back to article Shifty scripts on Santander site prompt security fears

Parent firm Santander is reassuring customers that the website of its banking subsidiary Alliance & Leicester is secure despite the presence of JavaScript on its login pages served up from recently created sites of unknown provenance. Reg reader Matt Freeman said he was prompted with a SSL certificate warning from a domain …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. Patrick O'Reilly
    FAIL

    Third Party Javascript

    So a bank is using 3rd party javascript on their site?

    Sounds like a recipe for disaster.

    1. Bilgepipe
      WTF?

      Analytics?

      Why are they using analytics on the login page anyway? Do they not know who their own customers are?

      1. Andy Livingstone

        Well, it's like this........

        As a Santander customer who can only access my accounts by entering via the A & L web site (though no longer have an A & L account) I can say that from personal experience Santander have not a clue about who their customers are, what they want, or dare I say it why they should even think of trying to access their own money.

        The only way I got some of my own money out of them was to keep going through the massed ranks of plonkers till one finally understood that they had set the whole thing up completely wrongly.

        No longer the Abbey Habit, now simply Spanish Practices.

        Unfortunately it is increasingly difficult to find a real bank.

        Some day, I fear, the great Santander system will swallow cahoot too - the only part of their Empire which still has real working systems and real people to resolve issues rather than compound them.

        1. Danny 14 Silver badge
          Badgers

          oh and dont get me started

          They seem to want me to download some software shite EVERYTIME I log on. I have absolutely no intention of installing whatever crap you throw at me so GIVE ME A DONT PESTER ME AGAIN checkbox.

          ta greatly.

      2. Gene Cash Silver badge
        Unhappy

        Same retards at Chase

        When I bank at JP Morgan Chase, their website tries to go to doubleclick.com, which I have thoroughly blocked at three levels: my firewall, my hosts file, and AdBlock+.

        And since they've recently bought 3 failed banks, I'm sure they have no idea who their customers are. I signed up for their credit card 8 months ago, and yesterday I got no fewer than 3 applications for the same card in my snail mail.

  3. JimC

    Why does anyone use on line banking?

    The terms and conditions are atrocious and they put all the responsibility on you without giving you the slightest way of finding out what's gone wrong...

    1. Marvin the Martian
      Linux

      Why oh why?

      Online banking is indeed a fad, surprised anybody would want to use it. I Also find using that plastic cash a needless encumberment, too! And don't get me started on this paper-and-metal-coins malarkey, either.

      For me it's pig iron ingots all the way, and animal hides for the change.

      1. Apocalypse Later

        Paper money is definitely malarkey, but...

        ...half crown coins from before 1946 are worth almost six quid today, before 1920, eleven quid. That's just the value of the metal, no numismatic element.

        1. sabroni Silver badge

          Malarkey it may be..

          ...but it's a lot quicker than chip'n'pin! When I pay for fuel I take about a tenth of the time that the card payers do.

          1. DRendar

            Quicker? Really?

            Let's compare apples with apples eh?

            1 if you use a card, then in many petrol stations now you can pay at the pump, thereby avoiding having to go into the booth, and join a hideously long queue at all.

            2 if you go into the booth to pay, (and there's no queue) then it might be slightly quicker (takes me about 10-15 seconds) but you will have had to take the time and had the foresight to go to the bank/ATM first, in order to have that cash in your pocket in the first place, and how much longer does that take? 5 - 20 minutes?

            So 5minutes to save maybe 10 seconds. Bravo!

            That is unless you walk about with your wallet perpetually full of cash, in which case, you've got some balls on you - or too much money :-)

            Personally I despise people who go to a pay-at-the-pump station, then dawdle off to the booth (and the queue) to pay, and I'm sat, finished and paid up, at the pump behind waiting to get out because they either didn't pull in close enough to the pump so I could get out, or the station is too narrow.

            Grrrr!

            1. Anonymous Coward
              Anonymous Coward

              A:

              I've too much money

              B: I do walk with my wallet stuffed with cash ( lopsided)

              C: I live in a crime-free area

              D : What's it to you ?

              E : I pay at the pump anyway since I get cash-back on my credit card

              F: I always use Internet banking ( with 20 digit passwords)

              G: If I went to the booth I'd use credit card (see E)

      2. JimC

        yeah but....

        If all you mugs hadn't signed up for the "rape me" terms and conditions they'd have been forced to introduce something more reasonable...

