2017-04-05

Barclays on-line banking bug

I reported a bug to Barclays months ago and they just ignored me. I have now complained about the time taken to respond to a complaint, and they are looking.

The bug is pretty simple, and very stupid.

The business accounts summary page shows "Last night's balance"


But it is not in fact last night's balance, it is in fact the current cleared balance. The actual last night's balance is shown when you go in to the account.


It is a stupid bug, and should be very easy for them to find and fix.

What got me was , now they are looking in to it, is that they have asked me:-
  1. Computer details - e.g. Windows/Mac and what version of OS
  2. Browser details, and what version
  3. ISP used
Now, this is a web page, via https. Why would the computer or browser matter. At a stretch, they may format the content differently for different browsers or operating systems, perhaps. Seems unlikely to me, but that could be the case, just maybe. So OK, ask that I suppose.

But why ask about the ISP?

Surely they do not think that the ISP can, in any way, influence the content of a secure web site? If they do, then why do they trust the use of secure web sites in the first place. Why ask the question? I have asked why and not told them as I suspect it would confuse them.

10 comments:

  1. Probably just a standard response in response to issues reported with online banking, prior to it being sent to a more technical team.

    For example, you might be reporting that online banking doesn't load at all, and you might reply to the ISP question that you're using it from work, and then it might turn out they are doing HTTPS MITM monitoring (as my work do, via a root cert they install on their machines).

    ReplyDelete
    Replies
    1. Really? There are companies that do MITM attacks on their own employees? I suspect that may be illegal in the EU, I thought the courts had ruled it's OK to use work systems for a small amount of personal use and it is reasonable to expect privacy on that. Or am I mis-remembering something?

      Delete
    2. This is legal as long as people are aware it is happening and many companies do it. I am aware of some companies who pass through without MITM the traffic to financial services, healthcare, some charities etc. as a courtesy to their employees.

      Delete
    3. You say that, but this is intercepting communications. Does the other end of those communications (the web site) know that it is happening and have they consented? If not, are you sure it is legal? Consider the case reversed where web site knows some isp does mitm for profiling or something without end user knowing?

      Delete
    4. That's a good point: is the consent of one of the two ends of a communication sufficient for this? I'm not at all sure it is; certainly with phone calls, *both* parties must be made aware of the surveillance and its purpose for it to be legal, which is why call centres state explicitly that calls are recorded for stated purposes.

      Based on the phone rules, I would say SSL MITM should *not* be legal, and certainly shouldn't be tolerated generally; better to disable connectivity than to spy on it with dubious legality.

      It's apparently possible (at least some of the time) for the server to detect this interception (I think the usual giveaway is that each browser has slightly different SSL/TLS parameters, so of course the intercepting device won't match exactly).

      It's also quite possible not all their assets are served from the same server, with static content from a different hostname than dynamic. They've probably had problems in the past with crappier ISPs blocking the CDN or similar.

      (I had a client - government agency in fact - having problems with their "firewall" tampering with content. It turned out to be shoving a Javascript comment into each JS file downloaded, at the end of the file or X kb, whichever came first - so on larger files, it broke the Javascript. Switching to HTTPS fixed that, but other similar "security" products do HTTPS interception too...)

      Delete
    5. With the increasing number of services using SSL, almost all solutions where web filtering is required (schools, public sector etc) are MITM now. It's the norm unfortunately.

      Delete
  2. In case your isp is Verizon, some lying scumbag outfit that intentionally perverts data sent upstream.

    ReplyDelete
  3. It may just be standard questions for all troubleshooting. Remember its first line RevK. Having worked in FirstLine (for O2 Broadband before it went away) a lot of folk who are hired don't know that a Mac Address isn't where you get a burger.

    Typically what passes as training is a scattergun approach of solutions without any actual diagnosis, followed by a standard template where they're expected to fill it completely.

    So thats why.

    ReplyDelete
  4. Couldn't help but think of this blog entry while on the phone to Metro Bank a few minutes ago. Something minor has gone wrong in their system and has blocked one particular feature of one of my accounts. The same feature works fine on the other two accounts, so we know the browser is capable of handling this feature without problems. They are flat out refusing to accept the problem report unless I give them the browser version. So stalemate then! "No stupid bank rules" is their motto.

    ReplyDelete
  5. This will be a great website, might you be interested in doing an interview about how you developed it? If so e-mail me! second chance banking peoples bank

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Hot tubbing...

I have a hot tub, it came with the house over 3 years ago. Managing a hot tub is complicated, and expensive. The expensive part is the power...