slef-reflections on Online Banking with GNU/Linux, Firefox-based browsers or Free Software

Recent updates

photo

2007-03-16

Added non-current-account (credit cards, investments, and so on) and overseas sections.

Added Abbey, Alliance & Leicester, Bank of Scotland, Cahoot, First Direct, Intelligent Finance, Northern Rock. Updated Nationwide, Barclays, HSBC.

Added questions: does HSBC work with non-Gecko browsers? Which banks support interchange with finance programs?

2007-03-19

Added: Commonwealth Bank, Ulster Bank, Sparkasse, Citibank, UBS

Updated: Smile, HSBC, NatWest

2007-03-20

Added: ANZ Bank, Berliner Volksbank, Mint, Tesco

Updated: Cooperative Bank, Deutsche Bank, NatWest, Sparkasse, UBS

2007-03-21

Added: BW-Bank, Etrade, ING Direct, Nordea, RBC Banque Royale, Swedbank

Updated: Cooperative Bank (business)

Linked to other lists: Australia and New Zealand, Denmark, Germany, Worldwide

2007-03-22

Added: Säästöpankki

Updated: National Australia Bank, ING Bank, ING Direct

2007-03-28

Added: Banca Popolare Etica, Caisses Populaires Desjardins, Caja Madrid, Caja de Segovia, Fortis Bank Belgium, KBC, netbank.de, Osuuspankki, PC Financial Master Card, Société Générale, Sparebank 1-Gruppen, Storebrand Bank

Updated: NatWest

Andrew Donnellan suggested:

"Perhaps it would be useful to start a list of banks that *don't* work with Free Software as well so we can a) petition them, and b) boycott them until they make it work."

I'd prefer to keep this to a positive list for various reasons (including lawyer-fear, search engine rankings, rewarding the good and saying nothing if I've nothing nice to say). If a listed bank goes bad, it will show up as Removed.

If you want to rant about how a bank screwed you, please use your own site. If I see it and like it, it will appear in one of my linkposts.

2007-04-01

Added: Clydesdale, Record Bank, TD Canada Trust, Wachovia

2007-04-02

Added: Crédit Coopératif, link to French compilation, Skandiabanken, postbank, 1822direkt, Deutsche Kreditbank AG, ing-diba

Question from Carsten Aulbert: some banks "offer HBCI with cards, but so far I haven't tried it. Do you happen to know a good link, which cardreaders are supported under Linux?"

2007-04-03

Added: Handelsbanken, Vermont State Employees Credit Union, ING Direct US, Monte dei Paschi di Siena, Banca Sella

Updated: HSBC, 1822direkt

2007-04-06

Added: List of Sweden Banks; BBVA Bancomer, Bendigo Bank, HSBC Canada, Rabobank, San Paolo IMI, Santander, Skandinaviska Enskilda Banken

Updated: Nordea

2007-04-11

Added: Banco Río, ING Bank Śląski, mBank, Sparkasse

I notice that Jonathan's earth.li presence: Planned bank outages notes Cahoot's good approach and asks about others. I've sometimes seen announcements on the web pages of NPBS and Co-operative Bank, but no email unless it appears in their routine email newsletters. How about others? (I've posted this comment here because the presence is a login-to-comment site.)

2007-04-16

Removed: Barclays (previously described as "by far the best online banking system I've tried"; "Barclays allows one to download statements as CSV files. Sadly, Barclays are ****s, which does rather compromise one's ethics...") because uk.comp.os.linux reports that they will start enforcing these operating system requirements.

Update: niq commented:

"Calm down! It only says "may not work", not anything about "enforcing". That reads to me like butt-covering rather than anything more sinister."

I know the public pages don't yet say it, but the report by Kit that I linked wrote about a message on a logged-in screen:

"Just logged into my account today to find that Barclays online intend to support and guarantee to work with only certain browsers and operating systems. Linux is not listed.

Seem to be travelling in the opposite direction to Scottish Power whose website appears to have lost all vestiges of its original "no Linux" stance."

Who to believe?

A later message from Dave Liquorice reports:

"Had a reply from Barclays, it basic boils down to them insisting on 128 bit encryption."

Surely free software has done 128-bit for a long time, so why isn't it listed?

Update: Francies commented:

"I also emailed Barclays regarding their non-listing of Linux and had the "128-bit encryption" where again Linux was not mentioned (have they even heard of it? A friend mentioned today that he has read that Barclays will be issuing chip and pin or card devices to all online banking users so could it be that these will be Windows only? If so the Linux community should complain in case all banks get the same idea."

