HSBC Security
A while back I e-mailed HSBC because their site kept on sending me to a JSP error page whenever I used an “alternative” browser. (This was probably not a page they should send to the user—lots of juicy information for the crackers amongst us.) Their response was, “At this time, HSBC’s Internet Banking service does not support Konqueror for on-line access. The service requires Java, JavaScript, SSL 2.0/3.0, 128bit encryption and cookies to be enabled in order to access the service correctly.”
I don’t see Java anywhere on the site, and I can use their site with JavaScript disabled. Any browser that supports cookies and HTTPS should be able to handle the transactions.
I don’t like letting the world know what browser I use, so I have the UserAgent disabled. Unfortunately, this is unexpected and sends me to the aforementioned error page. After much trial and error, I’ve narrowed down the minimum UserAgent to ‘???/ ( )’. (The question marks can be any characters.)
Aside from their UserAgent checks, HSBC also has several checks for their customers’ usernames and passwords.
- The username has to be at least eight characters long, while the password can be a maximum of eight characters long. (Shouldn’t it be the other way around?)
- The username seems to be case insensitive, while the password is. (They employ JavaScript to convert the username to all caps when logging in, but with JavaScript disabled, it still works. Odd.)
- Both usernames and passwords are limited to alphanumeric characters. They cannot contain spaces or any other characters, sadly. I guess this is one step up from the four-digit numeric PINs ATMs use, though.
I find it disturbing that my money is handled by this kind of software.
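To put numbers on the password rules listed above, here is an added example (not part of the original post, and not HSBC's code) that counts the secrets each rule allows and checks a candidate against it. The minimum password length of 1 and the sample passphrase are assumptions; the post states only the maximum length and the allowed characters.

```python
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: str  # characters the site accepts
    min_len: int
    max_len: int

    def keyspace(self) -> int:
        """Number of distinct secrets the policy allows, over all lengths."""
        n = len(set(self.alphabet))
        return sum(n ** k for k in range(self.min_len, self.max_len + 1))

    def bits(self) -> float:
        """Upper bound on entropy; only uniformly random secrets reach it."""
        return math.log2(self.keyspace())

    def violations(self, secret: str) -> list:
        """Reasons the policy rejects `secret` (empty list means accepted)."""
        out = []
        if len(secret) < self.min_len:
            out.append("too short")
        if len(secret) > self.max_len:
            out.append("too long")
        bad = sorted(set(secret) - set(self.alphabet))
        if bad:
            out.append("disallowed characters: " + repr("".join(bad)))
        return out


ALNUM = string.ascii_letters + string.digits

# Password rule as described in the post; min_len=1 is an assumption.
SITE_PASSWORD = Policy("site password", ALNUM, 1, 8)
ATM_PIN = Policy("four-digit PIN", string.digits, 4, 4)

if __name__ == "__main__":
    for p in (ATM_PIN, SITE_PASSWORD):
        print(f"{p.name:16s} {p.keyspace():>20,d} secrets  <= {p.bits():.1f} bits")
    # Constructed sample: a passphrase the rule turns away on two counts.
    print(SITE_PASSWORD.violations("correct horse battery"))
```

The bit counts are ceilings: passwords people choose themselves fall well below them, and the eight-character cap is what rules out a long passphrase as a way to make up the difference.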