Domain: fund-market.lu
Stories and comments across the archive that link to fund-market.lu.
Comments · 8
-
Re:FireFox handles all my online bank sites.Hmm, somehow my comment got messed up with parts duplicated and jumbled (mess-up while copy-pasting the URLs?). Interesting how it still garnered a mod-point...
Here's a cleaned up version:
Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their homebanking application, even though the app itself, again, doesn't make any actual use of VB! However, in addition to the VB check, the homebanking also does a server-side User-Agent check, so you need to fake that one as well (for homebanking, but not for the fund graphs). Weird.
No IE, no VB, No service
:-( -
Re:FireFox handles all my online bank sites.Hmm, somehow my comment got messed up with parts duplicated and jumbled (mess-up while copy-pasting the URLs?). Interesting how it still garnered a mod-point...
Here's a cleaned up version:
Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their homebanking application, even though the app itself, again, doesn't make any actual use of VB! However, in addition to the VB check, the homebanking also does a server-side User-Agent check, so you need to fake that one as well (for homebanking, but not for the fund graphs). Weird.
No IE, no VB, No service
:-( -
Re:FireFox handles all my online bank sites.Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their homebanking application, even though the app itself, again, doesn't make any actual use of VB! However, in addition to the VB check, the homebanking also does a server-side User-Agent check, so you need to fake that one as well (for homebanking, but not for the fund graphs). Weird.
No IE, no VB, No service
:-( -
Re:FireFox handles all my online bank sites.Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their homebanking application, even though the app itself, again, doesn't make any actual use of VB! However, in addition to the VB check, the homebanking also does a server-side User-Agent check, so you need to fake that one as well (for homebanking, but not for the fund graphs). Weird.
No IE, no VB, No service
:-( -
Re:FireFox handles all my online bank sites.Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their homebanking application, even though the app itself, again, doesn't make any actual use of VB! However, in addition to the VB check, the homebanking also does a server-side User-Agent check, so you need to fake that one as well (for homebanking, but not for the fund graphs). Weird.
No IE, no VB, No service
:-( -
Re:FireFox handles all my online bank sites.Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their Please let me know which banks DON'T work with FireFox
Banque de Luxembourg and their Fund market (try using the "Direct Access" option menu on the left hand side to view one of their "colored" funds (profiles) and weep...).
The idiots have implemented a check for visual-basic support in the browser, and refuse access to any browser that doesn't have it. The funny thing, however, is that the application itself (display of fund graphs) doesn't need Visual Basic at all, and works just fine when you bypass the stoopid check by going directly to the final URL!
A similar thing exists in their homebanking application, even though the app itself, again, doesn't make any actual use of VB! However, in addition to the VB check, the homebanking also does a server-side User-Agent check, so you need to fake that one as well (for homebanking, but not for the fund graphs). Weird.
No IE, no VB, No service
:-( -
Luxembourgish banksHi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works the following:
(Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATM's....
Here is Luxembourg, banks are too cheap for handing out these calculator thingies. Instead they use a scratch-off plastic card with 16 alphanumeric digits on it. When logging in to their service, the site choses 2 (or some 3) positions out of the 16 possible, and you have to enter the corresponding digits.
This key is different every X seconds (I don't know the interval).
Well, here in Luxembourg, the "good" banks do it the same: the key (in our case: choice of scratch card numbers) is valid a set amount of time. However, some of the (less technically savy banks) propose you a different choice of digits each time you hit reload... so a thief who has sniffed some numbers (but not all) can just keep on hitting reload until the bank asks for numbers that he has... not good!
If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.
Our banks do not have this additional security yet... (Apart from maybe Cortal-Consors. I know their German operation has such a system).
This is all done on HTTPS...
In Luxembourg too. No bank is foolish enough to use plain http. and works with most browsers.
Unfortunately, this is not the case in Luxembourg (although some progress was made over the course of last year).
The currently worst offenders have a gateway page which features a Rube-Goldberg like chain of Java Applets, Java Script code, and VB code which only works on Internet Explorer (the Java Applet is MS proprietary java (using the proprietary com.ms.util.SystemVersionManager class...). The output of this is fed, via the VB script, and then the Javascript (!) into a second URL, which gives you access to the Web application itself. Interestingly enough, once that gate is passed, there is no further dependancy on MS-ware, and you can cheat yourself access to the contents (graphs of their mutual funds) by entering that second URL manually.
For their homebanking they have the same "proprietary applet" hack, and in addition a server-implemented browser check. Manually enter the JVM=1 bit into the URL, and fake an Internet Exploder User Agent and you are in! What the hell are they thinking?
I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....
Indeed, the number generated by the device makes it secure even against keystroke loggers that may be installed (but don't challenge your luck either...)
-
Luxembourgish banksHi, I'm not informed much about American and other foreign banks, but here in The Netherlands it works the following:
(Almost all) The banks over here use a kind of calculator device. You insert your pass into it. Your normal pass you use for withdrawal from ATM's....
Here is Luxembourg, banks are too cheap for handing out these calculator thingies. Instead they use a scratch-off plastic card with 16 alphanumeric digits on it. When logging in to their service, the site choses 2 (or some 3) positions out of the 16 possible, and you have to enter the corresponding digits.
This key is different every X seconds (I don't know the interval).
Well, here in Luxembourg, the "good" banks do it the same: the key (in our case: choice of scratch card numbers) is valid a set amount of time. However, some of the (less technically savy banks) propose you a different choice of digits each time you hit reload... so a thief who has sniffed some numbers (but not all) can just keep on hitting reload until the bank asks for numbers that he has... not good!
If you want to transfer money, you get another screen. You have to insert the number shown on the screen into the device. After you hit 'OK', another number is shown on the device, you type this in the inputbox of the website. After it is verified, the transfer will be processed.
Our banks do not have this additional security yet... (Apart from maybe Cortal-Consors. I know their German operation has such a system).
This is all done on HTTPS...
In Luxembourg too. No bank is foolish enough to use plain http. and works with most browsers.
Unfortunately, this is not the case in Luxembourg (although some progress was made over the course of last year).
The currently worst offenders have a gateway page which features a Rube-Goldberg like chain of Java Applets, Java Script code, and VB code which only works on Internet Explorer (the Java Applet is MS proprietary java (using the proprietary com.ms.util.SystemVersionManager class...). The output of this is fed, via the VB script, and then the Javascript (!) into a second URL, which gives you access to the Web application itself. Interestingly enough, once that gate is passed, there is no further dependancy on MS-ware, and you can cheat yourself access to the contents (graphs of their mutual funds) by entering that second URL manually.
For their homebanking they have the same "proprietary applet" hack, and in addition a server-implemented browser check. Manually enter the JVM=1 bit into the URL, and fake an Internet Exploder User Agent and you are in! What the hell are they thinking?
I believe this is one of the most secure methods I can imagine. It is not flawless maybe, but it works and there is much needed to hijack information from the sessions. Without the device, the pass and the account number one can do nothing. Without the PIN you still go nowhere....
Indeed, the number generated by the device makes it secure even against keystroke loggers that may be installed (but don't challenge your luck either...)