Halifax Online Banking

Recently, my bank, Halifax Bank, which is a subsidiary of the Royal Bank of Scotland, made some changes to their online banking login system.

The changes were purported to be an improvement in account security. I personally beg to differ; it's just more security theater, that is, designed to look like an increase in security when it's not really. They are an act, at minimal cost to the bank.

What does this "increase in security" involve?

The OLD system was a simple username/password login over HTTPS. It wasn't hugely secure, I will admit.

The NEW system prompts you to create an additional secret word. Then to log in you have to supply 3 letters from that word, selected at random. For example, letters 3, 5, and 8 of your word. You then select the relevant letters from dropdown boxes.

The dropdown boxes, if anyone actually uses them, will defeat some minor keyloggers.

I have some issues with this.

  1. When passwords are stored in a db, they are usually stored in the form of a one-way hash, so that people with access to the db do not get access to your password. In order for the system to check 3 selected letters of your secret word, the word has to be stored either in plaintext or with reversible encryption. This means that their own staff could in theory gain access to your secret word.

    True, if their own staff are that corrupt, then you have bigger problems, but what happens if you have reused that word elsewhere? It's bad practice, but a lot of people do it regardless.

  2. It's annoying.

    Some annoyances I can live with, especially those that actually do make my online life safer. This does not; it's just theater. What's so annoying about it? There are 3 dropdown boxes, with 37 possible selections each. Even on my big monitor, that's a LOT of scrolling up and down lists.
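
To make issue 1 concrete, here is an added example (not the bank's code, and not from the original post) comparing a whole-word hash with a hypothetical per-letter hashing workaround. It shows that a whole-word hash cannot answer a 3-letter challenge, while per-letter hashes can but are recoverable by anyone who can read the rows. The alphabet, KDF parameters, function names and sample word are all assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: 26 letters + 10 digits per dropdown (the page only says 37 entries).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def _kdf(data, salt, rounds):
    return hashlib.pbkdf2_hmac("sha256", data.encode(), salt, rounds)

def enroll_whole(word):
    """Usual password storage: one salted, slow hash of the whole word."""
    salt = os.urandom(16)
    return salt, _kdf(word, salt, 100_000)

def verify_whole(salt, digest, candidate):
    """Only a complete candidate can be checked; three letters cannot."""
    return hmac.compare_digest(_kdf(candidate, salt, 100_000), digest)

def enroll_per_letter(word):
    """Hypothetical workaround: salt and hash every position separately."""
    salts = [os.urandom(16) for _ in word]
    return [(s, _kdf(ch, s, 1_000)) for s, ch in zip(salts, word)]

def make_challenge(length, k=3):
    """Pick k distinct 1-based positions, e.g. letters 3, 5 and 8."""
    return sorted(secrets.SystemRandom().sample(range(1, length + 1), k))

def verify_per_letter(rows, positions, letters):
    ok = len(positions) == len(letters)
    for pos, ch in zip(positions, letters):
        salt, digest = rows[pos - 1]
        ok &= hmac.compare_digest(_kdf(ch, salt, 1_000), digest)
    return ok

def recover_word(rows):
    """What a database reader can do: at most 36 guesses per position."""
    word = ""
    for salt, digest in rows:
        word += next(c for c in ALPHABET if _kdf(c, salt, 1_000) == digest)
    return word

if __name__ == "__main__":
    secret = "tr0ub4dor"  # constructed sample word
    rows = enroll_per_letter(secret)
    print(verify_per_letter(rows, [3, 5, 8], "0bo"), recover_word(rows))
```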

My solution? Greasemonkey. Since I can't avoid them, I can at least reformat the lists so they can be seen all at once, rather than having a lot of mousing around to drop them down, scroll down them, select...

