
Ask HN: A major USA bank is storing passwords in cleartext – what to do? - plsdonthack
I was having trouble accessing my account, so I gave a call to customer service.  The service rep proceeded to (accurately) describe my own password to me.  Should I report this somewhere?  I'm not really sure what to do.
======
alltakendamned
It seems you're not getting serious answers here, so here's my take.

Please report this via the US-CERT at [https://www.us-cert.gov/report](https://www.us-cert.gov/report)

This will allow you to report it, eventually from an anonymous email address,
without exposing you directly to the bank, which might react badly to you. CERT
can handle the coordination with the bank; this is what they do.

~~~
dontbenebby
This looks very cool, thank you for sharing, parent.

I apologize for the nitpick, but I hope there will be some guidance on what an
"anonymous" email is.

(Ex: Guerilla at a public wifi like a library, an email created at a library,
but not your usual email from a place other than your home)

I worry sometimes that we assume people reporting security vulnerabilities
will be security experts.

I often meet people who are intelligent and technical, but either do not
understand security, or understand it in terms of confidentiality, integrity,
and availability (CIA triad) and flounder when thinking about anonymity.

~~~
otachack
An easier way may be to anonymously message a tech savvy media company or
security firm, maybe via snail mail even. You can do it anonymously yourself
but it'll take some work and a mashup of:

\- VPN service where you pay with cash (Mullvad)

\- Temporary email (Protonmail?)

\- One time use computer (cybercafe, pay with cash?)

There are layers you can apply, like Tor browser usage, but it'll take more
effort/learning.

~~~
aledalgrande
Or you could email Troy Hunt

------
micheljansen
Really shocked at all the handwavy comments.

> “It’s fine, there are more checks in place to prevent unauthorised
> transactions”

> “Also, it’s insured”

Well ok, that means the bank is protected, but what about my (sensitive) data
such as transaction history?

> “If anyone does anything bad, law enforcement will step in”

Yeah, I totally trust a bank that can’t even properly deal with something as
basic as passwords to notice breaches reliably.

> “It would be too expensive to replace legacy systems”

And that’s the consumer’s problem?

I really hope none of you apologists are moving fast and breaking things at
any company that is entrusted with people’s personal information or is needed
for more critical infrastructure of everyday life than cat pics and funny
polls.

In Europe banks also don’t like paying to replace legacy systems to maintain
security, but such a failure to protect consumer data and privacy would be in
serious breach of legislation and result in significant fines.

~~~
godelski
>> “If anyone does anything bad, law enforcement will step in”

>Yeah, I totally trust a bank that can’t even properly deal with something as
>basic as passwords to notice breaches reliably.

As an example of this: Equifax. This happened in 2017, and not really much has
happened and people haven't been prosecuted. So everyone got some identity
theft protection for a year. That didn't solve the problem. Equifax lost a
little money. So little changes. And the claim is that it is Chinese state
actors that did this, so no one will get prosecuted (because we just let China
attack us?).

So handwavy seems defeatist.

Also, if this is a major bank, then Equifax is a great parallel to draw from.

~~~
TecoAndJix
Link to the symbolic indictment - [https://www.justice.gov/opa/pr/chinese-military-personnel-ch...](https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking)

------
bob1029
As someone who works in finance/banking, I can assure you that this is not
uncommon. Almost everyone is engaging in not-so-best practices with password
storage if they are using any 3rd party vendors. Only the institutions with
the resources to rebuild in-house systems with modern security standards are
the exception to this rule. There are only a handful of these. Ultimately,
it's not some malicious intent or incompetence, but simply the acknowledgement
that the legacy systems will not enjoy PBKDF hash+salt+iterations columns
being added 30 years after the fact.

The risk analysis and mitigation discussion for these institutions goes
something like this:

1) We can't have good password storage, so we will require a 2nd factor and
attempt to ensure these systems reside in our most secure network.

2) There is nothing we can do, so we will simply rely on the fact that if
someone logs into an account illegally, we send in the men with guns. For some
strange reason when a bank calls the FBI things move with a high level of
expediency.

There is much more to this than just the technical aspect of "oh my goodness
why aren't you hashing your passwords". How much ripping would HN impose on
one of these institutions if they attempted a 100% best practices secure
password upgrade and then subsequently had a complete IT disaster unfold (I
can certainly link articles). For many banks and other financial institutions,
going down for even 1 hour is a complete catastrophe. If people can't get
their money out right away, they are leaving for the competition and you will
likely get dinged by regulators. Bad people will continue to do bad things
until the end of time. Killing your business to handle every edge case, even
if it seems obvious, is not a good path to go down.

I would also consider this: These banks' IT systems are storing things that
many of us would argue are much more valuable than your passwords. A bank's
core system also represents the actual monetary value of every customer's
account. We are talking about password security in a system domain where there
are arguably far more valuable assets to secure. These assets are already
implicitly protected by a massive apparatus extending as far as Ohio Class
nuclear submarines patrolling the Pacific ocean.

~~~
tantalor
> For many banks and other financial institutions, going down for even 1 hour
> is a complete catastrophe.

Are you joking? It's a common trope for bank websites to go down for
"scheduled maintenance". Not to mention real-world bank branches keep bizarre
hours and close for random holidays like Presidents' Day and Veterans' Day.

_Why do banks and credit card companies need to perform "scheduled maintenance" during which users are unable to access their information online?_ [https://www.quora.com/Why-do-banks-and-credit-card-companies...](https://www.quora.com/Why-do-banks-and-credit-card-companies-need-to-perform-scheduled-maintenance-during-which-users-are-unable-to-access-their-information-online)

~~~
milkytron
Even though websites are really important, I think they mean other business
critical services going down for an hour.

Imagine if all credit cards with a company failed to process transactions for
an hour, or depositing/withdrawing money didn't make a change to your balance.
Those types of issues are much more severe than a customer not being able to
log in to the website.

~~~
mqus
You know, those kinds of things already happen. Even I sometimes had issues
with my credit card when paying online, and usually there's another way or you
could just pay an hour later.

~~~
katbyte
Really? I’ve never experienced my credit or debit card not working (except in
America, where my Canadian debit card often will just not work)

------
slumdev
Name and shame. I'll start:

American Express passwords are not case sensitive.

It is possible that they UPPER(...) the password before hashing it and then
compare against that when you log in. This explanation would only be a little
dumb because it reduces the domain of the password space. It also strains
credulity.

~~~
jcims
Lol it's been that way for at least 20 years. Same with chase (well at least
the bank one half of it).

It seems remarkably stupid, but it's way cheaper for them to refund any losses
and/or pay for lifetime credit monitoring than it is to deal with customer
service calls from people getting locked out because they can't figure out how
to deal with uppercase and lowercase letters.

~~~
antisthenes
It's funny that my small-ish credit union is not only more technologically
advanced, but also way more ethical (looking at you, Wells Fargo) and
convenient, and has top notch customer service. Seriously, I've never
interacted with more pleasant customer service reps than my CU.

Why are people giving their money to big banks again? Is it just advertising
pressure?

~~~
edoceo
Well, 25 years ago, when I opened at $BigBank, the CU I use now didn't exist,
and $BigBank offered services and availability that the CU didn't (in 1995). Then,
over a very long time, I tied so many things to that account at $BigBank that
it took almost three years for me to migrate all the accounts, business and
personal and loans, etc. to the new CU.

So, to why: legacy and stickiness

------
crispyambulance
> The service rep proceeded to (accurately) describe my own password to me.

Wait, that _alone_ doesn't necessarily indicate that they're storing clear
text passwords. I notice you didn't say that they just repeated your password
to you-- why do you think they store the whole thing in clear text?

HN readers are apt to demand hardcore passphrases, salting, 2FA, etc. But the
reality is that banks have to deal with all kinds of people and situations.
Your security as a bank customer hinges on more than just one password, it's
also about monitoring patterns of behavior, being aware of what's coming and
going from your account, and protection mechanisms like the bank's insurance.

That said, one would think that large institutions have learned their lesson
about clear text passwords, perhaps this one hasn't? Is there a law against
clear text passwords? How does anyone actually know if a financial institution
has sound IT practices, by happenstance incidents like this? Really?

~~~
Recursing
> Is there a law against clear text passwords

In Europe GDPR covers that, many big websites started hashing after it

Edit: could somebody explain the downvotes? The comments seem to agree with me

Obviously GDPR is not a law about plain text passwords, but as the comments
say it forces "the use of an appropriate hashing algorithm to store your
passwords, protecting the means by which users enter their passwords,
defending against common attacks and the use of two-factor authentication."
etc.

~~~
PeterisP
GDPR does not have any wording that refers to any technical specifics (e.g.
password storage) whatsoever.

The most relevant passage is "the controller and the processor shall implement
appropriate technical and organisational measures to ensure a level of
security appropriate to the risk" from article 32; and it _could_ be argued
that having passwords in plaintext most likely does not constitute
"appropriate technical measures" and doing so opens you up to fines based on
GDPR if an incident occurs, but it's not really "a law against clear text
passwords" but rather a law that simply says that you are responsible for how
you [mis]implement your security and the consequences of that.

~~~
Recursing
Yes of course GDPR is not a law about plain text passwords, but (as the
sibling comment points out), pretty much everybody considers the use of
appropriate hashing as a requirement to ensure a level of security
appropriate to the risk.

[https://www.gamingtechlaw.com/2019/04/first-gdpr-fine-italy....](https://www.gamingtechlaw.com/2019/04/first-gdpr-fine-italy.html)
this fine specifically mentions password storage (among many other things)

Also see previous thread on HN:
[https://news.ycombinator.com/item?id=18531588](https://news.ycombinator.com/item?id=18531588)

~~~
micheljansen
On top of that GDPR requires companies to notify customers of data breaches,
which risks reputation damage. Another liability of shoddy security.

------
chris_overseas
One bank that has astoundingly bad password requirements is Westpac Australia.
Usernames are an 8 digit customer ID, and passwords have to be _exactly_ 6
characters long(!) consisting _only_ of numbers and uppercase letters. Try it
for yourself, note that the login form only allows you to enter 8 characters
for the username and 6 characters for the password:

[https://banking.westpac.com.au/](https://banking.westpac.com.au/)

I complained to them about this years ago, they replied explaining they knew
what they were doing and it was a balance between security and simplicity...

~~~
the_french
Even worse, a major French bank removed their perfectly fine password
requirements and replaced them with a 6 digit PIN that you have to enter via an
on-screen numpad. They explicitly block password managers from autofilling
too! And I had just managed to get my parents to start using one.

~~~
chris_overseas
Well Westpac had an onscreen keyboard for the password entry too until about
18 months ago. When they finally replaced it with a (thankfully password-safe
friendly) text box they had this to say:

"At Westpac, we are continually striving to provide the highest quality
service and security to help support our Online Banking customers.

From the end of May 2018, we will be removing the keypad from the online sign-
in screen and replacing it with an open text box, which allows you to type in
your Customer ID and password.

...

Security Guarantee. We assure you that using the open text box to enter your
sign-in details carries the same high level of security ..."

Passwords remained fixed at 6 characters however.

~~~
loeg
The US treasury does/did this on-screen keyboard thing as well (at least up
until I stopped needing to login to that website within the last year or two).
The "best" method I had around it was to copy the password out of my manager,
use developer tools to find the '<input type="password">' element, and add
'value="[paste]"' manually.

~~~
manmademagic
I used to bank with WestPac and from memory it wasn’t possible to do this as
they had some additional javascript running that would cipher every letter.

------
rasikjain
You should report to proper authorities about the severity of the issue. Reach
out to their security or technical higher up department of the bank.

In your case, they may or may not be storing the password in cleartext. They
might be using the two way encryption instead of one-way hash. Passwords
should be hashed (with salt) and it is irreversible.

For a financial institution, revealing your password by a customer service rep
is a big red flag. I would reach out to concerned authorities and do a proper
disclosure.
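
As an added example of the "hashed (with salt), irreversible" storage this comment asks for, and of the "hash+salt+iterations" columns bob1029 says legacy systems lack: the Python below is written for this thread, not taken from any bank or commenter. It stores a PBKDF2-HMAC-SHA256 digest with its own salt and work factor, verifies in constant time, upgrades an under-iterated record at the one moment the plaintext is legitimately in hand (a successful login), and converts a cleartext column in bulk without user involvement. The record layout, field names and `CURRENT_ITERATIONS` value are assumptions made here.

```python
"""Salted, iterated one-way password storage with a migration path away from
a cleartext column.

Added example for this thread; it is not the code of any bank or commenter.
The record layout, the field names and CURRENT_ITERATIONS are assumptions.
"""
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 200_000   # policy value; raise over time, old records keep their own
SALT_BYTES = 16


def make_record(password: str, iterations: int = CURRENT_ITERATIONS) -> dict:
    """Return the only thing worth storing: scheme, work factor, random salt, digest.
    Nothing in the record can be turned back into the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare in
    constant time. A record that is not in the hashed scheme is refused outright."""
    if record.get("scheme") != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict) -> bool:
    """True when the record was made under an older, weaker work factor."""
    return record.get("scheme") != "pbkdf2_sha256" or record["iterations"] < CURRENT_ITERATIONS


def login(record: dict, candidate: str):
    """Verify and, on success, upgrade an under-iterated record. Login is the one
    moment the plaintext is legitimately available, so rehashing happens here.
    Returns (ok, record_to_store)."""
    ok = verify(record, candidate)
    if ok and needs_rehash(record):
        record = make_record(candidate)
    return ok, record


def migrate_cleartext(legacy_row: dict) -> dict:
    """A cleartext column needs no user interaction to migrate: the plaintext is
    already on hand, so hash it once, in bulk, and wipe the original field."""
    record = make_record(legacy_row["password"])
    legacy_row["password"] = None   # never keep the plaintext next to the hash
    return record


if __name__ == "__main__":
    # Constructed sample row, shaped like a cleartext column would hold it.
    row = {"user": "alice", "password": "correct horse battery staple"}
    rec = migrate_cleartext(row)
    print(row)                                            # password field wiped
    print(verify(rec, "correct horse battery staple"))    # True
    print(verify(rec, "Correct horse battery staple"))    # False
```

The point a support tool cannot get around: once the row holds only `salt` and `hash`, a rep's lookup can return nothing better than "matches" or "does not match", which is exactly the property the thread is missing.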

~~~
notyourday
> You should report to proper authorities about the severity of the issue.
> Reach out to their security or technical higher up department of the bank.

Switch your bank.

Do not reach out to the bank's security/technical! There's a non-zero chance
that the response from the bank would be to reach out to the FBI and claim
that you are the "hacker". It will create an enormous headache for you.

If you are going to reach out to anyone, reach out to the OCC.

~~~
carapace
[https://www.occ.treas.gov/](https://www.occ.treas.gov/) ?

~~~
notyourday
Yes

------
davismwfl
Wow. Did they repeat your password or some hint you typed in a long time ago?

FWIW I have seen two companies that store passwords properly in a one way hash
with salt but store statistics on every password like number of case changes
and count of numbers and total length. I personally think that practice is
infinitely stupid but can explain why they can say it has 3 numbers in it. One
major marketing firm I did work for did that until we showed them why it was
so dangerous. They were just trying to make users' lives easier but that wasn’t
a smart trade off.

Personally I would like to know which bank. I have accounts at a number of
major US banks and if one I use is doing this I’ll move everything out of them
immediately.

Edit: to answer your question I’d hand the info to a major investigative news
source and let them dig more. The FTC and banking regulators I don’t think
will get involved unless there was damage.

~~~
plsdonthack
They're a three letter acronym that starts with P and ends with C.

~~~
keenmaster
Wow, they should know better. That’s really mediocre if true. Call the OCC
consumer hotline which is listed at the following link
[https://www.occ.treas.gov/topics/supervision-and-examination...](https://www.occ.treas.gov/topics/supervision-and-examination/dispute-resolution/consumer-complaints/index-consumer-complaints.html)

Tell them you’d like to file an “Official Complaint” regarding a serious cyber
security issue at that bank, and to transfer you to whoever handles official
consumer complaints regarding cyber security. Regulators are sensitive to the
word “complaint” (specific wording matters) and typically require that
complaints are stored, prioritized, and handled in a prescribed way.

Ask them if they can get back to you with any resolution and leave your
contact information. Update HN if you’re comfortable with that. Good luck.

------
loteck
Genuinely curious, why not name the bank here?

It certainly isn't going to be news to the bank itself, so there aren't
responsible disclosure concerns here.

And since the top advice here is to leave the bank, wouldn't the best thing
you can do be to alert the public, so others can protect themselves as well?

~~~
baron816
Looks like it’s PNC. Everyone here, move your money now.

~~~
altcognito
Or don't make financial decisions based on vague anonymous internet comments
until you've investigated for yourself.

~~~
prklmn
Do you want this person to mount a full blast investigation on their own? Most
banks are mostly interchangeable nowadays unless you live in a small town and
there’s only one bank you must use because you’re transacting with cash. They
pay nearly zero interest, and they treat their customers like trash with
monthly fees galore.

~~~
thinkingemote
Thank you, yes I will certainly change all my financial set up based on no
further information than these two alarming comments. Who needs to look further
into things - they are all the same after all.

------
_Understated_
Why not reach out to someone like Brian Krebs? He has a pretty large reach and
can potentially make people take notice.

Try @briankrebs on Twitter.

~~~
Wheaties466
Alternatively I feel like Troy Hunt may also be able to help

[https://twitter.com/troyhunt](https://twitter.com/troyhunt)

He runs the @haveibeenpwned service

~~~
daveoc64
Troy has actually covered a similar topic to this in the past:

[https://www.troyhunt.com/banks-arbitrary-password-restrictio...](https://www.troyhunt.com/banks-arbitrary-password-restrictions-and-why-they-dont-matter/)

His viewpoint seems to be that poor security practices around passwords in
banks are not a big deal, due to the overall processes that banks use to
prevent fraud.

~~~
loeg
I would tend to agree, for now, except that banks are doing their best to
shunt responsibility for fraud onto merchants and customers. There are obvious
financial incentives that will encourage them to continue trying to do so.

------
thdrdt
Can you explain what you mean by "describe my own password to me"?

As others point out: maybe they store some things about your password like "has
four digits, starts with an S".

This does not mean they store your password in plain text.

Everybody here starts shaming and naming but be very careful with that. Before
you know it you shame a company while there is nothing going on.

------
loufe
My bank just changed from a 6-number password (literally no option for more or
less characters nor anything but digits) to rational passwords this month. I
don't know how my WoW account 10 years ago needed an authenticator but the
people managing my retirement savings didn't light a fire under asses to get
that done.

Legislation should have and likely still should be put in place.

~~~
nolok
Your WoW account security was done with post-2000 tech, your life savings
account security still depends on 1970s mainframe rules.

I agree about the legislation part.

------
bodhi_mind
Hashing passwords has been ingrained into our brains as it's an easy way to
reduce risk. That said, sometimes sensitive information needs to be stored in
a retrievable format (subscription credit card processing comes to mind).
Every data decision that's made has an element of risk involved while
accomplishing an end goal. With the right processes in place (encryption,
limiting access (auditing that access), decryption authorization), the risk
can be reduced to an acceptable level.

I don't think we have enough knowledge of the risk and processes in place at
this bank to say if it's an issue.

~~~
coenhyde
I think you're prematurely jumping to the defense of this bank. What we do
know is that the customer service rep was able to read the user's password in
plaintext. Even if there is a "legitimate" reason for storing in a retrievable
format (probably due to compatibility with legacy systems) the fact that the
customer service rep could access that password tells me they do not have
appropriate access control.

~~~
bodhi_mind
Just to play devil's advocate:

What is a secure hypothetical way of granting access to an account when the
customer lost access to their email and phone (so no pw reset or 2 factor
authentication will work)?

The bank has to have other processes in place. They're not going to keep your
money from you. Let's say they accept a driver's license as authentication or
a debit card. These methods are way less secure than a secret password and
_possibly_ introduce more security risk than a rep having access to view a
password.

A bad actor rep could then [almost] just as easily get a fake ID created to
get the same access the password would have granted. I'm also assuming that
the password was completely visible, not just a truncated version.

This is the root of my concern of not knowing all the risks and processes
involved. I don't want to jump to conclusions without knowing the whole
ecosystem.

------
jonplackett
Banking security is a joke.

My bank calls me to talk to me and insists I give them my date of birth and
address to ‘verify’ myself.

Meaning anyone can call me, pretend to be my bank, I am supposed to give them
this info, and then they have what they need to verify themselves as me.

Banks are dumb.

~~~
anonsivalley652
I did some tech consulting with some ex-banking Wall St. consultants. It's not
a monolith. That industry is very conservative, and some companies get so
frozen in time that they become complacent and go full Equifax. They're always
playing catch-up because every criminal and most people would like to rob a
bank without a gun, so their threats are numerous and perpetual. (And then
there's Wells Fargo.)

It seems like banks should adopt that credit-file-based challenge protocol
with the multiple choice questions containing ~50% or so spurious data that
answers (None of these). I had to do it to reset a hospital's patient login
for myself the other day.

DOB, SSN, address, phone number aren't secret-enough "things you know" or
"things you can do." For signatures, I always sign a smiley face because
they're completely worthless.

Perhaps even better would be to:

0\. have the bank have a relationship with the customer

1\. issue 2FA device or soft-2FA

2\. use per-customer colors, pictures and words on the password screen to
deter impersonation and phishing attacks

3\. It seems like hardware is so cheap these days, the bank could issue
customers a hardened tablet with a pin, biometrics & face recognition that
VPN'ed back to them and functioned only for their banking apps. It's much
easier to support and harden one controlled device than zillions of likely
malware-infected Chrome on Windows 10 or macOS Catalina's Safari on unsecured
public WiFi.

~~~
gruez
>2\. use per-customer colors, pictures and words on the password screen to
>deter impersonation and phishing attacks

I've seen this on multiple sites, and I always thought it was snakeoil. All
you need to do to bypass it would be to make your phishing server contact the
bank to request the per-customer color/picture/word.

------
wj
Wells Fargo used to require that a new password be sufficiently different from
an old password. e.g. if my password was "Madison111$" I could change it to
"Madison222$" except that when I did so I would be prompted to change it again
the next time I logged in. Since I always iterated on a version of my password
this was an issue. The reason was explained to me when I finally called and
asked why I was being required to change my password every single time I
logged in. So, I changed Madison to Matthew and was good to go.

Not sure how they were doing that if they weren't storing the password in
plaintext.

~~~
apocalyptic0n3
It is definitely possible to do that. When the user submits a password to
save, it hashes it and saves it to the database. At the same time, it
calculates x number of variations of the passwords, hashes those, and saves
those to the database as well. The next time you go to update your password,
the hash gets compared against the actual previous hash as well as the x
number of hashed variations and if any match, it gets rejected.

Not super efficient and in most cases, probably not worth the effort. But
completely doable to do.

~~~
StavrosK
How many variations will you store? It's very easy to calculate the
Levenshtein distance on plaintext data, but basically impossible to enumerate
all the variants and hash them.
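
The hashed-variant scheme apocalyptic0n3 describes and the Levenshtein comparison StavrosK mentions, worked through as an added example (Python written for this thread; not the code of any bank or commenter). It goes one step beyond the exchange: the check against the *current* password needs no stored plaintext at all, because the user types that password to authorise the change, so edit distance can be computed on the spot. Only the check against *earlier* passwords has to work from hashes, and there the coverage is exactly as wide as the variant generator, which is StavrosK's objection. The variant rules, `ITERATIONS` and `HISTORY_DEPTH` are assumptions made here.

```python
"""Rejecting a new password that is too close to old ones, without a plaintext store.

Added example for this thread (not any bank's code). Two checks are combined:
 1. Against the current password: the user supplies it to authorise the change,
    so an edit-distance (Levenshtein) comparison needs nothing stored in clear.
 2. Against earlier passwords: only hashes remain, so for each retired password a
    bounded set of predictable variants is hashed and kept; a new password is
    rejected if it hashes to any of them. Anything outside the generator's rules
    slips through, which is the limitation StavrosK points at.
The variant rules, ITERATIONS and HISTORY_DEPTH are assumptions made here.
"""
import hashlib
import os
import re

ITERATIONS = 50_000       # kept low for the demo; production would use far more
HISTORY_DEPTH = 3         # how many retired passwords are remembered


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def variants(password: str) -> set:
    """Predictable tweaks people make when forced to rotate: swap a digit run for
    another repeated digit or for the next number, flip letter case."""
    out = {password}
    for m in re.finditer(r"\d+", password):
        run, head, tail = m.group(), password[:m.start()], password[m.end():]
        for d in "0123456789":
            out.add(head + d * len(run) + tail)
        out.add(head + str(int(run) + 1).zfill(len(run)) + tail)
    out |= {password.lower(), password.upper(), password.swapcase(), password.capitalize()}
    return out


class PasswordHistory:
    """Per-account store of salted hashes of retired passwords and their variants."""

    def __init__(self):
        self.entries = []   # list of (salt, set_of_hashes), newest last

    def retire(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, {hash_pw(v, salt) for v in variants(password)}))
        del self.entries[:-HISTORY_DEPTH]   # forget the oldest beyond the depth

    def matches_previous(self, candidate: str) -> bool:
        return any(hash_pw(candidate, salt) in hashes for salt, hashes in self.entries)


def change_password(history: PasswordHistory, current: str, new: str,
                    min_distance: int = 4) -> str:
    """Return 'ok' or the reason the change is refused. 'current' is what the user
    just typed to authorise the change; it is compared and then discarded."""
    if levenshtein(current, new) < min_distance:
        return "too_similar_to_current"
    if history.matches_previous(new):
        return "matches_previous"
    history.retire(current)
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through using the passwords from wj's comment.
    h = PasswordHistory()
    print(change_password(h, "Madison111$", "Madison222$"))   # too_similar_to_current
    print(change_password(h, "Madison111$", "Matthew111$"))   # ok
    print(change_password(h, "Matthew111$", "Madison222$"))   # matches_previous
```

Note what the second check can and cannot do: "Madison222$" is caught only because the generator enumerates repeated-digit swaps; a rewrite the rules never anticipated is invisible to it, and widening the rules multiplies the hashes stored per retired password.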

------
foreigner
Something similar happened to me once. An e-commerce platform gave my wife my
plaintext password. It was my "low security" password, the same one I used in
dozens of sites. That's when I started using a password manager so now every
site gets a different random password.

------
vegardx
It never ceases to amaze me what the state of online banking is around the
world.

Here we have something called BankID which comes in two flavors, one that is a
physical token that generates TOTP used to log in, either in a combination
with a password or a PIN on the token device itself, referred to as BankID.
And the other, much slicker solution, called BankID on Mobile, which runs as a
SIM application on your phone where you digitally sign the login request using
a PIN. The user can also verify the request visually on both the computer and
phone using a unique keyword.

One killer feature with BankID is that you can use it to log in to any service
that has BankID, like your insurance company, looking at your tax return,
other banks, etc. This is perhaps the biggest issue with it since the system
can get overloaded when there are country-wide rollouts of tax returns and
such. This has become much better lately since they've started to roll out
things like tax returns as soon as they're ready instead of doing bulk
releases.

~~~
rimliu
Sweden? Here (Baltics) we have SmartID or mobile signature or hardware
password generators (TOTP). No stupid passwords.

~~~
vegardx
Norway, but I would imagine it's the same or same-ish solution given that
banks in Scandinavia and Baltics operate more or less the same way.

------
rs23296008n1
Move your money to a different bank.

Now that banks aren't paying useful interest rates they are mostly only
tolerable for security and convenient access to your money. If they can't do
those two then... what exactly are they for? Likely nothing.

~~~
plsdonthack
It's for an auto loan.

~~~
rs23296008n1
Be extra careful with your details associated with that account and anything
it touches, e.g. any direct debits might "change" without notice. Enable all
added security you can.

But realistically, there are no silver bullets. Refinancing can be expensive.
Cost/benefit applies: Might not be worth refinancing just for this. Just be
vigilant about the accounts involved.

I had a phone company that bragged about its security. So I tested them out.
Yup they sent my password via text. Ok then. Contract was for six months. Not
worth switching. But also not worth _renewing_.

------
tentboy
Since it seems this is PNC, I am one of those who now needs to find a new
bank. Any recommendations? I used PNC for my checking/credit but already use
an American Express high yield savings.

I was thinking maybe Capital One?

~~~
Spooky23
Why? The compliance requirements don't require hashing (iirc, "commercially
reasonable" protection is/was the standard), so you should assume that any
other bank is doing the same thing, as they probably are.

All that is needed to steal your money is the bank account number, which you
probably have mailed out or otherwise provided to numerous random third
parties, who process them with other third parties. There's almost no
information in there that isn't already available to anyone who cares to look.

A more reasonable approach that actually impacts your security would be:

\- Opt-out of electronic communication and get paper statements and account
notifications. (This ensures that you receive notice, in the mail, about
changes of address and other changes)

\- Opt-in to notifications about large transfers or low balances.

\- Disable Bill Pay features at the bank.

\- Disable external ACH transfers.

\- Request wire transfer privileges, which with some banks allows you to get a
physical token to secure access to your account.

\- Use a dedicated PC/iPad/Chromebook/etc for your banking to reduce the risk
of malware capturing your banking details.

If you're going to switch banks over this, look for a credit union small
enough that they use an off the shelf banking solution, and figure out what
the default configuration of the solution is.

~~~
tentboy
Thanks for recommendations. I will admit I overreacted when I saw the headline
and found out it was PNC. Just not the thing I expected to start my day
hearing.

I already use 2FA, a unique password only with PNC and alerts on all account
activity, including logins.

I will look into some of the things you listed!

------
huac
Fidelity's passwords map to characters on the phone keymap, e.g. the
characters "j,k,l,J,K,L,5" can all be represented by the number 5 on the
phone. Holy entropy, Batman!

~~~
euix
I can attest to this. When you call in you just have to type in your
alphanumeric password completely using the 10 digit phone pad. Just like in
the 90s. On the other hand Fidelity has the best customer service I have ever
experienced so I guess everyone has competencies.

------
topkai22
Does anyone know if PCI rules call for non reversible storage of passwords
(hashing)?

I looked quickly online but the only reference I could find was that
"passwords are protected by strong cryptography in transit and at rest", which
seems to allow wiggle room to store passwords in reversible but encrypted
format.

------
zxcvbn4038
There is not much you can do, I’ve tried to inform banks of security issues in
the past and all that happens is you get a form letter saying thanks for
writing we are doing that on purpose for reasons we can’t explain to you and
we’re not interested in outside help. Synchrony and Citibank, I’m looking at
you.

------
alkonaut
What does the password give access to? Full online banking (e.g. being able to
do transactions?). Does login not require any further authentication beyond
the password?

If the authentication still requires using some kind of good 2FA then it's
less serious to have the password in plaintext. Still bad of course.

If this is for some other service that doesn't let you do any transactions
then it's not as serious either (still bad and embarrassing, but not that
serious)

Even with properly hashed passwords etc I'd be worried if my bank allowed
login with only a username/password and no further security. I didn't think
even that was a thing in 2020.

------
lpilot
Santander in the UK does this too. You can tell because they only ask for 3
characters out of your password whenever you log in. What's ironic is that
whoever did that probably thought they were being super clever.

~~~
deforciant
Other banks in the UK do that as well; shouldn't they all be reported for this?

~~~
daveoc64
To whom, and on what basis?

There is nothing in UK law that says banks have to store your passwords
"securely".

Issues like this have been raised in the past, and authorities like the ICO
have said no law is being broken. GDPR, for example, does not specify
technical mechanisms required to store any form of data.

~~~
Recursing
See
[https://news.ycombinator.com/item?id=22356101](https://news.ycombinator.com/item?id=22356101)

~~~
daveoc64
Unfortunately, they are still non-committal on what is required. They advise
that passwords should be hashed, but there is nothing that makes that a
binding requirement.

The gist is still "do what you think is appropriate".

The ICO talks about balancing risks and convenience, and the banks will argue
that their systems are secure overall, and don't make the consumer liable
anyway.

Under the ICO's guidance, an organisation could argue that plain text (or
reversibly encrypted) passwords allow them to do things like password
reminders.

You or I might think that's terrible, but they can argue that it's a better
user experience.

~~~
Recursing
Are you sure? What about the fines they're already giving?
[https://news.ycombinator.com/item?id=18531588](https://news.ycombinator.com/item?id=18531588)

~~~
daveoc64
That's in Germany. It's up to the regulator in each country to enforce the
rules.

The ICO has a reputation for being toothless.

------
overgard
I once did an API integration with a very popular well known brokerage. When
we asked for a test account for their API... well they didn't have a test
environment, so they just gave us a real account with 10k dollars in it with
instructions to be careful. The test account was something like "apitest11"
and the password was like "11apitest". Did that money mysteriously get stolen?
Yup! (Not by me definitely, but that account must have been shared with 15 or
so people, with a trivial password if it had been an outsider)

------
akerro
When I went to TSB (UK) to open an account for my partner and she was asked to
type her password on their computer, she asked when she could change the
password and whether there were any limitations, like waiting 3 days before
changing the password. The assistant responded "why would you ever want to
change your password? you can type any password you want now, just please type
your password". This was so weird we didn't use the account for a few days,
changed the password, waited a few days again and after that deposited money.

~~~
mehh
But you were talking to a clueless bank clerk, not their Chief Infosec
Officer, so not really that significant.

------
satya71
That's still better than the SSA. Every employer must use SSA to submit W-3 to
report employee wages. They only accept case-insensitive passwords up to 8
alpha-numeric characters.

------
benmmurphy
A popular bot protection system provided by a third party used by a number of
US banks would accidentally disclose plaintext usernames and passwords to the
bot protection software.

I'm not sure how the bot protection software was deployed but looking at
marketing materials I suspect the data was sent to the third party as part of
a SAAS service.

We believe this was accidental because a later version of the software stopped
doing it. I'm not sure if there was a notification by the third party to users
about this flaw.

------
aichi
Same surprise for me when I got back my password from AMEX over phone.

------
speedplane
The law is not behind or antiquated in this case. Bank cybersecurity has been
regulated for quite some time now, and failing to adequately secure your
digital assets is a compliance violation no different than failing to catch
obvious fraud.

It's very likely that your bank is based in and regulated by New York State,
even if it isn't physically based there. Contact the NY State attorney
general's office; they should take you seriously.

------
avbanks
There's a similar issue with Wells Fargo. I think it has to do with banks they
acquired (in my case Wachovia). My passwords are not case sensitive.

~~~
viggity
Wells Fargo isn't really Wells Fargo. It was a massive bank in the midwest
called Norwest (based in MN, but offices all over midwest). Norwest acquired
WF primarily for the superior name recognition. The merger with Wachovia
happened after that.

For the longest time you could set your password to be anything, but they
only checked the first 8 characters and it wasn't case sensitive. Just chalk
it up to shit being written in the 80s.

------
neutrin0
You definitely need to tell somebody that they should be encrypting their
passwords using something like Format Preserving Encryption. FPE
[https://www.tokenex.com/blog/format-preserving-encryption-an...](https://www.tokenex.com/blog/format-preserving-encryption-and-nist-800-38g-what-you-need-to-know)

------
pedalpete
This is doubly bad because not only is your password in plaintext, it also
means that anybody who works for the bank is able to view said password.

Don't get me wrong, plaintext stored in a DB is bad enough, if the DB gets
compromised, but apparently they don't even need that as they have an
interface that customer service can use to view your password.

How secure do you think that system is?

------
mindslight
Use a generated unique password for every site, preferably with a password
manager. Along with the _absolutely most important_ thing you can possibly do
for banking security, which is to check your statements/transactions promptly
every 30 days. Beyond that it's not really your worry, besides having to
possibly attend to helping them clean up any messes.

------
imtringued
It is possible that this is intended and that they will prompt you to enter a
new password on login.

Ask yourself these questions:

Are you sure it was your password? Did they generate a password for you? Did
they verify that you are the account owner by asking you to enter the
"hotline-pin"?

------
solumos
A friend of mine wrote a newsletter on this topic last year - banks are full
of anti-patterns!

[https://whyisthisinteresting.substack.com/p/why-is-this-inte...](https://whyisthisinteresting.substack.com/p/why-is-this-interesting-the-security)

------
tibbydudeza
My bank uses 2FA or biometric via their android app to approve all payments
and adding of new beneficiaries on their online banking platform.

But it is a pain when I switch phones and need to get the old one deactivated
and the new one authorized.

------
INTPenis
Some people have noted that they might store part of your password, but they
could also be using some sort of master key to encrypt their passwords.
Meaning they can also decrypt them and provide a UI for their help desk.

Still awful, but not as awful.

~~~
FractalParadigm
Hypothetically, if that were the case, it creates a single point of failure
for the whole system and is effectively "security by obscurity," imo. A
malicious actor with the time, resources, and/or internal connections could
obtain said master key and have access to the entire bank's database.

------
tylerburnam
You should give them 7 days and tell them you have a responsibility to let the
community know what bank it is. You should communicate this clearly to the
bank and then let us know.

------
exabrial
Nearly all of them do unfortunately. They will only change this after getting
hit with massive fines from a data breach.

What you should do: Never reuse a password when working with financial
institutions older than 5 years old.

------
fazilakhtar
I got locked out of my account (forgot my password) with said bank and they
had no way of telling me my password. Had to wait for them to send me an OTP
mailer so that I could login and create a new password.

------
mywacaday
I was going to say vote with your money and leave but then it occurred to me
where do you go, is there any public list of banks or institutions that have
passed some kind of security audit?

------
baby
They have to no? If you want to link some other bank accounts you have to give
them the associated credentials that they pretty much have to store in clear
(or encrypted at rest whatever).

------
drenginian
Just do a Tell HN: Bank of Foogistan stores passwords in plain text.

Don’t agonize about it so much; it’s not like you’re going to hurt the bank's
feelings.

No one will notice or care anyway and banks deserve what they get if they do
this.

And if the bank does pay attention they’ll just fix it and move on. Don’t know
why you feel this is such a big deal.

Who would you tell that would even care? I can’t imagine the police jumping
into their car with sirens screaming. “I wish to report a terrible crime”.

------
rlewkov
1) Inform the bank

2) Inform the FDIC

3) After a reasonable amount of time inform the public

------
throwbanktest
(Throwaway for obvious reasons)

Proud of my bank in India (State Bank of India) which is crazy over security.
Secure password requirements for login. Another completely different password
for managing my banking profile and adding bank transfer beneficiaries. OTP
for each money transfer related activity I do from the bank.

------
robjan
Was it a password or secret question like "mother's maiden name"?

------
greenie_beans
can you tell us the name of this bank so we can avoid business with them ?!

------
jacobsenscott
perhaps it is encrypted, rather than hashed.

------
daebersold
Move your money. Support your local/regional banks.

~~~
gruez
Are local/regional banks more likely to have better security practices? I'd
think they have worse ones, especially since they don't have the money for
cybersecurity consultants which are usually fixed cost.

------
paulie_a
Name and shame

------
riffic
name and shame.

------
NicoJuicy
If the bank is in Europe also, it's a GDPR breach.

~~~
szatkus
How? My qwerty123 password isn't information directly connected to my
identity.

~~~
NicoJuicy
GDPR Password Policy: Critical Components

[https://www.enzoic.com/gdpr-password-policy-critical-compone...](https://www.enzoic.com/gdpr-password-policy-critical-components/)

------
mgamache
The password is probably encrypted using a two-way hash. It's not as secure as
a one-way hash, but you can't see passwords by running a SQL query.

~~~
resoluteteeth
What is a "two-way hash" and how is it different from normal encryption?

~~~
mgamache
[https://cs.stackexchange.com/questions/69422/two-way-hash-fu...](https://cs.stackexchange.com/questions/69422/two-way-hash-functions)

------
Urgo
If this is really happening this is a serious issue that needs to be fixed
ASAP and everyone alerted..

but.. something doesn't look right here..

OP is a throwaway account created today, which I can understand for this type
of thing.. but...

they withheld the bank name in the title/desc.. okay again a responsible thing
to do.. but...

when asked what the bank name was in the comments they were not shy at naming
it..

Something just doesn't feel right. Why the sudden change of heart?

For everyone's sake I hope I'm right, that this is just FUD.. to the OP if you
really are serious I'm sorry, and please do report this ASAP.

~~~
plsdonthack
Unfortunately I'm not awake at all hours of the day to respond to internet
comments. But if you want further evidence that their passwords are indeed
stored in plaintext, consider that their password rule prohibits the special
characters !, /, \, <, >, etc. You can verify that yourself.

~~~
perpetualpatzer
This is weak evidence as these rules could be implemented at the point of new
password entry, prior to encryption/storage.

------
matz1
Is there actual damage? At the end of the day, as a customer, all I care about
is that my money is available (not stolen) and I can access it when I need it.
Why should I care about implementation details?

~~~
danbolt
I feel the bank should be liable for stolen funds or information in the case
of a security breach.

~~~
matz1
Yes, I expect the bank to protect my money. What I'm saying is how they
actually do it, clear text pwd or whatever is not really my concern. Why
should I ?

~~~
jakelazaroff
You’re right, you’ll probably get your money back if your password gets
stolen.

Eventually. Might be real disruptive if you’re in the middle of buying a
house.

I’d probably choose my bank to minimize my chances of dealing with a giant
bureaucracy for however long (and the non–zero possibility that I actually
_won’t_ get my money back). But if that’s not “damage” to you, feel free to
keep doing business with them!

~~~
matz1
>Might be real disruptive if you’re in the middle of buying a house.

Agree, I consider this a damage, but if the bank can avoid causing me any
disturbance despite using clear text passwords or <insert any other
questionable security practice>, then why should I be concerned?

~~~
afarrell
The same reason you might be concerned even if a doctor can deliver a baby
safely despite not washing his hands in between a cadaver examination and
touching your wife.

Do you feel lucky? Well, do ya?

~~~
matz1
Sure, if the doctor can deliver a baby safely without causing any other damage
despite not washing hands, then what's the issue?

That's why I asked what the actual damage is. Is the money stolen? Can the
money not be accessed? If the bank doesn't do me any actual damage despite
the clear text password then I don't see why I should be concerned.

I guess I can see that for some people, clear text password usage can cause
them anxiety and lose some sleep.

~~~
afarrell
Are you genuinely saying that when you see someone putting you at risk, that
you do not see a problem with it _until_ a problem actually occurs?

Imagine you worked in a building for a week and didn’t die in a fire. Would
you have a problem with discovering that the wiring was done by an amateur,
there were piles of lint and fabric everywhere, and there was only one
revolving-door exit?

If yes, then you understand the problem of risk and it's just a question of
magnitude.

If not, then you should be aware that you see the world _dramatically_
differently than most people.

~~~
matz1
The risks are highly exaggerated; the damage may never occur in the first
place.

It may seem unlikely that the bank can keep my money safe by using plain text
pwd but if they can somehow do that, why do I care.

Even in the unlikely event that the money is stolen, if the bank can handle
that without causing me disruption then what's the issue.

------
0x3RO
Do you really think the only thing the bank does to log people on is to check
the username and password? Banks are way more sophisticated than this and it
goes well beyond merely string-matching credentials; there's all sorts of
other environment, behavioral and heuristic patterns used to establish
legitimacy. Even if you raised this issue with the bank, they'll hardly change
their modes of operation, and you certainly won't ever see a bank telling you
how they do it, but those "hidden security features" make a significant
contribution to the bank's security posture; ie:
[https://twitter.com/mbna/status/1016270694299127809?s=20](https://twitter.com/mbna/status/1016270694299127809?s=20)

~~~
0x3RO
In addition to this, you might be interested enough to take note of a number
of your bank's arbitrary password rules, that one could follow to make
similarly negative assumptions. i.e. "hey [bank], because my password is
limited to 16 characters, does that mean you've got a varchar(16) column
somewhere storing plaintext?"
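
Several threads above turn on what a one-way password store can and cannot do: mgamache and resoluteteeth on "two-way hash" versus a one-way hash, INTPenis and FractalParadigm on a master key that lets a help desk decrypt, plsdonthack and perpetualpatzer on whether forbidden characters prove plaintext, and the varchar(16) question just above. The block below is an added example, not code from the thread or any bank: a salted, iterated one-way verifier with the policy check applied before hashing. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for a memory-hard KDF (Argon2id or scrypt would be the production choice), and the password policy in it is constructed for illustration. Nothing in the stored verifier lets a help desk read the password back, check three of its characters, or tell how long the original was, and there is no decrypt function for a master key to unlock.

```python
"""Added example (not from the thread): a salted one-way password verifier,
with the entry-time policy check kept separate from storage.

Assumptions: PBKDF2-HMAC-SHA256 (stdlib) stands in for Argon2id/scrypt; the
policy constants are constructed, not any real bank's rules.
"""
import hashlib
import hmac
import os
from typing import List

PBKDF2_ITERATIONS = 600_000      # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32
ALGO = "pbkdf2-sha256"

# Constructed policy resembling the "no ! / \ < >" rule quoted in the thread.
# It runs on the submitted password BEFORE hashing, so a character or length
# rule says nothing about how the password is stored afterwards.
FORBIDDEN = set('!/\\<>')
MIN_LENGTH = 12


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted(FORBIDDEN & set(password))
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def hash_password(password: str) -> str:
    """Derive a salted one-way verifier: 'pbkdf2-sha256$iters$salt$key' (hex fields).

    A fresh random salt per password means two users with the same password get
    different verifiers, and the output length is fixed by DERIVED_KEY_BYTES,
    not by the password, so no varchar(n) limit comes from this column.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES)
    return f"{ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier with the stored salt and compare in constant time.

    This is the only operation the store supports: yes/no for a full candidate.
    There is no inverse, so a help desk cannot read the password or check a
    three-character subset of it from this record.
    """
    algo, iters, salt_hex, key_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported verifier format: {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters),
                                    dklen=DERIVED_KEY_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


if __name__ == "__main__":
    chosen = "correct horse battery staple"          # constructed sample
    print("policy:", check_policy(chosen) or "ok")
    record = hash_password(chosen)
    print("stored:", record)
    print("login with right password:", verify_password(chosen, record))
    print("login with wrong password:", verify_password(chosen + "!", record))
    print("record length for 4-char vs 64-char password:",
          len(hash_password("a" * 4)), len(hash_password("a" * 64)))
```

The contrast with the master-key scheme is structural: that design needs a `decrypt()` somewhere, and whoever holds the key (or the help-desk UI built on it) can recover every password; the one-way design has no such function to expose, which is why rules like "we can remind you of your password" or "enter characters 2, 5 and 9" are the tell, while character or length limits on their own are not.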