I've also seen Barclays announce the chip-and-pin readers and a BBC report about them. I asked if anyone had seen the Barclays PINsentry keypad before... Kris Marsh wrote that:

"it looks a lot like the way secureid cards work. In which case, it won't physically connect to your PC, would provide you with proper two factor (password + token) and would definitely be a Good Thing(tm).

Not only then, would a phisher have to take your password, but they'd have to steal your actual card and PINsentry device to get access to your online account. Thus pushing the phishing emphasis elsewhere (different banks? phone scamming?).

I guess time will tell if they manage to mess it up to make it only work on Windows somehow. :-)"

Adam Bower opined:

"The Barclays devices just look like a challenge response system. Someone I know has something similar for a bank account which when you login the website presents you with a 4 digit number. You then type that number into the pad and then enter a pin and it presents another number that you enter onto the webpage and the online banking lets you in (along with a username and password). I should imagine that these new devices won't make any difference to people running Linux."

Neil McGovern noted:

"It seems that they're external devices for generating OTPs from C+P cards, so won't affect compatability."

Roger Gammans commented:

"Barclay use GEM plus usb smart card readers with their business internet banking.

IIRC, this requires windows and IE so that the activeX controls on the page can talk to the reader.

Having said that one desciription of the new device I heard sounded like it was a standard alone device with a display. You put your card into it and push a button and then it produces a code number which you copy onto the web page. But I haven't seen one yet - and the media are good at getting the wrong end of the stick."

So, let's wait and see.

2007-05-08

I spotted ZDNet reporting Abbey and Prudential plan to support Firefox-based browsers. Finally!

Relisted Barclays because no-one objected to a "wait and see" approach.

2007-06-28

Problems reported on ingdirect.es:

"I get a message in Firefox to the effect that the web page is NOT a secure site, even though the address bar shows the URL as https...???

THIS is the URL on the pop up.

THIS is the URL of the bank's opening page. Access de clientes is the link to log in."

I didn't see the cause at a glance... anyone? Does this work with GNU/Linux or not?

Also spotted a D+Cglug subscriber reporting problems on UK HSBCnet - anyone willing to confirm or reject that? Comment form at the bottom of the list.

2007-10-04

Updated: Société Générale (FR) with gnucash QIF importer

2007-10-04

Updated: Société Générale (FR) with gnucash QIF importer

2007-10-16

Added: Sainsbury's Bank's Online Saver, SEB Vilniaus Bankas (LT), Snoras (LT)

Noted problems with Alliance and Leicester commercial banking.

2007-10-31

Added: PSK (AT)

2007-11-04

Added: Raiffeisen Banking (AT), US Bank (US), Moneydance.fi OFX - Thanks everyone!

2007-11-14

Added: Inteligo (PL)

Noted: ING Bank (PL) exploit published on hacking.pl. Sounds bad. Wonder if I should delist ING(PL)?

Noted: BBC: Fears over online banking checks - "It's about customer retention rates, user experience and customer satisfaction."

2007-11-15

Updated: Washington Mutual (US)

Noted: BIM: Homeless Polar Bears in Court - "highlight the role of the Royal Bank of Scotland in financing the oil and gas industry resulting in climate chaos throughout the world."

2008 onwards

See the web category on Software Cooperative News for later updates.

The List: What Works With GNU/Linux

The online banking services from these UK banks seem to work with GNU/Linux (usually at least compatible with Firefox-based browsers). Quotes are from users of those services, not me. You act on this list at your own risk: if possible, get a promise from the banking service provider that they will continue to work with GNU/Linux, free software and web standards.

