to confirm it, and they also get to confirm that you are (likely) who they're intending to talk to.


Yeah, I was pleasantly surprised by this too! I had the birthday, an address, and something about one of my standing orders that I had to pick from. It was nice to not have to explain yourself to a real person either. You just had to confirm whether the transactions were real ones. I just have a normal Barclays account, too, nothing special.


That's easy to solve, if they get confused when you ask for proof, just ask them for a number you can call them back on and the reason they're calling. It's easy enough to type, but harder to remember to do in practice though.


Oh, I call them back on the number that I have in my address book. I just want them to never do it again. To anyone. It's a bad practice that serves only to condition users into giving out personal information to any random person calling up and pretending to be from a bank.


If enough users start making a fuss it could trigger action, it seems like a good idea to protect all of the users who don't know about this vulnerability.


And submit it to news outlets. I've emailed BBC News and suggest others do the same to other outlets.


I don't know how things work in the UK, but apparently you can report them to ICO so they take action:

http://www.ico.gov.uk/complaints/handling.aspx


I remember a bank I used to work at got bought out by Suntrust. After we had been migrated over, for some reason I had decided to check out the cookies they were using. Sure enough I saw my full SSN there. They don't do that now, but even as a junior developer at the time, I was pretty taken aback.


What's really annoyed me about Santander's website is when you click 'log-out' you might think you have logged out - but no - you are taken to the 'are you sure you want to log-out' page.

With banking websites I just want to click that link and be sure I am logged out. I don't mind logging in again if I clicked by accident.


From a practical attack point of view:

1. As explained in the original email XSS attacks now lead to CC exposure, very bad

2. If the cookies are not session cookies, it's horrible: then anyone who got access to that computer later can read the cookies and the credit card. But also don't forget tons of websites still keep auto-complete enabled!!!! in freaking CC fields.

3. If the cookies are not marked as "secure" (or issued over HTTPS) then it's totally messed up and invalidates PCI etc. directly. Now your credit card is transmitted over HTTP.

4. Other than this, even though it's a rather pointless thing to do, there isn't any more direct attack I can think of.

Put it this way, this is not worse than an XSS vulnerability in a website as an XSS can lead to more serious issues directly.


Confirmed for my Santander account. I have not got a credit card, but the NewUniversalCookie cookie does contain my passcode (in all caps, just discovered it is case insensitive!).

The data is not just one base64 chunk, but multiple space separated chunks that base64 -d chokes on after a bit. I am probably missing a step.


Wowzer. I just checked for my business account with Santander and found my password as you mention.

Edit: although when you get logged out for inactivity or you click log out it seems to get rid of this cookie.


These hacks better be glad this industry isn't regulated like other professions where the individual professional is liable for his work. If these developers were doctors or engineers they personally would be liable for damages. Right now we have laid blame at the feet of the company, but this company doesn't seem to understand they don't have the technical know-how to be building websites for their customer base.


The company certainly should be responsible. The alternative (which I'd say would be good for us seasoned software professionals, bad for the companies, and not very good for the indie software profession) is Computer Software Creators get their own professional, gov't-approved certifications, a large pay increase to go with the risk increase, and a legal requirement for these businesses to only hire certified Computer Software Creators.

Ain't capitalism grand?


Please don't give the government ideas


Well it might not be your government that institutes this idea. Given this is a bank in the UK you or I might not be allowed to vote on this type of thing, but if the general populace begins to see the choice of technical decisions are more in the hands of the professionals and not so much the company it could very well change. And it might be companies that push legislation like this if they feel they don't want to bear the legal risk.

Now usually there is professional insurance that consulting companies have to purchase for liabilities just like this. If you are a consulting firm implementing systems for banks they will require you carry $2 million/dev of insurance should there be a screw up like this.

Maybe this is the best option because I'm not exactly behind supporting measures to certify or regulate our industry, but I fear bad behavior like this might force it. This is a hack rookie mistake. I'm fully aware of the ramifications of doing something like this, but I'm not immune to mistakes that could result in the same damage. However, a law like this would treat me the same way as these hacks.


For anyone interested, if you want to see the information it is storing then take the NewUniversalCookie and separate it by the #'s, then you can see two base64 strings which are easily decoded.

The scary part is that the 'alias' id is actually one of the 2 passwords needed to log into the account. So in fact if someone had that and my card number all they would need is the 5 digit numerical code to log in.
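An added Python example (not code from the thread, from Santander or from any bank) that turns the two points made in this thread into a check a defender can run: the numbered list a few comments up (XSS exposure, persistence across browser sessions, missing Secure flag) and this comment's observation that the value is just '#'-separated base64. It audits a Set-Cookie header for those properties and decodes any reversible chunks so their contents are visible. The cookie name is the one named in the thread; the header, the attribute values and the encoded contents are constructed for illustration.

```python
import base64
import binascii

# Constructed sample headers. The encoded contents are placeholders, not real data.
SAMPLE_WEAK = (
    "NewUniversalCookie="
    + base64.b64encode(b"alias=EXAMPLEALIAS").decode()
    + "#" + base64.b64encode(b"card=0000000000000000").decode()
    + "; Path=/; Expires=Wed, 15 Oct 2014 00:00:00 GMT"
)
SAMPLE_HARDENED = "sid=opaque-random-token; Path=/; Secure; HttpOnly"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, raw value and lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def decode_hash_chunks(value: str) -> list[tuple[bool, str]]:
    """Split a value on '#' and base64-decode each chunk; (False, chunk) marks chunks that are not base64."""
    out = []
    for chunk in filter(None, value.split("#")):
        try:
            out.append((True, base64.b64decode(chunk, validate=True).decode("utf-8")))
        except (binascii.Error, UnicodeDecodeError):
            out.append((False, chunk))
    return out


def audit_cookie(header: str) -> list[str]:
    """Return the weaknesses found; an empty list means none of the checked properties is present."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page script can read it, so XSS exposes the contents")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: written to disk and kept after the browser closes")
    decoded = [text for ok, text in decode_hash_chunks(cookie["value"]) if ok]
    if decoded:
        findings.append("value is reversible, not opaque: " + " | ".join(decoded))
    return findings
```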


Slightly off topic but I bank with Natwest.com and I have gone to their homepage today and am AMAZED as to what I saw.

If you navigate to their homepage - in prime view you'll see a section that says:

"Great ideas come from great conversations"

Under this is feedback from customers - 90% of the feedback is incredibly negative. For example:

"Tell your customers the truth how bad a silver account is. Premium numbers to contact and register, cannot register mobiles for ..."

"Natwest is an embarrassment, you have lost a customer for life".

This just sums up how out of touch banks are today with the internet. Don't advertise this sort of feedback! Especially on a homepage! What are they thinking?


How often do happy customers leave positive feedback compared to unhappy ones?

Sounds like they're pretty brave to me :-)


I don't bank with Santander, but I was in Barcelona a few weeks ago and I passed by a Santander ATM that was rebooting IBM OS/2 Warp.


IBM OS/2 warp is still a very viable solution for always on terminals and is more common than you may realize. While not officially supported anymore, for a price IBM will still support it. While I wouldn't choose it for a new solution, I wouldn't run out and create new ATM software, if it is working well, just because of the OS. Would you be more comfortable if they were running windows?


It's been rebranded ecomstation and it's sold through another vendor now.


I was actually more surprised to see a reboot on a customer-facing ATM screen. I don't think I've seen that in the US. Maybe I lead a sheltered life.


Or maybe you just don't frequent ATMs a lot. I've definitely seen OS/2 Warp reboot screens on ATMs in the US.


Same name, but different banks. I don't think Santander (the Spanish bank) changed all systems of Santander UK (formerly known as Abbey) so your experience with a Santander ATM in Barcelona is probably irrelevant.

EDIT: typo


I was wrong. It looks like they share code in their online services.


I'm curious about responsible disclosure.

WhiteHat finds a security vulnerability. They tell the company. But, with banks, it's pretty hard to find the right person to tell. What steps should WhiteHat take to satisfy responsible disclosure? Is just a printed letter to the bank's registered address enough? (Banks, and everyone really, should have a "please use this address for responsible disclosure" - that would reassure me as a customer that they are taking security seriously).

But then, in England, we have a potential further step with the regulatory bodies. There's the ICO (information commissioner's office) who are overworked and will do nothing about this. And then there are the card companies who will, I'd have thought, be keen to protect their customers from fraud. Would responsible disclosure include a step to involve these third parties, if only to provide some clue pressure to the insecure site?


Sometimes the media can help. If you have a contact, they can put pressure on the company by calling them to interview about the vulnerability they are going to write a story on.

Back when I used to read the disclosure lists, I'd see people ask "I need a security contact at XYZ Inc." all the time.


On top of all the other issues, add the fact that some browsers no longer delete session cookies when you close the browser. Notably, Chrome and Firefox.

http://dalevisser.wordpress.com/2012/07/18/how-to-fix-firefo...


Holy wow. I expect that from Chrome, which is basically spyware, but not from Firefox.


Really? Wow, I'm surprised to see someone with that sort of attitude. What makes you say that Chrome is spyware?


I don't use Chrome myself, I use Chromium for testing when doing web development. Apparently you can't get the exact Chrome binary from Chromium source code, so I don't know if there are remarkable differences... but I find these quite amusing: http://i.imgur.com/Mq3pH.png

It is correct that these options are in "Privacy". The good thing is that you don't need to worry about tracking cookies because your browser is already tracking you ;)

(I'm half joking / half serious here; this is off-topic anyway)


I guess no-one else here cares, but I had a quick look and santander.cl seems to not do this (but I just logged in and looked at cookies, which all seemed to be opaque).


I expect the UK online banking site is a descendant of Alliance & Leicester's site.

Santander bought A&L a few years ago when they got into trouble during the credit crunch. Before then, Santander was not trading in the UK.


Small correction: they were trading in the UK, just not under the name "Santander" - they had owned Abbey (formerly Abbey National) for a few years before they bought A&L and then merged them under the new (to the UK) Santander name.


You're right, they bought Abbey first. Completely forgot about that. It's probably a descendant of the Abbey online site then.


It was Abbey, no?


The site is identical except for the name change to the previous Abbey site. (Which I have used for years) They changed the log-in process to the current username/number/passcode setup about 2 years ago if I remember correctly.


Betteridge's law?

Given the recent IEEE clear text passwords stored on an FTP server fiasco we need to transition from shock and outrage and switch to resignation and ennui.


For what it's worth, I use Sovereign Bank who was recently acquired by Santander. The Sovereign online banking contains the NewUniversalCookie, which contains an XML document (LOL) with 3 nodes: name, username, and userID. Seemingly no intensely sensitive data in my cookies, but also seems to be some crossover with Santander's security system.


I've seen error messages in Spanish, which would seem to indicate (since Sovereign was originally a New England-based company) that some backend services are shared. Luckily, I barely use the account, and I will continue to do so now that this post has come to light.


Yep, checked the Spanish Santander online services and I couldn't reproduce the problem described here.

I got the XML with a userID field, but that's all. Also the cookie was removed when I logged out. Seems fine to me.


A huge irony in all this is that Santander pulled out of a deal to buy a large number of branch offices from a rival bank because apparently the computer systems of this rival bank weren't up to scratch and merging would have been an issue.

This bank probably didn't believe in storing sensitive information in publicly accessible places, clearly.

/sarcasm


I bet they have a padlock icon somewhere?

No really, whenever I think there is no display of utter incompetence in software systems programming that will surprise me, here's another big name, ready to make standards sink to a new low. I wonder who and how much they paid for such a nicely done job.


Here in the states, MA, I use Sovereign Bank who had just got acquired by Santander.

I was able to reproduce the NewUniversalCookie which showed my `username` and `userid`.

I'm a rather young adult (22) and had used Sovereign solely because my parents had used it, but now I'll be happily moving elsewhere.


I've been today to Santander, and they told me the only way for me to put money in my account is by using their online service. This is because I have an eSaving account type...


I don't see what's much different about this than Stripe giving you a token for the customer/card and storing it in a cookie.


Holy cow!
