3

I'm asking nearly the same question, but today it is related to my bank's website: they disabled several functions, including right click, copying, and pasting.

Is there any real security implication about allowing doing this? Today I was registering an account to do a transfer, and had to type the number manually. Very annoying, to be honest.

I think that they are just exaggerating; I can't see anything wrong with copying my balance or pasting an account number.

Important: They use an on-screen keyboard for typing passwords, so copying and pasting passwords is not a reason to do this.

This is not the same as the related question: Is there any reason to disable paste password on login?

schroeder
IAmJulianAcosta
  • 1
    Outdated security practices (some senior guy said so and nobody dares to ask why) and/or security theater (so they can proudly say "it's for your security!" when a customer asks) can explain this. In a similar scenario, some banking sites break the back button and prevent opening multiple tabs. – André Borie Aug 08 '16 at 17:03
  • if they use a web-based on screen keyboard then pasting would circumvent a large measure of security since as-is they need not protect the keyboard chain or clipboard. – dandavis Aug 08 '16 at 19:09

2 Answers

6

Is there any real security implication about allowing doing this?

No.

Let's look at each of these things:

disabling right click

There is no security benefit to this at all, as there is no dangerous action that is performed with a right click.

Some websites disable right click so that users can't copy or save images easily, but this can of course be easily bypassed.

It's very difficult to even come up with a contrived example of the dangers of right click. Some corner-case clickjacking attack may exist, but the defense against that would of course not be to disable right click, but to not allow clickjacking in general.

disabling copying

See above. There is no reason for this at all. Any contrived clickjacking attack should be mitigated by proper clickjacking defenses.

disabling pasting

This is the only functionality that some would argue provides a security benefit, as it disallows the pasting of passwords. They would be wrong.

tim
0

They're obviously doing their best in making sure that the customers do not use copy-paste which could represent bad habits and slight security risks should other sites access the clipboard (paste buffer).

Browsers will typically ask for confirmation before accessing the clipboard, but the banks cannot rely on that. It is also important for customers to remember their password, thus avoiding copying it, possibly insecurely, all over the place.

As far as I know, this is very common practice with banking sites.

If you have any concerns regarding the operations of a specific site, you need to contact them directly to get clarifications as they may have their own reasons for doing whatever they chose to do.

Julie Pelletier
  • 5
    Disabling copy/paste makes it harder to use password managers, so it creates a good breeding ground for bad passwords. So it is a really bad idea. – André Borie Aug 08 '16 at 17:01
  • 1
    My point was that banks may consider that using password managers could actually induce an additional security risk and it is a concrete possibility. – Julie Pelletier Aug 08 '16 at 17:03
  • 5
    That's a really stupid point of view then. Granted, a compromised machine means the password manager holds all the keys to the kingdom, but at that point, is a manually typed-in password any safer (especially if it's reused everywhere)? – André Borie Aug 08 '16 at 17:05
  • 1
    note that there is no current browser-based permission for clipboard access, most of those tools are flash ([example](https://cordova.apache.org/plugins/)). Old copies of IE did have naive clipboard access, but it's long been removed. The larger vector is that any binary application (even the kind that don't need installation or perms) can read the clipboard, so if you left it copied, it could easily be stolen by 1,000,001 apps and malware – dandavis Aug 08 '16 at 19:11
  • @dandavis: Thank you for pointing out what seemed obvious to me. – Julie Pelletier Aug 08 '16 at 19:20
  • Does storing a password on a manager qualify as "write down"? I think some terms of service may prevent you from writing your password anywhere; else, if you write it, you may have reduced fraud protection or stuff like that. So, if you cannot paste, you would not use a manager ... and it may make sense in the end! – Rho Phi Dec 13 '17 at 22:39