Bank says no to XP for online banking

It doesn't sound like the bank people told you XP wouldn't work, only that they recommended not to use it. In other words they didn't say that computers running XP would actually be prevented from accessing the site. Is that correct?

Does a website have the ability to determine the OS of a client machine? A website receives information about the browser user agent, which (as others have mentioned) can be easily spoofed. A sensible thing for people running XP to do would be to use one of the current browsers, such as Chrome or Firefox and not IE 8 which is the last version available for XP.

 

Ignorant/Simple Minded/Uneducated people usually follow black and white rules. For them Windows XP will be indefinitely less secure than a completely compromised Windows 7 laptop.

 

Blocking will probably prove difficult for banks, but that's not the most important issue IMO. If consumers accounts get emptied by banking trojans, the banks could start requiring an investigation of the compromised device, and refuse to refund any OS that is not approved, AV+FW installed, updated or whatever.
I think it's best to name the banks that don't want to approve Linux, they probably don't want to risk angering the whole Linux community.

 

I have several accounts and I was able to log on to a small one with XP SP3 (with no updates for 2-2 1/2 years). The site did not block my access or issue any pop ups or other communications stating that I was not using an up to snuff OS. The "personal banker" did mention when asked that I was covered for online theft as long as a Police report was made.
But he still insisted that I no longer use XP.

I was told a long time ago that the below info was accessible to online entities.

I am not sure if this is true or not.

Edit: As I always clear my browser history, when I do go online to check balances the Log- On page says " we do not recognize your computer" then offers a telephone number to call or to receive an E mail with an access number to enter along with my other info to get logged in. They stress that this number will expire in a short time and to therefore use it promptly.

 

Maybe he was trying to give you some computer security advice...

Only a part of it. The browser sends a User Agent string in every HTTP request that can contain the OS version that you are using. But that is the only piece of information that is directly accessible to a server that you connect to. However, that User Agent string can be changed by the user at will.

That sounds like a two way authentication mechanism. Usually, if you specify that your computer is "trusted" during a two way authentication session, a cookie is stored and you will not be asked for the second factor (that access number) when you are using that browser. When you cleared your history, if you cleared that cookie as well you are required to use the second factor again (hence the need to call a phone number to receive that access number).

 

Sure is, plus many other things.

 

It's nice that banks say NO to XP but until they resign on Java the security of their online applications won't be improved. Personaly I don't have a problem with XP, after many years of the regular monthly maintenance this system is quite hardened. However a lot of banks, insurance companies and other institutes still have their online systems built up on Java applets, so users don't have other chance than to install Java environment. Look at past two years, there wasn't a month when a Java vulnerability or security risk wasn't discovered.