1password is changing password info [Bank of Melbourne and St. George login issues]
I'm using the app store version, and syncing to iCloud. A few days ago, I started to not be able to login from Chrome via 1password to my banking site, https://ibanking.stgeorge.com.au/ibank/logonAction.action. If I entered the details by hand, all went well. If I changed the info in 1password, then when I next tried logging on, the 1password webform data had changed!
I've reinstalled from the app store, and the problem continues.
Help!!!
Regards,
David
1Password Version: 6.2.1
Extension Version: 4.5.6.90
OS Version: OSX 10.11.4
Sync Type: iCloud
Comments
I am having the same problem again with this website. I reported the issue using the "report website issue" in the app a few days ago but have not had a response.
try this.. check the 'never submit tab' and then reenter the details correctly then save.
0 -
Thanks, Nigel. Tried that, but problem remains.
Regards,
David
0 -
Hi @coldrick,
That page has been causing us some headaches for a while, it's on our radar and we're working on it! Right now what seems to help most people is to correct by hand the erroneous information in the login or fully recreate the login manually. Disabling auto submit also helps. You can do both things if you click on "Edit" on your item. If this doesn't work you can find a few more suggestions on this post.
I hope some of this helps you while we can get it permanently fixed :chuffed:
0 -
First - I'm a very happy 1Password user and have been for years. As of today the app doesn't work on my mac...and any browser with my main bank. Which unfortunately is my main login! Here: https://ibanking.stgeorge.com.au/ibank/loginPage.action
I have tried recreating the login. and turned off auto submit which seems to have been recommended action for past problems with St George. But no joy. I welcome any further advice since this is killing my main purpose for the app. Thanks in advance, Steve
1Password Version: 1Password 6 Version 6.2.1 (621002) AgileBits Store
Extension Version: 4.5.6
OS Version: 10.11.5
Sync Type: Dropbox
0 -
As of today, 1Password is not working on St George for me. Since I access it several times a day I would welcome a fix. Tried several browsers. Same result. Thanks. I tried creating a new login and turning off auto submit. No joy.
0 -
Hi, @coldrick and @dakeeper. I'm sorry for the troubles you're having. I recently dove into the St. George code (Some other banks like Bank of Melbourne do this too, so it sadly makes me think this is some solution for online banking that is being peddled to these banks… :(), and here's what I found. The problem is that the site scrambles some of the fields after you fill them. In Chrome, you can see what I mean with a little detective work:
- Navigate to the sign on page and enter your details but do not submit.
- Choose View > Developer > Javascript Console from the menu bar.
- Run the following code: document.getElementById("securityNumber").value
I tested with a value of 90210 and the value that the site stores there is 78948. What's more, the value seems to be different from visit to visit. After reloading, I got 75895 as the value.
It seems they are deliberately performing some cryptographic operations on these fields. You can see their code for yourself.
The truth of this is that this is all a bit of theater because it seems the key required to perform all of this decryption is in the page itself. If the key used to encrypt is not itself secret, then this amounts to nothing more than obfuscation rather than actual encryption and the amount of security gained from it is essentially zero.
I double checked and it seems they are submitting this to their server in the obfuscated form as well. Here's what I see when I intercept the submitted data using Chrome's browser extension frameworks.
It seems the nameId field contains the key in some encoded form and then this is used to decrypt the values that are specified in the submitted fields, which seem to be using a relatively simple substitution cypher from the look of it, on the server side.
Overall, I would be very skeptical of what benefit this provides vs submitting the raw values over HTTPS. Any attacker privileged enough to monitor what you're doing in a web page or to intercept and decrypt HTTPS traffic would have no trouble deciphering the scrambled mess they've made of these values with a little bit of interest and time. And once they know how to decrypt this traffic once, they know how to do it every time and the obfuscation is totally worthless.
I hope that helps explain why 1Password's filling isn't working for you here. We'll continue to monitor the situation, but right now, copy and paste is your best option. To be honest, there are many other things higher on the priority list for us than trying to tango with sites that are going so far out of their way to be so obtuse. I would love to see more 1Password users complain about these sites and encourage them to help users behave securely in the first place rather than taking meaningless steps to create pretend security that prevents their users using good security practices.
Let us know if you have any other questions or concerns.
--
Jamie Phelps
Code Wrangler @ AgileBits
0 -
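A toy model of the behaviour described in the post above, added here as an example; it is not the bank's code or 1Password's. The substitution tables, the base64 `nameId` encoding and all function names are assumptions; only the table entries for 0, 1, 2 and 9 are chosen to reproduce the two values reported in the post.

```javascript
// Toy model, constructed for illustration. It is NOT the bank's algorithm:
// the table layout and the base64 "nameId" encoding are assumptions.

// Per-visit substitution tables: table[d] is the digit that replaces d.
// Entries for 0, 1, 2 and 9 reproduce the values reported in the post
// (90210 -> 78948, then 75895); the other entries are made up.
const VISIT_1 = "8490123567";
const VISIT_2 = "5980123467";

// What a page could do on each load: pick a fresh random permutation.
function randomTable() {
  const d = "0123456789".split("");
  for (let i = d.length - 1; i > 0; i--) {
    const j = Math.floor(Math.random() * (i + 1));
    [d[i], d[j]] = [d[j], d[i]];
  }
  return d.join("");
}

// Page script: rewrite the field after it has been filled.
function scramble(value, table) {
  return value.replace(/\d/g, (d) => table[Number(d)]);
}

// The form as submitted: scrambled field plus the key needed to undo it.
function submittedForm(typed, table) {
  return { nameId: btoa(table), securityNumber: scramble(typed, table) };
}

// Inverse, using only what is inside the submitted form. The server has to
// do this, and so can anything else that sees the page or the request.
function recover(form) {
  const table = atob(form.nameId);
  return form.securityNumber.replace(/\d/g, (d) => String(table.indexOf(d)));
}

// Assumption: a password manager saved the field after scrambling and the
// saved value is later submitted unchanged under a new visit's key.
function replaySavedValue(savedForm, nextTable) {
  const stale = { nameId: btoa(nextTable), securityNumber: savedForm.securityNumber };
  return recover(stale); // what the server would decode on the next visit
}
```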
Appreciate the time invested. thanks
0 -
My pleasure!
0 -
Just wanted to follow up and let you know I merged your other post about St. George into this thread so that we can keep the discussion all together. I hope you don't mind. :)
0 -
Thanks, Jamie.
I sent the following to customerrelations@stgeorge.com.au.
Regards,
David
=======================================================
Hello,
Like any other security-conscious individual, I use a password manager - in my case, the excellent 1Password - to maintain passwords to the sites I login to. The St George site has recently become unusable via 1Password, and I am reduced to having my login details retained in a text file so that I can copy and paste them into the page. This is ridiculous in the extreme.
One of the 1Password support guys investigated the problem and came up with the results below.
Please pass this on to whoever maintains your website. I would appreciate a response and an estimate as to when the problem will be resolved.
Sincerely,
David, a frustrated customer
Hi, @coldrick and @dakeeper. I'm sorry for the troubles you're having. I recently dove into the St. George code (Some other banks like Bank of Melbourne do this too, so it sadly makes me think this is some solution for online banking that is being peddled to these banks… :(), and here's what I found. The problem is that the site scrambles some of the fields after you fill them. In Chrome, you can see what I mean with a little detective work:
Navigate to the sign on page and enter your details but do not submit.
Choose View > Developer > Javascript Console from the menu bar.
Run the following code: document.getElementById("securityNumber").value
I tested with a value of 90210 and the value that the site stores there is 78948. What's more, the value seems to be different from visit to visit. After reloading, I got 75895 as the value.
It seems they are deliberately performing some cryptographic operations on these fields. You can see their code for yourself.
The truth of this is that this is all a bit of theater because it seems the key required to perform all of this decryption is in the page itself. If the key used to encrypt is not itself secret, then this amounts to nothing more than obfuscation rather than actual encryption and the amount of security gained from it is essentially zero.
I double checked and it seems they are submitting this to their server in the obfuscated form as well. Here's what I see when I intercept the submitted data using Chrome's browser extension frameworks.
. . .
It seems the nameId field contains the key in some encoded form and then this is used to decrypt the values that are specified in the submitted fields, which seem to be using a relatively simple substitution cypher from the look of it, on the server side.
Overall, I would be very skeptical of what benefit this provides vs submitting the raw values over HTTPS. Any attacker privileged enough to monitor what you're doing in a web page or to intercept and decrypt HTTPS traffic would have no trouble deciphering the scrambled mess they've made of these values with a little bit of interest and time. And once they know how to decrypt this traffic once, they know how to do it every time and the obfuscation is totally worthless.
I hope that helps explain why 1Password's filling isn't working for you here. We'll continue to monitor the situation, but right now, copy and paste is your best option. To be honest, there are many other things higher on the priority list for us than trying to tango with sites that are going so far out of their way to be so obtuse. I would love to see more 1Password users complain about these sites and encourage them to help users behave securely in the first place rather than taking meaningless steps to create pretend security that prevents their users using good security practices.
0 -
@coldrick: Wow! Thank you so much for taking the time, David! While we can try to find workarounds ourselves, ultimately they're not likely to accommodate us. As you helpfully pointed out to them, you're their customer, and letting them know that they're making it difficult for you to behave securely can make a difference. :)
0 -
Indeed, thoughtful feedback really can make a difference! :) :+1:
0 -
Glad to have found this thread. 1password and St George Internet Banking has stopped working for me also. I've tried everything. I'll be letting them know my displeasure.
0 -
I wish that none of this were necessary. :(
Hopefully they'll appreciate you and their other customers' desire to use long, strong, unique, random passwords with a password manager instead of using weak ones that can be easily remembered and typed.
0 -
I too am having this issue with St George. VERY boring. Tried everything as suggested on various threads but just cannot get it to work.
I have just got an ANZ credit card to use Apple Pay - might move all my accounts there!
0 -
The only thing I've had success with is manually copy/pasting field-by-field from 1Password (starting with the account number and going down from there).
0 -
I too am having this issue with St George. VERY boring. Tried everything as suggested on various threads but just cannot get it to work. I have just got an ANZ credit card to use Apple Pay - might move all my accounts there!
@alexmorrison: I can't say I blame you. Just be prepared: once you start using Apple Pay it's a real drag to go back to plastic! :lol:
The only thing I've had success with is manually copy/pasting field-by-field from 1Password (starting with the account number and going down from there).
@VirtualWolf: I'm sorry there isn't a better solution right now, but at least it's better to use a long, strong, unique password rather than one you can remember and type — even if it means using copy/paste. :blush:
0 -
I'm sorry there isn't a better solution right now, but at least it's better to use a long, strong, unique password rather than one you can remember and type — even if it means using copy/paste.
Oh absolutely, I'm in complete agreement. ;)
0 -
Long life to good passwords! :chuffed:
0 -
This problem still persists for me using Safari (9.1.1 (11601.6.17)). I also reported this through the Synapse process and never received any response. I have been using the same 1P entry for years without problems until recently when it just stopped working. I have checked that the web form details have the correct values and tried switching to "Never submit" but it still fails. 1P populates all three fields on the web page but if I press the return key or click on the Submit button it rejects the credentials. Only the manual copy and paste seems to work. This same issue occurs on iOS 9.3.2. I have tried creating a new entry but that saves erroneous values in the web form details. Even if I change the values to the correct credentials it still doesn't work.
I hope we can get back to a smooth 1P logon as previously experienced. Thanks.
1Password Version: 6.3.1 (631005) MAS
Extension Version: 4.5.6
OS Version: 10.11.5
Sync Type: iCloud
0 -
@Online_Alias Please see my previous post for more detail about the problem. Right now, I'm not sure how we can help with saving Logins there but I think we can help with filling and I hope to have something in place soon.
0 -
Hi everyone, I sent a tweet to the Bank of Melbourne today, and received a reply telling me to call them. That resulted in them asking me to email the details of the issue to them, (the guy on the phone says they've made no changes and he uses iCloud Keychain on Safari and it works. Don't worry, I pointed out this doesn't fill out all three fields they require, and clearly there have been changes).
I gave them a link to this forum thread, and can only hope they act promptly. It's so frustrating that if they don't fix it soon they will lose me as a customer. As has been pointed out the lack of Apple Pay is not helping their cause!
Keep up the pressure guys! Tweet, call, and email!
0 -
@cambrown: I also want to add that we're happy to assist them! Don't hesitate to direct them to support@agilebits.com if they need further details from us, or if there's something we can do to meet them halfway. After all, you're our customer and theirs, so if we can coordinate to improve your experience, everybody wins! :chuffed:
0 -
Hi everyone,
I have had an unsatisfactory response from the Bank of Melbourne. Apparently by using a password manager I may be breaching their Terms & conditions!!!
Here is the body of the letter I received:
"Thank you for contacting us in relation to your recent experience with Bank of Melbourne. We have now completed our review of your concern.
Our understanding of your concern relates to the loss of functionality with 1Password when using internet banking.
I sincerely apologise for the inconvenience you may have experienced as a result of this matter.
I’ve escalated this matter to our digital security team. The Westpac Group does not have any working agreement with 1Password. The bank does not endorse or recommend the use of third party software or password managers to store log in credentials. As such, we do not provide technical support for issues encountered with the use of these applications, and refer our customers to the software vendor or service provider if they are experiencing issues.
We are aware customers can choose to use Password Managers if they wish and they certainly are better than storing passwords in plain text, however, by using them they are potentially breaching the terms and conditions.
If you are not satisfied with this final response, you can contact the Financial Ombudsman Service Australia on 1800 367 287, email info@fos.org.au or mail GPO Box 3, Melbourne VIC 3001. If you choose to pursue this option, you will need to do so within 2 years of this correspondence.
Yours sincerely,
Nathan Spratt
Customer Manager
Customer Resolution and Experience"
I have now made moves to switch to a different bank, and now urge everyone with a Bank of Melbourne, St George, Bank SA, or Westpac account to switch banks too. Given their hostility to Apple Pay, it's one more reason to take the time to switch.
Sorry I don't have better news, but they are intransigent, and not interested in answering my "why did you make the changes" question. :(
0 -
That's really sad, @cambrown. I hope that you and others that are affected by this do contact the ombudsman. Perhaps Westpac really just doesn't understand that they're making it more difficult for their customers to behave securely by actively thwarting password managers.
Out of curiosity, have you tried Safari's password saving and autofill for this? I'd be curious to know if any password manager was able to properly cope with this approach…
0 -
I assume you folks at 1Password haven't changed anything with regards to this? Because I'm now able to use 1Password perfectly happily again with St George! I swapped over to your subscription service and installed the applications and latest extensions somewhere in between now and when I last tried, so I want to make sure you didn't fix anything before I say thanks to St George for not being stupid. ;)
0 -
Yes all of a sudden some weeks ago I noticed this issue was no longer an issue on St George site!
0 -
@VirtualWolf, @dakeeper: We've made some changes to try to accommodate these forms in particular in version 4.6.2 of the extension. Thanks so much for taking the time to let us know it's working better for you! I've let the rest of the team know it's helped. Cheers! :chuffed:
0