Royal Bank Online Fears Autocomplete

By nep on August 16, 2005 - 2:07am

I signed into my Royal Bank account on July 22, and got this notice:

To: HOP STUDIOS
Subject: Please Prepare Now for Upcoming Changes to the Sign-In Page

Effective August 17, 2005, client card numbers and passwords will no longer be automatically displayed when signing in to Online Banking.... The AutoComplete feature, which automatically displayed your client card numbers and passwords, will no longer be available. After this date, you will need to type your full client card numbers and passwords into the provided fields in order to enter Online Banking.

To me, this means that they're probably also going to break the Mac Keychain, probably by randomizing field names so that autofill tools won't be able to repopulate form fields.

If these built-in features of both the Mac and Windows operating systems, features that are available in every major browser, are such a big security hole that the Royal Bank needs to disable them, don't you think they'd have been removed from the software by now because of the hue and cry of security-conscious advocates?

And, if Royal Bank is suffering a rash of break-ins relating to the use of autofill, why haven't we heard reports about this in other media? Pointing out flaws in operating systems is practically a media sport these days, and anything that points out the flaws of online banking would be great grist for the mill.

What it boils down to is that Royal Bank is about to make it harder for me to log into my online banking account, because it thinks, in its infinite wisdom, that it knows better than I do how I should store my password and what steps I should go through to use it.

Royal Bank, in a typical We Know Best fashion, gives no way to respond specifically to this issue, but if you think it's bone-headed, send them an email.

(Cross-posted from my blog.)

Submitted by Boris Mann on August 16, 2005 - 8:01am.

...they're talking about their own, funky form of autocomplete. I'm not sure what it used, but it was the Royal Bank website itself that remembered your card number.

The client-side, browser-based autocomplete still works fine.

Submitted by leanne on August 16, 2005 - 10:11am.

I use RBC online all the time, should I stop?
