Horrible bank security practices (not really news)



  • This is great description by a technical user of their horrible experience using schwab.com which is a large investment banking firm.

    Basically passwords are 8 chars max and the hilarity ensues from there...

    On the plus side, at least he didn't complain of getting sent other peoples emails like a few other banks have trouble with..



  • I just was looking at data where all of the user passwords started with a caret (^), followed by encrypted or hashed characters. Why do I think regex when I see that...



  • What I think my password is: pAssWord1LaLaLaL

    What Schwab stored my password as: password

    That is a buttumption. We just had a thread recently about the Git vulnerability, where someone pointed out that case insensitivity, and case folding, are two separate things.

    So they might store the password as pAssWord, but the comparison is case-insensitive.



  • Well, my bank's only "password" is an 8-digit PIN. And the "username" is your national ID card number, which is not terribly hard to find out for someone else. And until recently, their login page didn't use https by default. It's a fucking big bank by the way.

    They do however have a "2-factor authentication" in the form of a code card, which is required for all transfers. And they repeatedly claim that they will refund any money lost in fraudulent online or credit card operations (up to 10,000€, if you report it within 30 days).

    And now they're doing all kinds of weird stuff with social networks and mobile apps in a desperate effort to stay with the times. It's not bad stuff, I mean, but you can clearly see they're throwing shit to the wall to see what sticks. I'll make a thread about them soon.



  • @anonymous234 said:

    And they repeatedly claim that they will refund any money lost in fraudulent online or credit card operations (up to 10,000€, if you report it within 30 days).

    The "we'll fix it in post" brand of security!



  • Well, I've always said that banks just treat security as a legal problem instead of a technical one.

    Which also explains why they sometimes decide to prosecute the people who find and report security holes in their system. In our mindset, if a system is not secure, it's their fault, but in theirs, it's you who should avoid poking where you have no permission to poke.



  • @ben_lubar said:

    The "we'll fix it in post" brand of security!

    More like "the VISA and Mastercard corporations force this on us so we can use their payment points" brand of security.



  • @anonymous234 said:

    Well, my bank's only "password" is an 8-digit PIN. And the "username" is your national ID card number, which is not terribly hard to find out for someone else. And until recently, their login page didn't use https by default. It's a fucking big bank by the way.

    They do however have a "2-factor authentication" in the form of a code card, which is required for all transfers. And they repeatedly claim that they will refund any money lost in fraudulent online or credit card operations (up to 10,000€, if you report it within 30 days).

    And now they're doing all kinds of weird stuff with social networks and mobile apps in a desperate effort to stay with the times. It's not bad stuff, I mean, but you can clearly see they're sticking shit at the wall to see what happens. I'll make a thread about them soon.

    O god the mobile shit. Everytime I log into my credit union's online banking page it asks if I want to enable mobile services. Every. Single. Fucking. Time.

    NO YOU CUNTS, I DONT WANT A GIGANTIC HOLE EXPOSING MY MONEY ON A PHONE THAT CAN BE STOLEN EASILY. STOP ASKING.



  • My bank's password is 6 char, case-insensitive alpha-numeric only, entered by mouse using an on-screen alphabetical keyboard.
    Customer numbers are provided on pretty much every piece of paper correspondence.

    Two-factor authentication is only available/mandated for business users.

    Dissenting feedback is ignored.


  • sockdevs

    @mratt said:

    Dissenting feedback is ignored.

    in that case I would be saying "Hello Customer support. Close my account. no i will not stay i am leaving your bank because your website has convinced me that my money is not secure with you."



  • I'm only still with them because as long as I follow the rules then I'm covered if unauthorised access occurs.
    They have recently introduced two-factor (SMS security code) for any funds transfer to a new payee, which is a small improvement.



  • I got some money from my grandpa for the holidays so I put it on Steam with my dad's help. Steam needed to make two additional fake charges and ask for how much they were in order to verify that the credit card belonged to my dad. You know, as opposed to some kind of non-WTF-worthy web interface or something.



  • @mratt said:

    My bank's password is 6 char, case-insensitive, entered by mouse using an on-screen alphabetical keyboard.Customer numbers are provided on pretty much every piece of paper correspondence.

    westpac.PNG1095x686 74.6 KB

    Two-factor authentication is only available/mandated for business users.

    Dissenting feedback is ignored.

    My bank started out as a credit union. It had phone and online banking before any of the Big Four, and did it right, and still hasn't fucked it up. It also craps upon the Big Four from a great height on service, price, straightforwardness and staff welfare grounds.

    Logging in with KeePass is super-smooth because input focus automatically goes to the user ID field on page load, and you get a choice of phone or dongle 2FA.

