Closed Bug 98179 Opened 23 years ago Closed 21 years ago

hsbc.co.uk - N6 not supported for secure operations at HSBC

Categories

(Tech Evangelism Graveyard :: English Other, defect, P1)

Product:
Tech Evangelism Graveyard
Component:
English Other
Platform:
x86
All
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: thayes0993, Assigned: tristan)

References

(
URL
)

Details

(Whiteboard: [DENY][BANK]) 

As posted from security flaw reporting system:

 Submitter name:                cleong
   Submitter email address:       charlesleongsc@netscape.net
Acknowledgement checkbox:      on
   Product:                       Netscape 6.x
   Operating system:              Windows NT
   OS version:                    NT4 ,SP6a
   Issue summary:                 Unable to be accepted as a secured browser

Issue details:
Some sites do not recognise Netscape 6.1 as a
secured browser, for example the bank below:

http://www.hsbc.co.uk/ebank/default.htm

Clicking the login and after a while, it says:

"Your browser does not meet the HSBC Internet
Banking security requirements..."

Thanks!


Additional computer info:
Same secured site access problem for the Linux
platform as well.
This does not occur with build 2001080110 on Windows 2000.

Can anyone verify with Netscape 6.1?  It sounds like HSBC may have relaxed their
requirements.
Just tried it again with build 2001091003.  It still gives the same message.
On linux 2001091008 TRUNK I am able to see the page just fine.  Netscape only maybe?

Taking QA from momoi.  This isn't critical btw.
Severity: critical → major
QA Contact: momoi → caillon
Summary: N6 not supported for secure operations at HSBC → hsbc.co.uk - N6 not supported for secure operations at HSBC
Whiteboard: [DENY][BANK]
When I click on the "login" buttion I just get a blank page loaded (with 0.9.4
on linux). It works on NS4.

Any idea why it's doing this?

Jeremy Sanders: the only thing I can think of is you didn't install the PSM xpi
module.  It handles SSL sites.  I can load it fine on linux trunk 2001091506. 
I'll get NS6 checked shortly.
Confirming that the site blocks Netscape 6.x but not Mozilla.  CC aruner who has
dealt with a few banks.
Component: European → West Europe
Putting priority to 1.
Priority: -- → P1
Blank page was caused by not removing my .mozilla directory when upgrading.
Sorry! Site works fine with mozilla.

Netscape 6.2 blocked on Win2K.  OS : All.
Accepting bug.

<<
 Your browser does not meet the HSBC Internet Banking security requirements and
you are therefore not able to use the Internet Banking Service using your
current browser version. Please access the Internet Banking Service using an
alternative browser version. If you require further assistance please call 0845
600 2290.>>

Other phone number mentionned somewhere else :  +44 1226 261226 (internet
banking helpdesk)
Severity: major → critical
Status: NEW → ASSIGNED
OS: Windows NT → All
found a page that suggest to contact helpdesk in case of browser questions:
(+44) 1226 261226. Lines are open from 8.00am to 10.00pm Monday to Sunday
(except for Christmas Day).

WFM with Moz096, but I still can't register with NS6.2...

Calling them... "There are security holes with Netscape 6 because it holds
password on your hard drive, which is an issue in case you share your computer
with other people, so we don't allow its use to connect to our secure website"

It looks like they have never heard about password manager and the master
password...

Trying to get in touch with the Systems department.

The guy I should try to reach, Darren Robinson, is out for the day. The young
lady will send him my contact details by fax.

Also foudn this addres hidden in some frame code : 
innovationtechnology@hsbc.com

It's when trying to reach this that the error message is displayed with NS6.2
(but not Moz !)...
https://www.ebank.hsbc.co.uk/loginindex.html

Sending short letter to darren.robinson@hsbc.co.uk (just guessing), and also
innovationtechnology@hsbc.com and webmaster@hsbc.co.uk, and a copy via their
feedback form...
Target Milestone: --- → Dec
webmaster@hsbc.co.uk bounces back :-(
Got phone call from Nick Walch <nickwalch@hsbc.com>. Nick is Senior System
Analyst, Internet Systems. Phone number : +44 114 25 28 533
They have concerns about NS6/Moz security. Waiting for his e-mail message
explaining this in details.
Removing Target.
Target Milestone: Dec → ---
Got Message from Nick Walch with their concerns about security perception :
1)   The message "you are viewing secure and non secure content" appears
frequently when using our service in Netscape 6.x.
2)   The padlock disappears occasionally on a secure service.
3)   Password storing can not be blocked. This is considered to be out main
issue.

