natwest-login
fill in silly "enter first, twelfth and fourth" boxes
I absolutely HATE banks because they don't employ me to write their web applications. Bank webapps are the worst I've ever
used. They're so shoddy. And there's no excuse for it. Banks earn so
much money from me and everyone else that their customer service
experience (especially the web one) ought to be tip top. But they
seem to employ people completely ignorant of web architecture.
The way banks SHOULD do authentication is with client certificates
because they would be practically unspoofable - you could maybe
spoof the DNS and present a different banking front end to the user
but to what end? Without passwords it's not going to do you much
good.
Instead they choose to do authentication like this. With multiple
tokens and other rubbish they have dreamt up themselves. Do they
actually employ someone who considers themselves an expert to come
up with this crap?
Fortunately, hackers can fight back with Greasemonkey.
This asks for your PIN and password and then puts the characters
that the page is asking for in the correct boxes.
Amusingly I was told by the Natwest people that the whole reason for
this page was to stop programs from watching keypresses. It worked,
they explained, because computers can't understand the words
"first", "second" or "fifth".
Well, this program won't work then.
As I say, idiots.
This program is only a first step. I hope that I'll be able to make
an infrastructure that can apply client certificates to bank
authentication thus solving the problem permanently.
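
The step described above (working out which characters the page asks for and picking them from the full PIN or password), as an added example that is not the original userscript's code. The prompt wording, the sample secrets and the function names are constructed for illustration.

```javascript
// Added example, not the userscript's own code: turn an "enter the first,
// twelfth and fourth characters" prompt into positions and pick those characters.
const ORDINALS = [
  "first", "second", "third", "fourth", "fifth", "sixth", "seventh",
  "eighth", "ninth", "tenth", "eleventh", "twelfth", "thirteenth",
  "fourteenth", "fifteenth", "sixteenth", "seventeenth", "eighteenth",
  "nineteenth", "twentieth",
];

// Whole-word match on a spelled-out ordinal or a numeric one such as "3rd".
const ORDINAL_RE = new RegExp(
  `\\b(?:(${ORDINALS.join("|")})|(\\d{1,2})(?:st|nd|rd|th))\\b`,
  "gi"
);

// Return the 1-based positions a prompt asks for, in the order it names them.
function requestedPositions(promptText) {
  const positions = [];
  for (const m of promptText.matchAll(ORDINAL_RE)) {
    positions.push(
      m[1] ? ORDINALS.indexOf(m[1].toLowerCase()) + 1 : Number(m[2])
    );
  }
  return positions;
}

// Pick the requested characters from the secret. A position past the end of
// the secret is an error, never a silently empty box.
function charactersFor(promptText, secret) {
  return requestedPositions(promptText).map((pos) => {
    if (pos < 1 || pos > secret.length) {
      throw new RangeError(
        `prompt asks for position ${pos}, secret has ${secret.length} characters`
      );
    }
    return secret[pos - 1];
  });
}

// Constructed prompt and secret (hypothetical wording, not a real credential).
const prompt = "Please enter the first, twelfth and fourth characters of your password";
console.log(requestedPositions(prompt));                       // [ 1, 12, 4 ]
console.log(charactersFor(prompt, "correcthorse1").join(""));  // cer
```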

Hi, I just installed your script, it works really well, nice work. But, I also just figured out why it is definitely less secure for people to use this script. The reason is, it opens up vulnerability to keyloggers which are frequently installed with malware, spyware and other such nasties lurking out there on the web. If you have a keylogger that has crept onto your system, and you have installed this script, somebody will be able to remotely record your entire password and PIN code. If you only type in, for example, the 3rd and 5th characters, then your bank account, and all your precious golden coins, remains safe whatever happens.

It doesn't seem to set focus to the input box, which is a little annoying. Otherwise, great script, thanks :D

Hahahahaha idiots. :) Nice work.

No. It's no more insecure than using the page's password and pin entry.

would this not be kinda insecure???
