
The Risk of Weak Online Banking Passwords - feross
https://krebsonsecurity.com/2019/08/the-risk-of-weak-online-banking-passwords/
======
n1000
I often wonder why not all websites (especially delicate ones like ebanking)
do not show the number of failed login attempts since last successful login.

That would raise awareness with users (ok, maybe scare some people) and give
me some hints that my account may be under attack...
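
The "failed attempts since your last successful login" counter described above, as an added example that is not part of the original thread: a small in-memory auditor (hypothetical names, constructed sample events) that records each failure with its source address, then hands the account owner a summary at the next successful sign-in.

```python
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress


class LoginAuditor:
    """Tracks failed sign-ins per username and summarises them at the next success.

    Hypothetical in-memory store; a real deployment would persist this beside the
    account record and feed the same events to its fraud / SIEM pipeline.
    """

    def __init__(self):
        # username -> list of (timestamp, source address) since the last success
        self._failures = defaultdict(list)

    def record_failure(self, username, source_ip, when):
        self._failures[username].append((when, ipaddress.ip_address(source_ip)))

    def record_success(self, username):
        """Pop and summarise the failures accumulated since the last success."""
        failures = self._failures.pop(username, [])
        if not failures:
            return {"count": 0, "distinct_ips": 0, "first": None, "last": None}
        times = [t for t, _ in failures]
        return {
            "count": len(failures),
            "distinct_ips": len({ip for _, ip in failures}),
            "first": min(times),
            "last": max(times),
        }


def banner(summary):
    """Text shown after login, the way the comment above wishes banks would."""
    if summary["count"] == 0:
        return "No failed sign-in attempts since your last successful sign-in."
    return (f"{summary['count']} failed sign-in attempts from "
            f"{summary['distinct_ips']} address(es) between "
            f"{summary['first']:%Y-%m-%d %H:%M} and {summary['last']:%Y-%m-%d %H:%M} UTC. "
            "If this was not you, change your password and enable 2FA.")


def demo():
    """Constructed sample events: a small credential-stuffing burst against a
    common username from three addresses, then the real owner signs in."""
    auditor = LoginAuditor()
    base = datetime(2019, 8, 5, 2, 0, tzinfo=timezone.utc)
    events = [
        ("john", "203.0.113.7", base),
        ("john", "203.0.113.7", base.replace(minute=1)),
        ("john", "198.51.100.22", base.replace(minute=3)),
        ("john", "192.0.2.99", base.replace(hour=3)),
        ("alice", "203.0.113.7", base.replace(minute=2)),  # different account, not john's
    ]
    for user, ip, when in events:
        auditor.record_failure(user, ip, when)
    return auditor.record_success("john")


if __name__ == "__main__":
    print(banner(demo()))
```

The count is reset on success, so a user who logs in daily sees a daily figure rather than a lifetime one; the distinct-address count is what separates "someone is guessing my password" from "I fat-fingered it twice".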

~~~
segmondy
Unless you have a very unique login, you are often going to see login
attempts. Common names such as john, john123, john234, johnq, qjohn will
happen more often, especially for a big site.

This will probably give rise to support calls to the bank...

~~~
choward
Then you'll learn that your username is one that's under attack and that it's
even more important to have a strong password. Put some useful documentation
on the login page that explains it. What's wrong with that?

~~~
segmondy
2FA and be done with it.

~~~
levythe
2fa is not magical. It makes an attack require more complexity, but it's not
an "and be done with it," solution.

~~~
lazzlazzlazz
Have you seen how severely 2FA drops the rate of unauthorized accesses? It's
incredible. What have you seen that moves you to hedge on the value of 2FA?

~~~
u801e
For one thing, the SIM swap attack [1]

[1] [https://krebsonsecurity.com/tag/sim-swap/](https://krebsonsecurity.com/tag/sim-swap/)

In general, relying on a second factor whose security practices aren't the
best, could actually compromise security compared to having a strong and
unique password.

I personally wish that more banks would support 2FA authentication using a
username/password in combination with TLS client side certificates.

~~~
ryacko
Requires forcing every PC case and laptop sold to have a slot for smart cards.
Otherwise it is too inconvenient.

~~~
u801e
You could just put it in the certificate store on the machine rather than
relying on external storage.

------
jxcl
So my understanding is that ultimately the bank is responsible for any loss on
my end as a result of someone breaking into my bank account, therefore I don't
really care if my banks don't follow best security practices.

I guess it's probably more complicated than that, so perhaps someone more
knowledgeable can expand on what I can expect to happen if someone steals
money from my bank accounts because of one of the vulnerabilities in the
article?

~~~
inetknght
> _So my understanding is that ultimately the bank is responsible for any loss
> on my end as a result of someone breaking into my bank account, therefore I
> don't really care if my banks don't follow best security practices._

Remember that when you need to take a week off of work to deal with your bank
after a breach zeroed your account. Remember that when you can't pay your
bills during that time and miss a car/house payment.

~~~
cascom
Seems like another checking account with a month's worth of expenses in it
could be a prudent idea.

~~~
koolba
Multiple accounts are a must. If you’re smart about it, you also won’t set up
any kind of electronic transfer between them. Otherwise if one is hijacked the
crook could initiate an ACH from the other accounts.

------
whatshisface
> _even if your bank offers multi-factor authentication as part of its login
> process_

All of my banks have security questions. This protects me by combining a
password with some other passwords that are public information and that I
can't change.

~~~
NickBusey
You by no means have to give your real information.

I recommend using something like Bitwarden's passphrase generator so all your
answers are things like `concise myth bird`.

This way they are A: actually secure, and B: easily pronounceable, so that
just saying "a bunch of letters and numbers" to a phone tech shouldn't work as
I've heard people complain can happen when using normal passwords (e.g.,
c9b21s1qzs) for these fields.
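
The passphrase approach above, as an added example that is not part of the original thread: generating the answer with the CSPRNG-backed `secrets` module, putting a number on its strength, and (on the bank's side, which the commenter does not control) normalising and hashing the answer so that "Concise  Myth Bird" read out to a phone agent still verifies. The word list is a constructed 16-word stand-in; the entropy figure uses the 7776-word EFF long list size to show what a real list gives.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed demo word list. A real generator uses a published list; the size
# of that list is what sets the entropy per word, so it is passed in separately.
WORDLIST = ["concise", "myth", "bird", "granite", "saddle", "velvet", "orbit", "lantern",
            "pickle", "meadow", "cobalt", "thimble", "harbor", "quartz", "nimble", "fable"]
EFF_LONG_LIST_SIZE = 7776

PBKDF2_ROUNDS = 200_000


def passphrase(n_words, words=WORDLIST):
    """n words drawn with secrets.choice (CSPRNG), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Bits of entropy for n symbols chosen uniformly from an alphabet."""
    return n_symbols * math.log2(alphabet_size)


def normalise(answer):
    """Fold case and collapse whitespace; a bank comparing answers should do the same."""
    return " ".join(answer.casefold().split())


def store_answer(answer, salt=None):
    """Hash the normalised answer like a password; security answers are passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(candidate, salt, digest):
    probe = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    answer = passphrase(3)
    print(answer)
    print(f"3 words from EFF long list: {entropy_bits(3, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"10 random [a-z0-9] chars:   {entropy_bits(10, 36):.1f} bits")
    salt, digest = store_answer(answer)
    print(verify_answer(answer.upper(), salt, digest))
```

Three words from a 7776-word list give about 38.8 bits, less than a 10-character random string's 51.7 bits but vastly more than any real mother's maiden name, and it is the answer a human can actually say on the phone. Adding a fourth word gets to about 51.7 bits.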

~~~
stordoff
Inaccurate but plausible is the advice I've been given for these. My bank
insists on a "memorable name" (was formerly "mother's maiden name" - I
confirmed it didn't have to be accurate), so I use one that was basically
picked out of a hat, which has no connection to me or my family.

~~~
whatshisface
How legal is it to give false information to a bank?

~~~
outworlder
> How legal is it to give false information to a bank?

Irrelevant. These are only security questions. They can be anything, and in
fact, for most of them they are not supposed to know.

If you are applying for one of their products and you get a form, and THEN you
provide false information, it's a different matter.

------
BjoernKW
Banks unfortunately often have deplorably backward as well as arbitrary
password rules such as: "Your password must not be longer than 8 characters
and must not contain any of these characters '@', '&', '/', '('." ...

~~~
Scoundreller
Up until recently, a big Canadian bank only allowed 6 character passwords, and
mapped whatever you typed into 6 numbers (e.g. Aa-Dd = 0).

------
peterwwillis
I was trying to remember wtf the name of the new MFA standard that Chrome
supports was, and it took me 10 minutes of Googling to find it (U2F[1]). If a
security nerd can't even remember the name of the thing that's supposed to
replace passwords, regular users will never figure it out.

You want to get rid of passwords? Stop allowing users to manage them. Make a
browser plug-in support U2F, make it auto-generate passwords for sites, make
it manage them internally. When you go to login to Chase, the browser will
fill in the login details, after it has verified this is the Actual Real Site
and not a phishing site. All access to this auth data will be based on a
master password entered into the user's browser at start-up.

To reset an individual site's auth creds, the site can send a re-auth e-mail
to the user. When the user clicks through, they can use the site's preferred
verification process to show they are the real user. The browser can then
generate and save new auth details for the site.

At no time did the user ever enter a password, but strong authentication data
is still being managed independently per-site, the user can still reset any
given site's auth details, and the user only has to manage one strong password
on their client machine at start-up time. They can also use U2F with a second
device for MFA.

[1]
[https://en.wikipedia.org/wiki/Universal_2nd_Factor](https://en.wikipedia.org/wiki/Universal_2nd_Factor)

~~~
Avamander
Or countries could solve the issue for their citizens instead of making
everyone invent their own, like Estonia and quite a few other european
countries have. By providing a physical card (or SIM) that allows people to
log in where they want.

~~~
JoshTriplett
Many people will not want "help" from a government to authenticate and logging
in to a non-government site.

~~~
Avamander
Many people don't like passwords either. The point being that sometimes we
have to go with things we don't find perfect, just tremendously better than
what we have now.

------
umvi
Good thing my bank artificially imposes length restrictions so that my
password is exactly between 8-12 characters

~~~
choward
My favorite is when they truncate it without telling you. It's a better UX
though!

~~~
mikeash
Mine silently truncates to 8 characters _and_ does a case insensitive
comparison. Good thing they have all the liability....
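
The two comments above (the 6-character keypad mapping, and the silent truncate-to-8 plus case-insensitive compare) both shrink the password space far below what the user thinks they chose. As an added example that is not part of the original thread, the following models both transformations and counts what is lost. The keypad table is an assumed phone-style mapping (the comment only mentions "Aa-Dd = 0" and does not give the bank's real table); the 8-character truncation and casefold are as described.

```python
import math

# Assumed phone-keypad style table; the real bank's mapping is not given above.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def truncate_and_fold(password, max_len=8):
    """What a silently-truncating, case-insensitive comparison actually stores."""
    return password[:max_len].casefold()


def keypad_fold(password, max_len=6):
    """Collapse a typed password into the digit string a keypad-mapping bank
    compares. Returns None for characters the assumed table cannot map."""
    out = []
    for ch in password[:max_len].casefold():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            return None
    return "".join(out)


def preimage_count(digits):
    """How many distinct typed strings collapse onto one digit code: each digit
    accepts itself plus each of its letters in either case."""
    total = 1
    for d in digits:
        total *= 1 + 2 * len(KEYPAD.get(d, ""))
    return total


def entropy_bits(alphabet_size, length):
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("Secure", "sdbvrf", "732873"):
        print(pw, "->", keypad_fold(pw))
    print("preimages of 732873:", preimage_count("732873"))
    print(f"6 keypad digits:      {entropy_bits(10, 6):.1f} bits")
    print(f"6 chars, 94 printable: {entropy_bits(94, 6):.1f} bits")
    print(f"12 chars, 94 printable:{entropy_bits(94, 12):.1f} bits")
    print(f"8 chars casefolded:    {entropy_bits(68, 8):.1f} bits")
    print(truncate_and_fold("Tr0ub4dor&3xtra"), "==", truncate_and_fold("TR0UB4DO-whatever"))
```

A 6-digit keypad code is under 20 bits (one million possibilities), so "Secure", "sdbvrf" and the literal "732873" all open the same account; the truncate-and-fold case turns a 12-character mixed-case password into an 8-character one drawn from roughly 68 symbols, about 49 bits instead of 79. Online rate limiting is the only thing standing between that and a trivial guess.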

------
nesky
Why doesn't Google or Apple have 'explain like I'm 5' explanations of how
their password managers work? I don't use either service but this is a MAJOR
opportunity to encourage their users to use a password manager and
subsequently make their users more secure online.

I'm a big proponent of using a password manager and if I even remotely mention
using iCloud Keychain or Google's password manager, people have zero idea what
I'm talking about.

~~~
matt-attack
I agree. It’s odd that an article this technical goes on to recommend (or at
least enumerate popular) password managers, but doesn’t mention Apple’s own
KeyChain. It’s built into all iPhones and MacOS computers for god’s sake.

I personally don’t use any 3rd party password managers. I find KeyChain to
work amazingly. There’s even a FireFox plugin that supports it.

~~~
WorldMaker
A problem is that most users are likely in a mixed computing household, such
as using an iPhone and a Windows Desktop. It would be a lot easier to suggest
to some of my family, for instance, to use KeyChain if they had a good Windows
client. (With the recent modern iCloud update in the Microsoft Store, I could
even see this possibly happening, as opposed to the many years where iTunes
for Windows was an afterthought.)

------
Havoc
Honestly I'm more worried about remembering my username...13 digit numeric
sequence.

Nice one Mr Bank.

Trying to fight my way back in after emigrating put a lot of worries at ease.
Voice printing, secret code words, security questions, 2FA, passwords...omg
just let me in.

Nobody's getting in there...I just hope I don't lose access.

------
un_montagnard
I have a bank account whose username is a number and password is also a
number. Good thing is you need to click on a randomly distributed keypad to
input your password. /s

~~~
jrimbault
Mine too. Which is also my employer (you can find out who that is easily).
¯\\_(ツ)_/¯

Since both numbers are sent (separately) via physical mail, all you'd have to
do to get them would be to wait around in front of the mailbox when the
postman comes, ask him if he's got mail for Mr X, repeat for a few days until
you get the monthly report sheet; on this document will be the first number.
Now go online, ask for a new password. Wait around the mailbox for the new
password to arrive. The mailman will just think "oooh Mr X is such a good
person, always saying good morning". Chances are the victim doesn't have any
alarms set up on their phone. I have alarms set up.

------
Scoundreller
I had a colleague who always knew, to the quarter, how long he had been
working there. During the quarterly password changes, he'd increment the
numbers ;)

------
black_puppydog
My bank (BNP) opted to force me to click on big clear text buttons instead of
typing my login code. And yes, it's a six digit numeric code. So the username
is a clear text field, and you could read my code from 5m away without zooming
while I login.

Should I ever get scammed on this account, I'll claim that their security BS
must have been the entry and let them try and disprove that.

------
jobigoud
My bank has a "helpful" mobile app secured by a 6 digit code. The worst part
is that some sensitive operations like adding an external wire transfer target
and changing transfer ceilings can be done from the app and only from the app.

------
skunkworker
I'm still annoyed that one of my banks only offers 2 factor through email &
SMS and doesn't offer TOTP. Does anyone know if this is a PCI thing or is it
just bureaucracy?

~~~
crgwbr
I’ve spent a good bit of time reading PCI requirements and I can’t think of
anything that’d prevent using TOTP or Yubikey type devices. My guess is that
they don’t implement it because they don’t think anyone would use it. Honestly
I can’t say they’re wrong either—I’d love to use a Yubikey on my bank
accounts, but I can’t imagine anyone else in my circle of non-programmer
friends/family doing so.

~~~
Rafert
With WebAuthn it doesn't have to be a USB fob - it can be built into your
device too.

------
ryanthedev
Chase doesn't allow special chars. Lmao.

------
bryanmgreen
Not just weak passwords, but reused ones (which to me is an equal sin)

------
yboris
Thank you for the PSA -- I just changed my old insecure password!

------
darkhorn
Then why there is no law for 2FA in the banks? In Turkey all banks must
provide 2FA for logins. It is required by law.

~~~
dredmorbius
Krebs has covered this previously; oligopoly service providers.

See his excellent, if depressing, 2018 exploration of banking security, "What
Is Your Bank’s Security Banking On?".[1] Sadly, the industry is dominated by a
small handful of banking platform providers. Four, Fiserv, Jack Henry, FIS,
and CSI, serve over 80% of the market. Bank regulators, responding to Krebs,
said that "small to mid-sized banks are massively beholden to their platform
providers, and many banks simply accept the defaults instead of pushing for
stronger alternatives."

This is not a good situation.

Digging further into the matter, I turned up a set of publications by Experian
-- the credit rating agency which hasn't been breached ... yet -- on risk and
fraud, including credential compromise.[2] One of these mentions in passing
that the typical person has "about 100" service-based accounts.[3] That's not
all that far off the count of 700 accounts HN users have reported having.[4]

________________________________

Notes:

1\. [https://krebsonsecurity.com/2018/03/what-is-your-banks-secur...](https://krebsonsecurity.com/2018/03/what-is-your-banks-security-banking-on/) (HN: [https://news.ycombinator.com/item?id=20203482](https://news.ycombinator.com/item?id=20203482))

2\. Stealthily hidden around Experian's website, though this search presently lists several of the better ones: [https://www.experian.com/innovation/thought-leadership/fraud...](https://www.experian.com/innovation/thought-leadership/fraud..). ([https://web.archive.org/web/*/https://www.experian.com/innov...](https://web.archive.org/web/*/https://www.experian.com/innov...))

3\. "Upcoming fraud trends and how to combat them: Ebook" [https://www.experian.com/innovation/thought-leadership/upcom...](https://www.experian.com/innovation/thought-leadership/upcom..).

4\. packet_nerd reports that here, though I recall an earlier mention as well:
[https://news.ycombinator.com/item?id=19488899](https://news.ycombinator.com/item?id=19488899)

