Chase Bank used to redirect users with “unsupported” browsers to a page explaining what browsers they would allow you to use to manage your money. Rather than detecting whether the browser has the appropriate security features, they allow or disallow access based on the self-reported useragent string of the browser, which has long been condemned as a really poor practice, ever since “best viewed with Netscape Navigator” messages were a thing.
If I, as a Waterfox user, wanted to use their site, I would have to change my useragent to pretend I was using something else, and then it would let me in. That’s illustrative of how dumb and pointless useragent sniffing is: the practice excludes too many people (because it blocks browsers that are fully updated like mine just because it does not recognize them) and too few (in that anyone who knows how to install an addon and select a new browser from a dropdown menu can masquerade as some other browser).
That’s what you’d call “a bad idea.”
They eventually changed that practice, and I’ve given them credit for changing their mind, even if I still used them as an example of what not to do. Was this a success story of a site owner learning from their mistakes? I’d thought so.
Well, I just tried logging in there, and upon entering my information, it told me “It seems that this part of our site isn’t working now.”
I tried again with the adblocker and script blockers disabled, and still no access. Tried in Waterfox’s safe mode… still the same. I tried with a blank profile, with all default settings… no good.
I do have an addon to change the useragent, but I am reluctant to use it simply because it should not be necessary. Either my browser has the ability to use the grade and type of security features the bank wants to use or it does not, and the most certain way to find out is to try to use those features and observe the results.
I can see blacklisting certain browser versions that are known to have unfixed security bugs, but to whitelist only a few selected browsers and deny the rest is really bad practice, not to mention 15+ years out of style.
So, reluctantly, I changed my useragent from Waterfox 2019.10 on Linux to Firefox 67 on Windows 10, and voila, now that part of their site works.
It’s bad enough to tell the customer “Sorry, we don’t recognize your browser, so get lost,” as they once did (and if I remember correctly, they didn’t have ANY browsers on the accepted list if the user was on Linux), but to simply say that this part of their site is not working, which is what some of us like to call “a lie,” is worse. If one were to take the site at its word, he would simply try again later, then later, and so on, and it would never work, without any clue that the site was selectively blocking people based on the useragent string of their browser, and then lying about what had happened.
I thought Chase had learned, but apparently not.
On top of that, they have a really silly “we don’t recognize the computer you’re using” conditional 2FA message. It says exactly that, but the very next line says, “This may have happened because you’re using a device you don’t usually use or you cleared the cookies on your phone.” (emphasis added)
It is the same device I use to access the site every time, so it’s not that, and I guarantee that I have not cleared the cookies on my phone, as that is quite impossible on either my dumb cell phone or my land line phone, which are the only phones I have. What would that have to do with my computer anyway? You know, the one they say they don’t recognize!
That bit is laughable, but it kind of reinforces the idea that they really have no idea what they are doing.
I’ll have to think about whether it’s worth it to continue to do business with them.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
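
The post's point about useragent sniffing excluding "too many" and "too few", as an added example (not part of the original post and not the bank's code): a gate that trusts the self-reported header beside one that checks what the TLS handshake actually negotiated. The allowlist patterns, the TLS 1.2+/AEAD policy, the field names and the sample requests are all constructed assumptions.

```javascript
// Constructed allowlist, TLS policy and samples; none of it is the bank's real code or data.
const UA_ALLOWLIST = [
  /Windows NT [\d.]+.*Firefox\/\d+/,
  /Windows NT [\d.]+.*Chrome\/\d+/,
  /Macintosh.*Version\/\d+.*Safari\//,
];

// Gate 1: trusts the self-reported User-Agent header.
function uaAllowlistGate(req) {
  return UA_ALLOWLIST.some((re) => re.test(req.userAgent || ""));
}

// Gate 2: ignores the header and checks what the TLS handshake negotiated,
// which the server observes for itself (assumed policy: TLS 1.2+ with AEAD).
const MIN_TLS = 1.2;
function capabilityGate(req) {
  const m = /^TLSv(\d+(?:\.\d+)?)$/.exec(req.tlsProtocol || "");
  if (!m) return false; // unknown or missing protocol: fail closed
  const aead = /GCM|CHACHA20|CCM/.test(req.cipher || "");
  return parseFloat(m[1]) >= MIN_TLS && aead;
}

// Constructed header values modelled on the two browsers named in the post.
const WATERFOX_LINUX =
  "Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Waterfox/2019.10";
const FIREFOX_67_WIN10 =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0";
const TLS13 = { tlsProtocol: "TLSv1.3", cipher: "TLS_AES_128_GCM_SHA256" };

const SAMPLES = {
  // Current browser the allowlist has never heard of.
  unrecognizedCurrent: { userAgent: WATERFOX_LINUX, ...TLS13 },
  // The same browser with only the header changed.
  sameBrowserRelabelled: { userAgent: FIREFOX_67_WIN10, ...TLS13 },
  // An outdated client that reports the same header.
  outdatedRelabelled: { userAgent: FIREFOX_67_WIN10, tlsProtocol: "TLSv1", cipher: "AES128-SHA" },
};

// Run both gates over every sample and return the decisions side by side.
function compareGates(samples) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = { ua: uaAllowlistGate(req), capability: capabilityGate(req) };
  }
  return out;
}

console.log(compareGates(SAMPLES));
```

The header gate's decision follows whatever string the client sends, while the capability gate's decision follows the connection itself.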