Horrible bank security practices (not really news)



  • This is a great description by a technical user of their horrible experience using schwab.com, which is a large investment banking firm.

    Basically, passwords are 8 chars max, and the hilarity ensues from there...

    On the plus side, at least he didn't complain of getting sent other people's emails, like a few other banks have trouble with.



  • I just was looking at data where all of the user passwords started with a caret (^), followed by encrypted or hashed characters. Why do I think regex when I see that...



  • What I think my password is: pAssWord1LaLaLaL

    What Schwab stored my password as: password

    That is an assumption. We just had a thread recently about the Git vulnerability, where someone pointed out that case insensitivity and case folding are two separate things.

    So they might store the password as pAssWord, but the comparison is case-insensitive.
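An added example to make the distinction in this post concrete (my own code, not anything from Schwab or from the thread): a small verifier that can store a password either as typed or case-folded, so you can see that "stored lowercased" and "stored as typed but compared case-insensitively" look identical to the user, and that either way the policy costs the same measurable number of bits. `casefold()` versus `lower()` also shows why case folding is a separate operation from a case-insensitive comparison. Password strings, the PBKDF2 round count and the fixed salt in the test are constructed for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Hypothetical verifier, written for this thread. A site can accept
# "password" for "pAssWord1LaLaLaL" either because it stored the password
# lowercased, or because it stored the original and folds both sides before
# comparing. From outside the two are indistinguishable, and once the
# plaintext is hashed the folding can only happen *before* the hash.

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your own hardware budget


def fold(pw: str) -> str:
    """Unicode case folding. Note casefold() != lower(): 'Straße'.casefold()
    is 'strasse', while 'Straße'.lower() is still 'straße'. Case-insensitive
    comparison and case folding are different operations; whichever you pick
    must be applied identically at enrolment and at login."""
    return pw.casefold()


def hash_password(pw: str, salt: Optional[bytes] = None,
                  case_insensitive: bool = False) -> tuple:
    """Return (salt, digest). With case_insensitive=True the password is
    folded before hashing, which is the only point at which it can be."""
    salt = salt if salt is not None else os.urandom(16)
    material = fold(pw) if case_insensitive else pw
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(pw: str, salt: bytes, digest: bytes,
           case_insensitive: bool = False) -> bool:
    """Recompute with the same salt and policy; constant-time compare."""
    _, candidate = hash_password(pw, salt, case_insensitive)
    return hmac.compare_digest(candidate, digest)


def policy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on entropy (bits) of a uniformly random password under a
    policy: length * log2(alphabet). Shows what a policy throws away."""
    return length * math.log2(alphabet_size)


def compare_policies() -> dict:
    """Keyspace of the policies mentioned in the thread, assuming random
    passwords (a defender's upper bound; real users choose far worse)."""
    return {
        "8 mixed-case alnum": policy_bits(62, 8),
        "8 alnum, case-insensitive": policy_bits(36, 8),
        "6 alnum, case-insensitive": policy_bits(36, 6),
        "8-digit PIN": policy_bits(10, 8),
    }


if __name__ == "__main__":
    # Constructed sample: the password from the post, stored two ways.
    salt, digest = hash_password("pAssWord1LaLaLaL", case_insensitive=True)
    print("folded store accepts lowercase:",
          verify("password1lalalal", salt, digest, case_insensitive=True))
    salt2, digest2 = hash_password("pAssWord1LaLaLaL")
    print("exact store accepts lowercase:",
          verify("password1lalalal", salt2, digest2))
    for name, bits in compare_policies().items():
        print(f"{name:28s} {bits:5.1f} bits")
```

Folding before the KDF is the defensible way to do a case-insensitive login if product insists on one; folding at comparison time would require keeping a reversible copy of the password, which is the far worse outcome a breach would reveal.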



  • Well, my bank's only "password" is an 8-digit PIN. And the "username" is your national ID card number, which is not terribly hard to find out for someone else. And until recently, their login page didn't use https by default. It's a fucking big bank by the way.

    They do however have a "2-factor authentication" in the form of a code card, which is required for all transfers. And they repeatedly claim that they will refund any money lost in fraudulent online or credit card operations (up to 10,000€, if you report it within 30 days).

    And now they're doing all kinds of weird stuff with social networks and mobile apps in a desperate effort to stay with the times. It's not bad stuff, I mean, but you can clearly see they're throwing shit to the wall to see what sticks. I'll make a thread about them soon.



  • @anonymous234 said:

    And they repeatedly claim that they will refund any money lost in fraudulent online or credit card operations (up to 10,000€, if you report it within 30 days).

    The "we'll fix it in post" brand of security!



  • Well, I've always said that banks just treat security as a legal problem instead of a technical one.

    Which also explains why they sometimes decide to prosecute the people who find and report security holes in their system. In our mindset, if a system is not secure, it's their fault, but in theirs, it's you who should avoid poking where you have no permission to poke.



  • @ben_lubar said:

    The "we'll fix it in post" brand of security!

    More like "the VISA and Mastercard corporations force this on us so we can use their payment points" brand of security.



  • @anonymous234 said:

    Well, my bank's only "password" is an 8-digit PIN. And the "username" is your national ID card number, which is not terribly hard to find out for someone else. And until recently, their login page didn't use https by default. It's a fucking big bank by the way.

    They do however have a "2-factor authentication" in the form of a code card, which is required for all transfers. And they repeatedly claim that they will refund any money lost in fraudulent online or credit card operations (up to 10,000€, if you report it within 30 days).

    And now they're doing all kinds of weird stuff with social networks and mobile apps in a desperate effort to stay with the times. It's not bad stuff, I mean, but you can clearly see they're sticking shit at the wall to see what happens. I'll make a thread about them soon.

    O god, the mobile shit. Every time I log into my credit union's online banking page it asks if I want to enable mobile services. Every. Single. Fucking. Time.

    NO YOU CUNTS, I DON'T WANT A GIGANTIC HOLE EXPOSING MY MONEY ON A PHONE THAT CAN BE STOLEN EASILY. STOP ASKING.



  • My bank's password is 6 char, case-insensitive alpha-numeric only, entered by mouse using an on-screen alphabetical keyboard.
    Customer numbers are provided on pretty much every piece of paper correspondence.

    Two-factor authentication is only available/mandated for business users.

    Dissenting feedback is ignored.


  • SockDev

    @mratt said:

    Dissenting feedback is ignored.

    In that case I would be saying: "Hello, customer support. Close my account. No, I will not stay; I am leaving your bank because your website has convinced me that my money is not secure with you."



  • I'm only still with them because as long as I follow the rules then I'm covered if unauthorised access occurs.
    They have recently introduced two-factor (SMS security code) for any funds transfer to a new payee, which is a small improvement.



  • I got some money from my grandpa for the holidays so I put it on Steam with my dad's help. Steam needed to make two additional fake charges and ask for how much they were in order to verify that the credit card belonged to my dad. You know, as opposed to some kind of non-WTF-worthy web interface or something.



  • @mratt said:

    My bank's password is 6 char, case-insensitive, entered by mouse using an on-screen alphabetical keyboard.
    Customer numbers are provided on pretty much every piece of paper correspondence.

    [image: westpac.PNG]

    Two-factor authentication is only available/mandated for business users.

    Dissenting feedback is ignored.

    My bank started out as a credit union. It had phone and online banking before any of the Big Four, and did it right, and still hasn't fucked it up. It also craps upon the Big Four from a great height on service, price, straightforwardness and staff welfare grounds.

    Logging in with KeePass is super-smooth because input focus automatically goes to the user ID field on page load, and you get a choice of phone or dongle 2FA.

    I can honestly say that I have never had cause to complain about this bank. It Just Works. Recommended.



  • You and your decent banks... I live in Murika, the land of Wish-It-Was-Two Factor where Chip & PIN is met with uncomprehending stares and any suggested security improvements are met with a noncommittal shrug.


    Filed under: 0.01% APY, we need a new tag cloud to attack


  • Discourse touched me in a no-no place

    @TwelveBaud said:

    where Chip & PIN is met with uncomprehending stares

    Actually, given that C&P is coming to the US in the not-too-distant future, if you look you will probably see that many places have already updated their card readers. I've seen a whole bunch of places that have a slot for those cards. I even saw one woman using one.


  • Discourse touched me in a no-no place

    @FrostCat said:

    Actually, given that C&P is coming to the US in the not-too-distant future, if you look you will probably see that many places have already updated their card readers. I've seen a whole bunch of places that have a slot for those cards. I even saw one woman using one.

    It probably helps that all their suppliers want to produce C&P devices anyway so they can also sell into non-US markets.



  • Oh! That's so cute (or sad), since we're moving to the NFC cards, so no slots for us.



  • They're catching on over here too but the limit is £20 for "contactless" so still falls back to Chip & Pin for anything above that or the significant amount of places that still don't take it.
    I'm still waiting until I can use my phone rather than my cards.



  • October 2015, here we come!

    Also, I happen to have an EMV card, which I tried to use at a local Subway. The card reader, in addition to a small screen with a Subway logo and my total, had a swipe slot and a C&P slot and an Apple Pay antenna. I tried to pay by swiping, but since the terminal supported C&P the swipe was declined. I tried to pay by Chip & PIN, but the software didn't even register that I put my card in the slot. Finally I tried to pay by EMV contactless and the card reader rebooted. Progress!

    Also this.



  • @anonymous234 said:

    but in theirs, it's you who should avoid poking where you have no permission to poke.

    Yes, I love that brand of thinking: willful blindness.

    Local kid: "Hey I found this security hole and wanted to tell you about it..." whisked off to jail

    Later: Same security hole exploited by Russian Mafia, funds drained, bank subject to lawsuits by their customers and risks going bankrupt.

    But they nabbed and jailed that first offender!

    @delfinom said:

    O god the mobile shit. Everytime I log into my credit union's online banking page it asks if I want to enable mobile services. Every. Single. Fucking. Time.

    NO YOU CUNTS, JUST BECAUSE EVERY IDIOT AND THEIR MOTHER WANTS I DONT WANT A GIGANTIC HOLE EXPOSING MY THEIR MONEY ON A PHONE THAT CAN BE STOLEN EASILY DOESN'T MEAN I REALLY WANT THAT FEATURE TOO. STOP ASKING.

    FTFY

