Netteller considers FF45 too old to support; ends my online banking

Dr. T Michaels's Avatar

Dr. T Michaels

16 Oct, 2020 11:43 PM

Netteller is a 3rd party vendor of online banking services to small banks. It is the largest such in the country, as well as big world-wide ops. It was recently taken private by US Vulture Capitalist funds; they are re-structuring the company to improve short-term earnings by cutting staff and limiting their services. Netteller's main competitors have long been acquired by Netteller.

I have had accounts at some small banks for decades. They are too small to support their own IT and contract with Netteller. Suddenly, as of September, I have been cut off by Netteller. The response they gave the bank was that I was using FF45, and that it was "too old."

The bank "IT" personnel have minimal IT experience and understanding, so I did not detail TFF27 for them, just to say that it was an up-to-date browser.

Given that Netteller is on a profit-max drive, top-driven, it's unlikely that they will alter their decision.

QUESTION > is it possible to give TFF a sham identity to avoid this cutoff. The example for this is iCab, the German Mac browser that has the option to present itself as another identity, such as versions of IE and Safari, the appropriate one selected by the user in the Preferences.

Can this be done with TFF ? Obviously, iCab did it very efficiently, as it was necessary for them to get max adoption of their browser which no one knew about.

Pls Advise
   Dr. t

  1. Support Staff 1 Posted by Chris (chtrusch... on 17 Oct, 2020 07:15 AM

    Chris (chtrusch)'s Avatar

    Hello Dr. t, the answer is: yes, it can. Go to Preferences > TenFourFox and choose 'Select user agent string to use' …, then start with Firefox 52; if that works, leave it at that. Otherweise try more recent FF versions.

    However, looking at your screenshot, this problem cannot be cured by choosing a different user agent string. The website thinks TFF FPR 27 doesn't have sufficiently strong encryption available to talk securely to the website, which is not true.

    What's the exact URL you're trying to reach? Maybe https://www.neteller.com? This works fine for me.

  2. 2 Posted by cal yooper on 17 Oct, 2020 08:56 PM

    cal yooper's Avatar

    Hello Chris
    Thanks for your input.

    1. I will do the Preferences change you suggest, and if it works, I will advise.

    2. If the problem is Netteller's faulty analytics, then an approach
    to them directly, through
    the bank, their paying customer, would be the best way.
    For this approach, I would need to give them a direct contact in your
    shop so that TFF27's encryption sufficiency could be explained to
    them.

    (Remember, this 'insufficiency' of TFF is NEW, since Sept. Up until
    then, the current and previous versions of TFF were sufficiently
    sufficient -- unlikely an algorithm made that decision, unless it is a
    new algorithm.)

    3. As expalined, Netteller is a big, old [in internet terms] operation.
    My 'portal' [if I'm using the right term] is the bank's page, as
    Netteller is their contract vendor.

    Netteller deal directly with the public as a quasi-bank, money
    transfer agent, which has nothing to do with me.

    Thanks for the response. If you do not hear from me on the
    Preferences change by Monday, 19th, assume it didn't work. Pls
    provide contact procedure that I can give to the bank's 'IT' person to
    give to their Netteller rep to contact your shop on the encryption
    issue.

    Rgds,
        Dr. t

  3. Support Staff 3 Posted by Cameron Kaiser on 17 Oct, 2020 10:35 PM

    Cameron Kaiser's Avatar

    I can get all the way to the login screen without a problem, and our cryptography library is current to Firefox 78. Like Chris asked, we really do need a specific URL to test with so we can see what you're seeing (obviously no usernames or passwords).

  4. 4 Posted by cal yooper on 18 Oct, 2020 03:47 PM

    cal yooper's Avatar

    Gents
    1. went straight to FF78 (see attach). No joy. (did a re-start before trying)

    2. Here are a couple of portals -- note that all the locally-owned
    banks in the 906 & 715 area code districts are Netteller clients,
    their individual HP designs notwithstanding.

         msbir.com
         fnbimk.com

  5. 5 Posted by cal yooper on 18 Oct, 2020 04:23 PM

    cal yooper's Avatar

    FYI CONFIDENTIAL

     Just to update you on the recency of this problem, I attach a snip
    that shows that I accessed fnbimk.com on 7th October using TFF27.

