Westpac has no clue. Time to switch banks

Westpac online – Sign In

They’ve gone ahead and been idiots: an on-screen, mouse-activated big keyboard. Signing into online banking when other people are even remotely around (think conference, think at home, think anywhere really) is no longer secure.

Go get a clue Westpac.

9 thoughts on “Westpac has no clue. Time to switch banks”

  1. Did you complain (again)? Can you call them and ask for an email address at which I can register my complaint (again)? And, who’s writing the Greasemonkey script?

  2. OK, so I tried their feedback page, which timed out. Then I rang them and was told that “there’s a new type of virus around, called a ‘trojan’…”. The reaction to “Linux” was that “we can’t cater to individuals”. Ooops!

    The poor data-impoverished script-reader on the other end advised me to use my hand (on my sensitive flat screen? not likely!) to shield the keyboard while I moused if I was concerned about being overseen. I asked him about visually-impaired users who had to blunder around on the page to find the letters, and whose browsers read out what they clicked on. He had no answer to that.

  3. OK, got a callback from a lass trading as “kkwhelan” who says that this was put together with extensive involvement from the Blind Society, and JAWS will work with it after one setting change. Will post my email to her after it’s sent.

  4. Good afternoon, K! (Katrina? Karen? Kristi? Kaliope?)

    Herein, concerns and suggestions for your new signin page.

    Keystroke loggers are pretty much limited to Microsoft Windows; why not offer an alternative if the browser identifies itself as being run under Mac, Linux, etc?

    I have a problem with shading the screen on my laptop to hamper spying, since touching the screen too firmly will permanently damage it. An obvious shielding action would also draw attention to me, which is pretty much the last thing you want to do when entering private information.

    Anyone with enough access to install a keylogger also has enough access to read the browser’s DOM, particularly for MSIE, and/or snatch a copy of the HTTP traffic before it’s SSL-wrapped, and/or watch the entry via any of a number of remote-management technologies. While this does make snatching a password harder, it’s not *that* much harder and hardly seems a worthwhile trade for the inconvenience entailed in the on-screen form.

    Since MSIE is easier to bug than any other browser, have you considered recommending other web browsers as a security measure? Most of them are free, and comply better with the WWW standards than MSIE.

    Since only Microsoft Windows has a pandemic of keyloggers, have you considered recommending non-Microsoft operating systems as a security measure? A free copy of, for example, an Ubuntu Live CD would eliminate keyloggers and other malware at, hah, a stroke and you could brand the CD so that it announces Westpac as it starts up and launches a browser aimed at your login page. Ubuntu Live is also free, one of many free “LiveCD” distributions.

    While on the topic of alternatives, I’m wondering why Westpac have not offered an alternative, non-mouse-based login to people who ask? The reasoning behind this is that people who don’t have a problem with the mouse-based input (most of your customers) won’t ask, but people who do have a problem with it aren’t left high and dry.

    I’m also curious about the absence of email addresses from Westpac’s site. Email is a simple, well-understood way of communicating and it has a kind of built-in audit trail which makes referencing past conversations easy. Putting addresses on your site so that they are invisible to spambots but work for real visitors is simple.

    If you’re afraid of viruses, simply don’t use MS-Outlook (or Express) to read it. If Westpac are _terrified_ of viruses, copy Ubuntu Live onto a memory stick and boot from that to read it, storing any email worth keeping back onto the stick (or I’d be delighted to set up a machine for Westpac which is totally immune to viruses, just email me and ask).

    References:
    Browsers – http://www.opera.com/download/
    http://www.mozilla.com/firefox/
    http://www.konqueror.org/
    Ubuntu – http://ubuntu-releases.optus.net/5.10/

    Cheers; Leon

  5. I too have had a number of issues with these jokers, which have been documented here:

    http://lutrov.com/blog/45/

    I notice that if you go to their website, they finally support Firefox, as long as it’s the older V1.07 and not the current one. Although I haven’t tried accessing their “feedback” page with Firefox 1.07, I can confirm that it still doesn’t work with 1.5.03, so their web developers must be busy little beavers.

    If you look at the blog link I posted, you’ll see that they confirm my complaint to be legitimate and promise to fix their browser issues at least.

    As for that javascript keyboard for the login: it’s better than what they used to have. A little.

    BTW: You can contact them on “online@westpac.com.au”.

    BTW:

  6. I wouldn’t bother hoping that Westpac thinks about using open-source software or catering for non-Microsoft products…

    The Westpac head of IT is one of the Microsoft Board of Directors…

    So yeah, nothing’s going to change there anytime soon.
