slef-reflections on Online Banking with GNU/Linux, Firefox-based browsers or Free Software
Added non-current-account (credit cards, investments, and so on) and overseas sections.
Added Abbey, Alliance & Leicester, Bank of Scotland, Cahoot, First Direct, Intelligent Finance, Northern Rock. Updated Nationwide, Barclays, HSBC.
Added questions: does HSBC work with non-Gecko browsers? Which banks support interchange with finance programs?
Added: Commonwealth Bank, Ulster Bank, Sparkasse, Citibank, UBS
Updated: Smile, HSBC, NatWest
Added: ANZ Bank, Berliner Volksbank, Mint, Tesco
Updated: Cooperative Bank, Deutsche Bank, NatWest, Sparkasse, UBS
Added: BW-Bank, Etrade, ING Direct, Nordea, RBC Banque Royale, Swedbank
Updated: Cooperative Bank (business)
Linked to other lists: Australia and New Zealand, Denmark, Germany, Worldwide
Updated: National Australia Bank, ING Bank, ING Direct
Added: Banca Popolare Etica, Caisses Populaires Desjardins, Caja Madrid, Caja de Segovia, Fortis Bank Belgium, KBC, netbank.de, Osuuspankki, PC Financial Master Card, Société Générale, Sparebank 1-Gruppen, Storebrand Bank
Andrew Donnellan suggested:
"Perhaps it would be useful to start a list of banks that *don't* work with Free Software as well so we can a) petition them, and b) boycott them until they make it work."
I'd prefer to keep this to a positive list for various reasons (including lawyer-fear, search engine rankings, rewarding the good and saying nothing if I've nothing nice to say). If a listed bank goes bad, it will show up as Removed.
If you want to rant about how a bank screwed you, please use your own site. If I see it and like it, it will appear in one of my linkposts.
Added: Clydesdale, Record Bank, TD Canada Trust, Wachovia
Added: Crédit Coopératif, link to French compilation, Skandiabanken, postbank, 1822direkt, Deutsche Kreditbank AG, ing-diba
Question from Carsten Aulbert: some banks "offer HBCI with cards, but so far I haven't tried it. Do you happen to know a good link, which cardreaders are supported under Linux?"
Added: Handelsbanken, Vermont State Employees Credit Union, ING Direct US, Monte dei Paschi di Siena, Banca Sella
Updated: HSBC, 1822direkt
Added: List of Sweden Banks; BBVA Bancomer, Bendigo Bank, HSBC Canada, Rabobank, San Paolo IMI, Santander, Skandinaviska Enskilda Banken
Added: Banco Río, ING Bank Śląski, mBank, Sparkasse
I notice that Jonathan's earth.li presence: Planned bank outages notes Cahoot's good approach and asks about others. I've sometimes seen announcements on the web pages of NPBS and Co-operative Bank, but no email unless it appears in their routine email newsletters. How about others? (I've posted this comment here because the presence is a login-to-comment site.)
Removed: Barclays (previously described as "by far the best online banking system I've tried"; "Barclays allows one to download statements as CSV files. Sadly, Barclays are ****s, which does rather compromise one's ethics...") because uk.comp.os.linux reports that they will start enforcing these operating system requirements.
Update: niq commented:
"Calm down! It only says "may not work", not anything about "enforcing". That reads to me like butt-covering rather than anything more sinister."
I know the public pages don't yet say it, but the report by Kit that I linked wrote about a message on a logged-in screen:
"Just logged into my account today to find that Barclays online intend to support and guarantee to work with only certain browsers and operating systems. Linux is not listed.
Seem to be travelling in the opposite direction to Scottish Power whose website appears to have lost all vestiges of its original "no Linux" stance."
Who to believe?
A later message from Dave Liquorice reports:
"Had a reply from Barclays, it basic boils down to them insisting on 128 bit encryption."
Surely free software has done 128-bit for a long time, so why isn't it listed?
Update: Francies commented:
"I also emailed Barclays regarding their non-listing of Linux and had the "128-bit encryption" where again Linux was not mentioned (have they even heard of it? A friend mentioned today that he has read that Barclays will be issuing chip and pin or card devices to all online banking users so could it be that these will be Windows only? If so the Linux community should complain in case all banks get the same idea."
