News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Chase bank is at it again with useragent sniffing

    Posted on Ascaris Comment on the AskWoody Lounge

    Home Forums Outside the box Rants Chase bank is at it again with useragent sniffing

    This topic contains 9 replies, has 7 voices, and was last updated by  MW 1 month, 2 weeks ago.

    • Author
      Posts
    • #2015763 Reply

      Ascaris
      AskWoody_MVP

      Chase Bank used to redirect users with “unsupported” browsers to a page explaining what browsers they would allow you to use to manage your money.  Rather than detecting whether the browser has the appropriate security features, they allow or disallow access based on the self-reported useragent string of the browser, which has long been condemned as a really poor practice.  Since “best viewed with Netscape Navigator” messages were a thing.

      If I, as a Waterfox user, wanted to use their site, I would have to change my useragent to pretend I was using something else, and then it would let me in.  That’s illustrative of how dumb and pointless useragent sniffing is– the practice excludes too many people (because it blocks browsers that are fully updated like mine just because it does not recognize them) and too few (in that anyone who knows how to install an addon and select a new browser from a dropdown menu can masquerade as some other browser).

      That’s what you’d call “a bad idea.”

      They eventually changed that practice, and I’ve given them credit for changing their mind, even if I still used them as an example of what not to do.  Was this a success story of a site owner learning from their mistakes?  I’d thought so.

      Well, I just tried logging in there, and upon entering my information, it told me “It seems that this part of our site isn’t working now.

      I tried again with the adblocker and script blockers disabled, and still no access.  Tried in Waterfox’s safe mode… still the same.  I tried with a blank profile, with all default settings… no good.

      I do have an addon to change the useragent, but I am reluctant to use it simply because it should not be necessary.  Either my browser has the ability to use the grade and type of security features the bank wants to use or it does not, and the most certain way to find out is to try to use those features and observe the results.

      I can see blacklisting certain browser versions that are known to have unfixed security bugs, but to whitelist only a few selected browsers and deny the rest is really bad practice, not to mention 15+ years out of style.

      So, reluctantly, I changed my useragent from Waterfox 2019.10 on Linux to Firefox 67 on Windows 10, and voila– now that part of their site works.

      It’s bad enough to tell the customer “Sorry, we don’t recognize your browser, so get lost,” as they once did (and if I remember correctly, they didn’t have ANY browsers on the accepted list if the user was on Linux), but to simply say that this part of their site is not working, which is what some of us like to call “a lie,” is worse.  If one was to take the site at its word, he would simply try again later, then later, and so on, and it would never work, without any clue that the site was selectively blocking people based on the useragent string of their browser, and then lying about what had happened.

      I thought Chase had learned, but apparently not.

      On top of that, they have a really silly “we don’t recognize the computer you’re using” conditional 2fa message.  It says exactly that, but the very next line says, “This may have happened because you’re using a device you don’t usually use or you cleared the cookies on your phone.” (emphasis added)

      It is the same device I use to access the site every time, so it’s not that, and I guarantee that I have not cleared the cookies on my phone, as that is quite impossible on either my dumb cell phone or my land line phone, which are the only phones I have.  What would that have to do with my computer anyway?  You know, the one they say they don’t recognize!

      That bit is laughable, but it kind of reinforces the idea that they really have no idea what they are doing.

      I’ll have to think about whether it’s worth it to continue to do business with them.

      Group "L" (KDE Neon User Edition 5.17.5).

      5 users thanked author for this post.
    • #2015871 Reply

      ibe98765
      AskWoody Plus

      Discover mag has something similar going on.  Their code only works with certain browsers (not my old FF either).  They are telling me they only support Chrome right now!  Talk about a lame company!  And their magazine has deteriorated tremendously over the years such that it is almost not worth reading any longer.

      Most programmers just code what someone tells them to.  This isn’t the old days when programmer/analyst/coder were synonymous.

      1 user thanked author for this post.
      • #2015927 Reply

        Fred
        AskWoody Plus

        Quote from {[@]Admin}Kirsty on twitter:
        “We can no longer pretend that Google is a positive force in the world.
        There is a simple first step that every internet user can take to make things a little better. Seek out a better web browser to replace Google Chrome and tell everyone to do the same.” https://twitter.com/campuscodi/status/1203034558414938118

        Is a good start

        After all.. Just because we're paranoid doesn't mean they aren't out to get us.
        • #2015980 Reply

          Ascaris
          AskWoody_MVP

          The tweet was actually from Catalin Cimpanu, a journalist at ZDNet.

          That “No to Chrome” site reminds me a lot of the “No to IE” movement in the early 2000s.  I had a page back then that did useragent sniffing to display a message to IE users asking them to try something else (no content was blocked!).

          Of course, back then, we had a Mozilla that was determined to do battle with Microsoft by unabashedly making a better product in every way imaginable.  Now we have a Mozilla that is more interested in obeying Google and doing their bidding than Brave or Vivaldi devs, both of which are forks of Chromium.

          I think the site makes an error by pointedly refusing to endorse any Chromium-based browser.  If the claim is that it’s about respecting the wishes of the user, any of the de-Googled variants of Chrome will do that.

