If you are good with Greasemonkey, you can override their stupid "no paste" JavaScript and make the page work correctly again.
Greasemonkey is a great tool for this.
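The userscript approach mentioned above, as an added example that is not part of the original post or of any site's code: it neutralises the two usual "no paste" tricks, inline `onpaste="return false"` attributes and `addEventListener` handlers that call `preventDefault()` on clipboard events, on your own browser. The header values (name, namespace, `@match`) and the field selectors are assumptions for illustration.

```javascript
// ==UserScript==
// @name         Re-enable paste on form fields
// @namespace    example.invalid
// @match        https://*/*
// @run-at       document-start
// @grant        none
// ==/UserScript==

// Added example userscript (not from the original thread). It runs at
// document-start so that our capture-phase listener is registered before
// any of the page's own scripts get a chance to register theirs.
'use strict';

// Clipboard-related events a page typically cancels to block pasting.
const BLOCKED_EVENTS = ['paste', 'copy', 'cut', 'drop'];

// The inline handler attributes with the same effect (onpaste="return false").
const INLINE_ATTRS = BLOCKED_EVENTS.map((name) => 'on' + name);

// Remove inline clipboard handlers from one element, whether they were set
// as an HTML attribute or assigned as a property from script.
// Returns the number of handlers removed so callers can log or test it.
function stripInlineBlockers(el) {
  let removed = 0;
  for (const attr of INLINE_ATTRS) {
    if (el.hasAttribute(attr)) {
      el.removeAttribute(attr);
      removed += 1;
    }
    if (typeof el[attr] === 'function') {
      el[attr] = null;
      removed += 1;
    }
  }
  return removed;
}

function isTextField(el) {
  if (!el || typeof el.tagName !== 'string') return false;
  const tag = el.tagName.toUpperCase();
  return tag === 'INPUT' || tag === 'TEXTAREA';
}

// Register a capture-phase listener on the document for each clipboard event.
// stopImmediatePropagation() keeps the event away from the page's listeners
// (on the field, its ancestors, and any document listener registered after
// ours), so none of them can call preventDefault() and the browser performs
// the normal paste. Only form fields are touched. Returns the listener count.
function installPasteGuard(doc) {
  for (const name of BLOCKED_EVENTS) {
    doc.addEventListener(name, (event) => {
      if (isTextField(event.target)) event.stopImmediatePropagation();
    }, true);
  }
  return BLOCKED_EVENTS.length;
}

// Strip inline blockers from every field under root. Returns how many fields
// actually had something removed.
function cleanExistingFields(root) {
  let cleaned = 0;
  for (const el of root.querySelectorAll('input, textarea')) {
    if (stripInlineBlockers(el) > 0) cleaned += 1;
  }
  return cleaned;
}

function main(doc) {
  installPasteGuard(doc);
  doc.addEventListener('DOMContentLoaded', () => {
    cleanExistingFields(doc);
    // Login forms are often rendered late; re-clean whenever the DOM changes.
    new MutationObserver(() => cleanExistingFields(doc))
      .observe(doc.documentElement, { childList: true, subtree: true });
  });
}

// Only run in a browser; under Node the functions above can be exercised
// against fake elements without a document.
if (typeof document !== 'undefined') main(document);
```

Two caveats: the capture-phase trick only wins if the script really runs before the page's scripts (`@run-at document-start`), and a site that blocks Ctrl+V in a `keydown` handler rather than on the `paste` event is not covered here, since suppressing all keydown events at document level would break the page's own shortcuts.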
It's a side effect of what they are doing with the keyboard handler, which is removing any ability to hook it.
A lot of the common keyloggers (AdvancedKeyLogger, KeyGhost, Absolute Keylogger, Actual Keylogger, Actual Spy, Family Key Logger, GHOST SPY, Haxdoor, MyDoom) all use that method.
The ability to cut and paste is unfortunately a side effect of the change, but in some ways it is a blessing.
So basically the bank is doing something Microsoft should have done, which is, when you enable a secured connection, cut the feed to all Windows hooks; that would have been the preferred option.
You won't be able to restore the function; it's way lower than anything Java can reach. The paste functions will not take input from the normal button Win32 messages if implemented correctly. The hint is you would have to register the message with the class, and for that you need the security key.
What you think of as a button isn't a button at all; it's a bitmap that gets drawn on from deep inside the security sections. Think of a rolling counter on a website, or even look at the US debt clock. The screen drawing is totally fictional; the key messages never come outside the application kernel.
In vino veritas
modified 24-Oct-16 8:14am.
leon de boer wrote: It's a side effect of what they are doing with the keyboard handler which is removing any ability to hook it.
That could well be it (and it's nice to know that there might be some kind of reason) but if it's going to compromise security in other ways, it seems like a rather bad idea.
This site was one of several that I've registered with in recent times in the same sector (UK turf accountancy/equine futures market) that have really astonished me with the inadequacy of their security systems.
The sites belonging to two of the largest high street names bounce between https:// and http:// with gay abandon.
One uses a PIN number rather than a password. That, I find utterly unbelievable.
A couple have the old "password must be between x and y characters long" thing going on. Something that seems increasingly "last century" to me. Thankfully, this one does seem to be getting a bit rarer these days.
Every single one that has a "security question" (I guess I'm talking about 20 or so sites here) has the same default question - mother's maiden name: if you can't remember it you can always find it on your birth certificate or some genealogy website or other. Other people can find it, too, of course, if they don't happen to know it already, but hey! Nothing's ever quite perfect ...
NEVER put in your mother's maiden name or any other information like that.
That totally exposes you and completely defeats any security, as that information is usually public knowledge. This is a perfect example of astonishing incompetence by the site developers.
I make up a unique answer for every site.
For example, on one site, my mother's maiden name might be "aseej#$i70kKnP++-{F46^".
Which was actually amusing when I had to tell my bank that on the phone one day...
Basildane wrote: incompetence by the site developers.
I doubt it is the developers making these decisions.
There are only 10 types of people in the world, those who understand binary and those who don't.
leon de boer wrote: So basically the bank is doing something Microsoft should have done which is when you enable a secured connection cut the feed to all windows hooks which would have been the preferred option.
I'm curious how you expect MS to be able to accomplish that. Setting aside that there's nothing they could do to affect the situation on people running Linux/MacOS/Android/iOS/BSD/etc, just getting enough visibility into 3rd party browsers to do it Windows wide would require a cluster-elephant of kernel mode snooping to try figuring out what's going on inside other peoples code.
Lastly, AFAIK low level user IO hooks are extensively used by accessibility software which means that to interfere with the crappiest common denominator of malware they'd be throwing everyone with disabilities under the security theater bus.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
I see this more and more. Really annoying.
I use KeePass and have it generate a password as my made-up ones are way too easy.
(What is wrong with HelloWorld42?)
There must be someone out there who came up with the idea and is spreading it to financial institutes.
Mongo: Mongo only pawn... in game of life.
There are worse. One of the banking sites I use has all that, PLUS they disabled the Tab key from moving to the next field too.
Not only do you have to key the id in using the KB (no paste on any browser, no auto complete), but then take your hands off the KB, use the mouse to click on the password box, and then hands back to the KB to enter that then back to the mouse to click OK.
After that use the mouse to select an option which then opens a new input box to enter the OTP,
use the plastic calculator thing to generate the OTP,
click on the OTP input field (because it doesn't put you there by itself),
key that in,
then use the mouse to click OK because again Tab/Enter does nothing.
Now you can finally do what you came for, but the whole site is almost all like that, no tab, some later fields can be pasted but woe betide you accidentally paste a no-no character (including accidental trailing spaces on/in numbers - phone number(s) too). Think for too long and it tosses you right out - no warning.
(Even the "feedback form" that it requests you to fill in after you've finally done is like that, and it includes fields to key in basic info like name, phone, which account(s) you have, as if they didn't already know that.)
Thank you, please come again. - Well not if I can bloody help it.
Sin tack ear lol
Pressing the "Any" key may be continuate
PeejayAdams wrote: that they had disabled pasting into the password and confirm password fields.
Some websites have been that way for many years. I'm sure it is so that you are forced to re-enter your password. If you mistype and then paste it you'll send support a complaint that your new password does not exist. This way, you are more sure to type it in right.
Some websites don't even bother with the confirm password.
There are only 10 types of people in the world, those who understand binary and those who don't.
I find it a PITA. Generally, they want two confirmations: Email and password.
So I have to type my email in twice - instead of copy'n'paste from my password store. Then I have to do the same with my password. And since I try to use a fresh GUID as my password each time I don't even know (or care) what it is, so typing it is more likely to give a problem than not.
And don't even get me started on "what is a valid password" - some insist on upper and lower case, some must have a number, some won't allow special characters, some want 8 letters, some want 10. And they never tell you their arbitrary rules in advance either...
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
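The complaint above about undisclosed, arbitrary password rules is easy to illustrate in code. The following is an added example, not code from the original thread or from any site: a site's rules are declared once as data, so the same object drives both the hint shown before the user types and the check run on submit. The two policies and the sample GUID password are constructed for illustration; the point it shows is that a legacy "8 to 10 characters, upper, lower and digit" policy rejects a 128-bit random GUID that a length-only policy accepts.

```javascript
// Added example (not from the original thread). Policy values are
// constructed for illustration and do not describe any real site.
'use strict';

// Character-class rules a site may demand, keyed by a short id.
const CLASS_RULES = {
  upper: { text: 'an upper-case letter', re: /[A-Z]/ },
  lower: { text: 'a lower-case letter', re: /[a-z]/ },
  digit: { text: 'a digit', re: /[0-9]/ },
  symbol: { text: 'a symbol (anything that is not a letter or digit)', re: /[^A-Za-z0-9]/ },
};

// Build a policy as a list of { id, text, test } rules. The text is what the
// user is told up front; test is what the submit handler runs.
function makePolicy({ minLength = 8, maxLength = 256, classes = [] } = {}) {
  const rules = [
    { id: 'minLength', text: `at least ${minLength} characters`, test: (p) => p.length >= minLength },
    { id: 'maxLength', text: `at most ${maxLength} characters`, test: (p) => p.length <= maxLength },
  ];
  for (const c of classes) {
    const rule = CLASS_RULES[c];
    if (!rule) throw new Error('unknown character class: ' + c);
    rules.push({ id: c, text: rule.text, test: (p) => rule.re.test(p) });
  }
  return rules;
}

// Human-readable rule list, to be shown next to the field before typing starts.
function describePolicy(rules) {
  return rules.map((r) => '- ' + r.text);
}

// Ids of every rule the candidate password fails; an empty list means accepted.
function checkPassword(password, rules) {
  return rules.filter((r) => !r.test(password)).map((r) => r.id);
}

// Constructed policies: the "last century" one and a length-only one.
const LEGACY_POLICY = makePolicy({ minLength: 8, maxLength: 10, classes: ['upper', 'lower', 'digit'] });
const SANE_POLICY = makePolicy({ minLength: 12, maxLength: 256 });

// Constructed sample: a random GUID used as a password (lower-case hex and hyphens).
const GUID_PASSWORD = '3f2504e0-4f89-11d3-9a0c-0305e82c3301';

console.log('Legacy policy:\n' + describePolicy(LEGACY_POLICY).join('\n'));
console.log('GUID fails legacy rules:', checkPassword(GUID_PASSWORD, LEGACY_POLICY));
console.log('GUID fails sane rules:', checkPassword(GUID_PASSWORD, SANE_POLICY));
```

Because `describePolicy` and `checkPassword` read the same rule objects, the hint shown before the user types can never drift from what the submit check enforces, which is the failure the post describes.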
OriginalGriff wrote: And they never tell you their arbitrary rules in advance either
That's the real pisser. They wait until you've clicked the submit button, then clear half the fields (for "security purposes" obviously).
I wanna be a eunuchs developer! Pass me a bread knife!
The pointy hair who shoved the idea down the developers' throats probably assumes the only password manager people would ever use is called passwords.xls (because that's what he uses) and is making the system more secure as a result. To @NathanMinier: the ctrl+v loophole you found is probably the developers protesting by slipping something past their PHB, knowing he can only copy/paste using the context menu.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
Dan Neely wrote: probably the developers protesting by slipping something past their PHB knowing he can only copy/paste using the context menu
So sad because it is so true.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
Was it to keep the bots from being able to paste IDs and passwords?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
DavidCrow wrote: Was it to keep the bots from being able to paste IDs and passwords?
Bots can just do SendKeys. It's extremely easy.
As a matter of fact, Norton Internet Security has an onscreen keyboard which allows you to type via SendKeys, which is a security safety net in case you have a keylogger and don't know it. SendKeys doesn't generate the keypresses that your keyboard does and keyloggers wouldn't be able to trap your password if you use the Norton onscreen keyboard. I think Kaspersky has this too.
Years ago, I made an OSK for precisely that (I was sure that the company had installed keyloggers, but I couldn't install anything or use anything off a disc to find out, so I pretended it was needed within a project).
I'll have to see if it still works, in this post-win'95 world.
[update] heh. It needs the VB4 runtimes.
[update 2] {sigh} now it's all "Error accessing the system registry". I'll have to update the project files, which will probably take longer than it took to write it in the first place.
I wanna be a eunuchs developer! Pass me a bread knife!
modified 24-Oct-16 14:35pm.
Mark_Wallace wrote: Years ago, I made an OSK for precisely that
Very cool that you did that. Especially back in the day (win95).
Piece of cake. Just a load of buttons and a SendKeys command based on button number + modifier (Shift only; I didn't need Alt or Ctrl). It took longer to make and line up the buttons than to code.
I wanna be a eunuchs developer! Pass me a bread knife!
I'd love to hear the 'logic' from the devs themselves.
Hand them a shovel before they start the explanation. And some dynamite.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: I'd love to hear the 'logic' from the devs themselves.
It will almost certainly be some variation of "because our PHB told us we had to".
This isn't a feature some dev has decided to add on their own initiative. It's a management-level decision that's been forced on the devs, because it's what other sites in the sector are doing, so therefore it must be the right thing to do.
If you ever query it with the customer support drones, you'll be told it's to increase the security of the site, and they'd "lose their certification" if they changed it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
That is what I meant; there is no reasonable argumentation to defend the decision.
Happens a lot if decisions are made by people who aren't qualified to do so.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]