Shifty scripts on Santander site prompt security fears

Parent firm Santander is reassuring customers that the website of its banking subsidiary Alliance & Leicester is secure despite the presence of JavaScript on its login pages served up from recently created sites of unknown provenance. Reg reader Matt Freeman said he was prompted with a SSL certificate warning from a domain …

COMMENTS

This topic is closed for new posts.


Third Party Javascript

So a bank is using 3rd party javascript on their site?

Sounds like a recipe for disaster.

4
0

Analytics?

Why are they using analytics on the login page anyway? Do they not know who their own customers are?

0
0

Well, it's like this........

As a Santander customer who can only access my accounts by entering via the A & L web site (though I no longer have an A & L account), I can say that from personal experience Santander have not a clue about who their customers are, what they want, or, dare I say it, why they should even think of trying to access their own money.

The only way I got some of my own money out of them was to keep going through the massed ranks of plonkers till one finally understood that they had set the whole thing up completely wrongly.

No longer the Abbey Habit, now simply Spanish Practices.

Unfortunately it is increasingly difficult to find a real bank.

Some day, I fear, the great Santander system will swallow cahoot too - the only part of their Empire which still has real working systems and real people to resolve issues rather than compound them.

2
0

Oh, and don't get me started

They seem to want me to download some software shite EVERY TIME I log on. I have absolutely no intention of installing whatever crap you throw at me so GIVE ME A DON'T PESTER ME AGAIN checkbox.

Ta greatly.

3
0

Same retards at Chase

When I bank at JP Morgan Chase, their website tries to go to doubleclick.com, which I have thoroughly blocked at three levels: my firewall, my hosts file, and AdBlock+.

And since they've recently bought 3 failed banks, I'm sure they have no idea who their customers are. I signed up for their credit card 8 months ago, and yesterday I got no fewer than 3 applications for the same card in my snail mail.

1
0

Why does anyone use online banking?

The terms and conditions are atrocious and they put all the responsibility on you without giving you the slightest way of finding out what's gone wrong...

2
1

Why oh why?

Online banking is indeed a fad, surprised anybody would want to use it. I also find using that plastic cash a needless encumberment, too! And don't get me started on this paper-and-metal-coins malarkey, either.

For me it's pig iron ingots all the way, and animal hides for the change.

11
1

Paper money is definitely malarkey, but...

...half crown coins from before 1946 are worth almost six quid today, before 1920, eleven quid. That's just the value of the metal, no numismatic element.

0
0

Malarkey it may be..

...but it's a lot quicker than chip'n'pin! When I pay for fuel I take about a tenth of the time that the card payers do.

2
0

Quicker? Really?

Let's compare apples with apples eh?

1. If you use a card, then in many petrol stations now you can pay at the pump, thereby avoiding having to go into the booth, and join a hideously long queue at all.

2. If you go into the booth to pay (and there's no queue), then it might be slightly quicker (takes me about 10-15 seconds), but you will have had to take the time and had the foresight to go to the bank/ATM first, in order to have that cash in your pocket in the first place, and how much longer does that take? 5 - 20 minutes?

So 5 minutes to save maybe 10 seconds. Bravo!

That is unless you walk about with your wallet perpetually full of cash, in which case, you've got some balls on you - or too much money :-)

Personally I despise people who go to a pay-at-the-pump station, then dawdle off to the booth (and the queue) to pay, and I'm sat, finished and paid up, at the pump behind waiting to get out because they either didn't pull in close enough to the pump so I could get out, or the station is too narrow.

Grrrr!

1
2

yeah but....

If all you mugs hadn't signed up for the "rape me" terms and conditions they'd have been forced to introduce something more reasonable...

2
0
Anonymous Coward

A: I've too much money

B: I do walk with my wallet stuffed with cash (lopsided)

C: I live in a crime-free area

D: What's it to you?

E: I pay at the pump anyway since I get cash-back on my credit card

F: I always use Internet banking (with 20-digit passwords)

G: If I went to the booth I'd use credit card (see E)

0
1

internet banking

absolute madness

0
1

Polycache.com blocked at firewall level and host files updated to redirect to localhost

now, where's my tinfoil hat..