"it looks a lot like the way secureid cards work. In which case, it won't physically connect to your PC, would provide you with proper two factor (password + token) and would definitely be a Good Thing(tm).
Not only then, would a phisher have to take your password, but they'd have to steal your actual card and PINsentry device to get access to your online account. Thus pushing the phishing emphasis elsewhere (different banks? phone scamming?).
I guess time will tell if they manage to mess it up to make it only work on Windows somehow. :-)"
Adam Bower opined:
"The Barclays devices just look like a challenge response system. Someone I know has something similar for a bank account which when you login the website presents you with a 4 digit number. You then type that number into the pad and then enter a pin and it presents another number that you enter onto the webpage and the online banking lets you in (along with a username and password). I should imagine that these new devices won't make any difference to people running Linux."
Neil McGovern noted:
"It seems that they're external devices for generating OTPs from C+P cards, so won't affect compatability."
Roger Gammans commented:
"Barclay use GEM plus usb smart card readers with their business internet banking.
IIRC, this requires windows and IE so that the activeX controls on the page can talk to the reader.
Having said that one desciription of the new device I heard sounded like it was a standard alone device with a display. You put your card into it and push a button and then it produces a code number which you copy onto the web page. But I haven't seen one yet - and the media are good at getting the wrong end of the stick."
So, let's wait and see.
I spotted ZDNet reporting Abbey and Prudential plan to support Firefox-based browsers. Finally!
Relisted Barclays because no-one objected to a "wait and see" approach.
Problems reported on ingdirect.es:
"I get a message in Firefox to the effect that the web page is NOT a secure site, even though the address bar shows the URL as https...???
THIS is the URL on the pop up.
THIS is the URL of the bank's opening page. Access de clientes is the link to log in."
I didn't see the cause at a glance... anyone? Does this work with GNU/Linux or not?
Also spotted a D+Cglug subscriber reporting problems on UK HSBCnet - anyone willing to confirm or reject that? Comment form at the bottom of the list.
Updated: Société Générale (FR) with gnucash QIF importer
Updated: Société Générale (FR) with gnucash QIF importer
Added: Sainsbury's Bank's Online Saver, SEB Vilniaus Bankas (LT), Snoras (LT)
Noted problems with Alliance and Leicester commercial banking.
Added: PSK (AT)
Added: Raiffeisen Banking (AT), US Bank (US), Moneydance.fi OFX - Thanks everyone!
Added: Inteligo (PL)
Noted: ING Bank (PL) exploit published on hacking.pl. Sounds bad. Wonder if I should delist ING(PL)?
Noted: BBC: Fears over online banking checks - "It's about customer retention rates, user experience and customer satisfaction."
Updated: Washington Mutual (US)
Noted: BIM: Homeless Polar Bears in Court - "highlight the role of the Royal Bank of Scotland in financing the oil and gas industry resulting in climate chaos throughout the world."
- 2008 onwards
See the web category on Software Cooperative News for later updates.
The List: What Works With GNU/Linux
The online banking services from these UK banks seem to work with GNU/Linux (usually at least compatible with Firefox-based browsers). Quotes are from users of those services, not me. You act on this list at your own risk: if possible, get a promise from the banking service provider that they will continue to work with GNU/Linux, free software and web standards.
- Cooperatives and Mutuals:
- Cooperative Bank (personal accounts: no back button; business account: "works, but is quite nasty, slow and difficult to navigate for no good reason" or "no problems with Firefox/Debian/AMD64. All the functionality we need is there: recent transactions, statements, payments (salaries paid to other banks' accounts, tax to HMRC, etc). It's not particularly slow either.")
