Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Site problem: USBank

0 views
Skip to first unread message

Jon Jerome

unread,
Jun 12, 2002, 6:19:28 PM6/12/02
to
Recently USBank redid their website. The new site rejects Opera connections, no matter what I tell Opera 6.01 to identify itself as. Their page contains a sniffer script; if I'm lucky with the Stop
button I can get the login page to load anyway and after that the session proceeds just fine, but it's an annoyance. The sniffer script seems to be aware of Opera through version 5 but does not
specifically mention version 6. Is there anything I can do to alter what Opera shows the sniffer so that it will pass as MSIE or Netscape?

Here is the text of the sniffer script:

// Ultimate client-side JavaScript client sniff. Version 3.03
// (C) Netscape Communications 1999-2001. Permission granted to reuse and distribute.

function acceptsCookies() {
var cookieAccepter;
document.cookie = 'USBank_acceptsCookies=yes';
if(document.cookie == '') cookieAccepter = false; else cookieAccepter = true;
document.cookie = 'USBank_acceptsCookies=yes; expires=Fri, 13-Apr-1970 00:00:00 GMT';
return cookieAccepter;
}

var agt=navigator.userAgent.toLowerCase();

// *** BROWSER VERSION ***
// Note: On IE5, these return 4, so use is_ie5up to detect IE5.
var is_major = parseInt(navigator.appVersion);
var is_minor = parseFloat(navigator.appVersion);

// Note: Opera and WebTV spoof Navigator. We do strict client detection.
// If you want to allow spoofing, take out the tests for opera and webtv.
var is_nav = ((agt.indexOf('mozilla')!=-1) && (agt.indexOf('spoofer')==-1)
&& (agt.indexOf('compatible') == -1) && (agt.indexOf('opera')==-1)
&& (agt.indexOf('webtv')==-1) && (agt.indexOf('hotjava')==-1));
var is_nav2 = (is_nav && (is_major == 2));
var is_nav3 = (is_nav && (is_major == 3));
var is_nav4 = (is_nav && (is_major == 4));
var is_nav4up = (is_nav && (is_major >= 4));
var is_navonly = (is_nav && ((agt.indexOf(";nav") != -1) ||
(agt.indexOf("; nav") != -1)) );
var is_nav6 = (is_nav && (is_major == 5));
var is_nav6up = (is_nav && (is_major >= 5));
var is_gecko = (agt.indexOf('gecko') != -1);


var is_ie = ((agt.indexOf("msie") != -1) && (agt.indexOf("opera") == -1));
var is_ie3 = (is_ie && (is_major < 4));
var is_ie4 = (is_ie && (is_major == 4) && (agt.indexOf("msie 4")!=-1) );
var is_ie4up = (is_ie && (is_major >= 4));
var is_ie5 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.0")!=-1) );
var is_ie5_5 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.5") !=-1));
var is_ie5up = (is_ie && !is_ie3 && !is_ie4);
var is_ie5_5up =(is_ie && !is_ie3 && !is_ie4 && !is_ie5);
var is_ie6 = (is_ie && (is_major == 4) && (agt.indexOf("msie 6.")!=-1) );
var is_ie6up = (is_ie && !is_ie3 && !is_ie4 && !is_ie5 && !is_ie5_5);

// KNOWN BUG: On AOL4, returns false if IE3 is embedded browser
// or if this is the first browser window opened. Thus the
// variables is_aol, is_aol3, and is_aol4 aren't 100% reliable.
var is_aol = (agt.indexOf("aol") != -1);
var is_aol3 = (is_aol && is_ie3);
var is_aol4 = (is_aol && is_ie4);
var is_aol5 = (agt.indexOf("aol 5") != -1);
var is_aol6 = (agt.indexOf("aol 6") != -1);

var is_opera = (agt.indexOf("opera") != -1);
var is_opera2 = (agt.indexOf("opera 2") != -1 || agt.indexOf("opera/2") != -1);
var is_opera3 = (agt.indexOf("opera 3") != -1 || agt.indexOf("opera/3") != -1);
var is_opera4 = (agt.indexOf("opera 4") != -1 || agt.indexOf("opera/4") != -1);
var is_opera5 = (agt.indexOf("opera 5") != -1 || agt.indexOf("opera/5") != -1);
var is_opera5up = (is_opera && !is_opera2 && !is_opera3 && !is_opera4);

var is_webtv = (agt.indexOf("webtv") != -1);

var is_TVNavigator = ((agt.indexOf("navio") != -1) || (agt.indexOf("navio_aoltv") != -1));
var is_AOLTV = is_TVNavigator;

var is_hotjava = (agt.indexOf("hotjava") != -1);
var is_hotjava3 = (is_hotjava && (is_major == 3));
var is_hotjava3up = (is_hotjava && (is_major >= 3));

