[TEMP RESOLVED] XSS blocking online banking site
I recently installed NS 2.1.0.3 on my Firefox 4.0.1. I am thrilled with it. I also love my bank, but I have never been satisfied with their online banking set-up. They are decades behind the norm, and whatever company they are using (changes are frequent) is really doing them an injustice. Plus it's just annoying to always have the changes, whether UI or jumping to another site, which I then have to add to all my "allow" lists.
So I fully believe the problem is with the bank site trying to jump to their online banking site, even though I have both domains on my whitelist. But I cannot figure out how to work around their shabby programming because I am (shhhh!) not a programmer myself. I hate to admit it, but I had to open IE to pay my bills this month. (Let's not put me in such peril again!)
Can someone help me to either tweak NS or to tell the completely non-technical bank what they need to know to make their online banking contractor set it up correctly? What info do I need to gather?
Thanks!!
Last edited by Tom T. on Tue May 24, 2011 7:12 am, edited 2 times in total.
Reason: temp resolved
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Re: XSS blocking online banking site
The first step would be for us to reproduce your problem. It appears from information available to Moderators that you are posting from the US, correct? If so, we have several US-based team members, so there's a reasonable chance that one of them may have an account at the same bank. Please provide the URL address or name of the bank involved, then we can work from there. If no one has an account, then we'll take a different direction.
For what it's worth, my experience is that banks have the worst IT, and some of the worst security, of any online sites, which you'd think should be the opposite. I ran into the same problem at one, but instead of using IE, I disabled NoScript for that one session. (I have other defense-in-depth measures, but still don't like to do that.) When you tell them, they usually don't care, even the IT teams. Many sites are optimized for IE for reasons we don't have to go into here. They say, just use IE, which proves how little they know of security. Sad.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.15
- Giorgio Maone
- Site Admin
Re: XSS blocking online banking site
May I add, if you got a yellow XSS notification bar, could you please click its "Options" button, select "Show Console" and PM me any "[NoScript XSS]" line you can find there?
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Re: XSS blocking online banking site
ZenPup wrote: So I fully believe the problem is with the bank site trying to jump to their online banking site,
May I add too, that the quickest fix for that is to bookmark the actual login page of the online site, rather than trying to log in from the homepage? It's unfortunate that entering your creds at mybank.com redirects you to online.mybank.com, but many do that. Sorry I didn't catch that the first time.
For example, if I enter user/pass at https://www.wachovia.com, it is sent to
https://onlinebanking1.wachovia.com/myAccounts.aspx?referrer=authService.
https://onlineservices.wachovia.com/auth/AuthService?action=presentLogin&url=https%3a//onlineservices.wachovia.com/NASApp/NavApp/Titanium%3faction=returnHome
Also, in case your bank *is* Wachovia, please note that their merger into Wells Fargo will include transferring online accounts to Wells Fargo, and eventually, the Wachovia online site will be shut down. So there is a good bit of redirecting back and forth during this process.
Last edited by Tom T. on Sat May 21, 2011 5:13 am, edited 1 time in total.
Reason: add auto-browsing usage, and code tags to create scroll bars for long URL
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.15
Re: XSS blocking online banking site
My BoA link, https://sitekey.bankofamerica.com/sas/signonScreen.do.
(You do have to have some preliminary cookies set, but after that works fine. Also keeping JavaScript [& META redirects] disabled [you can use an extension called NoScript for that] lets you "stick it" to them, sometimes.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20110511 Firefox/4.0.1 SeaMonkey/2.1
Re: XSS blocking online banking site
therube wrote: <snip> (You do have to have some preliminary cookies set, but after that works fine. Also keeping JavaScript [& META redirects] disabled [you can use an extension called NoScript for that] lets you "stick it" to them, sometimes.)
Since I never store permanent cookies, I find that allowing session cookies is sufficient everywhere. However, disabling *all* JavaScript breaks most of my secure financial sites; their own scripts have to be allowed. But you can reject the live-chat scripts and third-party scripts, usually. One disgusting financial institution requires you to allow doubleclick.net. Sorry, I'll call a rep and waste your salary dollars and phone time before I'll allow that.

Wells Fargo: https://online.wellsfargo.com/login
JP Morgan Chase, for former Chase customers: https://chaseonline.chase.com/Logon.aspx
JP Morgan Chase, for J. P. Morgan customers:
https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/marketing/page/pcs
Incidentally, I was able to get something very close to therube's URL, even without a BofA account, by going to the home page, bofa.com, selecting a state, and entering "joeblow" as username. Of course it returns a mismatched UserID, but at this address:
https://sitekey.bankofamerica.com/sas/signon.do?&detect=0
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.15
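The bad-credentials trick above (submit junk, watch where the browser lands, bookmark that) is a manual trace of the login redirect chain. The following is an added example, not code from this thread, from NoScript or from any bank, that does the same over a constructed table of HTTP responses: it resolves each Location header, flags every hop that crosses an origin or a site boundary (the jumps that NoScript's XSS filter and RequestPolicy react to), and reports the final page as the bookmark candidate. It also goes one step beyond the thread: for a handoff URL that carries its return address in a `url=` parameter, as the Wachovia one quoted earlier does, it checks that the decoded target stays on the login host's own site over https, which is the check a login contractor should be making before forwarding anyone. The response table, the `evil.example` target and the two-label `site()` approximation are assumptions of the example, not captures from the banks.

```javascript
// Added example, not code from the thread, NoScript, RequestPolicy or any bank.
// Traces a login redirect chain over a CONSTRUCTED response table, classifies
// each hop, and validates a "url=" return parameter on a login handoff URL.

// Registrable domain ("site"), approximated as the last two labels. Adequate
// for the .com hosts in this thread; a real tool would use the Public Suffix List.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// responses: { absoluteUrl: { status, location } }, standing in for what the
// browser sees after submitting credentials. `location` may be relative, as
// real servers sometimes send it; it is resolved against the current URL.
function traceRedirects(startUrl, responses, maxHops = 10) {
  const hops = [];
  const seen = new Set([startUrl]);
  let current = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const r = responses[current];
    if (!r || r.status < 300 || r.status > 399 || !r.location) break; // final page
    const next = new URL(r.location, current).href;
    if (seen.has(next)) throw new Error("redirect loop at " + next);
    seen.add(next);
    const from = new URL(current);
    const to = new URL(next);
    hops.push({
      from: current,
      to: next,
      status: r.status,
      crossOrigin: from.origin !== to.origin,                 // scheme, host or port differ
      crossSite: site(from.hostname) !== site(to.hostname),   // the jump NoScript/RP notice
    });
    current = next;
  }
  // `landing` is the bookmark candidate: the page the chain finally settles on.
  return { landing: current, hops };
}

// Decode the "url=" return target of a handoff URL and require an https target
// on the same site as the login host. A login page that forwards to whatever
// "url=" says after authentication is an open redirect.
function checkReturnUrl(loginUrl) {
  const login = new URL(loginUrl);
  const raw = login.searchParams.get("url"); // searchParams percent-decodes the value
  if (raw === null) return { target: null, allowed: false, reason: "no url parameter" };
  let target;
  try {
    target = new URL(raw);
  } catch (e) {
    return { target: raw, allowed: false, reason: "unparseable target" };
  }
  const allowed = target.protocol === "https:" && site(target.hostname) === site(login.hostname);
  return { target: target.href, allowed, reason: allowed ? "same site" : "off-site or non-https target" };
}

// Constructed response table mirroring the hostnames quoted in the thread.
const sampleResponses = {
  "https://www.middleburgbank.com/personal/": {
    status: 302, location: "https://www.middleburgbankonline.com/onlineserv/HB/Signon.cgi",
  },
  "https://www.middleburgbankonline.com/onlineserv/HB/Signon.cgi": {
    status: 302, location: "Login.cgi", // relative Location, same directory
  },
  "https://www.middleburgbankonline.com/onlineserv/HB/Login.cgi": { status: 200 },
};

// The Wachovia handoff URL quoted earlier in the thread.
const WACHOVIA_HANDOFF =
  "https://onlineservices.wachovia.com/auth/AuthService?action=presentLogin" +
  "&url=https%3a//onlineservices.wachovia.com/NASApp/NavApp/Titanium%3faction=returnHome";

const trace = traceRedirects("https://www.middleburgbank.com/personal/", sampleResponses);
for (const h of trace.hops) {
  console.log(`${h.status} ${h.from} -> ${h.to}${h.crossSite ? "  [cross-site]" : ""}`);
}
console.log("bookmark candidate:", trace.landing);
console.log("return target:", checkReturnUrl(WACHOVIA_HANDOFF));
```

Against the constructed table the first hop (middleburgbank.com to middleburgbankonline.com) is the only cross-site one, and the chain settles on Login.cgi, the same page Tom T. arrived at by hand. For the Wachovia URL the decoded return target is on onlineservices.wachovia.com and passes; swap in an off-site `url=` and it is rejected.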
Re: XSS blocking online banking site
Yes, I'm in the US.
FYI, The bank I use is a small, local bank (which is why I like it--"where everybody knows your name"). The bookmarked URL I start from is https://www.middleburgbank.com/personal/. After logging in, it redirects to https://www.middleburgbankonline.com/on ... anking.cgi. This is the jump that gave NS conniptions.
HOWEVER, tonight when I just went to gather info using IE & then FF with NS, IT WORKED ON FF!
No idea what's different today than yesterday. I haven't done anything using NS except allowing a specific site or maybe one temporary allow-all-on-this-page. If I accidentally turned something on/off, I may never know what did it. And if the bank made an upgrade overnight, I won't know either because I didn't write down the target website yesterday.
But basically, my problem has evaporated, for now at least. I DO appreciate all the speedy & detailed & enthusiastic help! If it acts up again, I will give a yell.
Thank you all!
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Re: XSS blocking online banking site
As an experiment, try bookmarking and logging in at this address:
https://www.middleburgbankonline.com/onlineserv/HB/Login.cgi
I got there by using the method described in one of my posts above: entering bad user/pass and seeing where it takes me. It "looks" like a logical login site for their online banking, but their site is presently down for maintenance, so if you get a chance, perhaps give it a shot and let us know.
One reason to prefer this site, even if the homepage worked, is that if you had to temp-allow the entire page to log in, you're giving up some protection against 3rd-party scripts and code that you might not want running. (privacy invasion). So see if the above site lets you login with everything blocked, except perhaps middleburgbankonline.com and middleburgbank.com. Aside from the site being down, I couldn't find out which are required, because I don't have an account there. Generally, the less you have to allow, the better.
For now, I'll mark this as resolved. You're very welcome for the assistance!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.16
Re: [RESOLVED] XSS blocking online banking site
Tom,
When I use the site you suggested, it just redirects me to the usual starting place, https://www.middleburgbank.com/personal/. Is that what you expected or not??
I have allowed googleanalytics and digitalinsight as well as middleburgbank.com and middleburgbankonline.com. I generally try to allow as little as possible, and temporarily allow only one item at a time when troubleshooting a site. However I have been leaving my windows up lately, which may mean that "temporarily" is still in effect somewhere. When I get a couple more cycles in my life, I will shut everything down & try again to login to my bank with FF+NS & see what happens. I'm still curious about it even though it's working ok for now.
Thanks again!
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Re: [RESOLVED] XSS blocking online banking site
ZenPup wrote: When I use the site you suggested, it just redirects me to the usual starting place, https://www.middleburgbank.com/personal/. Is that what you expected or not??
Um, no, I was hoping it would take you directly to your accounts page. See the post above about my Wachovia account, and the very lengthy bookmark (you have to slide the scrollbar to see it all, or just "select all" and copy/paste to a text doc) that succeeds in doing just that.

ZenPup wrote: I have allowed googleanalytics and digitalinsight
No need to allow googleanalytics. By default, if you block it, NoScript will run a Surrogate Script that will make them happy and prevent the page from breaking, while not giving out your personal info to GA.
I wasn't familiar with Digital Insight, but according to that source, it appears to be a legit provider of online banking, bill pay, etc. for the type of small, independent bank you described, where it's not economical to do it in house like the big guys (might) do. So I'd say, yes, allow that.

ZenPup wrote: I generally try to allow as little as possible, and temporarily allow only one item at a time when troubleshooting a site.
Correct.

ZenPup wrote: However I have been leaving my windows up lately, which may mean that "temporarily" is still in effect somewhere.
Best Practice: Before engaging in sensitive activities like financial management, close *all* browsers, tabs, windows, whatever. Then re-open a fresh browser, do your banking, and *close it* before resuming non-sensitive browsing. Even some of the financial institutions themselves, in spite of my negative first post, warn you to close that instance of your browser after logging out. And clear your history, cookies, etc., either manually, Private Browsing mode, or by, say, configuring Sandboxie to empty completely every time the browser is closed. Then you start with a fresh, clean browser, with no traces left for snoopy sites and adverts to sniff out.

ZenPup wrote: When I get a couple more cycles in my life, I will shut everything down & try again to login to my bank with FF+NS & see what happens. I'm still curious about it even though it's working ok for now.
So am I. Is there any way at all that you can create a second online access, that has *no* access to your actual accounts, and no money or anything, and PM me the login credentials, so I could play with the site and see how we can get you logged in directly, without the back-and-forth? I have a 100% track record, except for one stubborn site that just doesn't seem to care about supporting Firefox at all. ("Use IE". Gee, thanks, guys.) Then close that one permanently, of course.

ZenPup wrote: Thanks again!
You're welcome. Is the avatar part of the appreciation? No reward necessary, but a nice pic. Cheers.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.16
Re: [RESOLVED] XSS blocking online banking site
ZenPup wrote: When I get a couple more cycles in my life, I will shut everything down & try again to login to my bank with FF+NS & see what happens. I'm still curious about it even though it's working ok for now.
Tom T. wrote: So am I. Is there any way at all that you can create a second online access, that has *no* access to your actual accounts, and no money or anything, and PM me the login credentials, so I could play with the site and see how we can get you logged in directly, without the back-and-forth? I have a 100% track record, except for one stubborn site that just doesn't seem to care about supporting Firefox at all. ("Use IE". Gee, thanks, guys.) Then close that one permanently, of course.
:\ Can't do myself, and not sure that the technophobic bank would understand why/how to do that.

ZenPup wrote: Thanks again!
Tom T. wrote: You're welcome. Is the avatar part of the appreciation? No reward necessary, but a nice pic. Cheers.
Sure, why not? Enjoy!

Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Re: [RESOLVED] XSS blocking online banking site
ZenPup wrote: When I get a couple more cycles in my life, I will shut everything down & try again to login to my bank with FF+NS & see what happens. I'm still curious about it even though it's working ok for now.
Tom T. wrote: So am I. Is there any way at all that you can create a second online access, that has *no* access to your actual accounts, and no money or anything, and PM me the login credentials, so I could play with the site and see how we can get you logged in directly, without the back-and-forth? I have a 100% track record, except for one stubborn site that just doesn't seem to care about supporting Firefox at all. ("Use IE". Gee, thanks, guys.) Then close that one permanently, of course.
ZenPup wrote: :\ Can't do myself, and not sure that the technophobic bank would understand why/how to do that.
Not surprised, but it was worth a shot. If you have time and want to, have another look at the post where I diagnosed the direct get-you-there login page for Wachovia, and see if those kinds of steps help you locate the secret keys to the castle.
I don't suppose that calling *and asking specifically for online support* would get you an answer? Again, a long shot, but worth a try... they don't really care about your time; they want you to see the ads for all their products and services.

ZenPup wrote: Thanks again!
Tom T. wrote: You're welcome. Is the avatar part of the appreciation? No reward necessary, but a nice pic. Cheers.
ZenPup wrote: Sure, why not? Enjoy!
ZenPup wrote: And thanks for not treating me like just some dumb blonde girl.
Well, we like to treat all of our users properly, and not stereotype, but you've already shown above-minimal tech knowledge by the statements about basic diagnostic procedures, etc.

Let us know if you find out anything else, and in that sparse commodity called "spare time"

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.16
Re: [RESOLVED] XSS blocking online banking site
@ Giorgio: From https middleburgbank.com, the XSS notification was:

Console was:
Error: ps_setDoCookie is not defined
Source File: https://www.middleburgbank.com/
Line: 193
Error: ps_setDoCookie is not defined
Source File: https://www.middleburgbank.com/personal/
Line: 382
*********************
@ ZenPup:
Reading the fine print below the box:
This online banking service works best with these browsers.
Which takes us to:
https://www.middleburgbankonline.com/on ... d_browsers
RECOMMENDED BROWSERS FOR INTERNET BANKING
* Microsoft Internet Explorer 7.0 or 8.0
* Mozilla Firefox 3.0
* Safari 3.0
This proved to be irrelevant, as did the recommended settings (SSL 2.0? Waay obsolete. Java applets? Not necessary.) And so forth for the rest of that page. (No support for Windows 7? lol)
3. From the Keep Cookies dropdown list, select "until they expire".
Bad advice. Some expire forty years from now. Use either "Session only" or "Ask me every time", and my answer is always "For this session only". Suppose you have the lifetime cookie. It's possible that merely browsing to the login site logs you in automatically. Very convenient. Also convenient for the burglar who comes in while you're at work or whatever, fires up your machine, checks the Bookmarks for financial sites.... Does my opening rant make any more sense yet?
OK, I went to
https://www.middleburgbankonline.com/onlineserv/HB/Signon.cgi
with Fx 3.6.16 with the RequestPolicy add-on, and did NOT allow any of the cross-site requests that show when you click the RP icon and get the menu.
In NoScript, I allowed (temp for me, whitelist for you)
https://cbr.digitalinsight.com
https://www.middleburgbankonline.com
But *not* middleburgbank.com !!!
Or the "blocked object", a Flash video with annoying slide-show ads.
and when RP said it wanted to redirect to the home page, I clicked "Deny". That left a User ID box, a Password box, and a Login button that might actually work! I entered some made-up credentials, got the proper error message, but was still at a close relative,
https://www.middleburgbankonline.com/onlineserv/HB/Login.cgi
with another login box and with no attempt to redirect back to the home page. You may yet need to add the middleburgbank.com script, but if this works for you with RP preventing the redirection, this almost qualifies as a hack, in the formerly honorable sense of the word: A workaround for someone else's incompetence or inflexible programming.
OK, tried that again with Fx 4.0.1, also with RP add-on, same steps, same results. So the "recommended browsers" page is totally obsolete, counter-productive, and anti-security. Ignore it. (And RequestPolicy is another excellent addition to your defense-in-depth arsenal, and I'm grateful that Giorgio recommended it to me a long time ago.)
These results were a good sign. I'm afraid I can't go any farther than that without genuine creds, and that's a responsibility I'd rather not have, thanks.

ANY-way, see if all of that makes a difference, and let us know. And by the way, this is *not* necessarily due to the everybody-knows-your-name small bank. As mentioned above, I deal with Wachovia, but also with a local credit union that covers only a few counties. At Wach, all deposits after 2pm are not posted until the next day. And all transactions are not visible online until the day after the posting date, whatever that is, because they apparently update the server only once a day, at midnight local, I think. So a deposit at 2:02 pm Friday isn't posted until Monday, and isn't visible online until Tuesday. Or since next Monday is a holiday, until the following Wednesday. But at Small Credit Union, a few blocks from home, I can make a drive-thru deposit, go straight home in 45 seconds, log in, and see the deposit online. Real-time updates of *everything*.
So regardless of whether it's done in-house or contracted out, it's each institution's choice what specifications and standards they want for their online service, and clearly, "size doesn't matter". Cheers.
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
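The experiment above stacks two independent allowlists: NoScript's per-site script whitelist (https://cbr.digitalinsight.com and https://www.middleburgbankonline.com allowed as exact origins, middleburgbank.com and the Flash object not), and RequestPolicy's deny on every cross-site request from the login page, including the redirect back to the home page. The following is an added example, not NoScript's or RequestPolicy's own code, that models those two decisions over a constructed request log so you can see which layer stops which request and why a request has to pass both. The matching semantics (an entry with a scheme is an exact origin; a bare domain covers its subdomains), the request log, and treating plugin objects as blocked are assumptions of this model, not the extensions' actual rule engines.

```javascript
// Added example: a simplified model of the two allowlists combined in the
// post above. It is NOT NoScript's or RequestPolicy's real code; the matching
// rules and the request log are assumptions made for illustration.

// Registrable domain ("site"), approximated as the last two labels (fine for .com).
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// NoScript-style whitelist entry. With a scheme ("https://cbr.digitalinsight.com")
// it matches that exact origin only; a bare domain ("digitalinsight.com")
// matches the domain itself and every subdomain.
function entryMatches(entry, url) {
  const u = new URL(url);
  if (entry.includes("://")) return new URL(entry).origin === u.origin;
  return u.hostname === entry || u.hostname.endsWith("." + entry);
}

// NoScript layer: scripts run only from whitelisted entries. Plugin objects
// (the Flash slide show in the post) are modelled as blocked regardless,
// matching the "blocked object" that was left alone.
function noscriptDecision(scriptWhitelist, req) {
  if (req.type === "object") return "block";
  if (req.type !== "script") return "n/a";
  return scriptWhitelist.some((e) => entryMatches(e, req.url)) ? "allow" : "block";
}

// RequestPolicy layer: same-site requests pass; a cross-site request
// (a redirect included) needs an explicit origin-site -> destination-site rule.
function requestPolicyDecision(rules, fromUrl, toUrl) {
  const from = site(new URL(fromUrl).hostname);
  const to = site(new URL(toUrl).hostname);
  if (from === to) return "allow";
  return rules.some((r) => r.from === from && r.to === to) ? "allow" : "deny";
}

// Run both layers over a page's outgoing requests. A request loads only if
// neither layer stops it.
function evaluatePage(pageUrl, requests, scriptWhitelist, rpRules) {
  return requests.map((req) => {
    const rp = requestPolicyDecision(rpRules, pageUrl, req.url);
    const ns = noscriptDecision(scriptWhitelist, req);
    const outcome = rp === "deny" || ns === "block" ? "blocked" : "loaded";
    return { ...req, requestPolicy: rp, noscript: ns, outcome };
  });
}

// CONSTRUCTED scenario using the hostnames from the thread; the paths are made up.
const PAGE = "https://www.middleburgbankonline.com/onlineserv/HB/Signon.cgi";
const REQUEST_LOG = [
  { type: "script",   url: "https://www.middleburgbankonline.com/onlineserv/HB/login.js" },
  { type: "script",   url: "https://cbr.digitalinsight.com/hb/session.js" },
  { type: "script",   url: "https://www.middleburgbank.com/js/ps_cookie.js" },
  { type: "redirect", url: "https://www.middleburgbank.com/personal/" },
  { type: "object",   url: "https://www.middleburgbankonline.com/promo/slideshow.swf" },
];
// What was allowed in NoScript: two exact origins, and *not* middleburgbank.com.
const SCRIPT_WHITELIST = ["https://cbr.digitalinsight.com", "https://www.middleburgbankonline.com"];
// The post allowed no cross-site requests in RequestPolicy at all.
const RP_RULES = [];

function loginPageDecisions() {
  return evaluatePage(PAGE, REQUEST_LOG, SCRIPT_WHITELIST, RP_RULES);
}

for (const d of loginPageDecisions()) {
  console.log(`${d.outcome.padEnd(7)} ${d.type.padEnd(8)} ${d.url}  (RP: ${d.requestPolicy}, NS: ${d.noscript})`);
}
```

With RequestPolicy denying all cross-site traffic, the redirect to the home page is stopped by RequestPolicy alone (NoScript has no say over a redirect), the home page's script is stopped by both layers, the Flash object by NoScript alone, and the digitalinsight script is whitelisted in NoScript yet still blocked by RequestPolicy; adding a single middleburgbankonline.com to digitalinsight.com rule in `RP_RULES` is what lets it through. That is the practical meaning of "the less you have to allow, the better": each layer has to be opened separately, and only for the relationship the login actually needs.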