<< C++ cryptics | Command prompt utilities should have a readable help message >>

e-banking at its best

by Miha Markič 29. August 2007 06:45

I saw this post over at David's blog and all that I have to say is that ... I am not surprised. e-banking applications aren't good over here in Slovenia. But this one from David's post tops the list by far. Here is the screenshot from his blog (I hope he don't mind that I've made a copy of it).

So, you might say "heck, errors happen". Yes they do, but this one shows bank ignorance at its worst. Even though their representative Janez explains in a comment that the error and usage of Access(!) database are unrelated to core application itself he is bloody wrong. So, what can you see from this error:

They are using Access
They are using asp
They are using ODBC driver (who knows why..)
The code that connects to the database is in the file /obvestila/DBConn.asp and the connection itself is in the line 9
They never heard of never ever show internal error to the public

These are 5 lines of knowledge that should remain hidden. Specially in this kind of sensitive application. Do you wonder what other errors might reveal? But the real problem is not within this particular data displayed, it is the fact that they are showing data that shouldn't be seen from outside, ever. This leads me to thinking that their application is really badly written, or at least a part of it, and it might be highly vulnerable to malicious attacks. At least such message doesn't really give you a sense of security. I also wonder how scalable the application is when used by more than 5 concurrent users.

Anyway I am sure that application was written by the cheapest company...Kudos to everybody using this application for their courage.

UPDATE: The page with the error shown above is not the page from their e-banking but from their e-banking entry page. Their e-banking application is actually located on another web address and it seems like it is java application. So the two might be separated. But nevertheless all of the criticism above is still very valid.

913eed67-154c-44f7-b54f-82ff5b4edf6f|0|.0

Tags:

Strong typing routes in ASP.NET MVCLet’s say you have Test action in Home controller like this: public ActionResult Test(i...Where has TimeZone2 class gone?If you are following blogs about .net 3.5 you might have across this interesting post. It explains t...Windows Genuine Advantage is legal user's worst enemyI've never ever been a supporter for online activation process for any product. Ever. On th...

Comments (6) -

Mladen

8/29/2007 1:56:16 PM #

shall we play crash the bank site? ))

Giuseppe

8/29/2007 4:40:22 PM #

outsch!!! still can't trust my eyes that's very very evil. (And they are using http instead of https)

Milko

8/30/2007 12:22:54 AM #

Have you read the comments on David's site?

Miha Markic

8/30/2007 12:38:23 AM #

Which one?

Janez Demšar

8/31/2007 5:14:55 AM #

Dear All,

The error is of course not connected with the application of Internet banking.

Please read the whole explanation on vidmar.net/.../...t-to-see-when-you-open-your.aspx

With my best regards,

Janez Demšar

Miha Markic

8/31/2007 6:52:17 AM #

I know, read the UPDATE paragraph. All the criticism still applies, it casts a bad light to your banking software (if your web site is poorly done one might assume that e-banking app is not much better) and it helps malicious users. Just for a simple example, what if somebody hacks into your web site and changes the link to e-banking application (redirects to a similary looking application)? Will your clients notice that they are passing their credentials to a false application? Would you notice that link has been compromised?
So, the error is connected with your e-banking, perhaps not directly.

Add comment

Name* Required Please choose another name

E-mail*

Country Country flag

b i u quote

Comment
Preview

Notify me when new comments are added

Miha Markic

INETA Country Leader for Slovenia

Miha currently works as a free lance consultant and software developer specialized in .net area.
He graduated in Computer and information science at the University of Ljubljana, Slovenia. He has accumulated experience in various programming languages such as Java, Visual Basic 3-6 (MCP), Visual C++, Delphi, C# and VB.Net through years.
He has experience in practically all (technical) stages of project development, including planning, framework development, user interface, business processes, as well as testing and documenting. He has worked on big and small projects in Slovenia and abroad (e.g. participated in completing level 3 IS for the Nucor steel plant, Hertford, USA).
Currently he enjoys programming in .net environment using C#. Since 2000 he has been active in Developer Express' DX Squad and has been ECDL trainer and tester. He also gives lectures on conferences and other events in Slovenia.

Month List

2012
- January (2)
2011
- December (3)
- October (1)
- September (4)
- August (5)
- July (7)
- June (3)
- May (2)
- April (2)
- March (1)
- January (4)
2010
- October (3)
- September (1)
- August (2)
- May (4)
- April (1)
- March (2)
- February (1)
- January (7)
2009
- December (2)
- November (5)
- October (7)
- September (4)
- August (2)
- July (1)
- June (6)
- May (5)
- April (5)
- March (10)
- February (9)
- January (9)
2008
- December (1)
- November (6)
- October (6)
- September (3)
- August (2)
- July (3)
- June (6)
- May (5)
- March (5)
- February (4)
- January (10)
2007
- December (6)
- November (10)
- October (10)
- September (4)
- August (14)
- July (7)
- June (12)
- May (7)
- April (9)
- March (6)
- February (8)
- January (12)
2006
- December (11)
- November (11)
- October (14)
- September (17)
- August (13)
- July (7)
- June (12)
- May (16)
- April (5)
- March (6)
- February (15)
- January (11)
2005
- December (18)
- November (18)
- October (10)
- September (11)
- August (10)
- July (9)
- June (8)
- May (10)

Most comments

	Paulius 1 comments United States
	Meh 1 comments United States
	bart dm 1 comments Netherlands

RecentComments

Fixing combination of NuGet and Team Foundation in workgroup configuration: 401 Unauthorized (12)
Bojan wrote: Looks like this helps. Thank you. [More]
Fixing combination of NuGet and Team Foundation in workgroup configuration: 401 Unauthorized (12)
Pawel wrote: Thanks a lot!!! It worked for me as well. [More]
Fixing combination of NuGet and Team Foundation in workgroup configuration: 401 Unauthorized (12)
Tim B wrote: Thank you your diligent effort, which I expect has... [More]
Bridging IPTV over wireless using two Linksys WRT54GL routers and DD-WRT firmware (7)
bart wrote: It worked for me with the latest stable ddwrt rele... [More]
Bridging IPTV over wireless using two Linksys WRT54GL routers and DD-WRT firmware (7)
Miha Markic wrote: Hi Bart, I did a quick file search on my disks an... [More]
Bridging IPTV over wireless using two Linksys WRT54GL routers and DD-WRT firmware (7)
bart dm wrote: hellow, nice reading your guidelines. Do you have ... [More]
Logging exceptions with NLog (2)
Paulius wrote: Why not to use ${exception:maxInnerExceptionLevel=... [More]
Building an Intel Core i7 based computer – Motherboard (2)
Julian wrote: I went with an i7-2600k and the asus sabertooth p6... [More]
Realtime graph for WPF (2)
Miha Markic wrote: Glad you like it. Well, yes, it is not a finished ... [More]
Realtime graph for WPF (2)
m0sa wrote: Wow, great! Beats the s**t out of DynamicDataDispl... [More]

Comment RSS

e-banking at its best