by azalemeth 1270 days ago
I have a bank account with TSB and got compensation as a result of this mix-up.

Some rather personal experiences of the fiasco:

– Rather pointlessly, the website changed from being mostly static to entirely written in a very JS-heavy, "dynamic" way. I still can't use it in my normal browser (FF) with its extensions because it relies heavily upon CORS requests and referrer information that my somewhat privacy-paranoid extensions block.

– This was introduced at the time of the switchover, and until that point the IT system used looked identical between Lloyds, TSB and Halifax / BOS systems (I have accounts with some of those)

– The online browser-based system was telemetry and JS heavy, replacing a far leaner page

– I was unable to log in during the time of the fiasco, mostly due to 403 errors or timeouts. Often the page would just hang as an async request wasn't answered.

– Once I did manage to log in, I was amazed to see another person's account details (!!!), replete with (their) name and statement.

– I was unable to use online banking to pay bills or check my balance – I could see someone else's account in detail but was too honest to do anything with that knowledge. I can't remember if my card stopped working but I was effectively forced to make other arrangements for quite an extended period of time.

6 comments

> – The online browser-based system was telemetry and JS heavy, replacing a far leaner page

I remember one of those banks using the "leaner" page also had heavy telemetry turned on at some point. I type very fast, so I noticed that when I was entering my user id, it was lagging heavily. Then I turned on developer tools only to see that they were logging all keystrokes to analytics. Including username and password. At first I thought I got a virus or something, but these appeared to be legit scripts from the bank. So I decided to not use that bank account for a while. I wonder why would they turn something like that on.
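The comment above describes analytics scripts recording every keystroke, credentials included. As an added example (not code from any bank mentioned in the thread), here is the guard a page author would put in front of a telemetry recorder so that credential fields are never captured, and non-sensitive fields contribute only metadata, never the typed value. The field names, the `data-telemetry` attribute and the sink array are constructed for illustration.

```javascript
// Added example, not the bank's code: keystroke telemetry that refuses to record
// anything from credential fields and never records field values at all.

// autocomplete tokens that mark a field as holding a secret or identifier
const SENSITIVE_AUTOCOMPLETE = new Set([
  'username', 'current-password', 'new-password', 'one-time-code', 'cc-number', 'cc-csc',
]);

// A field is sensitive if it is a password input, declares a sensitive autocomplete
// token, or is opted out via data-telemetry="off" on itself or an enclosing form
// (the data-telemetry attribute is an assumption for this example).
function isSensitiveField(el) {
  if (!el) return false;
  const type = (el.type || '').toLowerCase();
  const ac = (el.autocomplete || '').toLowerCase();
  if (type === 'password') return true;
  if (SENSITIVE_AUTOCOMPLETE.has(ac)) return true;
  if (el.dataset && el.dataset.telemetry === 'off') return true;
  if (typeof el.closest === 'function' && el.closest('form[data-telemetry="off"]')) return true;
  return false;
}

// Build the telemetry event for a key event, or null if it must be dropped.
// Even for non-sensitive fields only an identifier and a length are recorded,
// so the analytics sink never sees what the user typed.
function telemetryEventFor(event) {
  const target = event.target;
  if (isSensitiveField(target)) return null;
  return {
    kind: 'keyinput',
    field: target.id || target.name || '(anon)',
    length: (target.value || '').length,
  };
}

// Recorder with a pluggable sink; counts dropped events so auditing can confirm the filter fires.
function makeRecorder(sink) {
  const dropped = { count: 0 };
  return {
    onKeyup(event) {
      const ev = telemetryEventFor(event);
      if (ev === null) { dropped.count += 1; return false; }
      sink.push(ev);
      return true;
    },
    dropped,
  };
}

// Constructed sample: plain objects standing in for DOM inputs, using only the
// properties the guard above reads.
function sampleRun() {
  const sink = [];
  const rec = makeRecorder(sink);
  const userField = { id: 'UsernameField1', type: 'text', autocomplete: 'username', value: 'alice' };
  const pwField = { id: 'PasswordField1', type: 'password', value: 'hunter2' };
  const searchField = { id: 'search', type: 'text', value: 'mortgage rates' };
  rec.onKeyup({ target: userField });   // dropped: username autocomplete
  rec.onKeyup({ target: pwField });     // dropped: password input
  rec.onKeyup({ target: searchField }); // recorded as metadata only
  return { sink, dropped: rec.dropped.count };
}
```

The point of the design is that the decision is made on the field, not on the key: a recorder that filters individual characters can still leak a password one event at a time, whereas dropping the whole field leaves nothing to reassemble.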

Report that to the regulators.

If you're in the US I know for a fact the regulators listen to and review complaints.

https://www.federalreserve.gov/faqs/credit_12666.htm

You can also report serious problems to FinCEN and the OCC.
Honest question - why do you still have an account with them?
In general, banks compete on other attributes - a small difference in a mortgage interest rate is a lot of money and makes up for a HUGE difference in the quality of internet services; and whenever loan market becomes tight (and thus it's not attractive to refinance to another bank) people are pretty much locked in.
Exactly this. They're not great, but there's something about being a customer somewhere for a very long time that genuinely does (or did) seem to offer you a mortgage rate that was advantageous.
I'm surprised to hear UK banks value loyalty. It's certainly not my experience.
Why don't people get divorced or break up?

Abusive relationships can trap you, personal or business.

As a privacy-aware user, when making a contract with a bank (or buying a flight ticket or whatever) you should get assertions that their web site meets certain quality standards so you can use your browser to access the account or actually check in.

Paper did not have those incompatibility problems...

However, from the BBC article I conclude that even customers with a default browser could not necessarily use their account.

Edit: Forgotten not added.

Businesses can change, too. My credit union[1] recently made a web site change causing me to no longer be able to log in. The new shiny red login button they probably paid $millions for an incompetent developer to provide does nothing when you click it (desktop Safari). I vetted the old site which worked perfectly, but now it doesn’t. I’m working on moving my business elsewhere.

1: https://www.techcu.com/

Hopefully they didn't pay $millions...the source is completely unminified, it checks a cookie, calls Google Analytics, then changes the login link from display:none to display:block.

    function LoginButtonClick() {
        var selAccount = $("#accounts").val();
    
        LoginCookieSet(selAccount);
    
        if (typeof ga !== 'undefined')
            ga('techcu.send', 'event', 'button', 'Click', 'Member Login');
    
        var formAction = "https://online.techcu.com/User/AccessSignin/Password"; // testing url
    
        switch (selAccount) {
            case "1":
                formAction = "https://online.techcu.com/User/AccessSignin/Password";
                if (window.location.host === "dev.techcu.com" || window.location.host === "qa.techcu.com") {
                    formAction = "https://onlinetest.techcu.com/User/AccessSignin/Password";
                }
                break;
            case "3":
                formAction = "https://businessbanking.techcu.com/";
                break;
            case "2":
                formAction = "https://businessbanking.techcu.com/smallbusiness";
                break;
            default:
                formAction = "http://online.techcu.com/User/AccessSignin/Username";
        }
        if ($('#UsernameField1').val().substr(0, 2) == "**") {
            $('#onlineBankingLogin #UsernameField').val($('#UserNameHidden').val());
        } else {
            $('#onlineBankingLogin #UsernameField').val($('#UsernameField1').val());
        }
        $('#onlineBankingLogin #PasswordField').val($('#PasswordField1').val());
    
        $('#onlineBankingLogin').attr('action', formAction);
        $('#onlineBankingLogin').submit();
    }
The direct login link is then visible, you can bookmark https://online.techcu.com/User/AccessSignin/Start for later...but yeah, nonfunctional for ~10% of desktop browsers is not a good look for a technology credit union.
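One security-relevant detail in the quoted handler is that its `default` branch posts the credential form to an `http://` URL. As an added example (not the credit union's code), the snippet below reproduces the action selection from the quoted `switch` and then refuses to submit unless the destination is `https` and on an allow-list of login hosts. The hostnames come from the quoted snippet; the allow-list itself and the function names are assumptions for this example.

```javascript
// Added example, not the credit union's code: validate the login form action
// before credentials are submitted to it.

// Assumed allow-list of endpoints that may receive the login form
const ALLOWED_LOGIN_HOSTS = new Set([
  'online.techcu.com',
  'onlinetest.techcu.com',
  'businessbanking.techcu.com',
]);

// Mirrors the switch in the quoted LoginButtonClick, including its http:// default
function resolveLoginAction(selAccount, pageHost) {
  switch (selAccount) {
    case '1':
      return (pageHost === 'dev.techcu.com' || pageHost === 'qa.techcu.com')
        ? 'https://onlinetest.techcu.com/User/AccessSignin/Password'
        : 'https://online.techcu.com/User/AccessSignin/Password';
    case '3':
      return 'https://businessbanking.techcu.com/';
    case '2':
      return 'https://businessbanking.techcu.com/smallbusiness';
    default:
      return 'http://online.techcu.com/User/AccessSignin/Username';
  }
}

// Returns null when the URL is acceptable, otherwise a reason string
function checkLoginAction(actionUrl) {
  let u;
  try {
    u = new URL(actionUrl);
  } catch (e) {
    return 'unparseable action URL';
  }
  if (u.protocol !== 'https:') return 'credentials must only be posted over https';
  if (!ALLOWED_LOGIN_HOSTS.has(u.hostname)) return `host ${u.hostname} is not an allowed login endpoint`;
  if (u.username || u.password) return 'action URL must not embed credentials';
  return null;
}

// The guard a hardened handler would run before setting the form action and calling submit()
function safeLoginAction(selAccount, pageHost) {
  const action = resolveLoginAction(selAccount, pageHost);
  const problem = checkLoginAction(action);
  return { action, ok: problem === null, problem };
}
```

With this guard the unrecognised-account case fails closed with a visible reason instead of silently downgrading the login post to plaintext, and a later edit that points the form at an unexpected host is caught before any password leaves the page.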
Nice debugging and thanks! Didn't expect someone to actually dive in and figure it out. I'll bookmark the direct link to hold me over until I find a new bank but I've already totally lost confidence in the business. They can't even be assed to test their main web site. I wonder if they see the failure from analyzing the before-and-after browser share in their logs. I wonder if anyone's even monitoring the logs.
Found similar kinds of things happening with the occasional website too, mainly due to my use of Firefox, e.g. buttons that used to work suddenly "do nothing".

Pretty sure it's caused by "Chrome-only" developers, as going through the hassle of installing a Chrome/WebKit-based browser gets things working. But really, fuck that. ;)

Ubereats made this change recently. Naturally, there's no way on their website to contact them about it. :/

Yes, they can change. But if technical compatibility were part of your contract they might end up paying damages if they break it. Well, I am dreaming...
The login button works for me on Safari (15.2).
> you should get assertions

I think you'd get blank looks if you asked that question, followed by generic "we use modern blah" and "new improvement next blah".

How did you get compensation? Thank goodness for Monzo and Revolut being so quick to set up, but I had money trapped in TSB for some time. I thought it would only last a day or two at most. The services and ability to get support were non-existent during that time; I totally stopped trying to call. I closed my TSB account shortly after.
I went in-store to get money out in person, mentioned the problems and very nicely got handed details of how to complain. I did so, with screenshots, and got something like £150 -- completely unrequested -- in my account about six months later. I think they handled the whole thing very well actually, although I'd probably feel different if I had gone into mortgage arrears because of it, as I understand some customers did...
> I still can't use it in my normal browser (FF) with its extensions because it relies heavily upon CORS requests and referrer information that my somewhat privacy-paranoid extensions block.

So you have extensions that literally break normal browser behaviour and you are blaming them somehow? CORS is part of browser security and should be respected.

Not saying that TSB aren't clearly a shitshow but maybe just disable the extension for that site.

"I could see someone else's account in detail but was too honest to do anything with that knowledge"

Are you patting yourself on the back for not committing fraud?

I meant more that I didn't answer the question "if I make a bank transaction, like I want to, will it come out of my account or theirs"?
In today's world, that's no small feat. Not the patting on the back, but to be honest about it and not do anything untoward.