[afnog] internet banking fail - with ipv6
Frank Habicht
geier at geier.ne.tz
Mon Dec 3 19:17:58 UTC 2018
Hi all,
So there's a bank in Tanzania that has customers trying to use their
internet banking.
At https://www.stanbicbank.co.tz/ you get the link to "Internet Banking"
in the "Online Banking" box. The link leads to
https://ibanking.stanbicbank.co.tz/
which is hosted on a CDN (and I hope to get help from there, hint...).
[prompt]$ dig a ibanking.stanbicbank.co.tz +short
ibanking.stanbicbank.co.tz.cdn.cloudflare.net.
104.19.160.18
104.19.159.18
[prompt]$ dig aaaa ibanking.stanbicbank.co.tz +short
ibanking.stanbicbank.co.tz.cdn.cloudflare.net.
2606:4700::6813:a012
2606:4700::6813:9f12
[prompt]$
at https://ibanking.stanbicbank.co.tz/ you get a 268 byte html response
containing only a redirect:
[prompt]$ cat ibanking_v4.html
<html>
<head>
<META http-equiv=REFRESH content="0;
url=corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__START_TRAN_FLAG__=Y&FG_BUTTONS__=LOAD&ACTION.LOAD=Y&AuthenticationFG.LOGIN_FLAG=1&BANK_ID=TZ">
</head>
</html>
[prompt]$
The content doesn't (when I tried this) depend on IPv4/IPv6, same
content. That's what I expect.
Now following that redirect, one gets different content [and also
different http headers], depending on whether IPv4 or IPv6 is used!
with IPv6 [1] :
- 1148 bytes body
- "isFatal: true" in the headers
- a body that says you've been kicked out because of pressing the 'back'
button or similar things
with IPv4 [2] :
- 54602 byte body
- no "isFatal" header - see below
- the desired body, login form for internet banking
I don't have the evidence, but from memory I believe before the issue
was experienced, the ibanking.stanbicbank.co.tz fqdn did point to a
locally (in Tanzania) hosted Standard Bank (196.8.0.0/16) IP, without
AAAA record. IIRC.
So at work (native v6):
disable IPv6 on laptop (reluctantly): --> works
enable it again: -> doesn't work
disable: -> works
That's when I wanted to ask for help.
But I checked again - tethered from a TZ mobile provider, on IPv4 only.
And got the problem (error message instead of login page) again.
Also in Chrome. But not in "Privacy window" of Chrome.
So I killed 4 weeks worth of browsing data.
Then: timeout between Cloudflare and origin (Ray ID: 4838387046992ca8)
And again.
Then: close and restart Chrome browser. --> happiness. login page.
CF: can v6 clients get the same content as v4 clients?
(I'm sure we agree they _should_.)
Can we get the bank to fix it?
without pulling the AAAA?
PS: comparing with other countries:
- KE: no CF, no AAAA, A to 196.8.0.0/16
- UG: same
- ZA: CNAME to CF, no AAAA
To the bank: Thanks for putting me at the bleeding edge, now let's fix
it without pulling the AAAA. Deal?
hint: you want happy customers.
Frank
[1]
[prompt]$ wget -S -6 -O ibanking2_v6.html
'https://ibanking.stanbicbank.co.tz/corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__START_TRAN_FLAG__=Y&FG_BUTTONS__=LOAD&ACTION.LOAD=Y&AuthenticationFG.LOGIN_FLAG=1&BANK_ID=TZ'
--2018-12-03 16:09:54--
https://ibanking.stanbicbank.co.tz/corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__START_TRAN_FLAG__=Y&FG_BUTTONS__=LOAD&ACTION.LOAD=Y&AuthenticationFG.LOGIN_FLAG=1&BANK_ID=TZ
Resolving ibanking.stanbicbank.co.tz... 2606:4700::6813:a012,
2606:4700::6813:9f12
Connecting to ibanking.stanbicbank.co.tz|2606:4700::6813:a012|:443...
connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Mon, 03 Dec 2018 13:09:54 GMT
Content-Type: text/html
Connection: close
Set-Cookie: __cfduid=d775a34b0ef52bab65dc61ac7bd686f0d1543842594;
expires=Tue, 03-Dec-19 13:09:54 GMT; path=/; domain=.stanbicbank.co.tz;
HttpOnly
isFatal: true
Last-Modified: Wed, 04 Dec 2013 02:48:21 GMT
Cache-Control: max-age=2592000
Expires: Wed, 02 Jan 2019 13:08:42 GMT
Vary: Accept-Encoding
Content-Language: en-US
Expect-CT: max-age=604800,
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 483645362c242ca8-MBA
Length: unspecified [text/html]
Saving to: “ibanking2_v6.html”
[ <=> ] 1,148 --.-K/s in 0s
2018-12-03 16:09:54 (40.8 MB/s) - “ibanking2_v6.html” saved [1148]
[prompt]$
[2]
[prompt]$ wget -S -4 -O ibanking2_v4.html
'https://ibanking.stanbicbank.co.tz/corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__START_TRAN_FLAG__=Y&FG_BUTTONS__=LOAD&ACTION.LOAD=Y&AuthenticationFG.LOGIN_FLAG=1&BANK_ID=TZ'
--2018-12-03 16:10:00--
https://ibanking.stanbicbank.co.tz/corp/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__START_TRAN_FLAG__=Y&FG_BUTTONS__=LOAD&ACTION.LOAD=Y&AuthenticationFG.LOGIN_FLAG=1&BANK_ID=TZ
Resolving ibanking.stanbicbank.co.tz... 104.19.159.18, 104.19.160.18
Connecting to ibanking.stanbicbank.co.tz|104.19.159.18|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Mon, 03 Dec 2018 13:10:01 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Set-Cookie: __cfduid=de738e4d1e49b1b2c25721967998c3ac11543842600;
expires=Tue, 03-Dec-19 13:10:00 GMT; path=/; domain=.stanbicbank.co.tz;
HttpOnly
VIEW_ID: CustomSTDRetailAuthenticationScreen
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Title: Login
Vary: Accept-Encoding
Content-Language: en-US
Expect-CT: max-age=604800,
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4836455f2f8a2cae-MBA
Length: unspecified [text/html]
Saving to: “ibanking2_v4.html”
[ <=> ] 54,602 --.-K/s in 0.06s
2018-12-03 16:10:01 (859 KB/s) - “ibanking2_v4.html” saved [54602]
[prompt]$
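As an added example (not from the post), here is a small Python script that parses two header captures like the ones in [1] and [2], labels each as the login page or the fatal error page, and lists every header that differs between the IPv4 and IPv6 responses while ignoring per-request ones (Date, Set-Cookie, CF-RAY). The sample header blocks are constructed, trimmed copies of the post's wget output; the header names it keys on (isFatal, VIEW_ID, Title) are the ones visible in those captures.

```python
from typing import Dict, Tuple

# Constructed samples: trimmed copies of the two header blocks quoted in the post.
V6_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
isFatal: true
Last-Modified: Wed, 04 Dec 2013 02:48:21 GMT
Cache-Control: max-age=2592000
CF-RAY: 483645362c242ca8-MBA"""
V4_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
VIEW_ID: CustomSTDRetailAuthenticationScreen
Cache-Control: no-store
Pragma: no-cache
Title: Login
CF-RAY: 4836455f2f8a2cae-MBA"""

# Headers that legitimately differ on every request and must not count as a diff.
PER_REQUEST = {"date", "set-cookie", "cf-ray"}

def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block into a dict keyed by lowercased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # line 0 is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw: str) -> str:
    """Label a capture as the login page, the fatal error page, or unknown."""
    h = parse_headers(raw)
    if h.get("isfatal", "").lower() == "true":
        return "fatal-error"
    if "view_id" in h or h.get("title", "").lower() == "login":
        return "login-page"
    return "unknown"

def diff_captures(v4_raw: str, v4_len: int, v6_raw: str, v6_len: int) -> Dict[str, Tuple[str, str]]:
    """Return {name: (v4 value, v6 value)} for headers and body size that differ; '-' = absent."""
    a, b = parse_headers(v4_raw), parse_headers(v6_raw)
    diffs: Dict[str, Tuple[str, str]] = {}
    for name in sorted(set(a) | set(b)):
        if name not in PER_REQUEST and a.get(name, "-") != b.get(name, "-"):
            diffs[name] = (a.get(name, "-"), b.get(name, "-"))
    if v4_len != v6_len:
        diffs["body-bytes"] = (str(v4_len), str(v6_len))
    return diffs
```

Calling `diff_captures(V4_HEADERS, 54602, V6_HEADERS, 1148)` reports the isFatal, VIEW_ID and Cache-Control differences along with the 54602 vs 1148 byte body sizes.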