  4. Anonymous Coward
    FAIL

    internet banking

    absolute madness

  5. Sampler

    Polycache.com blocked at firewall level and host files updated to redirect to localhost

    now, where's my tinfoil hat..

  6. Anonymous South African Coward Silver badge

    The day after tomorrow...

    ...or some other random time will see the brown stuff hitting the propelling device.

  7. John Wilson
    FAIL

    Unfounded?

    'worries to the contrary were "unfounded".'

    This suggests an incomplete understanding of the English language. The security risk may not have been realised or exploited, but fears of a security risk were most certainly well founded.

    1. Gary F
      Unhappy

      Que? Mr Fawlty? Que?

      Slap, slap, slap!

  8. David Gosnell

    Not the first time

    I raised questions about their third-party user tracking years ago and was brushed off.

    I have all Javascript disabled on the site, which helpfully hides the Rapport crap too.

  9. Matthew 25
    Coat

    The title

    All 3rd party scripts understood,

    All customer data secure,

    All pigs fed and ready to fly

  10. Dan 55 Silver badge

    Other domains in that script

    Including Abbey National, HSBC, Yahoo and more banks including santander.cl.

    Time to add polycache.com and advanced-web-analytics.com to the hosts file.

    Santander's explanation doesn't wash.

  11. TeeCee Gold badge
    FAIL

    "...since this covered a fraud and security issue...."

    So according to them it *is* a fraud and security issue but also nothing to worry about? How does that work then?

    Unless of course it's not a fraud and security issue but a cockup and arse-covering one....

  12. Anonymous Coward
    WTF?

    It gets worse

    The service that replaced the old Abbey online banking site encourages you to download and install "security" software to ensure the safety of your session.

    Great. So I have to install local software to secure a single web app?

    1. David Gosnell

      If it's the same as A&L ...

      ... Block Javascript, and the Rapport nags (irrelevant to me since I use an incompatible and significantly-less-vulnerable-to-start-with browser) will quietly vanish. The only downsides are that the PIN box doesn't auto-focus any more and the quick payment sidebar item doesn't do anything.

      Of course, the Abbey features may be slightly different in the first place, but you get the idea.

  13. Anonymous Coward
    Anonymous Coward

    Paint me a stick-in-the-mud, but...

    ... I don't think it is appropriate for a bank to use third parties for their core business. Now-a-days, that does include online banking.

    "Trust" never comes in convenient sixpacks, you know.

  14. Anonymous Coward
    Thumb Up

    Finally

    someone else has clued up to whats happening here.

    Most UK financial / media sites send stuff to third parties for 'analysis'

    Not only that it happens within the ssl bit, ie when you have logged on.

    Here is my log of the last 24hrs, of the organisations I block

    64.236.79.229 4 80 ARIN US ATDN-ISP

    62.41.70.122 1 80 RIPE NL NL-KPN-BBT-20000510

    217.163.21.38 1 80 RIPE GB YAHOO-IE

    62.41.70.170 1 80 RIPE NL NL-KPN-BBT-20000510

    199.255.34.89 8 443 ARIN US CORE-DEN-01

    204.77.29.128 2 443 ARIN US CORE-ATL-01

    188.121.36.239 1 80 RIPE NL Prolexic Technologies Inc

    87.249.105.28 12 443 RIPE EU NEDSTAT2

    66.235.139.166 1 80 ARIN US OMTR-SJ1

    212.118.226.91 1 80 RIPE GB UK-INTERNAP-20000530

    77.72.113.58 1 80 RIPE NL NL-NEDSTAT

    188.121.36.238 5 80 RIPE NL Prolexic Technologies Inc

    66.235.133.33 1 80 ARIN US OMTR-SJ1

    87.249.105.58 1 80 RIPE EU NEDSTAT2

    63.140.40.27 10 443 ARIN US OMTR-SJ1

    66.235.148.128 5 80 ARIN US OMTR-SJ1

    Now the organisations will not tell you what they send as its commercially sensitive , but its all legal!!

  15. Anonymous Coward
    Thumb Down

    Change from Alliance and Leicester has caused problems

    Over the past few days we had become worried that a large cheque deposited into our on-line account and which a confirmation of receipt was received had not appeared on our list of recent transactions. Calls (0844) to the bank were answered with "It has cleared and will be shown tomorrow" Today after pressing them and suggesting there had been a fault in the changeover they finally admitted that some transactions at the time of the takeover did not make it to the online listing. We subsequently discovered a missing payment from the listing. On checking, the balance however appears to be correct.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019