e-banking at its best

I saw this post over at David's blog and all that I have to say is that ... I am not surprised. e-banking applications aren't good over here in Slovenia. But this one from David's post tops the list by far. Here is the screenshot from his blog (I hope he doesn't mind that I've made a copy of it).

BA-CA error

So, you might say "heck, errors happen". Yes they do, but this one shows bank ignorance at its worst. Even though their representative Janez explains in a comment that the error and the usage of an Access(!) database are unrelated to the core application itself, he is bloody wrong. So, what can you see from this error:

  • They are using Access
  • They are using ASP
  • They are using an ODBC driver (who knows why...)
  • The code that connects to the database is in the file /obvestila/DBConn.asp and the connection itself is on line 9
  • They have never heard of the rule: never ever show internal errors to the public

These are 5 lines of knowledge that should remain hidden, especially in this kind of sensitive application. Do you wonder what other errors might reveal? But the real problem is not this particular data that was displayed, it is the fact that they are showing data that shouldn't be seen from outside, ever. This leads me to think that their application is really badly written, or at least a part of it is, and it might be highly vulnerable to malicious attacks. At least such a message doesn't really give you a sense of security. I also wonder how scalable the application is when used by more than 5 concurrent users.
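To make the "what does this error leak" list concrete from the defender's side, here is an added example (my own illustration, not code from the post or from the bank): a small checker that scans an HTTP response body for the fragments a verbose ODBC/ASP error exposes, and a handler that splits a failure into a generic public message plus a detailed server-side log entry. The sample response is constructed: the script path and line number are the ones quoted above, the driver strings are the standard ones such errors print, and the `.mdb` path and error code are invented placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample of a verbose classic ASP / ODBC error page (an assumption
# modelled on the genre of error the post describes). The script path and line
# number are the ones quoted in the post; the .mdb path and error code are invented.
SAMPLE_RESPONSE = """HTTP/1.1 500 Internal Server Error
Content-Type: text/html

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Could not use 'c:\\www\\data\\obvestila.mdb'; file already in use.
/obvestila/DBConn.asp, line 9
"""

# Each pattern maps a recognisable fragment of a verbose error to the fact it leaks.
# Order matches the five points listed in the post (technology, backend, paths, line).
DISCLOSURE_PATTERNS = OrderedDict([
    ("odbc_driver",    re.compile(r"Microsoft OLE DB Provider for ODBC Drivers")),
    ("access_backend", re.compile(r"ODBC Microsoft Access Driver")),
    ("error_code",     re.compile(r"error '([0-9A-Fa-f]{8})'")),
    ("database_file",  re.compile(r"'([^']+\.mdb)'", re.IGNORECASE)),
    ("script_path",    re.compile(r"(/[\w./-]*\.asp)\b", re.IGNORECASE)),
    ("source_line",    re.compile(r"\.asp, line (\d+)", re.IGNORECASE)),
])


def find_disclosures(body):
    """Return {leaked_fact: [matched values]} for every internal detail in a response body.

    Run this over outbound responses (e.g. from a reverse proxy log) to catch pages
    that leak implementation details before customers see them.
    """
    found = {}
    for fact, pattern in DISCLOSURE_PATTERNS.items():
        hits = [m.group(1) if m.groups() else m.group(0) for m in pattern.finditer(body)]
        if hits:
            found[fact] = hits
    return found


def is_verbose_error(body):
    """True if the body exposes anything an outsider should never see."""
    return bool(find_disclosures(body))


def handle_error(detail, reference_id):
    """Split a failure into the text the user gets and the text the server logs.

    The public message carries only an opaque reference id; the full detail
    (driver, file, script, line) goes to the log where operators can correlate it.
    """
    public = ("Sorry, the service is temporarily unavailable. "
              "If the problem persists, quote reference %s." % reference_id)
    log_entry = "ref=%s %s" % (reference_id, " ".join(detail.split()))
    return public, log_entry


if __name__ == "__main__":
    for fact, values in find_disclosures(SAMPLE_RESPONSE).items():
        print("%-15s %s" % (fact, ", ".join(values)))
    public, log_entry = handle_error(SAMPLE_RESPONSE, "REQ-0001")
    print("\nuser sees: ", public)
    print("log gets:  ", log_entry)
```

The point of `handle_error` is the split the post asks for: the detail is still recorded, just not in the HTTP response. The `find_disclosures` patterns are deliberately narrow to the ASP/ODBC/Access error style seen here; a production check would carry patterns for whatever stack is actually deployed.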

Anyway, I am sure that application was written by the cheapest company... Kudos to everybody using this application for their courage.

UPDATE: The page with the error shown above is not a page from their e-banking application itself but from their e-banking entry page. Their e-banking application is actually located at another web address and it seems to be a Java application. So the two might be separate. But nevertheless all of the criticism above is still very valid.

Comments (6) -

  • Mladen

    8/29/2007 12:56:16 PM

    shall we play crash the bank site? Smile))

  • Giuseppe

    8/29/2007 3:40:22 PM

    outsch!!! still can't trust my eyes Wink that's very very evil. (And they are using http instead of https)

  • Milko

    8/29/2007 11:22:54 PM

    Have you read the comments on David's site?

  • Miha Markic

    8/29/2007 11:38:23 PM

    Which one?

  • Miha Markic

    8/31/2007 5:52:17 AM

    I know, read the UPDATE paragraph. All the criticism still applies, it casts a bad light on your banking software (if your web site is poorly done one might assume that the e-banking app is not much better) and it helps malicious users. Just for a simple example, what if somebody hacks into your web site and changes the link to the e-banking application (redirects to a similarly looking application)? Will your clients notice that they are passing their credentials to a false application? Would you notice that the link has been compromised?
    So, the error is connected with your e-banking, perhaps not directly.