- Coventry Building Society
- Nationwide ("Nationwide - site works with Firefox 3 but for ages now using Opera has been problematic - it's not officially supported in Windows or Linux - for example in 9.x the top toolbar is missing top making a secure log out impossible"; no back button)
- Smile (Cooperative Bank) ("despite their obsession with making the "back" button log you out, is probably the best internet banking site I've used") ("In the days when they had a crazy Java applet that didn't work with the mouse on gecko-based browsers (a few years ago) they told me that khtml based stuff was fine and they would be switching to a fully w3c valid site soon. So they actually know about the existence of linux")
- Other current account banks:
- Abbey ("Abbey Business Banking works fine. Abbey personal banking bitches that you are using an unsupported product but offers a "login anyway" option."; future official support announced)
- Alliance & Leicester ("Alliance and Leicester commercial banking hasn't worked for nearly a week [at 9 Oct] with Firefox. My personal account is working fine but I can't login as a business. No help from their technical support who played the it only works in Microsoft browsers IE5+ and the venerable Netscape 4.7 gambit. As this site went live on October 3rd 2007 I'm impressed they dug out a copy of Nutscrape to test it with. If only they'd bothered to test it on a recent Firefox build. I'm waiting to see what happens with my complaint and if they'll give me a proper answer or look into it at all but so far they've been very unhelpful.")
- Cahoot (Abbey) ("works in firefox and has done for several years")
- Citibank ("no problem with Gecko under Gnu/Linux")
- Clydesdale (National Australia Bank)
- Yorkshire Bank (National Australia Group)
- Big Chains:
- Bank of Scotland (HBoS)
- Barclays - may or may not keep working - see removal comments above.
- Firstdirect (HSBC) ("The basic bank website works with Linux and Firefox. Also works on my Nokia symbian web browser. They also have an plus service that uses active x, which only works with IE. I haven't tried this with IE4linux that may work but I am not going to pay for the service to try it out." Incompatibility page)
- Halifax (HBoS)
- HSBC ("allows one to download statements as CSV files"; "fine with Epiphany"; "HSBC works with non-gecko browsers - hell, it works from w3m (if you hit F a few times to render the frames)"; "HSBC business works with Epiphany and not Opera"; unhappy comment from redi about their credit card system)
- Intelligent Finance (HBoS)
- NatWest/RBS has mixed reports - ("Update on NatWest, recently they seem to have changed it again. Now I had to set general.useragent.extra.firefox to "Firefox/3.0.1" in about:config (before it was set to 2.0.11 or something). Silly people."; it works with "latest fc6 kernel with firefox 22.214.171.124"; "You do have to be using an approved browser though; Any other XUL-based browser which doesn't identify as firefox or mozilla will be refused however."; "they only accept user-agent strings that match specific browsers that they've tested"; "the NatWest One all-on-one mortgage account is actually set up as a Royal Bank of Scotland account, and although the NatWest online banking system is _excellent_ (apart from the crappy restriction on useragents), the one provided by oneaccount.com is a complete pile of crap. It does work, but it's all Java and fairly useless.")
- Non-current-account banking services:
- American Express
- Egg ("probably the best internet credit card site I've used")
- ING Direct
- Mint (RBS) ("work reasonably well for me")
- Tesco (RBS) ("work reasonably well for me")
- Overseas, by country code:
- PSK (AT) ("Austrian Post Bank has online banking services that work fine with GNU/Linux")
- Sparkasse (AT) ("works with Firefox and Konqueror (but needs Java)")
- List of Australia and New Zealand Banks (AU+NZ)
- Bendigo Bank (AU?) ("works fine for me (ubuntu, epiphany). All HTML based (maybe some JS)... even has security token (where you enter the code in a web form). No silly onscreen keyboards either")
- Commonwealth (AU) ("works fine with Mozilla"; "for some reason Konqueror has connection troubles, while iceweasel still works fine")
- National Australia Bank (AU) ("officially supports Firefox and also works with Epiphany if you tick a box")
- ING Direct (AU)
- ING Bank (AU)
- Fortis Bank Belgium (BE) ("works like a charm"; "uses a token generator")
- KBC (BE)
- Record Bank (BE) ("Konqueror works equally fine, I only needed to change the browser identification to 'Mozilla'.")
- Caisses Populaires Desjardins (CA) ("was working, but I have left them since")
- HSBC (CA) ("Their online Personal Banking account gives users a choice to download transactions for Quicken or Money but not in a generic CSV format.")