// *** JAVASCRIPT VERSION CHECK ***
var is_js;
if (is_nav2 || is_ie3) is_js = 1.0;
else if (is_nav3) is_js = 1.1;
else if (is_opera5up) is_js = 1.3;
else if (is_opera) is_js = 1.1;
else if ((is_nav4 && (is_minor <= 4.05)) || is_ie4) is_js = 1.2;
else if ((is_nav4 && (is_minor > 4.05)) || is_ie5) is_js = 1.3;
else if (is_hotjava3up) is_js = 1.4;
else if (is_nav6 || is_gecko) is_js = 1.5;
// NOTE: In the future, update this code when newer versions of JS
// are released. For now, we try to provide some upward compatibility
// so that future versions of Nav and IE will show they are at
// *least* JS 1.x capable. Always check for JS version compatibility
// with > or >=.
else if (is_nav6up) is_js = 1.5;
// NOTE: ie5up on mac is 1.4
else if (is_ie5up) is_js = 1.3

// HACK: no idea for other browsers; always check for JS version with > or >=
else is_js = 0.0;

if (is_js >= 1.0) {
if (is_nav4up || is_ie4up ) {
if (acceptsCookies()) {

} else {
alert("You must have cookies enabled in order to use U.S. Bank Internet Banking. Once you have enabled cookies, click \"OK\" to continue with your login. For more
information about the use of cookies by Internet Banking, please review our Privacy Pledge.");

}
} else {
alert("Your current browser doesn?t meet the security requirements of U.S. Bank Internet Banking.");
location.href="/internetBanking/en_us/info/BrowserRequirementsOut.jsp#browserreq";
}
} else {
alert("You must have JavaScript enabled in order to use U.S. Bank Internet Banking.");
location.href="/internetBanking/en_us/info/BrowserRequirementsOut.jsp#enablingjavascript";
}

//--> end hide JavaScript


Tim Rivera

unread,
Jun 12, 2002, 6:27:18 PM6/12/02
to
> Recently USBank redid their website. The new site rejects Opera
connections, no matter what I tell Opera 6.01 to identify itself as.

I was able to open www.usbank.com with no problem. However when I clicked on
the "Internet Banking" link, I was told that my browser does not meet the
security requirements of US Bank.


Tim


Richard Grevers

unread,
Jun 12, 2002, 8:14:09 PM6/12/02
to
In article <1103_10...@news.opera.com>, Jon Jerome said...

> Recently USBank redid their website. The new site rejects Opera
> connections, no matter what I tell Opera 6.01 to identify itself
> as. Their page contains a sniffer script; if I'm lucky with the
> Stop button I can get the login page to load anyway and after
> that the session proceeds just fine, but it's an annoyance. The
> sniffer script seems to be aware of Opera through version 5 but
> does not specifically mention version 6. Is there anything I
> can do to alter what Opera shows the sniffer so that it will pass
> as MSIE or Netscape?
>
No, but that script is somewhat future-proofed by using variables
such as IE4_up and Opera5_up. The script successfully identifies Opera
as Opera regardless of Opera's browser ID. (as a good sniffer script
should - the multiple ID's are to cope with bad sniffer scripts which
don't detect Opera).
The problem comes with what is done with the sniffed info. Any browser
which is Not IE or Navigator is rejected for security reasons.

Your course of action should be to write to the bank pointing out that
Opera's security capabilities match if not exceed both IE's and
Navigator's and have done so for a long time. (Opera was the first
browser to implement 128-bit TLS security, and it has alwasy been bug-
free.)
If they wish to shut out Opera because they can't be bothered writing
javascript which works with Opera, that is one thing. But to lie about
the browser's security capability is offensive if not libellous.