    I can honestly say that I have never had cause to complain about this bank. It Just Works. Recommended.



  • You and your decent banks... I live in Murika, the land of Wish-It-Was-Two Factor where Chip & PIN is met with uncomprehending stares and any suggested security improvements are met with a noncommittal shrug.


    Filed under: 0.01% APY, we need a new tag cloud to attack


  • Discourse touched me in a no-no place

    @TwelveBaud said:

    where Chip & PIN is met with uncomprehending stares

    Actually, given that C&P is coming to the US in the not-too-distant future, if you look you will probably see that many places have already updated their card readers. I've seen a whole bunch of places that have a slot for those cards. I even saw one woman using one.


  • Discourse touched me in a no-no place

    @FrostCat said:

    Actually, given that C&P is coming to the US in the not-too-distant future, if you look you will probably see that many places have already updated their card readers. I've seen a whole bunch of places that have a slot for those cards. I even saw one woman using one.

    It probably helps that all their suppliers want to produce C&P devices anyway so they can also sell into non-US markets.



  • Oh! That's so cute (or sad), since we're moving to the NFC cards, so no slots for us.



  • They're catching on over here too but the limit is £20 for "contactless" so still falls back to Chip & Pin for anything above that or the significant amount of places that still don't take it.
    I'm still waiting until I can use my phone rather than my cards.



  • October 2015, here we come!

    Also, I happen to have an EMV card, which I tried to use at a local Subway. The card reader, in addition to a small screen with a Subway logo and my total, had a swipe slot and a C&P slot and an Apple Pay antenna. I tried to pay by swiping, but since the terminal supported C&P the swipe was declined. I tried to pay by Chip & PIN, but the software didn't even register that I put my card in the slot. Finally I tried to pay by EMV contactless and the card reader rebooted. Progress!

    Also this.



  • @anonymous234 said:

    but in theirs, it's you who should avoid poking where you have no permission to poke.

    Yes, I love that brand of thinking willful blindness.

    Local kid: "Hey I found this security hole and wanted to tell you about it..." whisked off to jail

    Later: Same security hole exploited by Russian Mafia, funds drained, bank subject to lawsuits by their customers and risks going bankrupt.

    But they nabbed and jailed that first offender!

    @delfinom said:

    O god the mobile shit. Everytime I log into my credit union's online banking page it asks if I want to enable mobile services. Every. Single. Fucking. Time.

    NO YOU CUNTS, JUST BECAUSE EVERY IDIOT AND THEIR MOTHER WANTS I DONT WANT A GIGANTIC HOLE EXPOSING MY THEIR MONEY ON A PHONE THAT CAN BE STOLEN EASILY DOESN'T MEAN I REALLY WANT THAT FEATURE TOO. STOP ASKING.

    FTFY


  • Discourse touched me in a no-no place

    Of course, I expect most banks will hold off until the last moment before issuing C&P cards. My current one, which I just got this summer, doesn't expire until 2017, so I don't think they're replace it until they have to, or possibly if I ask.



  • @FrostCat said:

    Of course, I expect most banks will hold off until the last moment before issuing C&P cards. My current one, which I just got this summer, doesn't expire until 2017, so I don't think they're replace it until they have to, or possibly if I ask.

    I can tell you it's not because they don't want to. It's an infrastructure issue.

    Think of it this way: the law requires a new, more expensive kind of car (cards) to be sold only after 2016 and the old ones made no longer available, but it won't run on 80% of the roads (ATMs, POSes) until those are repaved (upgraded/replaced). Without the new roads, you don't get the full benefit of the new car.

    Another point in the card industry:
    Meanwhile, companies like Target (sorry Target, you're a convenient target [lame pun intended] until the next big breach) continue to have breaches that lead to more cards being replaced for security reasons. So why issue the new cards when the old ones serve? And still have plenty of stock to burn through before the new cards are made available and get rotated in?

    If your company was issuing the cards, given the above, and the pressure to establish/maintain profitable margins so soon after a horrible economic time which hasn't fully recovered, what would you do?


  • Discourse touched me in a no-no place

    @redwizard said:

    Think of it this way: the law requires a new, more expensive kind of car (cards) to be sold only after 2016

    Is there actually a "these cards may not be available until 2016" in the US? I take your point in theory, but if that's not actually the case, then it's not true. I don't expect them to rush to replace them--as I said, I just got a new one myself, so I don't actually expect my bank to replace it until they have to, either by statutory deadline turning off the old cards, or it expiring, or breaking.

    But someone who got a new card 18 months ago (assuming a roughly two-year cycle)? It wouldn't necessarily be unreasonable to give them C&P, if the cards are physically available.



