Domain: bgl.lu
Stories and comments across the archive that link to bgl.lu.
Comments · 12
-
Re:Loophole?Sounds like a sane byproduct of a sanely limited feature of the license to me.
Not really. Under the old regulations, web sites could use open source software to write code that excludes open source browsers.
Granted, the new regulation doesn't really fix this (it is enough to publish source code... much of which is public anyways if it is client-side javascript), but it's a step into the right direction.
-
Re:FireFox handles all my online bank sites.Have you sent any feedback to them letting them know about the issues?
Sure I have. Told my financial adviser at that place about it (who obviously couldn't help much), but he helpfully redirected me to their helpdesk.
The Helpdesk was not very helpful when I phoned them, but somehow they were careless enough to tell me the phone number of the lead developper of the application (Vincent Friedrich, +352 49924-5550). So I phoned that guy. He was (understandably) rather astonished about how I "found out" his number... He gave me the usual bull about IE having 99.99% of market share and all that, and finally suggested that I send them my complaints in an e-mail... which I did (that mail contained all the technical details about Visual Basic checks, and server-based user-agent checks.)
The e-mail stayed un-answered for about a month, so I phoned Mr Friedrich again. He was not there, so a coworker of his took the phone. I was forwarded among three or four guys in the department. They re-assured me that those checks were certainly there for a reason (but couldn't tell me which one...), and that that reason was certainly not to shut out non-IE browsers. They promised to investigate and answer my mail (which they still had: one of the guys read me parts of my mail) for "Friday in a week". That day passed, without an answer...
I guess, I'll have to phone them again, or maybe send a paper letter about the issue to their top management.
I have found that some companies actually take this feedback quite seriously (there have been a few ignorent few).
Well, not so here in Luxembourg. The other bank, where I have my main account, also has a rather bizarre system. It does work with Firefox, which is good, but strangely enough it blocks Konqueror with a browser check (javascript based). This can be circumvented by setting up an alternate login page (copy of their code, minus the offending javascript browser check), which I did. This page was on a public web page (so that my fellow Konqueror or Safari users can use it too), but eventually the page got noticed by the bank, and I got a rather threatening call from them about this violation of their intellectual property....
Yet another bank has a link to a java applet that doesn't work (reference to non-existant class). A call to their help desk revealed that they are aware of the problem, and the guy even suggested me two alternate URLs, which both do work. After I asked him the obvious question "Why don't you put those on your main page", the answer was rather surprising: "if we put more than one web banking URL on our site, we would be hinting that our system has issues, and this would damage the trust that our customers place in us". I was baffled! What strange customer has more trust in a company that hides problems rather than putting them out in the open?
However, on the bright side, they (BCEE) did promise that "by end of 3rd quarter 2005" they would have a truely crossbrowser pure-HTML version. Let's wait and see...
I doubt that I was the only one who commented, but you need to start with one comment
:)Well, 1 1/2 years ago, we (Lux Linux user group) staged a complaint action at a national computer trade fair, where the banks were also present: each participating LUG member would visit the bank's stands individually, and complain....
As a result, at least 4 banks have improved, or are improving their ways (things are moving slowly though, the "fastest" still took about a year to get ready...).
The nicest success is ING, who is now running its " full com
-
Re:FireFox handles all my online bank sites.Then don't give them your business.
Problem is, their mutual funds are the best performing of the marketplace (and they know it...).
Ok, so I use a different bank for my day-to-day transactions (where homebanking is more useful), and use Fundmarket only for long-term storage of money (where homebanking is much less needed, because transactions are much rarer and will be made over phone or in person). Still, it's an eyesore...
-
Re:Dutch BanksIt's very easy for spyware/malware to do a man in the middle attack and insert any number of transactions which it will hide from you by sitting between you, your browser and your bank.
True. However, he will have to do it while the session is active, which makes it quite easy to trace him to the exact cybercafé where it happened. With more passive approaches, a thief could use sniffed codes a while later, making it lots harder to find out which of the many cybercafés from which you browsed your bank accounts when holiday sniffed your numbers.
Moreover, the more secure TAN code schemes guarantee that each TAN can only be used for one single transfer, meaning that a man-in-the-middle would need to "eat" a legitimate transfer to insert his own. So this legitimate transfer would not be done, guaranteeing that the victim will notice rather soon that something is off.
Since the programs are running on the endpoint of the SSL connection, SSL is not going to help you either.
Exactly. A couple of years ago, Banque Générale du Luxembourg had a flawed system which ignored this basic point.
Their system: a chip card reader which would encrypt the bank-to-customer communication on card. Their rationale was that this way, it would be virus proof, because the customer's private key would be stored nowhere on his PC, nor would the SSL engine run on the PC.
What they were forgetting however, was that the data to be encrypted (amounts, target account of bank transfer) were entered on the PC's keyboard, and could already have been clobbered by a Trojan before they even reached the chip card for encryption!
And no, the card itself didn't have a display, where it could display, for doublechecking, the data that it received (some German banks apparently use such systems, but obviously these cards are much more expensive to make than plain chipcards, so BGL opted for the less expensive solution).
Of course, the card reader was utterly dependant on Internet Explorer and a Microsoft OS running on the PC, so the end-effect was that the system was even less secure than it would have been without the card reader!