  1. Cooperatives and Mutuals:
    • Cooperative Bank (personal accounts: no back button; business account: "works, but is quite nasty, slow and difficult to navigate for no good reason" or "no problems with Firefox/Debian/AMD64. All the functionality we need is there: recent transactions, statements, payments (salaries paid to other banks' accounts, tax to HMRC, etc). It's not particularly slow either.")
    • Coventry Building Society
    • Nationwide ("Nationwide - site works with Firefox 3 but for ages now using Opera has been problematic - it's not officially supported in Windows or Linux - for example in 9.x the top toolbar is missing top making a secure log out impossible"; no back button)
    • Norwich and Peterborough Building Society (NPBS) ("Doesn't work with Firefox 3 - probably javascript bugs. Lets you login and then logs you straight back out. Very annoying. No date for a fix known yet.")
    • Smile (Cooperative Bank) ("despite their obsession with making the "back" button log you out, is probably the best internet banking site I've used") ("In the days when they had a crazy Java applet that didn't work with the mouse on gecko-based browsers (a few years ago) they told me that khtml based stuff was fine and they would be switching to a fully w3c valid site soon. So they actually know about the existence of linux")
  2. Other current account banks:
    • Abbey ("Abbey Business Banking works fine. Abbey personal banking bitches that you are using an unsupported product but offers a "login anyway" option."; future official support announced)
    • Alliance & Leicester ("Alliance and Leicester commercial banking hasn't worked for nearly a week [at 9 Oct] with Firefox. My personal account is working fine but I can't login as a business. No help from their technical support who played the it only works in Microsoft browsers IE5+ and the venerable Netscape 4.7 gambit. As this site went live on October 3rd 2007 I'm impressed they dug out a copy of Nutscrape to test it with. If only they'd bothered to test it on a recent Firefox build. I'm waiting to see what happens with my complaint and if they'll give me a proper answer or look into it at all but so far they've been very unhelpful.")
    • Cahoot (Abbey) ("works in firefox and has done for several years")
    • Citibank ("no problem with Gecko under Gnu/Linux")
    • Clydesdale (National Australia Bank)
    • Yorkshire Bank (National Australia Group)
  3. Big Chains:
    • Bank of Scotland (HBoS)
    • Barclays - may or may not keep working - see removal comments above.
    • Firstdirect (HSBC) ("The basic bank website works with Linux and Firefox. Also works on my Nokia symbian web browser. They also have an plus service that uses active x, which only works with IE. I haven't tried this with IE4linux that may work but I am not going to pay for the service to try it out." Incompatibility page)
    • Halifax (HBoS)
    • HSBC ("allows one to download statements as CSV files"; "fine with Epiphany"; "HSBC works with non-gecko browsers - hell, it works from w3m (if you hit F a few times to render the frames)"; "HSBC business works with Epiphany and not Opera"; unhappy comment from redi about their credit card system)
    • Intelligent Finance (HBoS)
    • Lloyds-TSB
    • NatWest/RBS has mixed reports - ("Update on NatWest, recently they seem to have changed it again. Now I had to set general.useragent.extra.firefox to "Firefox/3.0.1" in about:config (before it was set to 2.0.11 or something). Silly people."; it works with "latest fc6 kernel with firefox 1.5.0.10"; "You do have to be using an approved browser though; Any other XUL-based browser which doesn't identify as firefox or mozilla will be refused however."; "they only accept user-agent strings that match specific browsers that they've tested"; "the NatWest One all-on-one mortgage account is actually set up as a Royal Bank of Scotland account, and although the NatWest online banking system is _excellent_ (apart from the crappy restriction on useragents), the one provided by oneaccount.com is a complete pile of crap. It does work, but it's all Java and fairly useless.")
  4. Non-current-account banking services:
    • American Express
    • Barclaycard
    • Egg ("probably the best internet credit card site I've used")
    • Icesave
    • ING Direct
    • MBNA
    • Mint (RBS) ("work reasonably well for me")
    • Sainsbury's Bank's Online Saver ("I can verify that every graphical browser I've tried works (other than links in graphical mode, which is hardly surprising as it doesn't support cookies by design): Firefox 2, Konqueror 3.5.7, Mozilla Seamonkey..." "Requires Javascript")
    • Tesco (RBS) ("work reasonably well for me")
  5. Overseas, by country code:
    • Banco Río (AR) ("It has ads in flash, but I think that without flash everything works. A drawback: all the navigation is done via javascript, so you cannot bookmark or disable javascript.")
    • PSK (AT) ("Austrian Post Bank has online banking services that work fine with GNU/Linux")
    • Raiffeisen Banking (AT) ("works fine with firefox (don't tested it with konq) and even has a demo site for your testing - works without java. Needs javascript.")
    • Sparkasse (AT) ("works with Firefox and Konqueror (but needs Java)")
    • List of Australia and New Zealand Banks (AU+NZ)
    • ANZ Bank (AU) ("web site works perfectly in linux with Firefox/Iceweasel. Pure HTML/Javascript, no flash etc")
    • Bendigo Bank (AU?) ("works fine for me (ubuntu, epiphany). All HTML based (maybe some JS)... even has security token (where you enter the code in a web form). No silly onscreen keyboards either")
    • Commonwealth (AU) ("works fine with Mozilla"; "for some reason Konqueror has connection troubles, while iceweasel still works fine")
    • National Australia Bank (AU) ("officially supports Firefox and also works with Epiphany if you tick a box")
    • ING Direct (AU)
    • ING Bank (AU)
    • Fortis Bank Belgium (BE) ("works like a charm"; "uses a token generator")
    • KBC (BE)
    • Record Bank (BE) ("Konqueror works equally fine, I only needed to change the browser identification to 'Mozilla'.")
    • Caisses Populaires Desjardins (CA) ("was working, but I have left them since")
