retnikt (6y)

Hang on... If online banks ask you for the n'th, m'th and p'th character of your password, they must be storing it in plaintext! WTF? I don't even understand why they do that in the first place.

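The post infers plaintext storage from partial-character challenges. As an added illustration (editor's example, not code from this page or from any bank), here is one way such a challenge can be answered without the server ever storing the password: at enrolment the server stores one keyed, salted digest per position-subset it may later ask for; at login it recomputes the digest for the chosen positions and the characters supplied. The secret `pepper` is assumed to live outside the credentials database (an HSM or KMS), the sample password and salt are constructed for the demo, and `CHALLENGE_SIZE`, `ITERATIONS` and all function names are the example's own choices.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Optional

# Assumed parameters for this example (not from the original post).
CHALLENGE_SIZE = 3      # how many character positions a login asks for
ITERATIONS = 50_000     # PBKDF2 cost; raise in production


def _digest(pepper: bytes, salt: bytes, positions: tuple, chars: str) -> bytes:
    """Keyed digest of the characters at the given positions.

    The positions are bound into the message so the digest for (0, 2, 5)
    cannot be replayed as the answer for (3, 4, 5).
    """
    msg = salt + ",".join(map(str, positions)).encode() + b"|" + chars.encode()
    # Only CHALLENGE_SIZE characters go into each digest, so an attacker who
    # holds the database AND the pepper can brute-force them quickly. The pepper
    # (assumed to stay in an HSM/KMS) is what carries the security here; PBKDF2
    # merely raises the cost for an attacker who has obtained both.
    keyed = hmac.new(pepper, msg, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS, dklen=32)


def enrol(password: str, pepper: bytes, salt: Optional[bytes] = None) -> dict:
    """Create the stored record for a user. The plaintext password is not kept."""
    salt = salt or secrets.token_bytes(16)
    digests = {}
    for positions in itertools.combinations(range(len(password)), CHALLENGE_SIZE):
        chars = "".join(password[i] for i in positions)
        digests[positions] = _digest(pepper, salt, positions, chars)
    return {"length": len(password), "salt": salt, "digests": digests}


def new_challenge(record: dict) -> tuple:
    """Pick the (0-based) positions the user must answer for this login."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(record["length"]), CHALLENGE_SIZE)))


def verify(record: dict, pepper: bytes, positions, answer: str) -> bool:
    """Check the characters the user typed for the challenged positions."""
    if len(positions) != CHALLENGE_SIZE or len(answer) != CHALLENGE_SIZE:
        return False
    # Sort position/character pairs together so the caller's order does not matter.
    pairs = sorted(zip(positions, answer))
    key = tuple(p for p, _ in pairs)
    chars = "".join(c for _, c in pairs)
    expected = record["digests"].get(key)   # None for duplicate or out-of-range positions
    if expected is None:
        return False
    actual = _digest(pepper, record["salt"], key, chars)
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)            # stands in for an HSM-held key
    record = enrol("Tr0ub4dor", pepper)         # constructed sample password
    challenge = new_challenge(record)
    print("please enter characters", [p + 1 for p in challenge])
    answer = "".join("Tr0ub4dor"[p] for p in challenge)
    print("login ok:", verify(record, pepper, challenge, answer))
```

Note what this does and does not buy: the database holds no plaintext, but each stored digest covers only three characters, so the scheme is only as strong as the secrecy of the pepper. A scheme that instead keeps the password reversibly encrypted under an HSM key has the same dependency. Either way, what the bank's login form asks for says nothing definite about how the credential is stored.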
Comments
  • 3
    Sure they do.
    Nearly all banks have shitty infosec.
  • 2
    @metamourge even HSBC do this, and they're like one of the biggest banks in the world? There must be some reason.
  • 2
    @retnikt
    Most probably, because they have insurance and the lawyers to sue the hacker to hell, if he's caught.
  • 1
    @dudeking That really doesn't make it any better.
  • 0
@M1sf3t if banks had read-only access then I would use Mint in a heartbeat! I don’t know why, but I’m still always surprised by how outdated such large companies can be.
  • 0
    @M1sf3t well that veered off topic pretty quickly...
  • 0
Bank security is shit. My wife and I have an account at a German bank where we have one account, sharing the same login name, but different passwords.

    So their user management must handle multiple passwords per user.

    The real fun point is if one enters the wrong password too often, both logins are locked.

    And many banks still use a PIN for login instead of a real password.
  • 0
    @Alice No, it's really the same username.

We both have user 'account123', she has password 'secret' and I have password 'nooneknows'. When we log in, the system can differentiate between us, because we can have our own settings, authentication tokens, etc. The only criterion for the system to differentiate our logins is the password.
  • 2
In the US, banking security is absolutely obscene. I spoke to a guy who did bank infosec once and their offices were surrounded by Faraday cages, all entry required physical 2FA, and all phones were stored outside the office space, also in Faraday cages. No internet connection. All USB connections disabled at the hardware level. All machines were simply displays for a centralized VM system, meaning the computers themselves were empty. He described his office as "a hacker's worst nightmare" to crack.
  • 0
I work at an IT solution provider for banks and at least for our clients I can say: No, they don't.
  • 0
    @RantSomeWhere I have no doubts that it's not encrypted - GDPR does not require specific one-way hashing iirc