E pur si muove

When web pages check web-browser compatibility

Saturday, January 27, 2007

I don't trust banks and definitely not online banking since their log in procedures are laughable, at least in the UK (no complaints about my Belgian bank, although not all Belgian banks are good either). But somehow I managed to get an account which only allows transactions to my own accounts so the possible damage is rather limited. It also limits its usefulness but hey, it's safer.

So I could happily use it to check my balance and move money between my accounts until a few weeks ago. They suddenly decided to show me a screen that tells me that my web browser is unsupported. Since I usually use Epiphany I decide to just try it with a more common browser and, surprise, using Firefox running on Ubuntu Edgy it works. Next I use the Iceweasel from my Debian Etch but no, they don't like that either.

Then for the really dumb stuff. I go to about:config in Iceweasel, find the general.useragent.firefox.extra key and change it from "Iceweasel/" to "Firefox/2.0.0" and sure enough, it works. What a joke.

The only thing left was to make it work with my Epiphany, so go to about:config and find general.useragent.epiphany.extra and change it to "Firefox/2.0.0". Doesn't help. Adding the key general.useragent.firefox.extra and setting it to "Firefox/2.0.0" did work perfectly fine though.

Someone go and beat that silly webmaster with a stick please.

It made me think though. Why can't web browsers just say "I support HTML 4.01 and XHTML 1.0" or so? Then all a website needs to do is say "I need HTML 4.01 or ...". But I guess it's too easy to create web pages and too easy to make broken web browsers. And to top it off no one seems to have the attitude to just ignore people that can't read standards, instead they try and understand their garbage anyway. I know that's probably the only reason the Web managed to become what it is now, but it's still annoying.



S.Lott said...

It may not be a "webmaster" that has this browser compatibility check. It's more likely the web banking application or the bank's in-house programmers.

Web banking applications in the US are required (by law) to do "multi-factor" authentication (MFA). In addition to passwords, they look at your computer, your IP address, and anything else that might indicate who you "really" are.

Clearly, spoofing the MFA is possible. However, there are many details of your browser (like protocols supported, screen size, etc.) which are approximate indicators of what equipment and software you are using.

Yes, it's spoofable. But, in aggregate, it gives a pretty clear picture of who you're likely to be.

Flat-out rejection is bad software design. It could be bad design in the web banking application. Instead, they should ask about your other factors: your mother's maiden name, your favorite color, the first place you had sex, your secondary school, your daughter's screen name in AIM, that kind of thing.

The web banking application is often customized by the bank. Consequently, it could be the bank's programmers that made the bad decision to reject browsers. Or the "users" who commissioned the web banking application in the first place. The users may have been confused, the programmers unable to clarify the use case, and they elected to reject when they could have asked for additional authentication.

Getting the MFA use cases right is hard, as you've pointed out.
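The contrast drawn in the post and the comment above, as an added example that is not part of the original post, the comment, or any bank's code: a hard User-Agent gate next to a gate that treats client signals as approximate and asks for another factor instead of rejecting. The substring check, signal names, weights and threshold are assumptions made for illustration, and the User-Agent strings are constructed samples.

```python
# Constructed sample User-Agent headers (not captured traffic).
UA_ICEWEASEL = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) "
                "Gecko/20061205 Iceweasel/2.0.0.1")
UA_RENAMED = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) "
              "Gecko/20061205 Firefox/2.0.0")

def brittle_gate(user_agent):
    """Hard gate of the kind the post ran into (assumed form: a product-token
    substring match). The header is chosen by the client, so this proves
    nothing about the browser and only locks out honest users."""
    return "allow" if "Firefox/" in user_agent else "reject"

# Hypothetical signal weights: a changed browser string alone is weak
# evidence, a changed network location counts for more.
WEIGHTS = {"user_agent": 1, "screen": 1, "ip_prefix": 2}
STEP_UP_THRESHOLD = 2  # assumed threshold

def risk_based_gate(request, profile):
    """Compare this login's signals with those last seen for the account.
    Every signal is spoofable or approximate, so a mismatch never rejects:
    it raises a score, and a high score triggers a request for an
    additional authentication factor."""
    score = sum(weight for key, weight in WEIGHTS.items()
                if request.get(key) != profile.get(key))
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"

# Constructed account profile and login attempts.
PROFILE = {"user_agent": UA_ICEWEASEL, "screen": "1280x1024",
           "ip_prefix": "192.0.2"}
SAME_MACHINE_NEW_UA = dict(PROFILE, user_agent=UA_RENAMED)
NEW_MACHINE = {"user_agent": UA_RENAMED, "screen": "1024x768",
               "ip_prefix": "198.51.100"}

if __name__ == "__main__":
    print("brittle, Iceweasel:     ", brittle_gate(UA_ICEWEASEL))
    print("brittle, renamed token: ", brittle_gate(UA_RENAMED))
    print("risk, same machine:     ", risk_based_gate(SAME_MACHINE_NEW_UA, PROFILE))
    print("risk, unfamiliar client:", risk_based_gate(NEW_MACHINE, PROFILE))
```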