  • @redwizard said:

    Think of it this way: the law requires a new, more expensive kind of car (cards) to be sold only after 2016 and the old ones made no longer available, but it won't run on 80% of the roads (ATMs, POSes) until those are repaved (upgraded/replaced). Without the new roads, you don't get the full benefit of the new car.

    Right except that's not the same because Chip & Pin cards still have the magnetic strip so a) still work in a reader where it's not available and b) even in a Chip & Pin reader, can still fall back to being swiped if it's not broken or the chip won't read or whatever.
    Assuming the implementation in the US is the same as that in Europe, of course.



  • @loopback0 said:

    Chip & Pin cards still have the magnetic strip so a) still work in a reader where it's not available

    Yep. I can use my Canadian credit card (which have had chip and pin for years) in the US this way.



  • @FrostCat said:

    Is there actually a "these cards may not be available until 2016" in the US?

    Clarification: Chip part isn't required - yet. Keeping the magnetic stripe is for backwards compatibility. Don't know if/when that might go away, but not in the foreseeable future.



  • I believe its if retailers accept mag, they will be liable for fraud. But its there for backwards compatibility.





  • A Reference: http://money.usnews.com/money/personal-finance/articles/2014/10/28/coming-next-fall-more-chip-and-pin-cards-in-the-us

    Here's what gets me: The chip cards are "not as widely used in the U.S. That's likely to change next October, when liability for fraud shifts from U.S. card issuers to merchants if merchants don’t upgrade their payment terminals to properly accept chip-based cards."

    BUT later the article says: "Card issuers don't have to issue the chips..."

    WTF?


  • Discourse touched me in a no-no place

    IIRC, there's an interim period where if a store doesn't accept chip cards, it's liable, but then after a deadline when everyone is supposed to have them, the liability goes back to the bank, or something similar to that.



  • @FrostCat said:

    IIRC, there's an interim period where if a store doesn't accept chip cards, it's liable, but then after a deadline when everyone is supposed to have them, the liability goes back to the bank, or something similar to that.

    @redwizard said:

    liability for fraud shifts from U.S. card issuers to merchants if merchants don’t upgrade their payment terminals to properly accept chip-based cards

    Nothing reverts. If the merchant upgrades their system, the liability stays with the bank. If they don't, it's with the merchant. Sure, if all the merchants upgraded, the net effect would be as if the liability never shifted. Nothing expires that I know of. If it did, it wouldn't make sense (then again, law and common sense don't always agree...)



  • I work in the gaming (gambling basically) and everything has to be PCI complaint, shit like that shouldn't be allowed to happen.



  • @flabdablet said:

    Logging in with KeePass is super-smooth because input focus automatically goes to the user ID field on page load, and you get a choice of phone or dongle 2FA.

    I can honestly say that I have never had cause to complain about this bank. It Just Works. Recommended.

    Nonces sent via SMS are not that great either, really, as SMS is not secure.
    If you want real two-factor authentication, you need something only you know and something only you have. SMS is neither because it can be intercepted (and even modified) mid-flight.

    To log in to my internet banking environment I supply the card number and bank account number. Those are not exclusively known to me, ofcourse. However, I then have to take a small dedicated, tamper-proof closed-system card reader supplied by my bank, insert my bank card (something only I have) and use my PIN (something only I know) to generate a temporary 8-digits login code.
    The encryption method used by the reader has a time component to it that removes possibility of replay attacks should the TLS connection on top of the transfer have been broken.

    Each individual transaction I set up has to be signed with the same card reader; the website presents an initial 8 digit seed token the reader takes as its first input. As its next input it takes up to 8 digits of the amount of money involved in the transaction. For large amounts, as a third input it takes the last numbers of the recipient's back account. And again, I have to use my bank card and my PIN to complete the token, which again has a time component added to it as well.

    That, ladies and gentlemen is the only correct way to secure online banking.



  • @Ragnax said:

    my PIN (something only I know)

    up until a MITM attack



  • @chubertdev said:

    up until a MITM attack

    Perhaps you need to read what I posted with a bit more attention?

    I only ever enter the PIN on a closed system that is not connected to any computer system. It is used as part of a crypto-algorithm to produce a nonce and the nonce is manually typed into an input element on the website.

    Obtaining the PIN would require breaking said crypto-algorithm and reversing the nonce.



  • Basically one of these.



  • @lucas said:

    Basically one of these.

    Exactly.



  • Not heard the word "nonce" in this context before.
    Over here it usually means a child molester, or is an abusive term for homosexual.
    I presume you mean one-time-code, is there more to it than that?
    Not going to Google it on company hardware.



