The Almighty Buck

Journal jawtheshark's Journal: P&T e-banking FAIL.... 2

My wife and I have been clients of the P&T Luxembourg Financial Services for ages. (I don't know how it is in non-EU countries, but in many EU countries, the postal service has a banking branch). They are great because having a current account there costs nothing, using their e-banking costs nothing and pretty much 80% of all payments can be done using them as most people have an account at P&T Luxembourg. It's also mandatory for state servants to have a postal account as wages are only paid on such accounts. The downside is that you don't get any interest with them, but frankly, it's not as if banks give much interest on current accounts these days.

Their web banking also worked perfectly fine with alternate browsers on alternate platforms. (Not that I have to complain about my other bank, where the same applies). Now, recently I got a letter announcing their "new and improved" web banking service. I was already a bit miffed, because it clearly stated that it would move in the mid-term to LuxTrust which is the most useless thing the Luxembourgish State came up with. Basically, it's a certificate authority (Good!) in private hands (Bad! Of course, granted de facto monopoly status by the State. Ugly!) which is supposed to bring secure transactions to all citizens of Luxembourg. You're supposed to get your own certificate, signed by them, so you can handle anything related to the state (I don't know, like requesting a birth certificate and stuff like that) securely and banks are strongly encouraged to participate. Obviously, the semi-state-dependent P&T does participate.

I have absolutely no problem in getting my own certificate to prove who I am. It's a fine system. What is not fine is that they fucking charge money for that. Sure, it's only a mere "63.25€" for their cheapest option. So, I go from "no-cost" to "must-pay-for-stupid-certificate". Sure, it comes down to about 12.65€/year, which is the price of a credit/debit card on your account. It is not much, but I think it's a pure ripoff.

Furthermore, notice that I said that the P&T's banking worked on all systems. I have absolutely no indication that the WebTrust thing will run on my operating system of choice. None at all. The only Linuxes that are supported are Debian 4.0 (Etch) and Redhat 4.0. That's not even the current Debian Stable, because that one is called Squeeze, and in between there was Lenny! A quick glance at Wikipedia reveals to me that Redhat's current Stable is at 6.0.

Of course, the software from Redmond and Cupertino is supported. Why am I not surprised?

Did you notice the column "Java" in the supported systems table? I have the vague impression it's all Java based. Applets... 1995 called and wants their technology back.

This brings me to the topic... I logged into the P&T "new-and-shiny-improved" system today. First of all, I got a nice screen with compatible systems and needed to click through that I was sure I wanted to continue because my system wasn't supported. Great, now they start to complain about my system. I took the "old" authentication system (which, as I understood, will disappear mid-term. I obviously can't test the LuxTrust version, as I refuse to pay for it) and got presented with... an Applet! WTF! It was signed so I got a scary Java message complaining about that. Seriously? For the basic authentication you used before? Worse, when it came to typing in the codes, I had to use a fucking virtual keyboard. What?!? Seriously?

The good news is that the rest of the site seems to be a standard web-application.

This is seriously bad news for alternate-OS citizens of Luxembourg. We'll get cut off. Worse, it's bad news for ALL citizens of Luxembourg because you'll sooner or later get this scam forced upon you and get another fee squeezed out of you for nothing at all.

If you didn't notice: I'm seriously pissed off. Especially because my other bank doesn't do this shit nor does it participate. They issue you a certificate, free of charge (well, I guess it's covered in my three-monthly account fees). Yes, it's software, but I can import it in any browser I want, copy it wherever I want. If I lose it (for example on a USB stick) it's no big deal as an exported certificate (p12) is encrypted and password protected and I have another copy at home. Only pluses. It's perhaps slightly less secure than a hardware token, but it works, is simple and is free.

I weep for the geeks in my country. Politics taking over technology always ends up in tears.
