Why bank websites remove the ability to paste? You have already copied the text when you realize you cannot paste. So what is the point? Writing things by hand are prone to errors and if your clipboard is poisoned you have already copied the stuff by the time you realize you cannot paste…
I always imagine there is an "intro to forms programming" which includes code to disable copy and paste, and its concepts now have thousands of descendants across the web, to the point that people start imagining it's a security measure and proactively copy it. I agree w/you and don't see the point in stopping users from pasting in the first place.
I don't think it specifically violates any accessibility regulations, but preventing pasting has always come across to me as an accessibility violation.
Not only does my bank's website not allow me to paste my "password", it doesn't allow me to type it at all. It's insane. Said "password" is just a 6 digit number (we're not allowed to set our own passwords, because 6 digits is definitely way more secure than the 16 character random strings my password manager generates) and it forces me to enter it using buttons on the page itself with randomized positions. No idea how any of this is supposed to help with security, if my device is already compromised to the point that all my keypresses and clicks are being logged, the attacker can probably also just read the password from the browser's memory...
But, how exactly does being able to install a keylogger on someone's computer mean you can also break memory integrity and steal data from the browser's memory?
From what I know, windows keylogger "services" were very popular some 10 years ago and hence the banks rushing to "fix" it.
Also, keyloggers don’t have to be in software (for a desktop, I suppose). You can buy one that simply plugs in between keyboard and computer. In this way, I can sympathize with the onscreen idea, however it’s criminal to not at least include a password field that is detectable by all password managers so that it “just works” for them.
(And also criminal to have a password max, short of like 1MB — even then the only reason for the limit is to slightly reduce the harm of some kind of weird DDOS against your login endpoint - whenever I see a password max I always assume this site is so dumbly implemented that they aren’t hashing my password but storing it in plaintext or reversible encrypting it.)
> But, how exactly does being able to install a keylogger on someone's computer mean you can also break memory integrity and steal data from the browser's memory?
On Windows at least, any process can read any other process' memory as long as it's running under the same user.
Polish ING modifies IBAN on pasting it during bank transfer and forces to enter manually first two digits "for your security". They also disable IBAN selection in transfer summary view, so one cannot copy it and double check before confirming the transfer. ING seems to deploy the most arbitrary "security" measures found on most random blog posts and sprouted during the most brain-dead brainstorming meetings.
Forcing you to manually type the first two digits makes sense to me. If a hacker is able to modify clipboard text, you manually inputting the first two digits should trip up the IBAN checksum.
Whatever are the motivations and reasoning, bank is doing exactly what the bad actors are doing. They modify the text during the copy and paste workflow.
It's only the same thing if you look from a very shallow angle. Stripping part of the user input to ensure it's entered by the person themselves is otherwise completely different from replacing user input with different data. One defends against a specific kind of attack, the other is a malicious attack.
How often to you write random text into the IBAN field of your bank? Never, because it's an identification number? What a coincidence.
I mean, just think this two steps further. Hackers change input, and banks change input, so hackers == banks? But hackers also change what is displayed on the screen, and password fields change what is displayed on the screen, so hackers == password fields? Pressing my mouse button on the "reply" button changes what is displayed, so hackers == my mouse?
No, my premise is very straightforward. Do not modify the text during the copy and paste workflow. Copy and paste workflow is well defined and established concept by now. That bad actors are doing it doesn't mean you should. No point in exaggerating my premise and ridiculing me.
> No, my premise is very straightforward. Do not modify the text during the copy and paste workflow.
That's not the premise you stated earlier. That was: "Banks and hackers do the same thing by modifying the text during the copy and paste workflow", which completely ignores what kinds of modifications are happening.
> Copy and paste workflow is well defined and established concept by now. That bad actors are doing it doesn't mean you should.
See? You're doing it again. Banks are not doing what "bad actors are doing". Banks are doing something else.
> No point in exaggerating my premise and ridiculing me.
I am not exaggerating your premise and ridiculing you, I'm continuing your logic to show its' flawed premise. You stated that "banks and hackers are doing the same thing", and the reason it's the same is due to the literal operation being the same. Why can't I extend this logically to other operations that are the same? A password field changes what is displayed compared to my input, how is that different from a hacker changing what is displayed compared to my input?
I hate this so much, was registering for a new ISP the other day, they blocked paste in the password inputs and broke my password manger. Such an incredible bad decision from a security perspective.
Usually it starts with a company having issues with robot traffic. So they try a bunch of things to hinder the robot(s). They do something, the robot stops working, but after a while it comes back, it's a cat and mouse game essentially.