    • HSBC (CA) ("Their online Personal Banking account gives users a choice to download transactions for Quicken or Money but not in a generic CSV format.")
    • PC Financial Master Card (CA)
    • RBC Banque Royale (CA) ("I used different versions of Firefox successfully.")
    • ING Direct (CA) ("I used different versions of Firefox successfully.")
    • TD Canada Trust (CA) ("I can download transactions in [...various financial package...] or Spreadsheet (CSV) formats.")
    • UBS (CH) ("clueful people in the sysadmin seats. Whether they're helpful or not depends on the cause"; "Switzerland has not adapted the external standards")
    • List of German Banks and Browsers (DE)
    • 1822direkt (DE) ("I had HBCI running with Gnucash. They also provide PGP (yes, not GPG)-encrypted mails whenever some happens on the account (immediately as it reaches their computing centre)")
    • Berliner Volksbank (DE) ("offers HBCI if you bug them hard enough and plays well with gnucash.")
    • BW-Bank (DE)
    • Deutsche Bank (DE) ("does HBCI+"; "clueful people in the sysadmin seats. Whether they're helpful or not depends on the cause")
    • Deutsche Kreditbank AG (DE)
    • ing-diba (DE) ("relies heavily on Javascript, but works with Firefox")
    • netbank.de (DE) ("works with Linux from the beginning. With all browsers.")
    • postbank (DE) ("works via https flawlessly (PIN/TAN), both "standard online" and "direkt" versions (firefox, konqueror). HBCI (PIN/ITAN) works also (except a few problems with credit card account) with libaqbanking.")
    • Sparkasse (DE) ("supports DTAUS and HBCI"; "no problem with Gecko under Gnu/Linux")
    • List of Denmark Banks (DK)
    • Caja de Segovia (ES) ("Firefox or Konqueror")
    • Caja Madrid (ES) ("works like a charm on every browser")
    • Nordea (FI) ("uses both OTP's (which works in all browsers) and certificates (card or file) which does not work (requires Nexus Personal software only available for Windows atm)")
    • Osuuspankki (FI)
    • Säästöpankki (FI)
    • List of France Banks (FR)
    • Crédit Coopératif (FR)
    • Société Générale (FR) ("For the Societe Genreale, there is a .QIF translator (the QIF provided by the bank is needs manual operations after import into gnucash) See http://xl2qif.chez-alice.fr/")
    • Ulster Bank Ireland (IE) ("enforces IE by User-Agent check, which can be easily circumvented")
    • Banca Popolare Etica (IT) ("fully accessible from Linux")
    • Banca Sella (IT)
    • Monte dei Paschi di Siena (IT) (reported as maybe non-working 2009-02)
    • San Paolo IMI (IT)
    • SEB Vilniaus Bankas (LT) ("work perfectly fine using either Epiphany or Iceweasel")
    • Snoras (LT) ("work perfectly fine using either Epiphany or Iceweasel")
    • BBVA Bancomer (MX) ("work reliably under Firefox and Epiphany in Linux [...] rely, however, on opening popup windows, and might require to disable some blocking - but they do work.")
    • Santander (MX) ("work reliably under Firefox and Epiphany in Linux [...] rely, however, on opening popup windows, and might require to disable some blocking - but they do work.")
    • ABN-AMRO (NL) ("an excellent online bank. Their site has worked flaw-lessly with every version of Gecko since the sites inception a few years ago. Having talked to a consultant who did a small part of it I know they spend considerable effort on making sure it works on different browsers/OSs.")
    • Rabobank (NL)
    • Skandiabanken (NO) (Firefox "1.5 and 2.0, haven't tried 1.0 since they last revamped it")
    • Sparebank 1-Gruppen (NO)
    • Storebrand Bank (NO)
    • ING Bank (PL) ("has a login application which is locked to SUN Java down to a particular version number. Some 2 weeks ago they forced a _downgrade_ to SUN JRE 1.5, after a forced upgrade to JRE 1.6 earlier this year. Right now it does not work with JRE 1.6 installed at all, even though it's backwards compatible. Their soft keyboard is unsafe and this fact is widely known. It was released as a hot news by a top Polish IT security website hacking.pl (in Polish) *months* ago, and they didn't move a finger to date [2007-11-14]")
    • Inteligo (PL) ("works under Linux with Konqueror, Firefox and even Links2 graphical. It uses JavaScript, not Java")
    • mBank (PL)
    • List of Sweden Banks (SE)
    • Handelsbanken (SE) ("works in one way (and doesn't in another) for personal banking. They have two methods: certificates and one-time codes. The certificates used to work with built in handling in firefox under linux, but then they decided to enhance security and an additional windows-only app was required for handling of certificates. Now I use username/password enhanced with the one-time codes.")
    • Swedbank (SE)
    • Etrade (US) ("bank and brokerage works with Firefox on Debian GNU/Linux")
    • Bank of America (US)
    • HSBC (US) ("I'm in the US and have used HSBC for years with no problems. The recently added a 2 step - 3 part auth. step 1-- enter username in text field. step 2-- enter password in text field and secret code via web-keyboard.")
    • ING Direct (US) ("Firefox 2.0")
    • US Bank (US) ("works just great on Ubuntu (Dapper through Gutsy)")
    • Vermont State Employees Credit Union (US) ("Firefox 2.0")
    • Wachovia (US) ("admittedly I don't use any of the fancy stock picking stuff")
    • Washington Mutual (US) ("works perfectly with Iceweasel, and thus I suspect it works with other Gecko-based browsers as well; I have observed no compatibility problems or unexpected behavior. Their online banking does not require any proprietary plugins or software. Furthermore, they offer downloads of banking information using QIF, which, while not exactly an open standard, works fine with numerous pieces of Free and Open Source Software. The only unfortunate problem I've noticed: their demo and tutorial videos require Flash.")
    • Skandinaviska Enskilda Banken (Unknown) ("Few javascripts on the page; just one to make sure you let the loading page load before you request a new.")
    • Are there other national lists of these that I should link to? Anyone want to start some?
    • List of Worldwide Banks and Browsers - last updated 2005