A suggestion that you might take your business somewhere else if they
don't address this is often productive.

Doug Goodwin

unread,
Jun 12, 2002, 8:15:28 PM6/12/02
to
"Tim Rivera" <timr...@liamtoh.com> wrote in
news:ae8i0o$fod$1...@mail.opera.no:

I was told by US Bank techs just a couple of weeks ago that their site
supported Opera; text quoted below:

> Dear Doug Goodwin,
>
> When I emailed you yesterday I was still waiting to hear if the web site
> was written to W3C standards. I did receive a confirmation that the
> site does adhere to these standards. You should have no problem using
> Opera with the web site. Thank you for considering our bank. We look
> forward to doing business with you. Have a great weekend!
>
> If you need further assistance, please feel free to email or call US
> Bank 24 Hour Banking.
> Metro Minneapolis (612) US BANKS (612) 872-2657
> St. Paul (612) US BANKS (612) 872-2657
> Portland (503) US BANKS (503) 872-2657
> Denver (303) 585-8585
> All Other Locations 1-800-US BANKS 1-800-872-2657
> (*If you are out of the country, you can call collect to any Metro
> number.)
> Personal Bankers are available 24 hours a day, 7 days a week, 365 days a
> year.
>
> Sincerely,
>
> Robnlin
> US Bank 24-Hour Banking

I offer this up for what it's worth. They are to become my new banking
institution in the near future, so if anyone else turns up additional info,
I would greatly apprecuate hearing it.

TIA
--
Doug Goodwin
YMMV

"We have met the enemy, and they is us." - Pogo
__o
_`\<,_
(*)/ (*)

Buddy

unread,
Jun 12, 2002, 8:49:33 PM6/12/02
to
This one had me stumped for a while too. After you mentioned the JS sniffer it suddenly clicked.
They're not actually checking for browser version at all. You just have to shut off JS (use F12) and
auto forwardaing (in privacy settings). Works fine with various ID strings.

Have a good one,


Buddy

a...@opera.com

unread,
Jun 13, 2002, 6:46:49 AM6/13/02
to
On 13 Jun 2002 00:15:28 GMT, Doug Goodwin <dgoo...@spamsucks.com> wrote:
> I was told by US Bank techs just a couple of weeks ago that their site
> supported Opera

It would have been interesting to hear how you managed to get in touch with them. Do you have a mail address we can use? I've
tried to use the Web form with no luck yet.

Anne-Hilde
Opera Software


mial...@yahoo.com

unread,
Jun 13, 2002, 10:05:37 AM6/13/02
to
On Thu, 13 Jun 2002 00:49:33 GMT, you wrote in opera.general:

THANKS! I've banked with USBANK with Opera for a long time, and suddenly I ran into this security alert. Your tip helped me get back in . . .

BY THE WAY, if you're doing a transaction such as transferring funds, you will probably need to turn JS back on after you get into your accounts.

Doug Goodwin

unread,
Jun 13, 2002, 3:48:21 PM6/13/02
to
a...@opera.com wrote in news:1103_10...@news.opera.no:

The e-mail address that I have for US Bank is: 1800U...@USBANK.COM
IIRC, it's the one from their web site; the contact name I have is:
Robnlin, US Bank 24-Hour Banking Center.

They also had this boiler-plate contact information on the e-mail I
received:

> For your protection and privacy, we suggest that you DO NOT send
> personal information such as account or social security numbers through
> unsecured e-mail. If you must send personal information through e-mail,
> please follow these steps to access our secured e-mail service:
>
> · Point your browser to http://www.usbank.com
> · Select "Contact Us" from the top of the page, and then click on the
> "Email Us" Link
> · Submit your information through the form provided*
>
> *Sensitive, personal information submitted through our secured e-mail
> form will be promptly submitted to a U.S. Bank Personal Banker.
>
> Please review our Online banking FAQ's at http://www.usbank.com or
> contact 1-800-USBANKS if you have any other questions regarding the
> security of our Online banking service.

I hope this helps; if I can be of any other help on this, e-mail me
direct at 200miler[at]myrealbox[dot]com.

0 new messages