- PC Financial Master Card (CA)
- RBC Banque Royale (CA) ("I used different versions of Firefox successfully.")
- ING Direct (CA) ("I used different versions of Firefox successfully.")
- TD Canada Trust (CA) ("I can download transactions in [...various financial package...] or Spreadsheet (CSV) formats.")
- UBS (CH) ("clueful people in the sysadmin seats. Whether they're helpful or not depends on the cause"; "Switzerland has not adapted the external standards")
- List of German Banks and Browsers (DE)
- 1822direkt (DE) ("I had HBCI running with Gnucash. They also provide PGP (yes, not GPG)-encrypted mails whenever some happens on the account (immediately as it reaches their computing centre)")
- Berliner Volksbank (DE) ("offers HBCI if you bug them hard enough and plays well with gnucash.")
- BW-Bank (DE)
- Deutsche Bank (DE) ("does HBCI+"; "clueful people in the sysadmin seats. Whether they're helpful or not depends on the cause")
- Deutsche Kreditbank AG (DE)
- netbank.de (DE) ("works with Linux from the beginning. With all browsers.")
- postbank (DE) ("works via https flawlessly (PIN/TAN), both "standard online" and "direkt" versions (firefox, konqueror). HBCI (PIN/ITAN) works also (except a few problems with credit card account) with libaqbanking.")
- Sparkasse (DE) ("supports DTAUS and HBCI"; "no problem with Gecko under Gnu/Linux")
- List of Denmark Banks (DK)
- Caja de Segovia (ES) ("Firefox or Konqueror")
- Caja Madrid (ES) ("works like a charm on every browser")
- Nordea (FI) ("uses both OTP's (which works in all browsers) and certificates (card or file) which does not work (requires Nexus Personal software only available for Windows atm)")
- Osuuspankki (FI)
- Säästöpankki (FI)
- List of France Banks (FR)
- Crédit Coopératif (FR)
- Société Générale (FR) ("For the Societe Genreale, there is a .QIF translator (the QIF provided by the bank is needs manual operations after import into gnucash) See http://xl2qif.chez-alice.fr/")
- Ulster Bank Ireland (IE) ("enforces IE by User-Agent check, which can be easily circumvented")
- Banca Popolare Etica (IT) ("fully accessible from Linux")
- Banca Sella (IT)
- Monte dei Paschi di Siena (IT) (reported as maybe non-working 2009-02)
- San Paolo IMI (IT)
- SEB Vilniaus Bankas (LT) ("work perfectly fine using either Epiphany or Iceweasel")
- Snoras (LT) ("work perfectly fine using either Epiphany or Iceweasel")
- BBVA Bancomer (MX) ("work reliably under Firefox and Epiphany in Linux [...] rely, however, on opening popup windows, and might require to disable some blocking - but they do work.")
- Santander (MX) ("work reliably under Firefox and Epiphany in Linux [...] rely, however, on opening popup windows, and might require to disable some blocking - but they do work.")
- ABN-AMRO (NL) ("an excellent online bank. Their site has worked flaw-lessly with every version of Gecko since the sites inception a few years ago. Having talked to a consultant who did a small part of it I know they spend considerable effort on making sure it works on different browsers/OSs.")
- Rabobank (NL)
- Skandiabanken (NO) (Firefox "1.5 and 2.0, haven't tried 1.0 since they last revamped it")
- Sparebank 1-Gruppen (NO)
- Storebrand Bank (NO)
- ING Bank (PL) ("has a login application which is locked to SUN Java down to a particular version number. Some 2 weeks ago they forced a _downgrade_ to SUN JRE 1.5, after a forced upgrade to JRE 1.6 earlier this year. Right now it does not work with JRE 1.6 installed at all, even though it's backwards compatible. Their soft keyboard is unsafe and this fact is widely known. It was released as a hot news by a top Polish IT security website hacking.pl (in Polish) *months* ago, and they didn't move a finger to date [2007-11-14]")
- mBank (PL)
- List of Sweden Banks (SE)
- Handelsbanken (SE) ("works in one way (and doesn't in another) for personal banking. They have two methods: certificates and one-time codes. The certificates used to work with built in handling in firefox under linux, but then they decided to enhance security and an additional windows-only app was required for handling of certificates. Now I use username/password enhanced with the one-time codes.")
