HSBC brands EVERY Apple iPhone 'an insecure PC'

HSBC's iPhone app for online business banking warns customers that their reassuringly expensive Apple mobiles are in fact PCs - and insecure ones at that. In a surprising cock-up, the bank's app incorrectly identifies the shiny phones as Windows PCs, and scolds fanbois for not having security watchdog software Rapport …

COMMENTS

This topic is closed for new posts.
  1. My Alter Ego
    FAIL

    Not only iPhones

    I get it on Ubuntu too. If I have time, I might try calling HSBC and say I'm having difficulty installing Rapport - some light entertainment for the afternoon.

    1. Mad Jack
      FAIL

      Re: Not only iPhones

      Any Linux in fact, but they've now made it worse as you have to get reminded every 8 days. I contacted them previously asking why they insisted on prompting me to download and install a product which doesn't run on my machine and they replied with some garbage about it being in the public interest. Are they telling me they can't set an opt-out cookie or detect my OS is one of those they provide the software for (assuming I don't refuse cookies and obscure my OS)?

      1. Peter Gathercole Silver badge

        @Mad Jack

        You're lucky they actually listened. When I tried to fix a problem with RBS's online banking a few years ago (it just kept refusing to allow me to log on even when using the correct credentials with someone watching over my shoulder to check I was doing it right), they just claimed that they did not support any OS other than Windows and OSX, and suggested I get another PC.

        Turned out to be a bug in their code causing buttons to be off the screen, and also mis-handling the return key as a form completion action.

        Eventually I did get put through to someone who knew a little about Linux (after having the access blocked and enabled at least three times), who was able to confirm that their login process was not working with Firefox on Linux. They did even fix it!

    2. Anonymous Coward

      And this comes

      From HSBC the money laundering bank.

      1. LinkOfHyrule
        Joke

        Re: And this comes

        No, it's the world's local money laundering bank!

        1. Anonymous Coward

          Their ads freak me out

          Not just the ones with the creepy Chinese kids planning world domination, but that they put the same adverts on all the world's jetways. So the last thing you see before getting on a plane is an HSBC ad, then ten hours later you emerge, shattered, apparently in the same place.

      2. JaitcH
        WTF?

        And the Euribor Interest Rate Fiddling Bank

        You have to give them credit, where credit is due, these b*stards have put aside NINE-BILLION POUNDS to clean up their laundry business and they haven't even started looking at Euribor.

        This is the world's largest criminal entity with branches all over the world. Now you can add blackmail. My Secure(sic)Key hasn't arrived so they said OK, you're OK until September.

        Imagine my surprise, and extreme annoyance when, last Friday I couldn't access my account. The InterNet Banking mob said no money until you use Secure(sic)Key - and I'm in the Far East.

    3. John Miles

      Re: Not only iPhones

      They did something similar in the last couple of years - I complained and was told it would stop pushing it after a few tries (IIRC I had to allow Firefox to save cookies for it to disappear).

    4. Dave 126 Silver badge

      Re: Not only iPhones

      A rough guess off the top of my head is that 90% of Linux users are IT literate enough not to be fazed by the message, and to see it as a bit of a giggle as did 'My Alter Ego'. No great worries.

      The other 10% might have a Linux box set up for them by a family member, for the purposes of online banking and maybe skyping grandchildren.

      (Terrible generalisations, I know)

  2. Shagbag

    Is this really worth reporting?

    C'mon El Reg. You've got better stories to report, I'm sure. Is it really that much of a slow-news-day?

    1. Anonymous Coward

      Re: Is this really worth reporting?

      And you work for ..?

      Yeah, thought so. Nice try, though.

    2. multipharious

      Re: Is this really worth reporting?

      Well it could serve as a good warning that the free fraud detection software being pushed is not even capable of identifying the client OS. I find this particularly interesting from an IT angle, not to mention that if people actually rely on this software and it stumbles at the low hurdle of stepping over the 1/2" threshold of installation then this is particularly worrying. Having worked in the software industry for a good while now, if your installation sucks donkey balls then your software is so full of bugs it probably cannot be considered a product.

      So let's call this article a review from the wild in case any security folks are considering a purchase. Purchase product, create false sense of security, and effectively increase fraud and support calls.

    3. Jamie Kitson

      Re: Is this really worth reporting?

      At least it actually has an IT angle.

    4. Ted Treen
      FAIL

      Re: Is this really worth reporting?

      "...their reassuringly expensive Apple mobiles..."

      "...the shiny phones..."

      Ms Leach is, yet again, attempting to be the one who mocks Apple most in what I can only imagine is some desperate attempt to be promoted to the role of journalist.

      Perhaps she should open a dictionary and look up "objective", and "unbiased" first.

      1. Spanners Silver badge
        Go

        attempting to be the one who mocks Apple most

        A very popular activity amongst the IT and IP literate.

        1. Ted Treen
          Trollface

          Re: attempting to be the one who mocks Apple most

          I assume by IT and IP literate you mean of course, those who just read about IT & IP (or have it read to them) rather than those who just happily get on using the technology...

      2. Magnus Ramage
        Stop

        Re: Is this really worth reporting?

        "Ms Leach is, yet again, attempting to be the one who mocks Apple most in what I can only imagine is some desperate attempt to be promoted to the role of journalist."

        And perhaps you might read The Register for a while longer and realise that they are equal-opportunities mockers. It's not just Apple - they'll mock anyone. It's their house style, just as much as trendy leftiness and muesli-knitting is the house style of The Guardian, or reactionary hating of minorities and foreigners is the house style of the Daily Mail.

        They could put it on the masthead: "The Register: They code. We mock." It's what makes it worth reading.

        1. This post has been deleted by its author

        2. Ted Treen
          Holmes

          @ Magnus Ramage (Re: Is this really worth reporting?)

          Disingenuous - even sophistry.

          So if HSBC assumes a PC running windows, cue mocking of Apple & Apple users.

          No mockery of Linux in its various incarnations?

          No mockery of Linux users?

          No mockery of Android?

          No mockery of Android users?

          Equal mockery?

          PS

          I've been reading The Register for over 10 years, so perhaps your patronising could be addressed at the same time as your sophistry.

          1. Magnus Ramage

            Re: @ Magnus Ramage (Is this really worth reporting?)

            Apologies for being patronising. I guess I've been reading the Register for about the same length of time. No harm intended. Nonetheless, I do think they're pretty even-handed in their mocking. But I don't use Apple products (not because I don't like them, I just can't afford them) so I'm not especially sensitive to their treatment.

      3. John Brown (no body) Silver badge
        FAIL

        Re: Is this really worth reporting?

        "Ms Leach is, yet again, attempting to be the one who mocks Apple"

        Maybe you missed the Reg motto at the top of the page?

        "Biting the hand that feeds IT"

  3. Matt 21

    In an surprising cock-up

    Indeed!

  4. Anonymous Coward

    Time for tubby bye byes...

    So HSBC want me to "download" some random software despite the fact that I have

    1. No idea if this will impact on any other software that I have installed (or indeed includes some unknown holes that will place other areas of my on line activity at risk), and

    2. ignores the fact that I have very good anti virus and anti spyware/malware software installed and with which I sweep my machine regularly.

    Not the first HSBC annoyance. The new generation ATM they installed at my local branch is the only one that I am aware of on our high street that DOESN'T have a facility for ATM Deposits. Inquiries in branch suggest that they have been told that deposit accepting machines are no longer available from the manufacturers... and the helpful suggestion that there is a lobby service 20 miles (and a toll bridge crossing) from me.

    HSBC is looking increasingly inept and disconnected from the real world - it is probably time for me to move my account to a better bank.

    1. Anonymous Coward

      Re: Time for tubby bye byes...

      LMFTFY

      HSBC is incredibly inept and disconnected from the real world - it is probably long past time for me to move my account to a better bank

      Funnily enough I was telling the missus last night that I was going to move the joint account to another bank. HSBC have been horrific for years now (especially when it comes to charges) so I've been moving everything over to other banks. They're all pretty poor, but some are worse than others.

    2. Anonymous Coward

      Re: Time for tubby bye byes...

      it is probably time for me to move my account to a better bank

      If you have a business a/c you should have done that long ago - any criminal can trick HSBC into giving your money away to them by simply changing your Companies House records - they don't even need to be on the account mandate..

      1. Ragarath

        Re: Time for tubby bye byes...

        The question is, where do we move our accounts?

        I have moved mine twice in the last 2 years because of the crap service and silly charges certain banks impose. You then have others trying to fiddle things. Where would our money be safe?

        They also need a more standardised moving procedure. Yes I know it is much easier now than it was but I should be able to move it as if I was changing broadband suppliers.

        1. Yet Another Anonymous coward Silver badge

          Re: Time for tubby bye byes...

          Funnily enough the only British bank that hasn't managed to piss me off for the last 20 years is First Direct - ironically owned/part of HSBC.

          ps. HSBC is even more incompetent here in the colonies. The world's favourite bank - in the same way that Malaria is the world's favourite parasite.

      2. TonyHoyle

        Re: Time for tubby bye byes...

        They don't even need to do that - they just phone up pretending to be a director and give information freely available from companies house as 'proof'.

        I know a company this happened to.. I'd not be surprised if it was common.

    3. Anonymous Coward

      Re: Time for tubby bye byes...

      Go with the Co-op. I switched to them years ago from HSBC, and have been immensely impressed. Although, they do still bug me about that Rapport crap. I'm not installing a pointless, deeply-rooted resource hog with low-level access on my machines. Good basic AV + non-IE browser + big pile of common sense = safer banking. And if anyone mentions Linux I'll slap them.

      1. Anything Goes
        Childcatcher

        Re: Time for tubby bye byes...

        However, as a loyal Coop/Smiler for the last decade, they've been promoting Rapport every time I log in. Did so once on my Mac and the spinning ball of death was a constant companion until I disabled it. Surely easier to suggest people have good virus protection and go banking over Tor or something of that ilk??

        1. src

          Re: Time for tubby bye byes...

          Skip the front page and go straight to:

          https://banking.smile.co.uk/SmileWeb/start.do

          Avoids the annoying Rapport nags.

        2. Ted Treen
          Thumb Up

          Re: Time for tubby bye byes...

          I use a Mac Pro, and have had Rapport installed since it was first recommended by the Co-Op. Naturally I checked it out thoroughly before installing it, but I'm happy to do so as any assistance given in keeping assorted Romanians, Russians etc., away from my hard-earned is welcome.

          No, it seems to have no adverse impact at all on the operating speed of my Mac - but of course, YMMV according to your individual config.

    4. TonyHoyle

      Re: Time for tubby bye byes...

      Indeed.. they tout rapport as the saviour of your bank account but don't for one moment say what it actually is or does. It's not getting anywhere near any of my machines without that. I'm guessing it's something like a cookie-less browser.

  5. Unlimited
    FAIL

    +https fail

    The update also seems to include https://www.hsbc.co.uk using javascript to load resources over http. Which causes Firefox and Chromium to show some "page not secure" type warnings.

    I tried to use their complaint and contact forms to tell them, but they just gave error messages.

  6. Fred Flintstone Gold badge

    At least a bank..

    .. where IT delivers for the business: both equally inept.

    Wonder if they have taken on staff recently. RBS staff :)

  7. David Gosnell

    Is this the same Rapport...

    ... that was flagged up for having some gaping security flaws itself a few months back?

    Santander nag about it too, but a little more smartly by the sounds of it, so on my desktop I have (for their site) been able to set the browser agent appropriately so as for them to believe it incompatible - which strictly speaking it is anyway, since AFAIK Rapport does not run on Iron, only pukka Chrome.

    1. Fred M

      Re: Is this the same Rapport...

      Yes. I was at a security conference last year where there was a session on it. Avoid Rapport like the plague. I'd change banks rather than install it.

      1. TeeCee Gold badge
        Mushroom

        Re: Is this the same Rapport...

        What they don't tell you is that most of the shitheads pushing this POS have a little trick up their sleeves. Once they've detected it being used the first time, any subsequent attempt to connect from a machine lacking it gets the Foxtrot Oscar treatment. Trying to get your account "unblocked" afterwards is like attempting to climb the North Face of the Eiger in clogs and mittens.

        Or in other words:

        1) It's a bloated, poorly written clog.

        2) It hides itself deep in the OS.

        3) You can't uninstall it without breaking something important.

        4) Trying to uninstall it merely proves that the uninstall process is b0rken.

        5) It throws false positives around like confetti. All time favourite example of this was when a relative who'd been strongarmed into using it found it flagged and disabled the BT Broadband client driving their old skool ADSL modem at the time. So they could access their bank "safely", if they'd been able to access the internet at all......

        Ticks all the boxes to qualify as malware for me. Makes Sony's world-famous DRM system look like a shining beacon of best practice by comparison.

        As Trusteer seem to have managed to get many of the major banks to sign up to their shit, I can't help thinking that if they spent half as much money and effort on their software as they obviously do on sharp-suited sales weasels, schmoozing clients and backhanders, they might have a decent product......

    2. Anonymous Coward

      Re: Is this the same Rapport...

      Yep it is annoying that Santander do this too.

      It shows on Linux and even if I hit the main site on a Nokia Symbian phone (not the m. mobile site).

      I can't install it on the work machine, I wish there was an option to not show this message again.

      According to the pedia of wiki (ie. pinch of salt but nonetheless...):

      "Some users have reported problems with Rapport, including high CPU utilisation and difficulty in removing the software.[10] Recently, updates made to Rapport have caused user machines to fail at boot-up with a Blue Screen of Death; the problems are resolved by renaming the file RapportEI.sys.[10]

      In a recent presentation given at 44con, bypassing Trusteer Rapport's keylogger protection was shown to be relatively trivial."

      1. Crisp
        Coat

        Re: Is this the same Rapport...

        The Rapport software checks that you are using the real HSBC website and not a fake.

        But what checks that you're using the real Rapport software and not a fake?

        They obviously haven't thought this through!

  8. Gordon Pryra
    Flame

    "it is probably time for me to move my account to a better bank"

    Why? If they can keep the mafia's money safe then they are probably a better bet than any other bank.

    RBS goes down, we pay them out and they get 6 figure bonuses.

    HSBC goes down they end up face down in the river

    Hmmm, I wonder who has the best incentive to do their bloody job right?

  9. Anonymous Coward

    Rapport indeed!

    A nightmare to uninstall as it blocks VNC to a black page the moment you attempt to uninstall it...

    Avoid and change banks..... they'll soon learn.. or not....

  10. DrXym

    Hardly seems like the end of the world

    I assume they have some kind of user agent sniffer which looks for some string which says rapport is there and if it's not redirects the user to a warning page. Of course, if the sniffer was doing its job properly it would ignore people whose OS was not Windows or Mac, or at least direct them to a more relevant warning to their platform.

  11. Mark Dempster
    FAIL

    Crapport

    I've had to uninstall this POS software from several customer PCs simply because it slows them to a crawl - even a recent quad-core machine was almost unusable. Once the software was removed it felt like a new PC.

  12. Test Man
    Stop

    This Rapport software is awful. I had it - system slowed to a crawl. I'd rather have malware - at least I could still use my system.

  13. Adrian 4
    WTF?

    @mad jack

    Just tried this (firefox/debian) and although it offers Rapport it doesn't force me to dismiss it, or even nag excessively. It's just some of the noise in the advertising border.

    Can't really see why it's a problem.

  14. Jemma
    FAIL

    *sigh*

    You know it surprises me that on even this site no one has realized that this probably isn't actually a problem.

    It's very likely that the browser on the phone is set up to identify itself as a desktop browser (most probably IE). If it apes IE like the Symbian 7.3/7.4 browser then rapport is probably pulled down to install because of the numerous security problems with IE and the fact the server side equipment cannot tell the difference between an idiotOnSlab device (or Symbian or Android) masquerading as desktop IE and the real thing.

    I have the dubious joys of banking with the "World's Local Mafia Front" and I use Opera on both desktop machines and phones/handhelds. I have never run into this 'rapport' request and it is not installed on my netbook running Windows 7.

    Maybe someone from HSBC should clarify *exactly* what the usage cases are for this 'rapport' client and when and on what systems it is installed?

    ** Historical side note, Israel, for the last 1880 years has been referred to as 'Zion'. To be classified as a 'Zionist' for the majority of that time means nothing more than 'Jewish person wanting to go back to the 'home'land that Cyrus nicked for them'. Calling a piece of software that is written and produced in that country 'Zionist' is therefore entirely correct, if inflammatory, just the same as calling agrochemicals manufactured by Makteshim Agan the same thing is therefore entirely correct (just don't mention to the BASF sales director that you are buying from them...). The fact that every commentard on this thread has fallen for it, and claimed membership of the 'tinfoil hat brigade' for the person who mentioned it shows the usual lack of knowledge of the situation. Oh, and please remember, Israel are not the most popular country in that neck of the woods, something to do with the odd pre-emptive attack, being funded by the USA (well known for their respect for national boundaries), not to mention the odd 'what, other countries have legal rights over and above our thirst for revenge, who knew?' illegal extraction of wanted war criminals.

    1. Loyal Commenter Silver badge

      @Jemma

      "Historical side note, Israel, for the last 1880 years has been referred to as 'Zion'. To be classified as a 'Zionist' for the majority of that time means nothing more than 'Jewish person wanting to go back to the 'home'land that Cyrus nicked for them'"

      I think the operative word in that quote, is majority. Words change their meaning over time, and since the early 20th century, the implication of the word 'Zionist' is that of a Jewish conspiracy. Whilst accusing the Jews of various crimes was historically a favoured pastime amongst the Christian peoples, it has fallen out of favour somewhat in the last century or so, along with the use of the swastika as a symbol of peace.

      Therefore, to write about 'zionism' these days implies that the author believes there is a worldwide Jewish conspiracy, beyond the legitimate interests of the modern state of Israel. The author has duly earned his (or her) tinfoil headwear as a result of this misapprehension.

      1. Jemma

        Re: @Jemma

        Actually no - all it means in the purest form of the word 'meaning' is Zionist as I stated previously.

        You are making the assumption that because some people floating around in the 18th, 19th century who were using the 'Zionist' label as an excuse for political troublemaking - that this person is trying to resurrect the same thing. Not to mention the fact of those lovable rogues known to history as the NSDAP.

        90% of the people outside right-wing-nutjobs clubs, historians and the Jews (for whom it is a large part of their recent history) would have the faintest clue what 'Zionism/Zionist' actually means.

        Here's a different thought - since the events of 33-45 - people don't like using the term 'Jewish' because of its connotations of racial abuse. Since 'Judean' is a little too retro, and Ashkenazi/Sephardim too confusing for the average chav.. using the term 'zionist' has no racial connotations.

        Don't label people with your own assumptions and point of view when you know nothing about them.

        1. Anonymous Coward

          Re: @Jemma

          'Judean' is a little too retro

          Ah, but the Monty Python references you could collect would be massive.

          Sorry, couldn't help myself.

    2. Bush_rat
      Facepalm

      Re: *sigh*

      If I may direct your attention to the beginning of the article and the only image, you'll quickly notice that it is an iPhone. Which (normally!) uses this useragent:

      Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3

      Depending on your version of iOS, 5.0 in the case of this particular useragent. To avoid this mishap all that needs to be checked for is the word "Mobile" and possibly "iPhone" if you want to be clever and doubly sure.

      What I think has happened is somebody is just checking for "Mac OS X", "Windows" and "Desktop" and ignoring everything else. If I'm not mistaken there is a lovely little piece of JavaScript you can get that will not just tell you the kind of device (phone, laptop, desktop, tablet) but also the OS and particular device in most cases.
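
The check discussed in the post above, as an added example that is not part of the original post and is not HSBC's or Trusteer's code. The first function reproduces the guessed bug (substring-matching desktop OS names), the second tests for mobile tokens first; all function names are hypothetical and every sample user agent except the iPhone string quoted above is constructed.

```javascript
// Added illustration only. Names are hypothetical; this is not the bank's code.

// Sample user agents. "iphone" is the string quoted in the post above;
// the others are constructed for this example.
const SAMPLES = {
  iphone: "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3",
  windows: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
  mac: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2",
  linux: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1",
};

// The guessed bug: look for desktop OS names anywhere in the string.
// The iPhone user agent contains "like Mac OS X", so it matches.
function naiveShouldOfferRapport(ua) {
  return ua.includes("Mac OS X") || ua.includes("Windows");
}

// Order matters: mobile tokens are tested before desktop ones, because
// mobile user agents embed desktop names ("like Mac OS X", "Linux").
function classifyPlatform(ua) {
  if (typeof ua !== "string" || ua.length === 0) return "unknown";
  if (/\b(iPhone|iPod|iPad)\b/.test(ua)) return "ios";
  if (/\bAndroid\b/.test(ua)) return "android";
  if (/Windows Phone|\bMobile\b/.test(ua)) return "mobile-other";
  if (/Windows NT/.test(ua)) return "windows";
  if (/Macintosh;.*Mac OS X/.test(ua)) return "macos";
  if (/Linux|X11/.test(ua)) return "linux";
  return "unknown";
}

// Only nag on platforms the download exists for (Windows and Mac, per the
// thread). Unknown or unsupported platforms get no prompt.
const SUPPORTED = new Set(["windows", "macos"]);

function shouldOfferRapport(ua) {
  return SUPPORTED.has(classifyPlatform(ua));
}

// Side-by-side result for every sample, for inspection.
function compareChecks() {
  const rows = {};
  for (const [name, ua] of Object.entries(SAMPLES)) {
    rows[name] = {
      platform: classifyPlatform(ua),
      naive: naiveShouldOfferRapport(ua),
      ordered: shouldOfferRapport(ua),
    };
  }
  return rows;
}

console.log(compareChecks());
```

The user agent is supplied by the client and can be set to anything, so a check like this is only suitable for deciding which prompt to show, not for any security decision.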

    3. RICHTO
      Mushroom

      Re: *sigh*

      And not forgetting their terrorist activities including such pleasantries as deliberately targeting and shooting children, using children as human shields, targeting medics and hospitals, shelling public beaches and civilian areas in general, numerous extrajudicial targeted executions and murders - and using white phosphorus on civilians....

  15. LaunchpadBS
    Facepalm

    Obviously IT was to blame...

    It's funny that HSBC are so obviously cutting back in departments that actually count and yet they're making billions laundering money for Middle Eastern dictatorships (or not)...typical upper management..."Testers...surely the developers we outsourced in India do enough testing!" Even though their contract clearly stipulates they are responsible for development only.

    Just speculating...and yes I'm a dev in a department who's just had our budget slashed by those 'up there' because they don't think it's necessary. Apparently quality control is so 20th century.

  16. Ommerson
    FAIL

    Active-X

    First direct (HSBC's internet banking offshoot) also makes some perverse choices.

    They offer a downloadable money manager app to accompany their accounts. Windows Only. For security reasons it's implemented in Active-X. Other platforms apparently not good enough.

  17. Alexis Vallance

    I get this on Mac OS X too.

    1. RICHTO
      Mushroom

      Well OS-X is even more insecure than IOS - No surprise HSBC want to warn you!

  18. Anonymous Coward

    Of course what they should have done is remotely wipe your iphone to render it secure!

  19. John A Blackley

    A failed attempt

    by the DEA to install malware on the phones of members of Mexican drug cartels

  20. Anonymous Coward

    HSBC for Android works fine.

    I have had the HSBC banking app on my Android (using 4.0.4) for some weeks now.

    It downloaded and installed simply without a hitch and is very useful.

  21. RICHTO
    Mushroom

    Well they got the insecure bit right - circa 300 known vulnerabilities in IOS according to Secunia. Quite amazing for such a simple product. Compare that to 1 known (non critical) vulnerability in Windows Phone, or even circa 200 in Windows 7.....

  22. Ascylto
    Big Brother

    23456

    From your World's Favourite Wank!

  23. Christopher W
    Facepalm

    Rapport? Repugnant

    Bloated, inefficient, insecure and wholly unnecessary. Trusteer's known for having done deals with some of the UK's major banks (and some overseas) to push their Rapport security software. It probably works OK on an unprotected machine with no antivirus/internet security package but I've only ever seen it cause problems on a patched, protected machine.

    Usually on those machines there's some fundamental loss of functionality - inability to access the Internet, error messages or crippled behaviour. Guess what fixes it? Removing the Rapport software. Terrible piece of sloppy programming which achieves nothing except infuriating the user.
