Preaching security to banks


I feel somewhat lucky in that my bank supports, to some extent, browsers other than MSIE. My one complaint is that printing in any other browser sucks.

There is a "print" feature offered following transactions (e.g., bill payments, transfers) that prints a nice transaction report. Attempting to use this feature in Mozilla Firefox or any other Mozilla browser may cause it to hang or, at best, simply leave you with a bad print job in your print spooler. Printing the entire webpage works, of course, but I end up with a lot of garbage on multiple pages, which I would prefer to avoid. Because of this small issue I usually just switch to IE for my online banking. No More!

So I submitted a message on the customer service page (for the second time, the first time being over a year ago) requesting that they fix the print feature so that it works in Mozilla-based browsers. I got a predictable response about their service not having been tested with Firefox but that I should not worry about their service being insecure even with this browser. I simply had to respond to this statement.

Here is my response, which I am posting on the off chance that the links I reference may be of use to others requesting support for an alternative browser from their bank.

Thank you for taking time to respond to my message.

Please be aware that I have very little concern about the security of Easyweb when using Firefox. In fact, I would be far more worried if I were using Microsoft Internet Explorer given the fact that it has a large number of exploitable security vulnerabilities which Firefox does not suffer from.

Secunia.com, a security tracking website which US-CERT (United States Computer Emergency Readiness Team; http://www.us-cert.gov/) refers to, lists 18 currently unpatched security vulnerabilities in the latest version of Internet Explorer, one or more of which are "Extremely critical" in nature.

http://secunia.com/product/11/

This USA Today article, published in July 2004, describes how Internet Explorer was exploited to capture and transmit login credentials to another website whenever the user went to one of 50 targeted financial institutions.

http://www.usatoday.com/tech/news/2004-07-01-cyber-threat_x.htm

Here is a quote from the article: "A Citibank spokesman says the bank, with 2 million online users, took steps to protect its Microsoft Web servers several weeks ago. However, the only thing banks can do to stop the most recent kind of attack is recommend that customers stop using Internet Explorer, says Joe Stewart, a researcher at security firm Lurhq."

I apologize for having to point out these facts since it is your job (or at least the job of someone in your organization) to know this and perhaps you already do. I also regret the need to defend my choice of web browser but it seems I have little choice.

Regarding the "print" function, the browser compatibility list you give below shows Netscape Communicator 7.0 as a supported browser. This is a Mozilla-based browser (any Netscape product newer than 4.x is), which means that if your print function works in Netscape Communicator 7.0 then it should work in any other Mozilla browser like Firefox. I believe I tested the feature using Netscape 7.0 over a year ago, though, and found that it didn't work. I have a feeling that it still doesn't, but I have no desire to install it just to find out. I hope that you will follow up to confirm this yourself.

My enhancement request would be that you add Mozilla Firefox to your list of supported browsers since it is functionally equivalent to Netscape Communicator 7.0 from a web application development perspective. I hope you will give this request the attention it deserves in light of Internet Explorer's deficiencies.

Cheers, Chris