"Northern Rock's online savings account is entirely Java-based, and while it works in theory on platforms other than Windows, it had serious font issues every time I tried it (99 times out of 100 it worked in theory, you just couldn't see any text). I'm told that more recent versions of Java have fixed what was (apparently) a pretty horrendous implementation of font rendering, so it may no longer be a problem, but I've long since closed that account."

Sources: May 2006 threads on news:uk.comp.os.linux about online banking (see also its old FDL-plagued FAQ); Members of BBLUG including: Alan Pope, Malcolm Parsons, James Hosken, Peter H, Rob Davis, Matt Dainty, James Cort, Alex Butcher, A. S. Budden, and others. Commenters to this site: Enrico Zini, David Woodhouse, Gunnar Wolf, Neil Williams, Daniel Wild, Matthew Wilcox, David Weinehall, Stuart Ward, Chris Waigl, Luis Villa, Peter Van Loock, Marcin Trybus, Josh Triplett, Mark Thurston, Magnus Therning, Stewart Smith, Andy Smith, Joey Schulze, Giuseppe Sacco, Scott Robinson, Roger, pub.cra, Brett Parker, Daniel Nylander, Nix, Neil, Víctor Moral, Hamish Moffatt, mkv, mikko, Jiri Mencak, Martin, Kris Marsh, KNT, Kevin Mark, Steve McIntyre, Shaun Laughey, Domas Jokubauskis, Dagfinn Ilmari Mannsåker, wjl aka Wolfgang Lonien, Florian La Roche, martin f. krafft, Sander Klein, KDS, Emmanuel Kasper, Antti-Juhani Kaijanaho, Nils Ivanson, Marek Isalski, infinito, David Hunnisett, Arndt Heuvel, Jon Kåre Hellan, Hans-Peter, David Haguenauer, Kevin Fries, Ben Francis, Hubert Figuiere, Feth, Martín Ferrari, Leo Eraly, Andrew Donnellan, Thomas Cort, Christoph Claus, Stefano Canepa, Floris Bruynooghe, Mark Brown, P. Oscar Boykin, Adam Bower, Carsten Aulbert, Phil Armstrong, Alex; IRCers: Philipp Kern; and others on Usenet in replies to my messages: Ian Smith.

Do you know about any more? Which banks in the list actually support OFX, DTAUS or HBCI for direct data exchange with finance programs? Send me a comment, please.

Kevin Fries commented:

"Here is a good place to start with the OFX compatability: http://moneydance.com/fi "

Comments are moderated (damn spammers) but almost anything sensible gets approved (albeit eventually). If you give a web address, I'll link it. I won't publish your email address unless you ask me to, but I'll email you a link when the comment is posted, or the reason why it's not posted.

This is copyright 2007 MJ Ray. See fuller notice on front page.