• eTransfer msg section, pretty lame

    From August Abolins@2:221/1.58 to All on Tue Nov 16 18:52:00 2021
    An eTransfer typically allows for entering a short message of
    up to 400 chars. For a recent eTransfer, I found it important
    to enter something to reference the billing statement that I am
    paying for. My typical message was something like this:

    This payment is for the "60-90 days" portion of the
    statement dated 11/15/21.

    But that triggered an error message:

    "There appears to be an error! All errors must be corrected
    before continuing."

    Please enter a valid message. It must not exceed 400
    characters and contain only letters, numbers, and the
    characters . ! @ / ; : , ' = $ ^ ? * ( ). It must not
    contain the words http:, https:, www., javascript,
    function, return.

    In this case it seemed that the quote char and the dash were not
    on the allowed list. Now, I'm just wondering WHY would a quote
    or dash char need to be treated differently and excluded from a
    valid set?

    Likewise, why would even a simple word like function or return
    be a problem for a message block? When the system dedicates a
    400 char block for a message, why can't the system simply treat
    that content as a benign group of chars and ignore any
    "functionality" implied with http: https: or www, etc?

    Could there be hacking vectors that haven't been solved in the
    eTransfer system?

    --- OpenXP 5.0.50
    * Origin: (2:221/1.58)
  • From Wilfred van Velzen@2:280/464 to August Abolins on Wed Nov 17 09:28:36 2021
    Hi August,

    On 2021-11-16 18:52:00, you wrote to All:

    > An eTransfer typically allows for entering a short message of
    > up to 400 chars. For a recent eTransfer, I found it important
    > to enter something to reference the billing statement that I am
    > paying for. My typical message was something like this:
    >
    > This payment is for the "60-90 days" portion of the
    > statement dated 11/15/21.
    >
    > But that triggered an error message:
    >
    > "There appears to be an error! All errors must be corrected
    > before continuing."
    >
    > Please enter a valid message. It must not exceed 400
    > characters and contain only letters, numbers, and the
    > characters . ! @ / ; : , ' = $ ^ ? * ( ). It must not
    > contain the words http:, https:, www., javascript,
    > function, return.
    >
    > In this case it seemed that the quote char and the dash were not
    > on the allowed list. Now, I'm just wondering WHY would a quote
    > or dash char need to be treated differently and excluded from a
    > valid set?
    >
    > Likewise, why would even a simple word like function or return
    > be a problem for a message block? When the system dedicates a
    > 400 char block for a message, why can't the system simply treat
    > that content as a benign group of chars and ignore any
    > "functionality" implied with http: https: or www, etc?

    I suspect it's a standard the banks involved agreed about for this message. It's handled by all kinds of systems at multiple banks, probably all over the world. So it's probably a "better safe than sorry" measure, because there isn't 1 authority that checks and oversees the development of all these systems. That's handled by the IT departments of the individual banks.

    > Could there be hacking vectors that haven't been solved in the
    > eTransfer system?

    With so many systems involved you never know if somewhere there is an undiscovered bug lurking in one of them. It's probably wise to assume there are more than one... So it's also wise to prevent them from being triggered by having a strict "front gate".

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
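The "strict front gate" Wilfred describes is an allowlist check: instead of trying to recognise every dangerous pattern a downstream system might choke on, the sender's bank accepts only characters and words it has positively decided are safe, and rejects everything else. The following Python is an added example written for this thread, not code from any bank or from either poster. It implements the rule quoted in August's error text (400-character limit, the listed punctuation, the six forbidden words) and reports exactly which characters and words caused a rejection. Two details the error text does not state are assumptions of this example: that a plain space is permitted, and that the forbidden words are matched case-insensitively as substrings (so "functional" would also be rejected, which is the kind of false positive a coarse front gate produces). The sample message is August's own, reduced to one line.

```python
import re

# Rule as quoted in the thread: 400 chars max, letters, digits and this punctuation.
MAX_LEN = 400
ALLOWED_PUNCT = set(".!@/;:,'=$^?*()")
# The six forbidden words from the error text.
FORBIDDEN_WORDS = ("http:", "https:", "www.", "javascript", "function", "return")

# Same allowlist expressed as a single regex, the usual shape of such a gate.
# Assumption (not in the thread): a plain space is allowed between words.
ALLOWLIST_RE = re.compile(r"[A-Za-z0-9 .!@/;:,'=$^?*()]{0,%d}" % MAX_LEN)


def disallowed_chars(msg: str) -> list:
    """Return the sorted set of characters in msg that fall outside the allowlist.

    Only ASCII letters and digits count as 'letters' and 'numbers' here, so an
    accented character is rejected too; that is a conservative reading of the rule.
    """
    return sorted({
        c for c in msg
        if not ((c.isascii() and c.isalnum()) or c in ALLOWED_PUNCT or c == " ")
    })


def forbidden_words(msg: str) -> list:
    """Return the forbidden words found in msg.

    Assumption: case-insensitive substring match, which is why 'functional'
    or 'Returned' trip the gate as well.
    """
    lowered = msg.lower()
    return [w for w in FORBIDDEN_WORDS if w in lowered]


def matches_allowlist(msg: str) -> bool:
    """Pure regex form of the character/length rule (no word check)."""
    return ALLOWLIST_RE.fullmatch(msg) is not None


def validate_message(msg: str) -> list:
    """Return a list of human-readable problems; an empty list means accepted.

    Every failing condition is reported, not just the first one, so the user
    can fix the message in one pass.
    """
    problems = []
    if len(msg) > MAX_LEN:
        problems.append(f"too long: {len(msg)} > {MAX_LEN} characters")
    chars = disallowed_chars(msg)
    if chars:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in chars))
    words = forbidden_words(msg)
    if words:
        problems.append("forbidden words: " + ", ".join(words))
    return problems


# August's message from the thread, joined onto one line (constructed sample input).
SAMPLE = 'This payment is for the "60-90 days" portion of the statement dated 11/15/21.'

if __name__ == "__main__":
    for text in (SAMPLE,
                 "Payment for the 60 to 90 day portion of the statement dated 11/15/21.",
                 "Payment for functional testing invoice 42"):
        result = validate_message(text)
        print(repr(text))
        print("  accepted" if not result else "  rejected: " + "; ".join(result))
```

Running it shows the quote and the dash are the only offenders in the original message, that a rewording without them passes, and that the word filter rejects "functional" because it contains "function". The regex form and the character-by-character form enforce the same rule; the second exists only to explain a rejection, which is what the bank's error text fails to do.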