          Avoiding IE back when it had nearly the entire browser market was, for me, a matter of principle, as is avoiding the actual Chrome now.  Avoiding Chromium variants that take Google’s code and repurpose it to serve the interests of the user doesn’t bother me a whole lot. The idea of the whole web being based on a single rendering engine is concerning, but with Mozilla’s strategy of copying Chrome still in full effect, I don’t really see Mozilla as being a bona fide alternative anymore.  If Mozilla was mounting a real opposition to Google’s hegemony, I’d certainly want to be a part of it.  As it stands, Mozilla seems to be on team Google anyway.

          I use Waterfox (Classic, which for me is the real Waterfox) because the extensions it uses are far more powerful than anything Chromium or the current Firefox currently uses, and it can be customized to be exactly the way I want it.  If Waterfox went away, Firefox proper remains, for the time being, a better choice for me than any Chromium variant for the moment, since it still has the ability to use userChrome.css, which partly mitigates the disaster of the Quantum leap backward– enough so that it still is closer to my ideal browser than the Chrome variants.  If my prediction that the userChrome.css will be removed from Firefox comes to fruition, and if Waterfox wasn’t there, Vivaldi would become my top choice, even though it is a Chromium fork.

          The main downside I see to using de-Googled Chromium forks that is that the makers of these browsers will be tempted to use the Chrome useragent so that issues like the one I describe in the original post won’t happen.  In that case, these non-Chrome browsers will be reported by Netmarketshare.com and others as part of the statistics for Chrome, which just perpetuates the idea that Chrome is “the” browser to use.

          Group "L" (KDE Neon User Edition 5.17.5).

          • #2015986 Reply

            Fred
            AskWoody Plus

            So Kirsty was right to spreaden the message in a retweet. Cool

            After all.. Just because we're paranoid doesn't mean they aren't out to get us.
    • #2016247 Reply

      Mele20
      AskWoody Lounger

      This is an override that is in Basilisk to cut down on complaints from users:

      general.useragent.override.chase.com;Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0

      That’s an older version of Fx but Chase is happy with it and throws errors if I were to set that entry as “false” and let Basilisk current UP TO DATE VERSION correctly identify itself.

      I got my first Smart phone a year ago (iPhone 10 R) and have been using the Chase app on the phone …works great and is a relief from Chase carping. I’ve had a Chase credit card (with a low FIXED interest rate) for about 25 years. I recall when Chase first got into online banking and what a mess they made! It was awful.

      I’ve always, all these years (after Chase got its first messed up try with online banking around 2003 or so cleaned up) used Chaseonline.com rather than Chase.com as all I wanted to do was check my credit card and pay it monthly so I wanted to avoid the long time scandalous NON SECURE login from the main chase.com site. I was told in security forums years ago to ONLY use chaseonline.com because the login there IS secure unlike at chase.com for many years. Chase has finally cleaned up their login at chase.com main site and it is secure now. But the reason Chase is trying to discourage use of Chaseonline website now is that you get very little advertising and little uBlock Origin “hits” there. If, instead, you let Chase scare you with their banner that Chaseonline.com is an “old” site and you go login on chase.com, as they want, you are inundated by ads and other junk and a LOT of activity by uBlock.

      The Chase app for smart phones is quite good so for those with smart phones that is the preferable way to interact with Chase. The second best way is using Basilisk (as it has the override built in so Chase is fooled when it sniffs the UA) and using the older, but still serviceable, chaseonline.com but that does depend on what you need to do at Chase as some activities may require login on the main Chase.com site.

      I just tried https://chaseonline.chase.com/Logon.aspx on current Waterfox (legacy version) and got the same popup about the site being old but I had no trouble logging in.

    • #2016360 Reply

      Mele20
      AskWoody Lounger

      It doesn’t redirect for me but then I have had that link to chaseonline.com for MANY years saved in bookmarks in all my browsers. I used the bookmark to go there earlier.

      Friday-December-06-2019-202219001

      Attachments:
    • #2016570 Reply

      anonymous

      The persistent user agent sniffing could be a way to convince or force people to use the smartphone application. Then there is an Chrome application programming interface that is seen as a call for great concern.

    • #2016577 Reply

      MW
      AskWoody Plus

      On top of that, they have a really silly “we don’t recognize the computer you’re using” conditional 2fa message. It says exactly that, but the very next line says, “This may have happened because you’re using a device you don’t usually use or you cleared the cookies on your phone.” (emphasis added) It is the same device I use to access the site every time, so it’s not that, and I guarantee that I have not cleared the cookies on my phone, as that is quite impossible on either my dumb cell phone or my land line phone, which are the only phones I have. What would that have to do with my computer anyway? You know, the one they say they don’t recognize!

      I get that every now and then with Chase.  There is no rhyme or reason to the pattern when I do get it.  I have Waterfox set to always browse in private mode and delete cookies on close.

      Other than that I have had zero issues logging in on all my machines.

      The useragent override I’m using on my Mint Cinnamon machine is;

      Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

      That is verbatim from Firefox.

       

      W7 & W8.1 - Group W (since April 2017)
      Mac Sierra & Mojave - Group A
      Mint Cinnamon - Group A

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Chase bank is at it again with useragent sniffing

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.