activating (but not really being able to use) HSBC's online banking (private banking edition)

The online banking for HSBC's private banking is a read-only view -- fine.

It depends on one-time-codes over SMS, and there is no alternative mechanism for people who don't want everything to depend on their mobile phone -- bad.

The process so far was something like this:

 * get an html email with a link to HSBC's web-based messaging

 * follow link and try to log in to HSBC's web-based messaging

 * login button is replaced by swirly thing which swirls, but doesn't log me in

 * email point of contact at HSBC about swirly thing that never progresses

 * received reply from point of contact at HSBC about swirly thing

 * around 15 minutes later, notice that HSBC's messaging site has now deigned to log me in

 * follow link in message to online banking site ready to try and proceed with registration

 * enter one-time identifier supplied to me in message (fine), set usual "security question" type stuff, fight with a very badly-done and incorrect password-setting page.  This includes an error along the lines of "password must be at least 12 characters long, with at least one happy emoji, one sad emoji", etc, all of which requirements were met by my password.  I then had to guess what it was about my password (answer: a string of 4 identical characters in a row) that was upsetting it -- but this reason was not stated in their error message, nor even listed in the given list of possible reasons, though I had previously noted it in a different list elsewhere.

You could spend a whole lifetime just cataloging ways corporations fuck up simple password-setting web pages if you wanted, but of course, they should not be given the opportunity, were authentication in the world to be done properly.

 * transcribe an SMS code from my phone to the web page

Tada! At this point I was logged in for the first, and possibly last, time in my life, to the online banking facility of a private bank.  But there was something rather strange, related to authentication, popping out at the top:


That box saying "Sign in".  It's from the browser, not the page.  It's what the browser gives you when the web site, or some element thereof, wants HTTP Basic Authentication.  This is where a username and password is sent in a header called "Authorization" (oh dear), as opposed to the commonly-used approach where a form submission results in a cookie being set.

So seeing that box here presents the user with a conundrum.  It is certainly a basic mistake by HSBC's online banking team, that it is there.  Is the best way to deal with it to re-enter the username and password (previously entered into a form and submitted, remember), to try and do HTTP Basic Authentication on some elements presumably being loaded by the main page, which appears to be authenticated and logged in, displaying my name and other details?  It does at least appear to be an okay domain to send it to.  Or should the user hit cancel, and risk mysterious breakage elsewhere?

I hit cancel.
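
One way to find out which element is asking for HTTP Basic Authentication, as an added example that is not part of the original post: scan the responses recorded in the browser's network panel for a 401 carrying a `WWW-Authenticate: Basic` challenge. The URLs, headers and function names are constructed for illustration, and the parser assumes one challenge per header value.

```python
from urllib.parse import urlsplit
import re

# Constructed sample of (url, status, response headers), as might be copied out
# of the browser's network panel. All hostnames and values are placeholders.
PAGE_URL = "https://bank.example/portal/home"
RESPONSES = [
    (PAGE_URL, 200, {"Set-Cookie": "SESSION=constructed; Secure; HttpOnly"}),
    ("https://bank.example/static/app.js", 200, {}),
    ("https://bank.example/widgets/news", 401,
     {"www-authenticate": 'Basic realm="restricted", charset="UTF-8"'}),
    ("https://cdn.example/fonts/a.woff2", 401,
     {"WWW-Authenticate": 'Bearer realm="cdn"'}),
    ("https://bank.example/api/profile", 401, {}),
]

REALM = re.compile(r'realm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)


def origin(url):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def basic_challenges(page_url, responses):
    """List the 401 responses that carry an HTTP Basic challenge."""
    found = []
    for url, status, headers in responses:
        if status != 401:
            continue
        # Header names are case-insensitive, so compare them lowercased.
        value = next((v for k, v in headers.items()
                      if k.lower() == "www-authenticate"), None)
        if value is None:
            continue  # a 401 with no challenge gives the browser nothing to ask
        scheme, _, params = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue  # only Basic is of interest here; Bearer raises no prompt
        realm = REALM.search(params)
        found.append({"url": url,
                      "realm": realm.group(1) if realm else None,
                      "same_origin": origin(url) == origin(page_url)})
    return found


if __name__ == "__main__":
    for hit in basic_challenges(PAGE_URL, RESPONSES):
        print(hit)
```

The `same_origin` flag answers the "okay domain to send it to" question mechanically: a Basic challenge from a different origin than the page would receive any credentials typed into the box.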

I then proceeded to try and browse to find the most basic thing I wanted to be able to view.  There are 4 accounts here for which I have IBANs, in different currencies.  I have been given the account numbers, via a PDF in which the text was not selectable, but was done as pictures of text, so I had to transcribe all these IBANs and other identifiers by hand.  No, I am not shitting you.

How do I see the balances for the 4 accounts?  I thought I may as well explore the site, too.  Within two clicks, I think it was when I clicked on "Documents", I was logged out of the site again:


Why was I logged out?  "For security purposes", of course.

This is the world we live in.  You can spend months trying to log in to a web site, and the moment you are logged in, you can not find the one thing you wanted, and in any case you are immediately logged out again "for security purposes".