I'll answer his questions by mail.

The Halifax and Lloyds TSB (the other two online banks I use) have no problem
blocking password saving.

Looking at the code for this on https://www.halifax-online.co.uk/ then you see:
<form name='...etc...' method='post' AUTOCOMPLETE='off'>

The autocomplete='off' being the important bit.






Thanks a lot David for pointing this out !

I have sent a letter to the bank to tell them, along with more specific
information on what it does.

TArget : January.
Target Milestone: --- → Jan
Hello,

when browsing to https://www.gandi.net/admin/domain/change?l=en
Mozilla (Build ID: 2001122108) says the page is insecure, but
Netscape 4.77 says it's secure (128 Bit, Thawte). Platform:
Debian Linux, something between potato and woody (i386).

Best,
--Toni++
Blocks: 124594
Another report was received around 3/15/2002.  When queried the bank replied
with this information.  This problem appears to be unresolved.

>  Please accept my apologies for the problems you have experienced when 
> attempting to log on to our service via the Netscape 6 series of browsers. 
> 
> We at HSBC have taken the steps to block this browser because of its built 
> in ability to store customers confidential details. I am sure you can 
> appreciate that security is of the utmost importance to us and
> anything that could compromise our customers details should not be used. 
> 
> We are still in discussions with Netscape so that a fix may be identified 
> and put in place, but at present, we have no indication of when this will 
> be available. 
> 
> Once again, thank you, I hope I have been able to reassure you that we 
> will continue to develop and enhance our Internet Banking service in 
> order to meet our customers needs. 
Mozilla itself was never blocked, it appears they looked for Netscape6/ in the
UA string as Netscape 7b1 isn't blocked either.

Lets hope they leave it as is and not decide to block Netscape 7, otherwise I
think a change in banks is in the works. It looks like Netscape doesn't ask to
save the passwords for https requests anyway, because HSBC is still not using
"autocomplete=off" like the Halifax does and I've not been asked to save my
password.

If some previous version of Netscape 6.x wants to save passwords on https
connections then they should just add that line like the Halifax do, all it
takes is a few seconds and is quicker than answering emails from even just one
annoyed customer.
It looks like they've started blocking Mozilla. I'm using Moz 1.0 and it told me
that my browser didn't meet the security requirements. Does anyone know how to
persuade them to turn off the password remembering feature?
I just did a quick check using Netscape 7 PR1 (Gecko/20020512).  i can access
the login screen, and the input fields for the account number and PIN both have
autocomplete="off"
If you read the original report, Netscape 6 was blocked on purpose. 

It is also blocked in New Zealand. 

Tristan, now that newer builds have fixed padlock issues etc could you see if
they will test and unblock us now? Merci.
I'm getting conflicting information from HSBC. I complained that mozilla wasn't
usable, but they sent me an email saying mozilla was blocked because NS 6.2.1
was blocked, as it was able to store security details in the PSM. They thought
this was a security risk so they blocked it. (paraphrased due to legalise
claiming I can't reproduce the email) Is NS 6.2.1 also blocked? I thought they'd
turned off autocomplete for this form.


both fields have autocompleate="off".

I don't see any bad massages - of you this only happen after login?
Actually the problem seems to have gone away now. I think this was because I had
to mess around with my browser identifier to fix a broken website, and I left it
set to Netscape 6.2 when I had this problem.
should we close this bug now ?
Does anyone have the latest NS, so we can check that works too?
This bug's URL now redirects to
http://www.ukpersonal.hsbc.com/public/ukpersonal/internet_banking/en/logon.jhtml
and works for me in both Moz 20030421 and NN 6.2.2
Severity: critical → major
WFM.
Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.3) Gecko/20030312

as said - there's a bug within Netscape 6.x, for what that is blocked. Newer
builds are fixed and let in. So bug can be closed
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
tech evang june 2003 reorg
Component: Europe: West → English Other
Target Milestone: Jan → ---
Product: Tech Evangelism → Tech Evangelism Graveyard
You need to log in before you can comment on or make changes to this bug.