
Is it OK to hold credit card numbers in cookies, Santander? - Garbage
http://seclists.org/fulldisclosure/2012/Oct/101
======
TomGullen
What sort of clowns stored the credit card number in a cookie? Seriously? What
a breathtakingly stupid show of total incompetence.

Was considering switching my personal account to Santander, have been looking
to move away from Natwest for a while now. Natwest are a dismal failure of a
bank to the extent I'm always happy to go out my way and dissuade people from
associating with them in any way. I'll be writing Santander off my list for
sure now. How on earth can you trust them after seeing this?

For a business who HAS to take security seriously, for a business with a LOT
of resources, for a business who hold YOUR cash this is utterly pathetic and
inexcusable on their part.

Leaving them might be a good idea for your personal security, unfortunately
the UK is a little short of good banks. Would love to see someone shake up
banking like Stripe has shaken up online payments.

~~~
nessus42
Maybe I'm an ignoramus, but what's wrong with storing your credit card number
in a cookie, as long as it's encrypted? This is how session management is
typically done, right? Your session information is stored encrypted in a
cookie so that on subsequent page requests, the server still knows who you
are, but the session information is encrypted and decrypted on the server, so
that the client can't forge the session information.

If this technique is good enough to make sure that you still are who you said
you were when you logged in, why is this not good enough for storing other
sensitive information? And if it's not good enough for session management,
then you're in deep trouble anyway, since someone else can now log in as you
and funnel all your money into their Swiss bank account.

_Edit:_ As it turns out, it seems that most cookie-based session data is only
stored cryptographically signed, rather than encrypted. The reason for this
seems to be that HMAC signing is up to 4X faster than encrypting with
Blowfish.

~~~
pillock
> Maybe I'm an ignoramus, but what's wrong with storing your credit card
> number in a cookie, as long as it's encrypted? This is how session
> management is typically done, right? Your session information is stored
> encrypted in a cookie so that on subsequent page requests, the server still
> knows who you are, but the session information is encrypted and decrypted on
> the server, so that the client can't forge the session information.

No, that's not how session tracking works. The server uses a cookie to assign
you a temporary ID, and then creates a corresponding storage area "server
side" which can contain data like credit card numbers.

~~~
dgoodlad
That's how _some_ session tracking works. See Rails' CookieStore strategy for
session storage for example:
<http://guides.rubyonrails.org/security.html#session-storage>

> Rails 2 introduced a new default session storage, CookieStore. CookieStore
> saves the session hash directly in a cookie on the client-side. The server
> retrieves the session hash from the cookie and eliminates the need for a
> session id. That will greatly increase the speed of the application, but it
> is a controversial storage option and you have to think about the security
> implications of it:

~~~
chris_wot
That's not how _secure_ session management works.

~~~
cheald
It's plenty secure in the sense that you can't forge a session. It's not
secure in the sense that the data is inaccessible if you know how to base64
decode a cookie.

If you're using cookie sessions, you should know better than to store
sensitive information in the session.
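The CookieStore-style scheme discussed in this subthread, as an added example (not code from the thread or from Rails; the key and the session contents are constructed): an HMAC-signed cookie detects forgery, but the payload is plain base64 that anyone holding the cookie can read, which is why the alternative of keeping only a random id in the cookie is also shown.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key for the example; a real deployment would load this from config.
SECRET = b"constructed-example-key-not-a-real-secret"


def sign_cookie(session: dict, key: bytes = SECRET) -> str:
    """Build a CookieStore-style signed cookie: base64(payload) + '--' + HMAC.
    Rails serialises with Marshal rather than JSON, but the shape is the same."""
    payload = base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}--{mac}"


def verify_cookie(cookie: str, key: bytes = SECRET):
    """Return the session dict if the MAC checks out, otherwise None."""
    try:
        payload, mac = cookie.rsplit("--", 1)
    except ValueError:
        return None  # malformed cookie: no separator at all
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # payload was altered or signed with another key
    return json.loads(base64.b64decode(payload))


def peek_cookie(cookie: str) -> dict:
    """What anyone holding the cookie can read WITHOUT the key: the whole session.
    Signing prevents forgery, not disclosure."""
    payload = cookie.rsplit("--", 1)[0]
    return json.loads(base64.b64decode(payload))


def forged_cookie(cookie: str, new_session: dict) -> str:
    """Swap in a different payload while keeping the original MAC, to show
    that verify_cookie rejects it."""
    _, mac = cookie.rsplit("--", 1)
    payload = base64.b64encode(json.dumps(new_session, sort_keys=True).encode()).decode()
    return f"{payload}--{mac}"


class ServerSideSessions:
    """The alternative pillock describes: the cookie carries only a random
    id, and the sensitive data stays in server-side storage."""

    def __init__(self):
        self._store = {}

    def create(self, session: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, nothing to decode
        self._store[sid] = dict(session)
        return sid

    def lookup(self, sid: str):
        return self._store.get(sid)


if __name__ == "__main__":
    # Constructed session data; the card number is a placeholder, not real.
    cookie = sign_cookie({"user": "alice", "card": "4111-XXXX-XXXX-1111"})
    print("valid:", verify_cookie(cookie))
    print("readable without key:", peek_cookie(cookie))
    print("forged accepted?:", verify_cookie(forged_cookie(cookie, {"user": "bob"})))
```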

~~~
chris_wot
In other words, because they are holding sensitive information in their
cookies encoded only via base64 it's not secure. In other words, what I said.

------
UnoriginalGuy
I actually quit Santander(UK) because of their security policies. They
essentially changed online banking so you had to give them a mobile number and
then had to get a code from a text message they sent you to login.

My question to them was "what happens if I don't have a mobile phone?" and
"What do I do when I am on holiday abroad?" and their responses were
(paraphrasing) "You won't be able to use online banking at all in either of
those cases."

In order to just get this response I got transferred between like four or five
different customer service reps. So I quit my bank of like ten years and when
I quit they didn't even care enough to ask me WHY I was quitting.

~~~
kule
Funny I actually prefer their system of texting to confirm new payees (on
business banking it's only to setup new payees not ones you've used before).

I almost always have my mobile handy, even abroad, however trying to find &
use that darn HSBC dongle every time I want to login or add a payee drives me
nuts.

I can certainly understand that it's a bit silly if they don't have a
workaround for when you don't have a mobile though.

------
iaskwhy
Slightly on-topic. I have been trying with some banks in the UK trying to find
the best online banking system and I am not happy with the results so far.

HSBC works quite well but the login system (with an RSA key) is annoying. I can
accept it for actions like transfers but most times I just login to check my
balance and transactions, requiring a token seems too much for me. Their
design, even if not great, works.

MetroBank seems great from the outside but their system has some issues.
First, to login you need your account number, a password and three digits from
an 8-digit PIN. After logging in, you can do everything without any other
measure. The system fails to login most times unless you realise you can just
click on the link in the error message and logged in you are. A friend told me
to use the incognito mode in Chrome and it seems to fix this issue, probably
with sessions. Their design is not the best. On the transactions page you can
only see 3 or 4 transactions on the screen at a time (without scrolling, that
is).

I am waiting to try Santander (which I will avoid now) and Northern Rock.

Any good experiences?

~~~
georgespencer
HSBC have been an absolute NIGHTMARE for my business. I'd urge anyone in the
UK to avoid them for anything. Below is the rant I sent to their complaints
department after I had decided to ditch them after one foul-up too many.

tl;dr: It took me weeks to register; they refused to expedite new codes to me
after a cockup at their end; then when they eventually allowed me to use the
service they declined EngineYard and Google apps payments every single month
for over a year for "fraud prevention reasons".

In the process of switching… not sure who to yet.

--

Over a year ago I began the process of opening a business bank account with
HSBC over the telephone. I'd already completed incorporation of my business
and had a provisional acceptance from HSBC via their online application
system. Someone was to phone me to ask some cursory questions. Through this
conversation it emerged that one of the directors in the business had somehow
mistaken his gender when filling out his paperwork, and there was a pause
while we waited for Companies House to update their records.

A few days passed, and with the records amended, I ventured into the Fulham
Broadway branch of HSBC to complete this process. I explained to the gentleman
hovering menacingly near the doors what I needed to do.

"I see. Come with me to The Business Centre," he said solemnly, visibly
annoyed that I was wearing yesterday's jeans and no socks.

He deposited me in a chair and assured me that someone would be over to see me
shortly. Instantly, another gentleman arrived and inquired as to what I
needed. I explained my situation again. Ah, yes, of course. I needed to see a
Business Advisor. Did I have an appointment? No, but the office was empty. Ah,
yes. Right this way.

The second gentleman led me to a third representative of HSBC's towering
capacity for inefficiency. A portly lady squeezed into a too-tight uniform,
tucked inside a glass livestock enclosure; she motioned wordlessly to a chair.
I ventured that I had a reference number. She pecked away with her exquisite
fingernails on the tiny plastic keyboard in front of her and then abruptly
stood, and stalked to a printer, rolling and heaving her monstrous body
against a uniform visibly weakening at the seams.

"What," she said, looking at her screen and then, for the first time, at me,
"did you hope to do today?"

I explained, for the third time, that I needed to conclude the opening of my
business account–a process I'd started over the telephone and had been assured
I could pick up in a real life, physical, open-now-on-Sundays-thanks-to-Nat-
West retail bank. She nodded.

"So all we need really is to physically ID the other directors and we're
done."

Nobody had mentioned this, and one of them was in France.

"Sorry, there's nothing we can do until then."

Could I just drag them into another branch and have them sign something? I
could. Splendid.

Thus resolved, Director #1 and I went to the London Bridge branch of HSBC a
few days later. He was clutching a disparate range of proofs of his identity,
from bank statements to utility bills.

We explained to the 'Customer Host' what we needed to do. He ushered us up
some stairs to The Business Centre, a grandiose term for two offices, a
deserted reception area and a jolly looking woman stationed in a narrow glass
booth.

After being left alone for several minutes, with no more obvious option, I
approached her and, for the second time that day and the fifth overall,
explained what Josh and I needed to accomplish. She motioned to the first
office, which had an open door. "My colleague will be able to help you with
that."

We went into the office. The man behind the desk looked up from the screen,
creating the illusion of progress.

"Can I help yeh?" He asked, through the indolent, Americanised drawl of an
east London schoolboy.

Once more I explained. Keep count.

"Yeahyeah, if you just take a seat, someone else will help you widdat."

Widdat, we sat and chatted about central American politics for a few minutes.

Another man, with a hole where it seemed obvious an earring usually was,
walked past us into the office with Widdat in it. He gesticulated in our
direction and then cast a wary glance over his shoulder at us.

He approached us and, as you might have expected, asked us what it was we were
there to do, in a mumbling approximation of Widdat's voice which might have
seemed like a parody if the intellectual bar set by HSBC's staff so far hadn't
been so terribly, terribly low.

He explained, in a roundabout way, that he had to do some work and had an
appointment coming in ten minutes, but that a lady would be along to see us
very soon indeed, and that if she wasn't, he'd take care of us.

We resumed our discussion for what seemed like a very long time–and not
because of Josh's constant oversimplification of the complexities of US
paternalism. Eventually, Widdat #2 came back out and invited us into his
office, muttering about the receptionist not being at her desk.

Instead of asking what we wanted to do, he began to faff about with his
computer. I trotted out the most succinct version of my mission to date.

"I started the process of opening a business account with you. I was told I
needed to bring in ID for the directors so you could verify them. I have one
of them with me, with his ID."

"Right yeh but there's loads of paperwork to do to conclude and everything,
it's maybe 25, 30 minutes and I have appointments and that."

We didn't need to do the paperwork. Could he just scan or photocopy the ID and
say that he had seen it?

"I can take the ID from you but I can't give it back to you. We have to keep
it. Sorry. You can either go into another branch and try to get it done or
come back here and see me."

There is a box on the form for HSBC's Business Banking application which asks
you how much you intend to deposit into the account. I assume Widdat #2 hadn't
seen it, because I wouldn't ordinarily expect to fight someone to give them or
their business several tens of thousands of pounds.

I lost interest. I told him it was ludicrous. He didn't disagree. We left. As
a last chance I dropped into their deserted Clerkenwell branch and spoke to a
business advisor who told me the previous HSBC employees I'd dealt with were
all idiots and that it was very simple. We had the account opened in minutes.

Internet banking is very important to me because A) it's 2012, and I don't see
a very good reason for highstreet banks to exist and B) I quite like the
internet. So we registered for internet banking (which you have to do
separately: is there really anyone who doesn't have or use the internet
nowadays?). There are three parts of the verification system for this. HSBC
posted me a 25-digit activation code, a cryptographic dongle thing, and
another shorter code.

Ignoring the fact that a 25-digit activation code = 25! possibilities, which
means HSBC have leave to create, I don't know, a BAJILLION online bank
accounts, it's a fucking usability nightmare. Typing this stupid code into a
computer, it's absolute overkill.

Oh, and they sent me two. Neither of which worked. The second one canceled the
first, apparently (although they arrived at the same time), so I had to wait
for a third code to be sent out. Nobody can do anything over the phone. You
have to wait for the codes to arrive by post. They can only send them to the
business address, meaning that you have to be in the office to pick them up. I
spoke to a manager on the phone and politely asked what they could do to speed
up the process of getting the code to me, since it was their mistake. Nothing
at all, as it happened. They couldn't give it out over the phone, they
couldn't send it recorded delivery, they couldn't courier it to me. Thanks for
making amends for your mistake!

So after entering this 25-digit code, and another code which was a mix of
alphanumerics, and picking a unique username, and specifying a password, and
using my secure key dongle to generate a unique entry code, I finally get
access to online banking about five weeks after the process begins, and I can
finally pay our providers who have been patiently waiting (because they
understand our pain–they also bank with HSBC).

~~~
georgespencer
Now, all this is pretty bad but manageable. Shitty customer service, a shitty
system, and no attempt to make amends for failing to provide a decent standard
of service. But we're set up, right? Not quite. HSBC is the only bank I know
that actively prevents you from using your funds by periodically just
declining your card.

We're a web business. Every month we pay a bunch of money to our web hosts
(the brilliant EngineYard), Google Apps, AWS, etc. WE DO THIS EVERY MONTH. THE
SAME AMOUNT OF MONEY. And every month an Indian dude calls me in the middle of
my lunch, asks me to confirm a load of security questions, and then asks me to
confirm the same transactions that I confirmed with him the month before that,
and the month before that and EVERY MONTH SINCE OUR JOURNEY OF PAIN WITH HSBC
STARTED.

Meanwhile EngineYard are sending us polite emails saying "Please pay us, your
card was declined." The upshot is that we have a bad relationship with our
hosts. I'd imagine that HSBC's website is hosted internally, because I know
for sure that if it was hosted externally it would GET TURNED OFF ONCE PER
MONTH BECAUSE YOUR FRAUD PREVENTION TEAM STOPPED PAYMENT FOR IT.

Three months ago I called HSBC and pointed out that this happens every month.
"Ah yes Mr. Spencer, I can see that in your account. I can confirm that we
will not phone you again about these transactions." Bull. Shit. Two months ago
when they called back I brought it up again, in a slightly more irate manner.
"Ah yes Mr. Spencer you need to speak to my colleague about that, hang on." I
spoke to his colleague and explained it all AGAIN.

Then they called back a few weeks ago. I explained it all again. Everything
was fine, again; no fraud or unusual activity (SO WHY DID YOU CALL?). The card
is fine and working, the EngineYard payment will go through, I'm told. I
explain to the guy that if I ever have a phone call like this again where I
have to explain, for the millionth time, why my business uses American hosting
providers, I will change banks and never look back. "No, no Mr. Spencer, I'm
trying to help you. You just need to speak to my colleague..."

No, I don't. I've spoken to everyone. Nobody I have ever dealt with at HSBC
has any respect for my time. I've repeated myself dozens of times with HSBC to
no avail, at every step of the process, to different staff members who can't
pass a message along to save me from having to explain it again.

I tell the Indian guy that I'll leave him to resolve it. If he can't then
that's fine, we'll switch banks.

He calls back to say it's all resolved. A week later, an email from
EngineYard. Card declined.

Cheerio, HSBC.

~~~
SpoonMeiser
My wife has a horrible time with HSBC, and I always get a bit agitated when I
see people recommend them, so I'm glad to see other people sharing their
horror stories about them.

Her situation is that she visits family in Canada once a year. They won't make
a note of her being out of the country if she calls them beforehand. The fraud
people then call her if she needs to use her card at unsociable (for Canada)
hours and never leave answerphone messages. When they do get her, they require
her to answer security questions without identifying themselves first. If she
calls them, the person she speaks to has no way of knowing if anyone has been
trying to call her for any reason.

They are, in my opinion, the "World's worst Bank".

~~~
cameronh90
The problem is that they all suck. In the UK, I've tried NatWest (RBS),
Lloyds, Barclays and HSBC and so far, HSBC are the least worst... they are
by no means good, but they're better than many of the others. They still have
numerous problems though: customer service agents that disagree with each
other and provide inconsistent information, that annoying online banking
dongle, payments being declined at random (particularly embarrassing in
shops).

Still, at least unlike NatWest, it didn't take 3 weeks of dealing with
different customer services staff to withdraw some cash, and I never got their
online banking to work at all... after repeated attempts. Every customer
service staff member would make excuses about not being able to help me due to
their security restrictions.

------
chris_wot
Well someone has badly violated PCI-DSS 2.0.

This is bad in such an amazingly awful way on a "secure" banking website that
I'm surprised that this bank even has an IT team, let alone a development
team!

How did this not get picked up in QA testing, or even in a cursory audit?!?

~~~
martokus
I wonder what is the PCI DSS audit committee doing? I mean the world is full
of idiots that need policing and that's why such organs exist in the first
place.

Shit like this just shows that being PCI DSS level 1 certified means
absolutely nothing in the real world.

~~~
aneth4
> I wonder what is the PCI DSS audit committee doing?

Creating a racket. PCI is designed to control merchants and extract money, not
for security.

~~~
chris_wot
I have to disagree with you most emphatically. PCI DSS was a response to a
very bad issue, which was and is credit card fraud.

If you look at the DSS, it's eminently sensible and in fact if you implement
it properly you will most definitely have a secure environment for credit card
transactions. If you do _not_ follow it, then you are leaving yourself at
significant risk of being breached and credit card data being stolen.

I'm curious though: what part of the PCI-DSS merely creates "a racket", and
what parts "extract money"?

------
gambiting
Santander ALSO stores your passwords in plaintext, or at least has access to
them in that form.

My password used to include special characters, until a transfer to their new
web interface a year ago. After they did it, I could not log into my account - it
kept telling me that my password was incorrect. So I rang them up, and a lady
on the phone asked if I had any special characters in my password. I said yes
- and then she told me to try logging in without them, as the new system does
not accept them and they were automatically stripped during the transition to
the new interface.

At first I was like - ok, at least now I can log into my account. But then it
hit me - how the holy fuck could they remove special characters from my
password???? The only way they could do that is if they had access to its
plaintext, which is completely unacceptable.

I complained to Santander about it, only to receive a letter stating that they
appreciate my concerns but their system is safe.

I've got all the correspondence with them if anybody wants to see.

~~~
ookware
I believe NatWest and Halifax must do the same as they both ask you to "input
characters x, y and z from your password" which I don't see how they could do
without needing plain text storage. Of course I await being told how I am
wrong with this!

~~~
bruceboughton
This is a separate code to your password, and there is no reason each letter
could not also be stored as a hash after being salted with some personal
information.

~~~
nucleardog
> there is no reason each letter could not also be stored as a hash after
> being salted with some personal information.

There's no technical reason, but you may as well just store it as plain text.

Even assuming everyone used all the available Unicode symbols (~110,000
according to Wikipedia) an eight character password would only require
calculating 880,000 hashes in order to brute force every character.

Assuming a more realistic A-Za-z0-9, an eight character password is an
absolutely pathetic 496 hashes. A 1,024 character password (good luck
remembering that) is still a paltry 63,488.

For comparison, hashed as a whole that same A-Za-z0-9 at eight characters is
218,340,105,584,896 (62^8).

Hashing the characters individually changes adding more characters from
exponentially increasing the work involved to linearly. It's good as useless.
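nucleardog's arithmetic carried through in code, as an added example (not from the thread; the salt, hash construction and sample password are constructed): the per-character scheme bruceboughton suggests is implemented alongside the work-factor formulas, so the "characters x, y and z" check works, but the whole stored set can be recovered position by position with at most 62 hashes per position.

```python
import hashlib
import string

ALNUM = string.ascii_letters + string.digits  # A-Za-z0-9, 62 symbols
UNICODE_APPROX = 110_000  # nucleardog's Wikipedia figure for Unicode symbols


def whole_work_factor(alphabet_size: int, length: int) -> int:
    """Guesses to cover every password when it is hashed as a whole."""
    return alphabet_size ** length


def per_char_work_factor(alphabet_size: int, length: int) -> int:
    """Guesses when every position is hashed on its own: the positions are
    independent, so the cost is a sum rather than a product."""
    return alphabet_size * length


def _char_hash(salt: bytes, position: int, ch: str) -> str:
    # Constructed construction: salt || position || character. The salt stands
    # in for the "personal information" mentioned in the thread.
    return hashlib.sha256(salt + position.to_bytes(2, "big") + ch.encode()).hexdigest()


def store_per_character(password: str, salt: bytes) -> list:
    """One salted hash per character, as the thread describes."""
    return [_char_hash(salt, i, c) for i, c in enumerate(password)]


def check_positions(stored: list, salt: bytes, answers: dict) -> bool:
    """Verify a 'characters x, y and z' challenge; answers maps 0-based
    position -> character supplied by the user."""
    return all(
        0 <= i < len(stored) and _char_hash(salt, i, c) == stored[i]
        for i, c in answers.items()
    )


def recover_per_character(stored: list, salt: bytes, alphabet: str = ALNUM):
    """Exhaustive search over each position independently. Returns the
    recovered string ('?' where no symbol matched) and the hash count, to
    show the linear cost the thread talks about."""
    recovered, hashes = [], 0
    for i, digest in enumerate(stored):
        found = "?"
        for c in alphabet:
            hashes += 1
            if _char_hash(salt, i, c) == digest:
                found = c
                break
        recovered.append(found)
    return "".join(recovered), hashes


if __name__ == "__main__":
    print("per-char, 62 symbols, 8 chars:", per_char_work_factor(62, 8))
    print("per-char, 62 symbols, 1024 chars:", per_char_work_factor(62, 1024))
    print("per-char, ~Unicode, 8 chars:", per_char_work_factor(UNICODE_APPROX, 8))
    print("whole, 62 symbols, 8 chars:", whole_work_factor(62, 8))
    salt = b"constructed-salt"
    stored = store_per_character("Tr0ub4dR", salt)  # constructed sample password
    print("challenge ok:", check_positions(stored, salt, {0: "T", 3: "u", 7: "R"}))
    print("recovered:", recover_per_character(stored, salt))
```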

------
Lockyy
Can confirm that cookies on my laptop did (don't anymore, and I won't be using
their online banking anymore) contain sensitive information about my Santander
account that I last logged into over 24 hours ago.

Going to go email them and tell them I'll be closing my account if they don't
start taking their security seriously.

~~~
zachinglis
If you take that post at face value, it's not really going to do much. Sounds
like the guy was on at them for a while.

~~~
Lockyy
It's not just this alone that's pushing me away from them, I don't like them
much anyway.

Their security practices for online banking are pathetic in comparison to
HSBC. HSBC gave me a one time key dongle which breeds more confidence than the
various articles about Santander's lax security I've read.

~~~
SpoonMeiser
HSBC are also (or at least were very recently) in the habit of calling
customers and launching immediately into security questions without even
identifying themselves first, which is wrong for all sorts of reasons.

~~~
SideburnsOfDoom
I can confirm that First Direct (a subsidiary of HSBC) would also do this.

The caller would say "I'm calling from First Direct" and then get confused
when I asked for proof of this.

~~~
SpoonMeiser
I like the Barclaycard (I think) fraud thing.

You get called by a computer that asks you to identify yourself by picking a
piece of personal information from a list. It might ask for the month and date
of your birth, for example, and give you 5 options.

Because there are 365 possible month + date combinations, and yours appears in
the list, you know they already have this information so you're safe to
confirm it, and they also get to confirm that you are (likely) who they're
intending to talk to.

~~~
liedra
Yeah, I was pleasantly surprised by this too! I had the birthday, an address,
and something about one of my standing orders that I had to pick from. It was
nice to not have to explain yourself to a real person either. You just had to
confirm whether the transactions were real ones. I just have a normal Barclays
account, too, nothing special.

------
stuff4ben
I remember a bank I used to work at got bought out by Suntrust. After we had
been migrated over, for some reason I had decided to check out the cookies
they were using. Sure enough I saw my full SSN there. They don't do that now,
but even as a junior developer at the time, I was pretty taken aback.

------
Major_Grooves
What's really annoyed me about Santander's website is when you click 'log-out'
you might think you have logged out - but no - you are taken to the 'are you
sure you want to log-out' page.

With banking websites I just want to click that link and be sure I am logged
out. I don't mind logging in again if I clicked by accident.

------
fmavituna
From a practical attack point of view:

1. As explained in the original email, XSS attacks now lead to CC exposure, very
bad.

2. If the cookies are not session cookies, it's horrible: then anyone who got
access to that computer later can read the cookies and Credit Card. But also
don't forget tons of websites still keep auto-complete enabled!!!! in
freaking CC fields.

3. If the cookies are not marked as "secure" (or issued over HTTPS) then it's
totally messed up and invalidates PCI etc. directly. Now your credit card is
transmitted over HTTP.

4. Other than this, even though it's a rather pointless thing to do, there is
no more direct attack I can think of.

Put it this way, this is not worse than an XSS vulnerability in a website as an
XSS can lead to more serious issues directly.
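The three cookie properties fmavituna lists (session vs. persistent, Secure, exposure to script via XSS) as a Set-Cookie audit, added here as an example that is not part of the thread; the header values it checks are constructed and the cookie names are placeholders.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(attrs: dict, now: datetime) -> bool:
    """True if the cookie outlives the browser session. A Max-Age <= 0 or an
    Expires in the past is a deletion, not a persistent cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return True  # unparseable: treat conservatively as persistent
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return True
    return False


def audit_cookie(header: str, over_https: bool, now: datetime = None) -> list:
    """Return a list of findings for one Set-Cookie header, in the order of
    fmavituna's points 2, 3 and 1. An empty list means nothing to flag."""
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if is_persistent(attrs, now):
        findings.append("persistent: survives browser close, readable from disk later")
    if "secure" not in attrs:
        findings.append("no Secure flag: browser will also send it over plain HTTP")
    if not over_https:
        findings.append("issued over HTTP: value already crossed the wire in clear")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script, so an XSS exposes it")
    return findings


def audit_response(set_cookie_headers: list, over_https: bool) -> dict:
    """Audit every Set-Cookie header of a response; keyed by cookie name,
    only cookies with at least one finding are returned."""
    report = {}
    for header in set_cookie_headers:
        findings = audit_cookie(header, over_https)
        if findings:
            report[parse_set_cookie(header)["name"]] = findings
    return report


if __name__ == "__main__":
    # Constructed headers: one weak persistent cookie, one properly flagged one.
    headers = [
        "acct=opaque-looking-base64; Path=/; Expires=Fri, 31 Dec 2038 23:59:59 GMT",
        "sid=random-id; Path=/; Secure; HttpOnly",
    ]
    for name, findings in audit_response(headers, over_https=True).items():
        print(name)
        for f in findings:
            print("  -", f)
```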

------
advisedwang
Confirmed for my Santander account. I have not got a credit card, but the
NewUniversalCookie cookie does contain my passcode (in all caps, just
discovered it is case insensitive!).

The data is not just one base64 chunk, but multiple space separated chunks
that base64 -d chokes on after a bit. I am probably missing a step.

~~~
ed209
wowzer. I just checked for my business account with santander and found my
password as you mention.

Edit: although when you get logged out for inactivity or you click log out it
seems to get rid of this cookie.

------
chubbard
These hacks better be glad this industry isn't regulated like other
professions where the individual professional is liable for his work. If these
developers were doctors or engineers they personally would be liable for
damages. Right now we have laid blame at the feet of the company, but this
company doesn't seem to understand they don't have the technical know how to
be building websites for their customer base.

~~~
readme
Please don't give the government ideas

~~~
chubbard
Well it might not be your government that institutes this idea. Given this is
a bank in the UK you or I might not be allowed to vote on this type of thing,
but if the general populace begins to see the choice of technical decisions are
more in the hands of the professionals and not so much the company it could
very well change. And it might be companies that push legislation like this if
they feel they don't want to bear the legal risk.

Now usually there is professional insurance that consulting companies have to
purchase for liabilities just like this. If you are a consulting firm
implementing systems for banks they will require you carry $2 million/dev of
insurance should there be a screw up like this.

Maybe this is the best option because I'm not exactly behind supporting
measures to certify or regulate our industry, but I fear bad behavior like
this might force it. This is a hack rookie mistake. I'm fully aware of the
ramifications of doing something like this, but I'm not immune to mistakes
that could result in the same damage. However, a law like this would treat me
the same way as these hacks.

------
joeconway
For anyone interested, if you want to see the information it is storing then
take the NewUniversalCookie and separate it by the #'s, then you can see two
base64 strings which are easily decoded.

The scary part is that the 'alias' id is actually one of the 2 passwords
needed to log into the account. So in fact if someone had that and my card
number all they would need is the 5 digit numerical code to log in

------
sw007
Slightly off topic but I bank with Natwest.com and I have gone to their
homepage today and am AMAZED as to what I saw.

If you navigate to their homepage - in prime view you'll see a section that
says:

"Great ideas come from great conversations"

Under this is feedback from customer - 90% of the feedback is incredibly
negative. For example:

"Tell your customers the truth how bad a silver account is. Premium numbers
to contact and register, cannot register mobiles for ..."

"Natwest is an embarrassment, you have lost a customer for life".

This just sums up how out of touch banks are today with the internet. Don't
advertise this sort of feedback! Especially on a homepage! What are they
thinking?

~~~
marshray
How often do happy customers leave positive feedback compared to unhappy ones?

Sounds like they're pretty brave to me :-)

------
michaelfeathers
I don't bank with Santander, but I was in Barcelona a few weeks ago and I
passed by a Santander ATM that was rebooting IBM OS/2 Warp.

~~~
SethMurphy
IBM OS/2 warp is still a very viable solution for always on terminals and is
more common than you may realize. While not officially supported anymore, for
a price IBM will still support it. While I wouldn't choose it for a new
solution, I wouldn't run out and create new ATM software, if it is working
well, just because of the OS. Would you be more comfortable if they were
running windows?

~~~
michaelfeathers
I was actually more surprised to see a reboot on a customer-facing ATM screen.
I don't think I've seen that in the US. Maybe I lead a sheltered life.

~~~
chubbard
Or maybe you just don't frequent ATMs a lot. I've definitely seen OS/2 Warp
reboot screens on ATMs in the US.

------
DanBC
I'm curious about responsible disclosure.

WhiteHat finds a security vulnerability. They tell the company. But, with
banks, it's pretty hard to find the right person to tell. What steps should
WhiteHat take to satisfy responsible disclosure? Just a printed letter to
banks registered address is enough? (Banks, and everyone really, should have a
"please use this address for responsible disclosure" - that would reassure me
as a customer that they are taking security seriously).

But then, in England, we have a potential further step with the regulatory
bodies. There's the ICO (information commissioner's office) who are overworked
and will do nothing about this. And then there are the card companies who
will, I'd have thought, be keen to protect their customers from fraud. Would
responsible disclosure include a step to involve these third parties, if only
to provide some clue pressure to the insecure site?

~~~
danielweber
Sometimes the media can help. If you have a contact, they can put pressure on
the company by calling them to interview about the vulnerability they are
going to write a story on.

Back when I used to read the disclosure lists, I'd see people ask "I need a
security contact at XYZ Inc." all the time.

------
nathan_long
On top of all the other issues, add the fact that some browsers __no longer
delete session cookies when you close the browser__. Notably, Chrome and
Firefox.

<http://dalevisser.wordpress.com/2012/07/18/how-to-fix-firefox-and-chrome-default-of-retaining-session-cookies-insecurely/>

~~~
Evbn
Holy wow. I expect that from Chrome, which is basically spyware, but not from
Firefox.

~~~
timothya
Really? Wow, I'm surprised to see someone with that sort of attitude. What
makes you say that Chrome is spyware?

~~~
reidrac
I don't use Chrome myself, I use Chromium for testing when doing web
development. Apparently you can't get the exact Chrome binary from Chromium
source code, so I don't know if there are remarkable differences... but I find
these quite amusing: <http://i.imgur.com/Mq3pH.png>

It is correct that these options are in "Privacy". The good thing is that you
don't need to worry about tracking cookies because your browser is already
tracking you ;)

(I'm half joking / half serious here; this is off-topic anyway)

------
andrewcooke
i guess no-one else here cares, but i had a quick look and santander.cl seems
to not do this (but i just logged in and looked at cookies, which all seemed
to be opaque).

~~~
d4nt
I expect the UK online banking site is a descendant of Alliance & Leicester's
site.

Santander bought A&L a few years ago when they got into trouble during the
credit crunch. Before then, Santander was not trading in the UK.

~~~
corin_
Small correction: they were trading in the UK, just not under the name
"Santander" - they had owned Abbey (formerly Abbey National) for a few years
before they bought A&L and then merged them under the new (to the UK)
Santander name.

~~~
d4nt
You're right, they bought Abbey first. Completely forgot about that. It's
probably a descendant of the Abbey online site then.

------
Tloewald
Betteridge's law?

Given the recent IEEE clear text passwords stored on an FTP server fiasco we
need to transition from shock and outrage and switch to resignation and ennui.

------
catshirt
for what it's worth, i use sovereign bank who was recently acquired by
santander. the sovereign online banking contains the NewUniversalCookie, which
contains an XML document (LOL) with 3 nodes: name, username, and userID.
seemingly no intensely sensitive data in my cookies, but also seems to be some
crossover with Santander's security system.

~~~
btown
I've seen error messages in Spanish, which would seem to indicate (since
Sovereign was originally a New England-based company) that some backend
services are shared. Luckily, I barely use the account, and I will continue to
do so now that this post has come to light.

------
SeanDav
A huge irony in all this is that Santander pulled out of a deal to buy a large
number of branch offices from a rival bank because apparently the computer
systems of this rival bank weren't up to scratch and merging would have been
an issue.

This bank probably didn't believe in storing sensitive information in
publicly accessible places, clearly.

/sarcasm

------
_pferreir_
I bet they have a padlock icon somewhere?

No really, whenever I think there is no display of utter incompetence in
software systems programming that will surprise me, here's another big name,
ready to make standards sink to a new low. I wonder who and how much they paid
for such a nicely done job.

------
phragg
Here in the states, MA, I use Sovereign Bank who had just got acquired by
Santander.

I was able to reproduce the NewUniversalCookie which showed my `username` and
`userid`.

I'm a rather young adult (22) and had used Sovereign solely because my parents
had used it, but now I'll be happily moving elsewhere.

------
victorantos
I've been today to Santander, and they told me the only way for me to put money
in my account is by using their online service. This is because I have an
eSaving account type...

------
dreamdu5t
I don't see what's much different about this than Stripe giving you a token
for the customer/card and storing it in a cookie.

------
northband
Holy cow!

