Thursday, 11 February 2016

Why am I not surprised a bank's website is rubbish?

Recently I decided to finally do something about my rubbish Alliance & Pester / Santander bank account that pays no interest, and go through the hassle of opening a new bank account that pays a better rate of interest. TSB offer quite a good rate, so I applied to open an account with them online. Their sign-up / security process is pretty bad though:

As you can see, it didn't like my username containing non-alphanumeric chars. Underneath the username section it says "Your user ID must be between 9 and 30 characters long and can include letters, numbers and special characters (see the tip section above for ideas on which special characters to include)." (emphasis mine).

Yet when you look at the tip section, it makes no mention of special characters. With an alphanumeric-only password but 'special chars' in my username, I was not able to continue; without 'special chars' in the username I could continue on to the next page. So clearly special characters are not allowed in the username.

As well as giving incorrect information on the signup page, the fact that they don't allow special characters and also make the username / password case insensitive is bad for security. The smaller the set of allowed characters, the smaller the space of possible user ID / password combinations, and the easier it is for someone to brute force their way to a correct one.
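To put numbers on that, here is an added example (my own illustration, not anything taken from TSB's site) that works out the size of the search space, in bits, for a 9 to 30 character user ID under three policies: the case-folded alphanumeric set the form actually accepts, the same set with case preserved, and case-sensitive with ASCII punctuation. The 9 to 30 length comes from the bank's own wording; using all 32 ASCII punctuation characters as the "special characters" is an assumption.

```python
import math
import string

# Charset sizes per policy. Treating string.punctuation (32 chars) as the
# "special characters" is an assumption; the page never lists them.
CASE_FOLDED_ALNUM = len(string.digits + string.ascii_lowercase)                 # 36
ALNUM = len(string.digits + string.ascii_letters)                               # 62
ALNUM_SPECIAL = len(string.digits + string.ascii_letters + string.punctuation)  # 94


def keyspace_size(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct strings of length min_len..max_len over the charset."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("invalid policy")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def keyspace_bits(charset_size: int, min_len: int, max_len: int) -> float:
    """log2 of the keyspace: the work factor for exhausting every candidate."""
    return math.log2(keyspace_size(charset_size, min_len, max_len))


def guess_ratio(weaker_bits: float, stronger_bits: float) -> float:
    """How many times more guesses the stronger policy costs an attacker."""
    return 2.0 ** (stronger_bits - weaker_bits)


def compare_policies(min_len: int = 9, max_len: int = 30) -> dict:
    """Search-space bits for each policy at the bank's stated length range."""
    policies = {
        "alphanumeric, case-folded": CASE_FOLDED_ALNUM,
        "alphanumeric, case-sensitive": ALNUM,
        "alphanumeric + punctuation, case-sensitive": ALNUM_SPECIAL,
    }
    return {name: keyspace_bits(size, min_len, max_len) for name, size in policies.items()}


if __name__ == "__main__":
    bits = compare_policies()
    for name, b in bits.items():
        print(f"{name:45s} {b:7.1f} bits")
    weak = bits["alphanumeric, case-folded"]
    strong = bits["alphanumeric + punctuation, case-sensitive"]
    print(f"full policy needs ~{guess_ratio(weak, strong):.3g}x more guesses")
```

The gap is dominated by the longest allowed length, so even just preserving case (36 to 62 symbols) costs an attacker roughly 2^23 times more work at the 30 character end.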

It wouldn't surprise me if the user ID and password are also ASCII only. While this also decreases security, it's more of a problem from an accessibility standpoint. If I were Chinese, my preferred user ID may well be something in Chinese, but I'd be forced to use something in ASCII. It's not a big problem - you could still use the same keystroke combination, but you'd see a jumble of random letters rather than the Chinese characters, making identifying typos a bit more difficult.