  • My bank issued a new type of thingy this year ... now I have to insert my card and hold the device up to the screen where it reads some sort of flashing barcode thingy ...


  • Discourse touched me in a no-no place

    @lightsoff said:

    Not heard the word "nonce" in this context before.
    Over here it usually means a child molester, or is an abusive term for homosexual.
    I presume you mean one-time-code, is there more to it than that?

    It's got several meanings. English does that to various words. The right meaning here relates to a thing for “one time use”, generally a high-quality random number when we're talking about properly implemented cryptosystems.



  • @hungrier said:

    Yep. I can use my Canadian credit card (which have had chip and pin for years) in the US this way.

    But not in Canada where, if the chip reader fails and you attempt to swipe, it complains that you need to insert the card into the non-functional chip slot...



  • @Ragnax said:

    SMS is neither because it can be intercepted (and even modified) mid-flight.

    That's why I opted for the dongle.

    @Ragnax said:

    That, ladies and gentlemen is the only correct way to secure online banking.

    Yeah, maybe. The way my bank does it is good enough, in my view: I log in via https, using a password only I know. The first time in any logon session that I attempt any operation that could involve moving money out of my own accounts, I'm asked for a security code. I reach into my pocket and retrieve the TOTP dongle that only I have, press the button on the front, then type the 6-digit code displayed on it into the website; I'm then good to do anything I like until I log off.

    No security theatre, just nice convenient 2FA. I like it.



  • I deliberately bank with one of the few banks that doesn't issue those because they're annoying when all I want to do is login to online banking and it's been left at home.

    Yes, it's more secure, but I'm not your average idiot on the street who writes the login details down on paper or in a book or whatever and logs in from all manner of unsecure places.
    It's either from my work computer, my home laptop or my phone (which uses slightly different details anyway).



  • @Ragnax said:

    my bank card (something only I have) and use my PIN (something only I know)

    Until you use them on a compromised ATM. Using them would still require the potential thief to get his hands on your card reader, though.

    FWIW, my bank requires me to log in first over https, using a username and password (username supplied by the bank, basically random letters and numbers, password by me, and ditto — though I suspect many people will have less-secure passwords). It then requires an authorisation code to transfer money. The normal way to get one is by SMS, but I've opted for the old-fashioned paper way, which means I’ve got a list with a hundred six-digit numbers, each of which will be used only once; by the time it starts running out they’ll mail me a new one.



  • It's really terrible feeling reading this topic from Poland, where chip cards are standard since at least fifteen years ago, even for phone booths back when they still operated. I've never seen anyone ever using magnetic payment card until I received magnetic-only one from my current employee - but you can only use it at restaurants. My bank's website accepts passwords that are 8-20 characters long (with mandatory special and digit), and there's option to ask you only for some of your password's letters as to protect from keylogger malware. All money transfers must be confirmed via SMS and there's daily limit on how much you can pour out of ATM. And it's the same country where it took a full week to count votes in elections, and average net salary is $9000 yearly with 70% of people earning less than average.



  • @Gaska said:

    where it took a full week to count votes in elections

    Which goes to show they're using paper, which despite this fiasco I still rate as way, way less susceptible to tampering than anything more automated.

    I was a happy little Australian with my chip-and-PIN card... and then all the banks started issuing all this NFC bullshit, where just putting the card near the reader for two seconds is enough to authorize any transaction of up to $100. Didn't ask for that. Didn't want that. No way to turn it off either, without risking destruction to the chip.

    The slot in my wallet where my EFT card lives now has a copper foil lining, with little bumps positioned to press onto all the chip contact pads and short them all together. With any luck that's enough to discourage most remote readers.


  • Discourse touched me in a no-no place

    Asked for a replacement AmEx and got an chipped card. No PIN, though. I assume it's set up for Chip-and-signature mode, which is way less good than chip-and-PIN.

    I am yet to locate a payment terminal that'll take it to find out.



  • I keep expecting to hear they're introducing a revolutionary new system (in the US) where you can store small amounts of cash on your chip, so you can do small payments without needing to enter your pin.

    We've had such a system for 20 years. It's getting retired next week because of lack of use.



  • I think they are a good idea because some will need to know you account number, you pin and have the PIN.

    I don't tend to do anything financial related unless I am at home or I have actually gone to the bank.


  • Discourse touched me in a no-no place

    @Gaska said:

    My bank's website accepts passwords that are 8-20 characters long (with mandatory special and digit), and there's option to ask you only for some of your password's letters as to protect from keylogger malware.
    Problem: The only practical way for them to do that is plaintext (or reversible encrypted) storage.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.