13

One of my credit cards' bill-paying sites has an incredibly annoying limitation... it does not allow the user to paste in the bank routing and account number. Therefore, every month I am forced to manually type these numbers in (twice!). I have other credit cards and bills and none of them have this limitation. Is there any security advantage to the one bank not allowing pasting?

SplashHit
  • 5
    Have you tried using a browser extension, such as [Don't fuck with Paste](https://chrome.google.com/webstore/detail/dont-fuck-with-paste/nkgllhigpcljnhoakjkgaieabnkmgdkb?hl=en) – timuzhti Nov 04 '15 at 04:17
  • 1
    That extension solved my problem with that site! – SplashHit Nov 04 '15 at 13:02
  • 1
    The fact that their "security feature" was easily circumvented by simply installing a publicly available browser extension seems to point out the "value" of this "feature" – SplashHit Nov 04 '15 at 13:11
  • If you have to type it (and even if you paste it) spyware may get it. As I see it, it doesn't really add security one way or the other. [You know those graphical keypads that change the position of the numbers and that the numbers disappear when you hover the mouse? - spyware may get those too, modern ones record video.] – Theraot Dec 31 '15 at 22:50

2 Answers

15

The problem isn't with pasting, it's with copying confidential data. The copy buffer isn't a protected resource and can be accessed fairly freely.

That said, account and routing numbers aren't really confidential, as you give them out on every check, so this idea sounds harebrained. Perhaps they do this to give the impression of security to less informed users? Perhaps they're just really confused.

Neil Smithline
  • 2
    99% of common users, and a good percentage of "technical" ones, have no concept of good security in the first place, much less even consider the implications of the copy buffer. That is, this really only annoys end users. Further, since it doesn't prevent you from doing the copy, it fails at the implied goal anyways... – Clockwork-Muse Nov 07 '15 at 14:34
  • I suspect it reduces copying of the account after multiple pasting attempts. For example, it seems that the OP has been conditioned not to copy. That said, I'm not convinced it's a good idea either. – Neil Smithline Nov 07 '15 at 16:10
1

Not allowing pasting can be for safety too. By forcing you to write them manually twice, you avoid the risk of incorrectly typing the numbers, which can result in money sent to the wrong bank account. Many users just copy the info from field 1 to field 2, to bypass the double-entry verification. In some cases, users do this from field 2 to field 1 if the field 2 had pasting disabled. That's why both fields have pasting disabled. It's for the same reason "paste" is disabled on the email/verify email, on signup forms.

So, it actually has nothing to do with security, but rather with safety. They don't want problems with customers mistyping account numbers, and then copy-pasting them to avoid having to write it twice, and then the money lands at some bankrupt company and the money is lost.

This sometimes happens here in Sweden. A bill-payer writes the wrong account number in their internet banking interface, and does not check the receiver name that pops up on "confirm payment". The company that receives the money is bankrupt and has debts, so the money is taken by the government to pay the company's debts. Thus "Conditio indebiti" is not enforceable, and then the money is lost and the user in question has to pay a second time for the same bill.

schroeder
sebastian nielsen
  • 1
    Risk of incorrect typing is not a reason for this. Most types of financial account numbers, including all IBAN numbers currently used also in Sweden, credit card numbers, etc use a variety of checksum systems that have guarantees that common typing mistakes (a typo, swapped neighbouring symbols, etc) must result in a number that fails validation. If you do enter someone else's account number, then you're actually intentionally entering someone else's number because of some misunderstanding and that can happen both with manual entry and copying. – Peteris Nov 06 '15 at 22:02
  • Full account numbers do have this protection, sometimes both by a length digit and check digit, but bill-pay numbers are only anywhere between 2-8 digits where one of those is a single check digit, so it has actually happened that money gets sent to the wrong company. That's why all banks nowadays pop up a confirm dialog where the receiver company name is shown. I don't know how the American bank system works, but since most of these numbers are not designed from the beginning to be typed, rather to be scanned by a MICR or OCR machine, they might lack check digits or such type of error checking. – sebastian nielsen Nov 06 '15 at 22:08
  • 5
    *"It's for the same reason "paste" is disabled on the email/verify email, on signup forms."* Yeah about that, please kill anyone doing this. – Luc Nov 06 '15 at 22:12
  • 5
    That's asinine. I copy and paste my information precisely to avoid typos. If they want to keep you from copying and pasting from one field to the next, then prevent the copy, but don't prevent paste. – Rick Sep 28 '18 at 20:18
  • 1
    @Rick Exactly, most of us use a password manager anyway which will automatically paste in correct number and is the most reliable means of input... – Dean Kuga Dec 12 '18 at 22:40
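
The checksum disagreement in the comments above can be tested directly. The following Python is an added example, not part of the original thread: it runs the IBAN mod-97 check and the Luhn check used for card numbers against every single-digit typo and adjacent-digit swap of a sample number, going slightly beyond the thread by showing the one swap a single Luhn check digit misses. The sample numbers and helper names are assumptions made for the illustration.

```python
# Added illustration; the sample numbers are specimens, not real accounts.
IBAN = "GB82WEST12345698765432"  # specimen IBAN commonly used in documentation
LUHN = "1234509873"              # constructed: payload 123450987 + check digit 3

def iban_is_valid(iban):
    """ISO 13616 mod-97: move the first four characters to the end,
    map letters A..Z to 10..35, and require a remainder of 1."""
    s = iban.replace(" ", "").upper()
    if len(s) < 5 or not (s.isascii() and s.isalnum()):
        return False
    moved = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in moved)) % 97 == 1

def luhn_is_valid(number):
    """Luhn mod-10: double every second digit counting from the right."""
    if len(number) < 2 or not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def single_digit_typos(s):
    """Every string that differs from s in exactly one digit."""
    for i, ch in enumerate(s):
        if ch.isdigit():
            for r in "0123456789":
                if r != ch:
                    yield s[:i] + r + s[i + 1:]

def adjacent_swaps(s):
    """Every string made by swapping two different neighbouring digits."""
    for i in range(len(s) - 1):
        a, b = s[i], s[i + 1]
        if a != b and a.isdigit() and b.isdigit():
            yield s[:i] + b + a + s[i + 2:]

def undetected(valid, check, mutate):
    """Mistyped variants of a valid number that still pass the check."""
    return [m for m in mutate(valid) if check(m)]

if __name__ == "__main__":
    for name, num, check in (("IBAN", IBAN, iban_is_valid),
                             ("Luhn", LUHN, luhn_is_valid)):
        print(name, "typos missed:", undetected(num, check, single_digit_typos),
              "swaps missed:", undetected(num, check, adjacent_swaps))
```

Neither check can catch a number that is well-formed but belongs to a different payee, which is the case the receiver-name confirmation dialog mentioned above addresses.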