    Clearly, Netteller didn't have a problem with TFF27 encryption. There
    was a subsequent arbitrary decision on their part.

    rgds,
       Dr. t

  6. Support Staff 6 Posted by Chris (chtrusch... on 18 Oct, 2020 05:35 PM

    Chris (chtrusch)'s Avatar

    I can access both websites just fine with TFF FPR 27.

    However when I try to log in with a bogus ID I actually can see what you're talking about.

    The actual URL is:
    https://www.netteller.com/login2008/Authentication/Views/Login.aspx?returnUrl=%2ffnbim

    It does load in Webkit (latest version), which has *all* weak cyphers since it hasn't been updated in two years, and it loads in FF 78 ESR. It does not load in Waterfox Classic 2020.09 (based on FF 52), which uses the same cyphers as we do.

    On the other hand, Qualys says www.netteller.com wants
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    which we have.

    FF 78 connects using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 over TLS 1.2.

    I don't know what's going on. There must be some other SSL/TLS setting which prevents the login site from loading.

  7. Support Staff 7 Posted by Cameron Kaiser on 18 Oct, 2020 08:10 PM

    Cameron Kaiser's Avatar

    Yes, I can reproduce with that URL on the development machine. Disabling enforced TLS profiles didn't help either.

    Frankly, this should work. Debug version doesn't show anything obviously wrong, however, so it won't be fixed for FPR28.

  8. 8 Posted by cal yooper on 18 Oct, 2020 08:45 PM

    cal yooper's Avatar

    I don't understand the technical aspects of ssl/tls, nor wish to.
    But, what I hear you saying is that there is nothing obvious about why
    it is not working.

    What we have as an answer to that is the Netteller customer rep
    telling the bank liaison that "FF45 is too old" -- not exactly a
    precise answer to the question. But it does tell us that TFF27 is
    seen as FF45 on that end.

    What we DO KNOW is that all WAS copacetic, that FTT27 was working just
    fine with the Netteller sys well into Sept '20, that the existing
    systems had no problems communicating with whatever those protocols
    were. So, it's reasonable to assume that at that point, the wonks
    at Ntlr made some change on their end which cut us off.

    Here is a TFF problem > it is showing up at Ntlr as FF45, not FF78.
    If TFF has the ssl/tttls encryption protocol of FF78, then why is Ntlr
    not seeing it as FF78, esp. when the User Agent has been set to it ?
    What parameter did Ntlr change in Sept that stopped the communication
    that had been going on previously ?

    Tomorrow, Mon, I will ask the MSBIR IT person to tell her Ntlr rep
    that we [you guys] need to talk to someone in the Ntlr shop who knows
    what they did and why. That we need names to get to the root of the
    problem.

    Or, is there a site-designated comms person for you guys to reach out to there ?

    Any other thoughts, directions on how to proceed ?

    Thanks for all the effort.
    Rgds,
       Dr. t

  9. Support Staff 9 Posted by Cameron Kaiser on 18 Oct, 2020 09:12 PM

    Cameron Kaiser's Avatar

    The browser is being seen as Firefox 45 because that is its basis. Certain components have been upgraded, including the security library, but the browser is still Fx45 at its core.

    I am able to correctly view the page in Firefox 78 and 80. Since we have the same cipher set as Firefox 78, then it should work on our end too, and we are probably merely missing some additional piece or setting to make that function. I'll look into this but it won't be for the next version, which is already in testing and scheduled to emerge on Tuesday.

    I'm sorry this is frustrating you, but we do not talk to other companies on users' behalf. That is not a reasonable expectation from a volunteer project. The browser is free, no money changes hands, and no guarantees or promises are made.

  10. 10 Posted by cal yooper on 22 Oct, 2020 02:31 PM

    cal yooper's Avatar

    Cameron
    FYI >
    Have been pushing one of the banks who has an officer with a little
    background with IT vendors. Here's some input that may be of interest.

     I can sometimes guest on a pc system w/T1 line, the system managed by
    outside firm, so updates of apps don't always get made timely. On
    that system, the last upgrade to FF was v.81.0.1. That v. is
    incompatible with Netteller's security.

    The bank advises that 'lots' of users of Ntlr had problems accessing
    w/FF.v.81. The new FF v.82 has solved only 'some' of those users'
    problems.

    Question > are the FF Mac & pc versions different in sequence ? ie.
    is FF78 the latest Mac .v ?

    Rgds,
       Dr. t

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Already uploaded files

  • nettellr.fail.tiff 72.4 KB

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac