14
retnikt
5d

Hang on... If online banks ask you for the n'th, m'th and p'th character of your password, they must be storing it in plaintext! WTF? I don't even understand why they do that in the first place.

Comments
  • 4
    Sure they do.
    Nearly all banks have shitty infosec.
  • 3
    @metamourge even HSBC do this, and they're like one of the biggest banks in the world? There must be some reason.
  • 3
    I read somewhere while researching fintech that most banks are still using dated security measures. I can't remember the details now but that's why most of them don't have an option that allows for a read-only login to use with budgeting apps such as Mint.
  • 6
    Obviously hashed and saved each character in a different field and compares with them. /if only
  • 1
    @retnikt
    Most probably, because they have insurance and the lawyers to sue the hacker to hell, if he's caught.
  • 0
    passwords are prob hashed char per char and it's compared
  • 3
    @dudeking That really doesn't make it any better.
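As an added illustration (not code from the thread or from any bank), the Python below models the "one hash per character" storage guessed above beside a conventional whole-password hash, and quantifies why the per-character variant is barely better than plaintext against an offline attacker: each stored record can only ever protect one character's worth of secrecy, however slow the hash. The 95-symbol printable alphabet and PBKDF2 as the stand-in slow hash are assumptions.

```python
# Added example (not from the thread): per-character vs whole-password storage
# for a bank-style "enter characters n, m and p" login, and the secrecy each gives.
import hashlib
import hmac
import math
import os

ALPHABET = 95  # assumption: password characters drawn from printable ASCII


def kdf(value: bytes, salt: bytes, iterations: int = 20_000) -> bytes:
    """Stand-in for whatever slow hash a bank might use (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", value, salt, iterations)


def store_per_character(password: str) -> list:
    """Per-character scheme: one salted hash per position, so any
    n'th/m'th/p'th challenge can be checked without keeping the plaintext."""
    records = []
    for ch in password:
        salt = os.urandom(16)
        records.append((salt, kdf(ch.encode(), salt)))
    return records


def verify_partial(records: list, challenge: dict) -> bool:
    """Check only the challenged positions, like a partial-password login form."""
    ok = True
    for pos, ch in challenge.items():
        salt, digest = records[pos]
        ok &= hmac.compare_digest(kdf(ch.encode(), salt), digest)
    return ok


def store_full(password: str) -> tuple:
    """Conventional scheme: one salted hash over the whole password."""
    salt = os.urandom(16)
    return salt, kdf(password.encode(), salt)


def candidates_per_record(chars_covered: int) -> int:
    """Upper bound on guesses needed to recover one stored record offline.
    KDF cost multiplies the work per guess but cannot raise this bound."""
    return ALPHABET ** chars_covered


def secrecy_bits(chars_covered: int) -> float:
    """Entropy ceiling of one record: about 6.6 bits for a single character."""
    return chars_covered * math.log2(ALPHABET)


if __name__ == "__main__":
    pw = "nooneknows"  # constructed sample, borrowed from a comment below
    recs = store_per_character(pw)
    print(verify_partial(recs, {0: "n", 2: "o", 9: "s"}))
    print(candidates_per_record(1), candidates_per_record(len(pw)))
```

With per-character records a breach exposes 95 candidates per field; with a whole-password hash the same alphabet gives 95^10 for a ten-character password, which is the gap a slow hash is meant to exploit.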
  • 1
    @M1sf3t if banks had read only access then I would use Mint in a heartbeat! I don’t know why, but I’m still always surprised by how outdated such large companies can be.
  • 2
    @52cal try Moven. It's a digibank with a budgeting system built in. Not that there aren't others that have similar software but as of 6 months ago, them and Varo were the only ones that claimed to allow for a "funding bank" in which you could transfer money via ACH and not have to give them your login info.

    I tried Varo and the claim turned out to be false at the time but as I was deleting the app I noticed the changelog for a new update that said they had forgotten to add the button and it was now on there (at least they listen to customer feedback 🤷🏻‍♂️). Varo is also backed by Bancorp, which, as research would indicate, is something to be wary of in itself.

    Moven, on the other hand, is backed by a small one branch bank in the midwest that was purchased by an ex-google engineer and her husband back when the banking crisis caused it to nearly go under. Since then their numbers have been skyrocketing.
  • 0
    In any case, sorry for the tangent, the budgeting software still won't keep up with your funding bank, but if you leave it as just that and spend money only from your Moven or any other linked account (ie PayPal, Payoneer, Amazon etc) it shouldn't be a problem. It also doesn't have any fees attached to the debit card, not even an overdraft. Instead it works more like a prepaid card in that unless the vendor forces the payment, it automatically declines. And even when forced, your account simply goes into the negative, in which case you get so much time to pay it back or they close your account. Still no fee though.

    All that being said, there is the one hiccup still that comes with all the digital banks in that the security algorithms are quite picky and an abnormal purchase will cause you to have to submit to a verification check, so it's best to leave a little money in your funding bank at all times for emergencies.
  • 1
    @M1sf3t well that veered off topic pretty quickly...
  • 1
    @retnikt my bad. I need to finish that comparison article I was writing about them so that I can just post a quick link and be done with it 😅
  • 1
    In that case, you can sue them, it’s forbidden as per the GDPR.
    Source: https://netsec.news/gdpr-password-p...

    > A GDPR password policy should also cover the storage of passwords. “In order to maintain security and to prevent processing in infringement of [the GDPR], the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.” All stored passwords must therefore be encrypted to current industry standards to be compliant with GDPR. Salting the passwords would add an additional level of security to the process.
  • 1
    Bank security is shit. My wife and I have an account at a German bank where we have one account, sharing the same login name, but different passwords.

    So their user management must handle multiple passwords per user.

    The real fun point is if one enters the wrong password too often, both logins are locked.

    And many banks still use a PIN for login instead of a real password.
  • 2
    @ddephor Hello firstname.lastname.lasttwodigitsofbirthyear, please enter your 4-digit PIN in the field below.
  • 0
    @Alice No, it's really the same username.

    We both have user 'account123', she has password 'secret' and I have password 'nooneknows'. When we log in, the system can differentiate between us, because we can have our own settings, authentication tokens, etc. The only criterion for the system to differentiate our login is the password.
  • 3
    In the US, banking security is absolutely obscene. I spoke to a guy who did bank infosec once and their offices were surrounded in Faraday cages, all entry required physical 2fa, and all phones were stored outside the office space, also in Faraday cages. No internet connection. All USB connections disabled at the hardware level. All machines were simply displays for a centralized VM system, meaning the computers themselves were empty. He described his office as "a hacker's worst nightmare" to crack.
  • 1
    I work at an IT solution provider for banks and at least for our clients I can say: No they don't.
  • 0
    @RantSomeWhere I have no doubts that it's not encrypted - GDPR does not require specific one-way hashing iirc