0
0

The day after tomorrow...

...or some other random time will see the brown stuff hitting the propelling device.

0
1

Unfounded?

'worries to the contrary were "unfounded".'

This suggests an incomplete understanding of the English language. The security risk may not have been realised or exploited, but fears of a security risk were most certainly well founded.

6
0

Que? Mr Fawlty? Que?

Slap, slap, slap!

0
0

Not the first time

I raised questions about their third-party user tracking years ago and was brushed off.

I have all Javascript disabled on the site, which helpfully hides the Rapport crap too.

1
0

The title

All 3rd party scripts understood,

All customer data secure,

All pigs fed and ready to fly

1
0

Other domains in that script

Including Abbey National, HSBC, Yahoo and more banks including santander.cl.

Time to add polycache.com and advanced-web-analytics.com to the hosts file.

Santander's explanation doesn't wash.

0
0

"...since this covered a fraud and security issue...."

So according to them it *is* a fraud and security issue but also nothing to worry about? How does that work then?

Unless of course it's not a fraud and security issue but a cockup and arse-covering one....

1
0

It gets worse

The service that replaced the old Abbey online banking site encourages you to download and install "security" software to ensure the safety of your session.

Great. So I have to install local software to secure a single web app?

0
0

If it's the same as A&L ...

... Block Javascript, and the Rapport nags (irrelevant to me since I use an incompatible and significantly-less-vulnerable-to-start-with browser) will quietly vanish. The only downsides are that the PIN box doesn't auto-focus any more and the quick payment sidebar item doesn't do anything.

Of course, the Abbey features may be slightly different in the first place, but you get the idea.

0
0
Anonymous Coward

Paint me a stick-in-the-mud, but...

... I don't think it is appropriate for a bank to use third parties for their core business. Nowadays, that does include online banking.

"Trust" never comes in convenient sixpacks, you know.

1
0

Finally

Someone else has clued up to what's happening here.

Most UK financial / media sites send stuff to third parties for 'analysis'.

Not only that, it happens within the SSL bit, i.e. when you have logged on.

Here is my log of the last 24 hrs, of the organisations I block:

64.236.79.229 4 80 ARIN US ATDN-ISP

62.41.70.122 1 80 RIPE NL NL-KPN-BBT-20000510

217.163.21.38 1 80 RIPE GB YAHOO-IE

62.41.70.170 1 80 RIPE NL NL-KPN-BBT-20000510

199.255.34.89 8 443 ARIN US CORE-DEN-01

204.77.29.128 2 443 ARIN US CORE-ATL-01

188.121.36.239 1 80 RIPE NL Prolexic Technologies Inc

87.249.105.28 12 443 RIPE EU NEDSTAT2

66.235.139.166 1 80 ARIN US OMTR-SJ1

212.118.226.91 1 80 RIPE GB UK-INTERNAP-20000530

77.72.113.58 1 80 RIPE NL NL-NEDSTAT

188.121.36.238 5 80 RIPE NL Prolexic Technologies Inc

66.235.133.33 1 80 ARIN US OMTR-SJ1

87.249.105.58 1 80 RIPE EU NEDSTAT2

63.140.40.27 10 443 ARIN US OMTR-SJ1

66.235.148.128 5 80 ARIN US OMTR-SJ1

Now the organisations will not tell you what they send as it's commercially sensitive, but it's all legal!!

0
0

Change from Alliance and Leicester has caused problems

Over the past few days we had become worried that a large cheque deposited into our on-line account, and for which a confirmation of receipt was received, had not appeared on our list of recent transactions. Calls (0844) to the bank were answered with "It has cleared and will be shown tomorrow." Today, after pressing them and suggesting there had been a fault in the changeover, they finally admitted that some transactions at the time of the takeover did not make it to the online listing. We subsequently discovered a missing payment from the listing. On checking, the balance however appears to be correct.

0
0