-
Re:It's false advertisingImagine if your bank advertised no charges on all bank accounts on their website, so you sign up for several accounts and all your friends an family do too. At the end of the month, you get your statements and find that you've been charged a lot in bank charges. So you notify the bank about it and also let the local banking assocation know. The banking assocation also notifies the bank about it but still the bank does nothing to correct the obvious error, such as having the page removed or shutting down the site.
I have news for you: a bank can do this, and it doesn't even need to be a web site. It can be magazine ads too! Case in point, last April a large Luxembourgish Bank was running a campaign for their platform-independent web banking. Such a campaign seemed believable since:
- Most banks of the country were IE-only (at that point in time). I understand however that the country as a whole was lagging behind (abroad, most banks have been browser independent since much longer than that)
- Some early birds, such as CCP did indeed move to a browser independant software.
So, now imagine Joe Average Linux User believing the ad, cancelling his account at Foobar Bank, and moving to BGL. He connects to BGL Web banking, and, oh surprise!, he his harshly told off that the system only works with Internet Explorer! (N.B. Since then, things have somewhat improved. Since December, they also allow Firefox. But that was not yet the case for the period when the ad ran, and even today, many other popular browsers such as Safari, Mozilla and Konqueror are still excluded.)
Do you think it's wrong to fine the bank in that situation?
Now do you think something bad happened to them? Nope, not at all! The reason is simple: while annoying, the matter is still trivial enough that most customer don't bother to sue!
-
Re:It's false advertisingImagine if your bank advertised no charges on all bank accounts on their website, so you sign up for several accounts and all your friends an family do too. At the end of the month, you get your statements and find that you've been charged a lot in bank charges. So you notify the bank about it and also let the local banking assocation know. The banking assocation also notifies the bank about it but still the bank does nothing to correct the obvious error, such as having the page removed or shutting down the site.
I have news for you: a bank can do this, and it doesn't even need to be a web site. It can be magazine ads too! Case in point, last April a large Luxembourgish Bank was running a campaign for their platform-independent web banking. Such a campaign seemed believable since:
- Most banks of the country were IE-only (at that point in time). I understand however that the country as a whole was lagging behind (abroad, most banks have been browser independent since much longer than that)
- Some early birds, such as CCP did indeed move to a browser independant software.
So, now imagine Joe Average Linux User believing the ad, cancelling his account at Foobar Bank, and moving to BGL. He connects to BGL Web banking, and, oh surprise!, he his harshly told off that the system only works with Internet Explorer! (N.B. Since then, things have somewhat improved. Since December, they also allow Firefox. But that was not yet the case for the period when the ad ran, and even today, many other popular browsers such as Safari, Mozilla and Konqueror are still excluded.)
Do you think it's wrong to fine the bank in that situation?
Now do you think something bad happened to them? Nope, not at all! The reason is simple: while annoying, the matter is still trivial enough that most customer don't bother to sue!
-
Re:There's nothing wrongOr your bank listing out of date interest rates?
Ironically enough, the bank would be able to get away with it. Last year, a large Luxembourgish bank was advertising platform-independant web banking in magazine and billboard ads, while at the same time their software was refusing any customer who dared to connect with something else than Internet Explorer. Since then (8 months later...) they're allowing at least Firefox, but other browsers such as Safari, Konqueror and certain versions of Opera are still excluded.
But do you think anything bad happened to them? No, of course not! Nobody is gonna waste time and money on a lawsuit about such a "trivial" matter, and thus large companies can do whatever they damn please. Maybe things would be different if we had US-style class-action suits here.
-
MSIE-only banksCan you give any examples or support for your statement?
Sure, here is one example: Banque Générale du Luxembourg. Click on the Web Banking link, chose a language, and weep
:-(If you read French (or German), click FR or DE, and look at their slogan (top left of page), and snicker
;-) (The English version is less funny).Actually, most banks in Luxembourg are MSIE only (or do need some trickery and/or alternative login pages to get access).
-
Can you also change its name to Internet Exploder
for those obnoxious sites that somehow don't understand what "abuse of monopoly power" means...
-
Re:Not how it works, but how it looks.Regardless of how much security this, in reality, will provide, it will provide a tremendous APPEARANCE of security.
Reminds me of the security philosophy of one large Luxembourgish bank:
What matters is not whether our IHB (Internet Homebanking) service is secure, but rather whether our customers think it is secure...
I guess that's why they are "safekeeping" their customers private SSL keys on the server, and sending them to the client browsers after a simple password-based login. Non-repudiation? Hello?
Result: an overly slow and cumbersome system that does not any security at all over the much simpler systems of the competition. But at least, it looks very secure.
-
Re:Something to keep in mindAt the same time, the company has consistantly achieved success against great odds and remained out of chapter 11, even as more established enterprises like K-Mart, Montgomery Ward or even Enron have hit hard times.
Yeah, Amazon didn't make the mistake that Enron made: they successfully kept the Arthurs out. Once the Arthurs invade a company, it is doomed.
-
HP OpenmailTigerPlish,
At my old employer's we used HP-Openmail (running on HP/UX) as a mailserver, and Outlook on the client. This was a very Micro$oft-oriented company, only 2 Linux boxes for 2000 employees, and very "standardized" desktops, where even getting Cygnus Developer's kit was no easy feat. Thus,if HP-Openmail could happen there, I think it won't be a problem in other Micro$oft-centric shops either.