One day, they (developers pushed by middle managers) disable copy-paste on the login page, and the robot temporary stops working, until a couple of days later, when the robot found a way around it.
On to the next thing to do to stop the robot, but that previous "fix" is still there, with the thinking that "maybe that stops some of the robots", but it probably doesn't.
But there it sits, some ~10-ish lines of JS that will hang around until rewrite v6 when they'll begin from the beginning, and some months/years later come around to disabling it once again.
You can't win; you're going to get robot traffic unless everybody does something like Web Environment Integrity. Seriously.
Just allocate your finite resources in a hierarchical 32-level binary tree based on bit prefixes of the client IP address. Exactly what the root DNS servers do. And exactly what the only mitigation for slowloris attacks does. Then get on with your life.
Honestly, robot traffic seems like an issue just because websites are horrendously inefficient. Hundreds of round-trips to external servers, languages that require some orders of magnitude more resources than needed... It shouldn't be so expensive to just serve a page, even considering robots
> Hundreds of round-trips to external servers, languages that require some orders of magnitude more resources than needed... It shouldn't be so expensive to just serve a page, even considering robots
This is not a priority. The features are implemented by more abstraction, ie. TypeScript and web frameworks. Industry's low barrier to entry promotes studying frameworks, not technologies and standards enabling them. Anti-robot measures mostly prevent automated fraud and are there to ensure the ads are displayed, if the whole process will freeze your browser and eat your entire RAM they are fine with it.
You’re right on that part but I think it isn’t so much the server resources but the actual things the bots may be doing. For example making a ton of bot accounts to spread propaganda, or 10,000 “trial accounts” to host untraceable phishing/scam pages, etc. Or for example, an e-commerce site that doesn’t want to be automated into service as a card tester for stolen credit cards with thousands of fraudulent orders.
Idk what you are saying, are you suggesting if I operate a webstore I should let bots place thousands of fraud orders frequently, and eat all those chargeback fees? And… law enforcement? Call the cops every time that happens? At least in my country, the police would say “uhh, ok feel free to file a report,” but they will do zero to investigate it. Which actually makes sense since most of those doing this crime are operating overseas, out of their jurisdiction anyway.
Also, if someone is registering 10,000 accounts that are obviously not real people, I should let them?
First of all, my website, my free speech. I’m free to publish or delete anything on it.
Second, bulk-created fake accounts aren’t needed even for legitimate political speech. That’s more like extreme astroturfing.
That's exactly what developers will tell middle-managers but it won't matter unless you're in a organization that actually value their developer's opinion.
Not saying this is the case, but there was malware that would check to see if you had copied what looked to be a bitcoin account and replaced it with its own.
Yeah I also hate this but they have a point. Desktop clipboard is a shitshow. Any app can read it willy nilly, certainly if focused but I wouldn’t be surprised if it works in the background on some platforms.
It is one of the prime candidates for a global redesign from scratch, including even physical keys (since copy-paste is so common, certainly more than say caps lock). All the APIs are riddled with decades of tech debt and are entirely platform-specific.
Aw man, now I’m sad because that means that’s the next thing Apple will nerf out of existence. I like my clipboard manager and I haven’t ever downloaded malware onto my Mac despite rarely using their crappy App Store. :(
Stage 1: Everything is totally trusting.
Viruses exist, and scanners exist to help you not download anything stupid.
Stage 2: Locked ecosystems like iOS App Store, Platform Vendor claims their 100% diligence will protect you (and them) from all possible bad (or insufficiently-profitable) software.
Apparently they weren’t satisfied
Stage 3: Full Sandboxing and full enforcement of Platform Vendor’s blessed software source only.
Now my computer, like my phone, will only ever have the exact, enumerated features the Platform Vendor blesses me with and I will like it or else. I am free to file a feedback on their website if I’d like a clipboard manager, and they may one day look at that feedback.
Reminds me of treasurydirect.gov which presents you with a virtual keyboard and you have to click to type out your (case insensitive) password. It is insane
Of course a long, random, unique password from a password manager is best for security, everyone knows that.
So forcing people to instead use a short, easy-to-type, memorable password clearly couldn't possibly be anything else but an attempt to undermine the user's security and put their account at increased risk. That bank does not have your best interests in mind. With that in mind, it doesn't matter why they don't.
So switch to another bank (or better yet, a credit union) that does.
The banks protect you from malicious clipboard manipulation by manipulating the clipboard content ("we let you paste but complete some digits manually") and/or entirely disabling pasting text into text fields. Yes, they employ at least one "security expert" who will elaborately explain you why it's better for your security.
