Last week, FNB implemented a new policy which prevented its online banking customers from pasting their passwords into their browsers.
Instead, customers are now required to manually enter their login details – a change which the bank said was implemented to improve security.
“All stored passwords on your device can be viewed during a malware attack. Passwords can be easily accessed on your unattended/unlocked/stolen device,” FNB said in a notice announcing the change to customers.
While both of those statements are true, a paste block offers no protection against malware such as keyloggers, which capture whatever the user types, and it discourages customers from using password managers, which are widely accepted as one of the best security measures available to Internet users.
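As an added illustration (not FNB's script and not the code of any browser extension mentioned below), the following Node.js model shows how a client-side paste block on a password field typically works, a listener that cancels the cancelable paste event, and why it leaves typed input, and anything on the page that observes keystrokes, untouched. The FakePasswordInput class, the sample password and the keystroke observer are all constructed for this example.

```javascript
// Added example: a Node.js model of a browser-side paste block on a password
// field. It is not FNB's pilot.js and not any extension's code; the element
// class, the sample password and the observer are constructed here.
// Requires Node 15+ for the global EventTarget and Event classes.

// Node has no KeyboardEvent, so this is a minimal keydown event carrying the key.
class KeyEvent extends Event {
  constructor(key) {
    super('keydown');
    this.key = key;
  }
}

// Stand-in for an <input type="password"> element (constructed for this example).
class FakePasswordInput extends EventTarget {
  constructor() {
    super();
    this.value = '';
  }

  // Models the browser's default action for a paste: the text is inserted
  // unless some listener called preventDefault() on the cancelable paste event.
  paste(clipboardText) {
    const ev = new Event('paste', { cancelable: true });
    const notCancelled = this.dispatchEvent(ev); // false if preventDefault() ran
    if (notCancelled) this.value += clipboardText;
    return notCancelled;
  }

  // Models a user typing: every character is announced as a keydown event
  // before it lands in the field, so any keydown listener sees it.
  type(text) {
    for (const ch of text) {
      this.dispatchEvent(new KeyEvent(ch));
      this.value += ch;
    }
  }
}

// The policy discussed in the article: a listener that cancels every paste.
function installPasteBlock(input) {
  input.addEventListener('paste', (ev) => ev.preventDefault());
}

// Anything listening for keystrokes on the page sees typed characters whether
// or not paste is blocked. This observer stands in for such a script.
function observeKeystrokes(input) {
  const seen = [];
  input.addEventListener('keydown', (ev) => seen.push(ev.key));
  return seen;
}

// Runs the comparison and returns what happened, for inspection or testing.
function demo() {
  const password = 'correct horse battery staple'; // constructed sample value

  const plain = new FakePasswordInput();           // field without the block
  const pasteAccepted = plain.paste(password);

  const guarded = new FakePasswordInput();         // field with the block
  installPasteBlock(guarded);
  const seen = observeKeystrokes(guarded);
  const pasteAcceptedWhenBlocked = guarded.paste(password);
  const valueAfterPaste = guarded.value;
  guarded.type(password);                          // what the policy forces users to do

  return {
    pasteAccepted,                   // true: the plain field took the password
    plainValue: plain.value,
    pasteAcceptedWhenBlocked,        // false: the listener cancelled the paste
    valueAfterPaste,                 // '': nothing was inserted
    valueAfterTyping: guarded.value, // the password still arrives by typing
    keystrokesSeen: seen.join(''),   // and every keystroke was observable
  };
}

console.log(demo());
```

Run it with `node` and compare the two fields: the block only decides how the secret enters the field, not whether a script on the page can observe it, which is the distinction the article draws between clipboard exposure and keylogging.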
Password managers allow users to employ unique, extremely strong passwords for each service they use. This approach is based on the adage, “the strongest password is the one you don’t remember”, and allows users to secure all their passwords behind a single strong master password.
Browser-integrated password stores, such as Google’s password vault, offer comparable protection, although they are arguably less secure than dedicated solutions like LastPass.
According to PlainSpeak founder Alistair Fairweather, FNB’s change forces users to use less secure passwords that they can remember in order to continue using online banking.
For this reason, customers who are concerned about their online security and are confident that their own devices are not compromised may be better served by circumventing FNB’s password manager block.
Backlash and bypass
Prominent security experts – including “Have I Been Pwned?” creator Troy Hunt – have weighed in on the logic behind FNB’s move, with many condemning the discouragement of password manager usage by customers.
In response to protests on Twitter, FNB’s customer support supplied the following statement:
“Hi. While the Bank appreciates the useful role that password managers play and accept that you can make use of this for your other apps and systems, we caution you against the use of a password manager for your banking.”
Some users refused to comply with FNB’s security changes and found ways to bypass the bank’s password pasting blocker.
Users found that by adding the “https://www.fnb.co.za/web-plt/Exhursfl” URL to their ad-blocker or blocking the “https://www.fnb.co.za/00Assets/v2.2/js/pilot.js” script, they could circumvent FNB’s blocking rules.
One user even created a Chrome extension named “Unblock FNB”, which allows users to once again paste passwords from their password manager software into their browser.
FNB’s warnings regarding the danger of your device being physically compromised or infected with malware are valid, but if you prefer to use a password manager, you should not simply install any extension available on the Chrome web store.
It is recommended that technical users inspect the “Unblock FNB” script on GitHub thoroughly before attempting to use it to bypass FNB’s password manager block.