Why do some internet banks force logout on back button?

A scenario such banks might want to protect you from could be this:

  1. you visit your banking website and do your banking stuff.
  2. after you are finished you log out and then navigate to some other website to look at cat pictures or whatever.
  3. you leave your computer with the cat picture website open. Because there is nothing incriminating on your screen, you feel safe doing that.
  4. your evil roommate comes along and presses the back button a few times.
  5. they arrive at the cached version of your banking site, see your bank account and see that you still haven't paid your share of the rent even though you clearly have enough money to do that.

That's one reason why banking websites do not work when you navigate to them using the browser's back button.

But an even more likely reason could be laziness on the side of the web developers.

Allowing the user to use back and forward navigation creates an additional variable in a web application which needs to be kept in mind at all times. Simply making this impossible removes that variable and makes it far easier for the developers to create a secure and bug-free application. Because bugs in banking applications can cause quite a lot of financial damage, developers in that sector are rather conservative and tend to limit usability when it results in a more predictable application use-pattern.


There are a couple of things going on here:

Banking sites will use cache-control headers to forbid caching of the pages. So when you click back, the browser has to reload the page from the server.

Some parts of the site may have a strict flow of pages, e.g. you enter transaction details, enter your SMS code, view transaction confirmation. These require strict tracking of what page you're supposed to be on. So if you click back, it breaks this, and you get an error.

It can also occur because of dubious attempts to improve site security. For example, some banks have session tokens in the URL that change with each request, and if you go back your token is now invalid.

There is usually no strict need for the site to have this behaviour. Going back ten years or so, it used to be very common, although it is less so now.


This isn't as common now, but quite some time ago a lot of websites were just HTML wrappers around classic terminal (IBM 3270 and the like) applications which were being scraped statefully, and this was especially prevalent in legacy industries where the whole idea of a separation between view and model is very, very new. It's possible that a lot of banking websites still are implemented in that way, or that they used to be and still have the back-button-preventing behavior "just in case."