1password is changing password info [Bank of Melbourne and St. George login issues]

coldrick
Community Member
edited June 2016 in 1Password in the Browser

I'm using the app store version, and syncing to iCloud. A few days ago, I started to not be able to login from Chrome via 1password to my banking site, https://ibanking.stgeorge.com.au/ibank/logonAction.action. If I entered the details by hand, all went well. If I changed the info in 1password, then when I next tried logging on, the 1password webform data had changed!

I've reinstalled from the app store, and the problem continues.

Help!!!

Regards,
David


1Password Version: 6.2.1
Extension Version: 4.5.6.90
OS Version: OSX 10.11.4
Sync Type: iCloud


Comments

  • Nigel_J
    Community Member

    I am having the same problem again with this website. I reported the issue using the "report website issue" in the app a few days ago but have not had a response.
    Try this: check the 'never submit' tab, then re-enter the details correctly and save.

  • coldrick
    Community Member

    Thanks, Nigel. Tried that, but problem remains.

    Regards,
    David

  • Pilar
    1Password Alumni

    Hi @coldrick,

    That page has been causing us some headaches for a while, it's on our radar and we're working on it! Right now what seems to help most people is to correct by hand the erroneous information in the login or fully recreate the login manually. Disabling auto submit also helps. You can do both things if you click on "Edit" on your item. If this doesn't work you can find a few more suggestions on this post.

    I hope some of this helps you while we can get it permanently fixed :chuffed:

  • dakeeper
    Community Member

    First - I'm a very happy 1Password user and have been for years. As of today the app doesn't work on my mac...and any browser with my main bank. Which unfortunately is my main login! Here: https://ibanking.stgeorge.com.au/ibank/loginPage.action

    I have tried recreating the login and turned off auto submit, which seems to have been the recommended action for past problems with St George. But no joy. I welcome any further advice since this is killing my main purpose for the app. Thanks in advance, Steve


    1Password Version: 1Password 6 Version 6.2.1 (621002) AgileBits Store
    Extension Version: 4.5.6
    OS Version: 10.11.5
    Sync Type: Dropbox

  • dakeeper
    Community Member

    As of today, 1Password is not working on St George for me. Since I access it several times a day I would welcome a fix. Tried several browsers. Same result. Thanks. I tried creating a new login and turning off auto submit. No joy.

  • jxpx777
    1Password Alumni

    Hi, @coldrick and @dakeeper. I'm sorry for the troubles you're having. I recently dove into the St. George code (Some other banks like Bank of Melbourne do this too, so it sadly makes me think this is some solution for online banking that is being peddled to these banks… :(), and here's what I found. The problem is that the site scrambles some of the fields after you fill them. In Chrome, you can see what I mean with a little detective work:

    1. Navigate to the sign on page and enter your details but do not submit.
    2. Choose View > Developer > JavaScript Console from the menu bar.
    3. Run the following code: document.getElementById("securityNumber").value

    I tested with a value of 90210 and the value that the site stores there is 78948. What's more, the value seems to be different from visit to visit. After reloading, I got 75895 as the value.

    It seems they are deliberately performing some cryptographic operations on these fields. You can see their code for yourself.

    The truth of this is that this is all a bit of theater because it seems the key required to perform all of this decryption is in the page itself. If the key used to encrypt is not itself secret, then this amounts to nothing more than obfuscation rather than actual encryption and the amount of security gained from it is essentially zero.

    I double checked and it seems they are submitting this to their server in the obfuscated form as well. Here's what I see when I intercept the submitted data using Chrome's browser extension frameworks.

    It seems the nameId field contains the key in some encoded form and then this is used to decrypt the values that are specified in the submitted fields, which seem to be using a relatively simple substitution cypher from the look of it, on the server side.

    Overall, I would be very skeptical of what benefit this provides vs submitting the raw values over HTTPS. Any attacker privileged enough to monitor what you're doing in a web page or to intercept and decrypt HTTPS traffic would have no trouble deciphering the scrambled mess they've made of these values with a little bit of interest and time. And once they know how to decrypt this traffic once, they know how to do it every time and the obfuscation is totally worthless.

    I hope that helps explain why 1Password's filling isn't working for you here. We'll continue to monitor the situation, but right now, copy and paste is your best option. To be honest, there are many other things higher on the priority list for us than trying to tango with sites that are going so far out of their way to be so obtuse. I would love to see more 1Password users complain about these sites and encourage them to help users behave securely in the first place rather than taking meaningless steps to create pretend security that prevents their users using good security practices.

    Let us know if you have any other questions or concerns.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
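
An added sketch of the point made in the post above, not part of the original post and not the bank's code: when the substitution key is submitted alongside the scrambled field, decoding needs no secret, and a login saved from the scrambled field goes stale on the next visit. It assumes a plain per-visit digit substitution; the function names and both key tables are constructed for illustration.

```javascript
// Toy model of a per-visit digit substitution whose key ships with the form.
// Not the bank's code: every name and both key tables are constructed here.

// key[d] is the replacement for digit d. Constructed so the toy reproduces the
// two values reported in the post for input 90210; only the entries for
// 0, 1, 2 and 9 follow from those values, the rest are filler.
const VISIT_1_KEY = "8490123567";
const VISIT_2_KEY = "5980123467";

function assertPermutation(key) {
  if ([...key].sort().join("") !== "0123456789") {
    throw new RangeError("key must be a permutation of the digits 0-9");
  }
}

function assertDigits(value) {
  if (!/^\d+$/.test(value)) throw new TypeError("field must contain digits only");
}

// Page script: rewrite the field value in place after it has been filled.
function scrambleField(plain, key) {
  assertPermutation(key);
  assertDigits(plain);
  return [...plain].map((d) => key[Number(d)]).join("");
}

// Server: invert the substitution with the key found in the same request.
function serverDecode(scrambled, key) {
  assertPermutation(key);
  assertDigits(scrambled);
  return [...scrambled].map((c) => String(key.indexOf(c))).join("");
}

// The form body as submitted: key and scrambled value travel together.
// Field names come from the post; sending the key unencoded is a simplification.
function buildSubmission(plain, key) {
  return { nameId: key, securityNumber: scrambleField(plain, key) };
}

// Anything that holds the submission holds the key, so decoding needs no secret.
function decodeSubmission(body) {
  return serverDecode(body.securityNumber, body.nameId);
}

// A password manager that saves what it reads back from the field stores the
// scrambled value; replayed on a later visit, the server decodes it to the
// stale scrambled digits instead of the real number.
function serverSeesAfterStaleSave(plain, keyAtSave, keyAtReplay) {
  const saved = scrambleField(plain, keyAtSave);
  return decodeSubmission(buildSubmission(saved, keyAtReplay));
}

console.log(buildSubmission("90210", VISIT_1_KEY));
console.log(buildSubmission("90210", VISIT_2_KEY));
console.log(decodeSubmission(buildSubmission("90210", VISIT_2_KEY)));
console.log(serverSeesAfterStaleSave("90210", VISIT_1_KEY, VISIT_2_KEY));
```

The only confidentiality in this model comes from the HTTPS channel, which would protect the unscrambled value equally well.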

  • dakeeper
    Community Member

    Appreciate the time invested. Thanks.

  • jxpx777
    1Password Alumni

    My pleasure!

  • jxpx777
    1Password Alumni

    Just wanted to follow up and let you know I merged your other post about St. George into this thread so that we can keep the discussion all together. I hope you don't mind. :)

  • coldrick
    Community Member

    Thanks, Jamie.

    I sent the following to customerrelations@stgeorge.com.au.

    Regards,
    David

    =======================================================

    Hello,

    Like any other security-conscious individual, I use a password manager - in my case, the excellent 1Password - to maintain passwords to the sites I login to. The St George site has recently become unusable via 1Password, and I am reduced to having my login details retained in a text file so that I can copy and paste them into the page. This is ridiculous in the extreme.

    One of the 1Password support guys investigated the problem and came up with the results below.

    Please pass this on to whoever maintains your website. I would appreciate a response and an estimate as to when the problem will be resolved.

    Sincerely,
    David, a frustrated customer

    Hi, @coldrick and @dakeeper. I'm sorry for the troubles you're having. I recently dove into the St. George code (Some other banks like Bank of Melbourne do this too, so it sadly makes me think this is some solution for online banking that is being peddled to these banks… :(), and here's what I found. The problem is that the site scrambles some of the fields after you fill them. In Chrome, you can see what I mean with a little detective work:

    Navigate to the sign on page and enter your details but do not submit.
    Choose View > Developer > Javascript Console from the menu bar.
    Run the following code: document.getElementById("securityNumber").value
    I tested with a value of 90210 and the value that the site stores there is 78948. What's more, the value seems to be different from visit to visit. After reloading, I got 75895 as the value.

    It seems they are deliberately performing some cryptographic operations on these fields. You can see their code for yourself.

    The truth of this is that this is all a bit of theater because it seems the key required to perform all of this decryption is in the page itself. If the key used to encrypt is not itself secret, then this amounts to nothing more than obfuscation rather than actual encryption and the amount of security gained from it is essentially zero.

    I double checked and it seems they are submitting this to their server in the obfuscated form as well. Here's what I see when I intercept the submitted data using Chrome's browser extension frameworks.

    . . .

    It seems the nameId field contains the key in some encoded form and then this is used to decrypt the values that are specified in the submitted fields, which seem to be using a relatively simple substitution cypher from the look of it, on the server side.

    Overall, I would be very skeptical of what benefit this provides vs submitting the raw values over HTTPS. Any attacker privileged enough to monitor what you're doing in a web page or to intercept and decrypt HTTPS traffic would have no trouble deciphering the scrambled mess they've made of these values with a little bit of interest and time. And once they know how to decrypt this traffic once, they know how to do it every time and the obfuscation is totally worthless.

    I hope that helps explain why 1Password's filling isn't working for you here. We'll continue to monitor the situation, but right now, copy and paste is your best option. To be honest, there are many other things higher on the priority list for us than trying to tango with sites that are going so far out of their way to be so obtuse. I would love to see more 1Password users complain about these sites and encourage them to help users behave securely in the first place rather than taking meaningless steps to create pretend security that prevents their users using good security practices.

  • AGAlumB
    1Password Alumni

    @coldrick: Wow! Thank you so much for taking the time, David! While we can try to find workarounds ourselves, ultimately they're not likely to accommodate us. As you helpfully pointed out to them, you're their customer, and letting them know that they're making it difficult for you to behave securely can make a difference. :)

  • VirtualWolf
    Community Member

    Nice one, @coldrick! Thanks for that, I'll definitely be voicing my displeasure too. And thanks to @jxpx777 for getting to the bottom of it. :)

  • AGAlumB
    1Password Alumni

    Indeed, thoughtful feedback really can make a difference! :) :+1:

  • Age_Pat
    Community Member

    Glad to have found this thread. 1password and St George Internet Banking has stopped working for me also. I've tried everything. I'll be letting them know my displeasure.

  • AGAlumB
    1Password Alumni

    I wish that none of this were necessary. :(

    Hopefully they'll appreciate you and their other customers' desire to use long, strong, unique, random passwords with a password manager instead of using weak ones that can be easily remembered and typed.

  • alexmorrison
    Community Member

    I too am having this issue with St George. VERY boring. Tried everything as suggested on various threads but just cannot get it to work.
    I have just got an ANZ credit card to use Apple Pay - might move all my accounts there!

  • VirtualWolf
    Community Member

    The only thing I've had success with is manually copy/pasting field-by-field from 1Password (starting with the account number and going down from there).

  • AGAlumB
    1Password Alumni

    I too am having this issue with St George. VERY boring. Tried everything as suggested on various threads but just cannot get it to work. I have just got an ANZ credit card to use Apple Pay - might move all my accounts there!

    @alexmorrison: I can't say I blame you. Just be prepared: once you start using Apple Pay it's a real drag to go back to plastic! :lol:

    The only thing I've had success with is manually copy/pasting field-by-field from 1Password (starting with the account number and going down from there).

    @VirtualWolf: I'm sorry there isn't a better solution right now, but at least it's better to use a long, strong, unique password rather than one you can remember and type — even if it means using copy/paste. :blush:

  • VirtualWolf
    Community Member

    I'm sorry there isn't a better solution right now, but at least it's better to use a long, strong, unique password rather than one you can remember and type — even if it means using copy/paste.

    Oh absolutely, I'm in complete agreement. ;)

  • Pilar
    1Password Alumni

    Long life to good passwords! :chuffed:

  • Online_Alias
    Community Member

    This problem still persists for me using Safari (9.1.1 (11601.6.17)). I also reported this through the Synapse process and never received any response. I have been using the same 1P entry for years without problems until recently when it just stopped working. I have checked that the web form details have the correct values and tried switching to "Never submit" but it still fails. 1P populates all three fields on the web page but if I press the return key or click on the Submit button it rejects the credentials. Only the manual copy and paste seems to work. This same issue occurs on iOS 9.3.2. I have tried creating a new entry but that saves erroneous values in the web form details. Even if I change the values to the correct credentials it still doesn't work.

    I hope we can get back to a smooth 1P logon as previously experienced. Thanks.


    1Password Version: 6.3.1 (631005) MAS
    Extension Version: 4.5.6
    OS Version: 10.11.5
    Sync Type: iCloud

  • jxpx777
    1Password Alumni

    @Online_Alias Please see my previous post for more detail about the problem. Right now, I'm not sure how we can help with saving Logins there but I think we can help with filling and I hope to have something in place soon.

  • cambrown
    Community Member

    Hi everyone, I sent a tweet to the Bank of Melbourne today, and received a reply telling me to call them. That resulted in them asking me to email the details of the issue to them, (the guy on the phone says they've made no changes and he uses iCloud Keychain on Safari and it works. Don't worry, I pointed out this doesn't fill out all three fields they require, and clearly there have been changes).

    I gave them a link to this forum thread, and can only hope they act promptly. It's so frustrating that if they don't fix it soon they will lose me as a customer. As has been pointed out the lack of Apple Pay is not helping their cause!

    Keep up the pressure guys! Tweet, call, and email!

  • Pilar
    1Password Alumni

    Hi @cambrown

    Thank you for letting us know that you're trying to push them to have better security practices and for the heads up about them knowing about the forum thread! I hope that we see some change soon, thank you for being invested in all this! :chuffed:

  • AGAlumB
    1Password Alumni

    @cambrown: I also want to add that we're happy to assist them! Don't hesitate to direct them to support@agilebits.com if they need further details from us, or if there's something we can do to meet them halfway. After all, you're our customer and theirs, so if we can coordinate to improve your experience, everybody wins! :chuffed:

  • cambrown
    Community Member

    Hi everyone,

    I have had an unsatisfactory response from the Bank of Melbourne. Apparently by using a password manager I may be breaching their Terms & conditions!!!

    Here is the body of the letter I received:

    "Thank you for contacting us in relation to your recent experience with Bank of Melbourne. We have now completed our review of your concern.
    Our understanding of your concern relates to the loss of functionality with 1Password when using internet banking.
    I sincerely apologise for the inconvenience you may have experienced as a result of this matter.
    I’ve escalated this matter to our digital security team. The Westpac Group does not have any working agreement with 1Password. The bank does not endorse or recommend the use of third party software or password managers to store log in credentials. As such, we do not provide technical support for issues encountered with the use of these applications, and refer our customers to the software vendor or service provider if they are experiencing issues.
    We are aware customers can choose to use Password Managers if they wish and they certainly are better than storing passwords in plain text, however, by using them they are potentially breaching the terms and conditions.
    If you are not satisfied with this final response, you can contact the Financial Ombudsman Service Australia on 1800 367 287, email info@fos.org.au or mail GPO Box 3, Melbourne VIC 3001. If you choose to pursue this option, you will need to do so within 2 years of this correspondence.
    Yours sincerely,
    Nathan Spratt
    Customer Manager
    Customer Resolution and Experience"

    I have now made moves to switch to a different bank, and now urge everyone with a Bank of Melbourne, St George, Bank SA, or Westpac account to switch banks too. Given their hostility to Apple Pay, it's one more reason to take the time to switch.

    Sorry I don't have better news, but they are intransigent, and not interested in answering my "why did you make the changes" question. :(

  • jxpx777
    1Password Alumni

    That's really sad, @cambrown. I hope that you and others that are affected by this do contact the ombudsman. Perhaps Westpac really just doesn't understand that they're making it more difficult for their customers to behave securely by actively thwarting password managers.

    Out of curiosity, have you tried Safari's password saving and autofill for this? I'd be curious to know if any password manager was able to properly cope with this approach…

  • VirtualWolf
    Community Member

    I assume you folks at 1Password haven't changed anything with regards to this? Because I'm now able to use 1Password perfectly happily again with St George! I swapped over to your subscription service and installed the applications and latest extensions somewhere in between now and when I last tried, so I want to make sure you didn't fix anything before I say thanks to St George for not being stupid. ;)

  • dakeeper
    Community Member

    Yes all of a sudden some weeks ago I noticed this issue was no longer an issue on St George site!

  • AGAlumB
    1Password Alumni
    edited January 2017

    @VirtualWolf, @dakeeper: We've made some changes to try to accommodate these forms in particular in version 4.6.2 of the extension. Thanks so much for taking the time to let us know it's working better for you! I've let the rest of the team know it's helped. Cheers! :chuffed:

This discussion has been closed.