
South African bank advises against the use of password managers - buyx
https://twitter.com/rbjacobs/status/1163411240716255232
======
mikeash
“Bank has idiotic ideas about security” is as surprising as “sun rises at
predicted time.” Something about the industry seems to push paranoid
incompetence in security.

~~~
moviuro
Currently at a bank's security team, here's what I gathered so far that
explains (but doesn't excuse) the current state of affairs:

- there are millions of customers who hate having to use their brains (or get
their phone to receive a 2FA code);

- a kilometer of requirements from whatever Central Bank, local policies and
ad-hoc decisions;

- (too) limited budget to build and run whatever service (cost of SMS 2FA for
millions vs. cost of some limited fraud);

- very, very bad dev education, and general disdain for security. We do have
a guide for them (the "secure development handbook"), and all our code audits
reveal that it wasn't followed in all places;

- outdated perception of security issues (screengrabbers are still a threat
to tackle, according to some).

~~~
zzzcpan
I guess it depends on the country and the bank. My bank, for example, has done
mandatory 2FA for 15+ years and uses some anomaly based approach to decide how
aggressively to ask for 2FA, like if you send money somewhere unusual, it does
phone call 2FA, instead of an SMS, and if you just pay your usual bills from
the same IP address and the same PC it doesn't even ask for 2FA at all. It
also has other optional security features like white lists for IP subnets,
internet-only credit cards, etc.
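The step-up policy described in the comment above, written out as a small rule engine. This is an added illustration, not any bank's code: the signals, the three challenge tiers (none, SMS OTP, phone-call OTP) and the reading of the IP-subnet whitelist as "deny logins from outside it" are all assumptions made for the example, and the profile and transaction values are constructed.

```python
"""Toy risk-based 2FA step-up policy (added example, not a real bank's logic).

Tiers follow the comment: usual payee from a known device and known IP needs
no extra challenge; an unusual recipient triggers a phone-call OTP; anything
in between falls back to an SMS OTP. An optional per-customer IP allowlist
(CIDR subnets) is assumed to reject logins from outside it entirely.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Profile:
    known_devices: set
    known_ips: set
    usual_payees: set
    # CIDR strings; an empty list means the customer has not enabled the feature
    ip_allowlist: list = field(default_factory=list)


@dataclass
class Transaction:
    device_id: str
    source_ip: str
    payee: str
    amount: float


def ip_allowed(profile, ip):
    """True if no allowlist is configured or the address falls inside one of its subnets."""
    if not profile.ip_allowlist:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in profile.ip_allowlist)


def required_challenge(profile, txn):
    """Return one of 'deny', 'none', 'sms_otp', 'phone_call_otp'."""
    if not ip_allowed(profile, txn.source_ip):
        return "deny"
    known_device = txn.device_id in profile.known_devices
    known_ip = txn.source_ip in profile.known_ips
    usual_payee = txn.payee in profile.usual_payees
    if not usual_payee:
        # Money going somewhere unusual: strongest challenge regardless of device.
        return "phone_call_otp"
    if known_device and known_ip:
        # Paying a usual bill from the usual PC and IP: no challenge.
        return "none"
    return "sms_otp"


# Constructed sample customer (203.0.113.0/24 is a documentation range).
SAMPLE_PROFILE = Profile(
    known_devices={"home-pc"},
    known_ips={"203.0.113.10"},
    usual_payees={"electricity-co"},
    ip_allowlist=["203.0.113.0/24"],
)

if __name__ == "__main__":
    for txn in (
        Transaction("home-pc", "203.0.113.10", "electricity-co", 80.0),
        Transaction("home-pc", "203.0.113.10", "unknown-recipient", 80.0),
        Transaction("new-laptop", "203.0.113.42", "electricity-co", 80.0),
        Transaction("home-pc", "198.51.100.7", "electricity-co", 80.0),
    ):
        print(txn.device_id, txn.source_ip, txn.payee, "->", required_challenge(SAMPLE_PROFILE, txn))
```

The ordering matters: the payee check runs before the device/IP check so that a compromised "known" PC still cannot send money to a new recipient without the strongest challenge.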

~~~
zAy0LfpBZLC8mAC
That sounds terrible. I mean, I assume they don't assume liability for bad
decisions?

If "the PC" or "the IP address" was not contractually agreed to be an
authentication factor (that you thus should protect from unauthorized use),
it's a terrible idea to use them for authentication, while also (presumably)
putting all liability on the customer.

~~~
GuB-42
In France, and I believe it is the case in many countries, in case the
customer wants to roll back a transaction, the bank has to give the money
back, unless it can prove that the transaction was legitimate.

So basically, they can't put liability on the customer unless 2FA is used. The
second factor is usually the credit card PIN.

Banks have to maintain a balance between convenience and risk of fraud.

~~~
zAy0LfpBZLC8mAC
> unless it can prove that the transaction was legitimate.

And what is the standard of evidence for that?

> So basically, they can't put liability on the customer unless 2FA is used.
> The second factor is usually the credit card PIN.

That doesn't sound like a second factor? Or are you talking about POS
transactions?

> Banks have to maintain a balance between convenience and risk of fraud.

Really, they don't. The bank should never decide to take on risks for me.
There is nothing wrong with offering a feature where the customer can select
to allow certain transactions without 2FA. There is everything wrong with
forcing that feature on customers.

------
mcv
I'm frequently baffled when I encounter a login form that doesn't allow
pasting a password. Of course with developer tools I can just remove the
attribute that causes that, but plenty of internet users lack that level of
technical knowledge and are forced to resort to easy to remember and very likely
reused passwords.

I feel like this is a similar red flag as the 'no single quotes in passwords'
limitation that used to be common.

~~~
sonnk
I can understand if a government service requires this but it also happens
with a normal, ecommerce website!

~~~
kelnage
If it's a US Federal Government service, you should point out to them that
they are going against the explicit recommendation of NIST[1].

1.
[https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5),
under 5.1.1.2 Memorized Secret Verifiers, 'Verifiers SHOULD permit claimants
to use “paste” functionality when entering a memorized secret.'

~~~
0xffff2
Sadly the US Federal Government is a massive and unwieldy collection of
organizations. I work in the Federal government and my part of it doesn't
comply with NIST's modern guidelines at all. They probably will at some point,
but department/agency level IT changes take years to be approved.

------
LilBytes
For any customers that do use said bank, take this as an indicator of their
own security practices and consider if you still trust them with your money,
data and PII.

I wonder how they share credentials without a PAM or similar. All service
accounts are using 'S3cur3P@$$w0rdzSuck'... Or more probably just a
'passwordz'?

What a shocking state of affairs.

~~~
nomad010
I use said bank and they are generally pretty good. Also note they even said
in the tweet that they acknowledge the role of password managers so I think
you may have read a bit too much into the tweet. Almost every time I log on to
their online banking site, I get a page detailing the latest scams and what to
look out for.

I also agree with their statement for the most part. The general public, at
least here in SA, aren't too discerning when it comes to tech matters and will
probably download any random app from the play store. If you don't trust
pretty much anyone with your credentials, why trust a probably unknown 3rd
party with them?

I think the best idea in this case is to choose a strong password, try and
remember it or write it down and store it in a safe.

------
caseysoftware
Thirty minutes ago I closed my account with Wells Fargo because of their lack
of security. Last month, they called to validate my identity. I called back,
they asked for my mother's maiden name.

Me: "Since that information is on Facebook, I use a big random string
starting.."

Them: "That's good enough, so what we want to talk about is.."

Then when I went into the local branch, the receptionist wanted to swipe my
debit card in their tablet to add me to the line. Forget that, I'm out.

------
zxcvbn4038
Over the weekend I had to call Time Warner Cable for support. Their support
representative was willing to send an e-mail verification to any address I
provided - in fact she refused to send an e-mail to the address on file
because she couldn’t be sure the address was valid or who she was sending to.
All this when I accessed a live chat feature from within a logged in context
where I had already authenticated myself.

------
tibbydudeza
Considering how much S.A. banks charge us in service fees they can afford to
give folks who use online banking a security fob.

------
angry_octet
If you can only remember a few long term complex secrets, then using one slot
for your bank password seems reasonable to me. The other big ones for me are:
google/microsoft account, password manager, FDE passphrase.

If you use hardware 2FA and have lots of bank accounts (business, trading,
etc) then using a password manager starts to make sense.

------
arunc
American Banks are no different, they just don't tell you out loud. Here's a
similar thing with Citi Bank credit card.

[https://twitter.com/aruncxy/status/1163447301592891392?s=09](https://twitter.com/aruncxy/status/1163447301592891392?s=09)

~~~
c17r
I have a 30 character password with upper, lower, numbers, and special
characters for Citi and Bitwarden works just fine on their website. What
problems are you running into?

------
peterwwillis
Password managers are a very useful idea for general accounts, but I would not
trust my financial solvency to them. If you only have one or two bank
accounts, generate a long complex password, memorize it, don't save it
anywhere, and use a mnemonic or other method to vary the password between the
two accounts.

Even if password managers are implemented perfectly, there are various attacks
that they can still fall victim to that a memorized password won't. Most
password managers are not implemented perfectly.

~~~
consp
> a memorized password won't

Memorized passwords are usually highly insecure due to being reused and short
_in general_. So they are usually implemented as imperfect systems for most
people. What is the difference to a password manager here?

The fact _you_ remember long passwords doesn't mean everyone does.

~~~
peterwwillis
If you're the type of person who uses no master password, and every password
you would ever create is '1234', then a password manager will be a definite
improvement. But if you have the ability to memorize two complex passwords,
that is more secure.

My advice is solely for the person who already has a password manager, has
memorized one complex password for it, and is willing to memorize another one.

------
sonnk
Even if this is a wrong move from the bank, I think that using a password to
access a sensitive service is not the safest way. It would be better if the bank
could use some ID-verification service, preferably provided by a
government-independent company.

------
alkonaut
Is there no 2FA? Why is there a password field at all on an online banking
page?

~~~
nomad010
Most transactions require an OTP to successfully complete, and you also get
notifications whenever a login to your account is performed.

I think it would probably be a good idea to have some sort of separate 2FA
device linked at home but I doubt they'll ever implement it. You would want it
separate to your phone because if your wallet and phone get stolen you can
login to the online banking account and deactivate your stolen cards without
having to go to the bank.

~~~
alkonaut
If the phone has a PIN or similar (I realize not everyone has) and the 2FA app
has a pin/password, then that does seem like a reasonable level of security.

~~~
nomad010
No, because getting your phone and wallet stolen (they are likely to both be
on your person so both would likely be stolen at the same time) means you
couldn't then log on to online banking and deactivate your credit cards (which
you would want to do as soon as possible).

Edit: Just to clarify a bit more, most cards here have a tap and go function
requiring no PIN up to a certain amount. Although the amount is small I'd
still rather have it that no one spends my money.

~~~
alkonaut
That's a good point. I have done it a few times and it can be done quickly by
phone at least.

------
marvel_boy
Half of Android "password managers" are scams.

~~~
rhinoceraptor
I’d bet half of all Android apps are scams.

~~~
chopin
I bid higher...

~~~
thrownaway954
I'm sure there is an app that could tell us the true count.

------
izzydata
Aren't password managers sacrificing security for convenience? Remembering
hundreds of long unique passwords being the most secure, but too difficult. If
you could remember everything then you would have an uncompromisable storage
system.

Personally I use password managers for most things, but exclude them when
money is involved and opt to remember those.

~~~
oconnor663
One of the security features that a password manager provides is retrieving
passwords based on what domain you're on. They're a lot better than the human
brain at making sure you don't get phished by an evil site that looks exactly
like Gmail or whatever.
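The domain-matching behaviour the comment above credits password managers with, shown as code. This is an added example, not taken from any real password manager: it compares the registrable domain (eTLD+1) of the saved credential with that of the current page and refuses to fill on anything else, and it places the naive substring check beside it to show why the exact comparison is what defeats lookalike sites. The suffix list is a constructed stand-in for the real Public Suffix List, and requiring `https` on the page is a design choice made for the example.

```python
"""Added illustration of origin-based credential lookup (not any manager's code).

A credential saved for accounts.google.com should fill on mail.google.com
(same registrable domain) but never on accounts.google.com.evil.net or
accounts.goog1e.com, which a human eye or a substring match would accept.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real manager loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "co.za"}


def registrable_domain(url):
    """Return the eTLD+1 of a URL's host ('mail.google.com' -> 'google.com').

    Returns None for a bare public suffix, an unknown suffix, or no host at all,
    so the caller fails closed instead of guessing.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest so 'co.za' wins over 'za'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def naive_match(saved_url, page_url):
    """The pitfall: 'does the saved host appear in the page host?' Do not use."""
    saved_host = urlsplit(saved_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    return saved_host in page_host


def should_autofill(saved_url, page_url):
    """Fill only on HTTPS pages whose registrable domain equals the saved one."""
    if urlsplit(page_url).scheme != "https":
        return False
    saved = registrable_domain(saved_url)
    page = registrable_domain(page_url)
    return saved is not None and saved == page


# Constructed sample credential and candidate pages.
SAVED = "https://accounts.google.com/signin"
CANDIDATES = [
    "https://mail.google.com/",                   # same registrable domain: fill
    "https://accounts.google.com.evil.net/",      # lookalike subdomain: refuse
    "https://accounts.goog1e.com/",               # typosquat: refuse
    "http://accounts.google.com/",                # not HTTPS: refuse
]

if __name__ == "__main__":
    for page in CANDIDATES:
        print(f"{page:45} naive={naive_match(SAVED, page)!s:5} strict={should_autofill(SAVED, page)}")
```

The naive check is included only to make the contrast visible: it returns True for the `evil.net` lookalike because the saved host is literally a substring of the phishing host, which is exactly the class of page a user is likely to mistake for the real one.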

~~~
izzydata
I'd like to believe I know better than that, but I see your point.