- Swedbank (SE)
- Etrade (US) ("bank and brokerage works with Firefox on Debian GNU/Linux")
- Bank of America (US)
- HSBC (US) ("I'm in the US and have used HSBC for years with no problems. The recently added a 2 step - 3 part auth. step 1-- enter username in text field. step 2-- enter password in text field and secret code via web-keyboard.")
- ING Direct (US) ("Firefox 2.0")
- US Bank (US) ("works just great on Ubuntu (Dapper through Gutsy)")
- Vermont State Employees Credit Union (US) ("Firefox 2.0")
- Wachovia (US) ("admittedly I don't use any of the fancy stock picking stuff")
- Washington Mutual (US) ("works perfectly with Iceweasel, and thus I suspect it works with other Gecko-based browsers as well; I have observed no compatibility problems or unexpected behavior. Their online banking does not require any proprietary plugins or software. Furthermore, they offer downloads of banking information using QIF, which, while not exactly an open standard, works fine with numerous pieces of Free and Open Source Software. The only unfortunate problem I've noticed: their demo and tutorial videos require Flash.")
- Are there other national lists of these that I should link to? Anyone want to start some?
- List of Worldwide Banks and Browsers - last updated 2005
"Northern Rock's online savings account is entirely Java-based, and while it works in theory on platforms other than Windows, it had serious font issues every time I tried it (99 times out of 100 it worked in theory, you just couldn't see any text). I'm told that more recent versions of Java have fixed what was (apparently) a pretty horrendous implementation of font rendering, so it may no longer be a problem, but I've long since closed that account."
Sources: May 2006 threads on news:uk.comp.os.linux about online banking (see also its old FDL-plagued FAQ); Members of BBLUG including: Alan Pope, Malcolm Parsons, James Hosken, Peter H, Rob Davis, Matt Dainty, James Cort, Alex Butcher, A. S. Budden, and others. Commenters to this site: Enrico Zini, David Woodhouse, Gunnar Wolf, Neil Williams, Daniel Wild, Matthew Wilcox, David Weinehall, Stuart Ward, Chris Waigl, Luis Villa, Peter Van Loock, Marcin Trybus, Josh Triplett, Mark Thurston, Magnus Therning, Stewart Smith, Andy Smith, Joey Schulze, Giuseppe Sacco, Scott Robinson, Roger, pub.cra, Brett Parker, Daniel Nylander, Nix, Neil, Víctor Moral, Hamish Moffatt, mkv, mikko, Jiri Mencak, Martin, Kris Marsh, KNT, Kevin Mark, Steve McIntyre, Shaun Laughey, Domas Jokubauskis, Dagfinn Ilmari Mannsåker, wjl aka Wolfgang Lonien, Florian La Roche, martin f. krafft, Sander Klein, KDS, Emmanuel Kasper, Antti-Juhani Kaijanaho, Nils Ivanson, Marek Isalski, infinito, David Hunnisett, Arndt Heuvel, Jon Kåre Hellan, Hans-Peter, David Haguenauer, Kevin Fries, Ben Francis, Hubert Figuiere, Feth, Martín Ferrari, Leo Eraly, Andrew Donnellan, Thomas Cort, Christoph Claus, Stefano Canepa, Floris Bruynooghe, Mark Brown, P. Oscar Boykin, Adam Bower, Carsten Aulbert, Phil Armstrong, Alex; IRCers: Philipp Kern; and others on Usenet in replies to my messages: Ian Smith.
Do you know about any more? Which banks in the list actually support OFX, DTAUS or HBCI for direct data exchange with finance programs? Send me a comment, please.
Kevin Fries commented:
"Here is a good place to start with the OFX compatability: http://moneydance.com/fi "
Comments are moderated (damn spammers) but almost anything sensible gets approved (albeit eventually). If you give a web address, I'll link it. I won't publish your email address unless you ask me to, but I'll email you a link when the comment is posted, or the reason why it's not posted.