A Virtual Bank Is Still A Bank

Recently I was attempting to set up automatic payments with a utility company via their website. I dutifully entered my bank’s routing number and my account number, but when I tried to submit, I was told the routing number was invalid. I double-checked it with the bank’s website, but I still got the error.

Being something of a nerd, whenever I run into trouble like this on a website, I open up Chrome’s dev tools to see what’s going on. Turns out the UI was sending the routing number to an API endpoint that ensured it belonged to a real bank before submitting the form. For whatever reason it appeared this API didn’t have my bank in its database.

Which made me wonder if I could twiddle the site’s JavaScript to skip this API call and submit the form anyway. Lucky for me they didn’t perform any minification, and it was straightforward to bypass this verification step. When I did so, the form submitted just fine and told me automatic payment setup was complete. I suppose I’ll find out on my next billing cycle if it worked, but I bet it will.

Three takeaways from this little adventure:

  • As I said a few days ago, I’m glad to be the kind of person who has both the knowledge and curiosity to solve a problem like this, instead of falling back to an interminable customer support call.
  • If you’re going to put a blocking validation process in front of your customers, you better be darn sure to get it right, especially if having it fail means a loss of potential revenue.
  • Client-side validation is only a convenience, and JavaScript is easily manipulated (even if minified; but honestly, people, minify!). Server-side validation of all input is absolutely essential.
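
To make the last point concrete, here is an added example (not code from the original post or the utility's site) of the server-side check that has to exist whether or not the browser's JavaScript ran: a routing-number checksum plus a directory lookup, with the handler ignoring any "already validated" marker the client might send. The form shape, the `clientValidated` flag and the in-memory bank directory are assumptions for illustration; the sample routing numbers are only used to exercise the checksum.

```javascript
// ABA routing numbers are nine digits whose weighted sum (weights 3,7,1
// repeating) is divisible by 10. This is a format check only: it says
// nothing about whether the bank exists in the processor's directory,
// which is the lookup that failed for the author.
function isValidRoutingNumberFormat(routing) {
  if (typeof routing !== 'string' || !/^\d{9}$/.test(routing)) return false;
  const weights = [3, 7, 1, 3, 7, 1, 3, 7, 1];
  let sum = 0;
  for (let i = 0; i < 9; i++) sum += Number(routing[i]) * weights[i];
  return sum % 10 === 0;
}

// Server-side handler (assumed shape: a plain object per submission).
// It re-validates every field and never trusts a client-supplied
// "clientValidated" flag, because the client can set it to anything.
function handleAutopaySubmission(form, bankDirectory) {
  const routing = String(form.routingNumber || '').trim();
  const account = String(form.accountNumber || '').trim();
  if (!isValidRoutingNumberFormat(routing)) {
    return { ok: false, error: 'routing number failed checksum' };
  }
  if (!/^\d{4,17}$/.test(account)) {
    return { ok: false, error: 'account number malformed' };
  }
  // Report a directory miss as its own error so an incomplete directory
  // (the author's case) is visible in server logs rather than looking
  // like a malformed submission or, worse, being silently accepted.
  if (!bankDirectory.has(routing)) {
    return { ok: false, error: 'bank not in directory' };
  }
  return { ok: true };
}

// Constructed directory for the demonstration: one known bank.
const sampleDirectory = new Set(['011000015']);

// A submission whose client-side check was skipped still gets re-checked.
const bypassed = { routingNumber: '011000016', accountNumber: '123456', clientValidated: true };
console.log(handleAutopaySubmission(bypassed, sampleDirectory).error);
```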
