Hacker News
The Risk of Weak Online Banking Passwords (krebsonsecurity.com)
84 points by feross 72 days ago | 83 comments

I often wonder why not all websites (especially delicate ones like ebanking) show the number of failed login attempts since the last successful login.

That would raise awareness with users (ok, maybe scare some people) and give me some hints that my account may be under attack...
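As an added illustration of the proposal above (not code from the thread or from any bank), here is how a login service could derive that per-account counter from its own authentication log. The log format, user names and events are constructed for the example; the lockout threshold of six is the figure a later comment cites for PCI and is treated here as a configurable assumption.

```python
import re
from collections import defaultdict

# Constructed sample authentication log, one event per line: <timestamp> <user> <OK|FAIL>
SAMPLE_LOG = """\
2019-06-01T08:00:00Z john FAIL
2019-06-01T08:00:05Z john FAIL
2019-06-01T08:01:00Z john OK
2019-06-01T09:10:00Z john FAIL
2019-06-01T09:10:03Z john FAIL
2019-06-01T09:10:07Z john FAIL
2019-06-02T07:30:00Z alice OK
2019-06-02T07:31:00Z alice OK
2019-06-03T11:00:00Z john123 FAIL
2019-06-03T11:00:01Z john123 FAIL
2019-06-03T11:00:02Z john123 FAIL
2019-06-03T11:00:03Z john123 FAIL
2019-06-03T11:00:04Z john123 FAIL
2019-06-03T11:00:05Z john123 FAIL
2019-06-03T11:00:06Z john123 FAIL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(OK|FAIL)$")
LOCKOUT_THRESHOLD = 6  # assumed lockout figure; a later comment cites six for PCI

def failures_since_last_success(log_text):
    """Return {user: (failed_attempts_since_last_success, last_success_timestamp)}."""
    state = defaultdict(lambda: [0, None])  # user -> [pending failures, last OK]
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than miscount
        ts, user, result = m.groups()
        if result == "OK":
            state[user] = [0, ts]   # a success resets the pending counter
        else:
            state[user][0] += 1
    return {u: tuple(v) for u, v in state.items()}

def login_banner(user, stats):
    """Message shown to the user at their next successful login."""
    failed, last_ok = stats.get(user, (0, None))
    if last_ok is None:
        return f"{failed} failed attempt(s) on this account; no successful login recorded."
    return f"{failed} failed attempt(s) since your last successful login at {last_ok}."

def accounts_to_lock(stats, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose unbroken run of failures has reached the lockout threshold."""
    return sorted(u for u, (failed, _) in stats.items() if failed >= threshold)

if __name__ == "__main__":
    stats = failures_since_last_success(SAMPLE_LOG)
    for user in sorted(stats):
        print(user + ": " + login_banner(user, stats))
    print("lock:", accounts_to_lock(stats))
```

The same counter that feeds the banner is the one a lockout policy needs, which is the point made later in the thread about banks already collecting this data.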

> (ok, maybe scare some people)

This is probably why. The signal/noise ratio of people freaking out about 'their account being hacked' or 'bank xyz's terrible security because so many people hack my account every week' would probably completely overwhelm the security benefit. E.g.: '10 failed logins? why are you letting other people try to log into MY account???' etc.

Only way I could see this working is with industry wide support and a mass awareness campaign, and even then people would be annoyingly confused. (possibly worthwhile though)

Unless you have a very unique login, you are often going to see login attempts. Common names such as john, john123, john234, johnq, qjohn will happen more often, especially for a big site.

This will probably give rise to support calls to the bank...

Then you'll learn that your username is one that's under attack and that it's even more important to have a strong password. Put some useful documentation on the login page that explains it. What's wrong with that?

2FA and be done with it.

2fa is not magical. It makes an attack require more complexity, but it's not an "and be done with it," solution.

Have you seen how severely 2FA drops the rate of unauthorized accesses? It's incredible. What have you seen that moves you to hedge on the value of 2FA?

For one thing, the SIM swap attack [1]

[1] https://krebsonsecurity.com/tag/sim-swap/

In general, relying on a second factor whose security practices aren't the best, could actually compromise security compared to having a strong and unique password.

I personally wish that more banks would support 2FA authentication using a username/password in combination with TLS client side certificates.

SIM swap is not scalable. It exists, but the scale of attacks through SIM swap is not even remotely comparable to credential stuffing.

Requires forcing every PC case and laptop sold to have a slot for smart cards. Otherwise it is too inconvenient.

You could just put it in the certificate store on the machine rather than relying on external storage.

That's actually a great idea. Or how about a simple statistics email with a chart over time?

Particularly as they need to internally collect that information to comply with PCI (which requires financial orgs to lock accounts after 6 failed login attempts).

Because this would result in tens of millions of calls to the CS team to the general effect of "OMG someone is trying to hack my account!!! Do something!" to no purpose and decrease the adoption of a technology which materially increases per-user revenue and decreases per-user costs.

Even better: just show the last logins (both successful and failed). This way it also gives you a positive feel of security, because you can also see if e.g. a family member logged in etc.

This is the type of thing that sounds like a good idea in isolation but would be terrible in aggregate and over a long period of time.

Could you explain why? It’s not immediately evident to me...

It would freak Grandma the hell out even if she has a strong password.

This would, in turn, cause a lot of panicked calls to the bank.

So my understanding is that ultimately the bank is responsible for any loss on my end as a result of someone breaking into my bank account, therefore I don't really care if my banks don't follow best security practices.

I guess it's probably more complicated than that, so perhaps someone more knowledgeable can expand on what I can expect to happen if someone steals money from my bank accounts because of one of the vulnerabilities in the article?

> So my understanding is that ultimately the bank is responsible for any loss on my end as a result of someone breaking into my bank account, therefore I don't really care if my banks don't follow best security practices.

Remember that when you need to take a week off of work to deal with your bank after a breach zeroed your account. Remember that when you can't pay your bills during that time and miss a car/house payment.

Seems like another checking account with a month's worth of expenses in it could be a prudent idea.

Multiple accounts are a must. If you’re smart about it, you also won’t set up any kind of electronic transfer between them. Otherwise if one is hijacked the crook could initiate an ACH from the other accounts.

Without reusing the password, otherwise you've barely spread the risk.

Or a month worth of cash.

Unless it is also broken into...

Where do you bank that being a week late on a mortgage or car payment is even a problem? I've literally forgotten a car payment for a month and my next statement just had two payments worth. I've had my checking account zeroed, it took a 20 minute phone call and 1-2 business days to get fixed. I certainly did not have to take a week off work.

I had a "minor" issue with a transaction a few weeks back. My bank froze my card and wouldn't unfreeze it unless I called into a branch with photo ID. Said bank didn't have a branch on the right side of town, and the branches are only open 10-4 Monday through Friday, and the queues are 30+minutes. I took a half day, and it took them 5 days to send me out a replacement card (which I had to phone for, twice, because it's handled by a different department to the ID department).

It's not quite week off work, but definitely worth the hassle of using a password manager to avoid simple breaches.

So this is in the US, but I was looking at car loans just to see what the rates were compared to mine and there were reviews from people stating the bank repossessed their car a day after their first missed payment. Now this is only their side and I don't remember which banks and credit unions were receiving those reviews but I know there were multiple accounts of people with similar experiences and some of those lenders were nationally known banks. So your mileage may vary with car loan lenders.

> Now this is only their side and I don't remember which banks and credit unions were receiving those reviews but I know there were multiple accounts of people with similar experiences and some of those lenders were nationally known banks

It's not just only their side, the stories don't make a lick of sense.

A bank doesn't want your car. The value of the loan is much higher than the value of the car, and without the car, you probably can't go to work to pay them the balance.

If what those people claimed was true, they're probably leaving out the part about how they missed five payments in a row, and when they finally called the bank back the bank offered them a payment plan, which they also missed, and THEN the car was repossessed.

> car loans

Might have gotten results for 'auto title loans' mixed in?

I could see this for those, but even then it would be a stretch - the cost of the repo and redelivery upon eventual payment for most of the cases would quickly overwhelm any benefit

>even if your bank offers multi-factor authentication as part of its login process

All of my banks have security questions. This protects me by combining a password with some other passwords that are public information and that I can't change.

You by no means have to give your real information.

I recommend using something like Bitwarden's passphrase generator so all your answers are things like `concise myth bird`.

This way they are A: actually secure, and B: easily pronounceable, so that just saying "a bunch of letters and numbers" to a phone tech shouldn't work as I've heard people complain can happen when using normal passwords (e.g., c9b21s1qzs) for these fields.

Inaccurate but plausible is the advice I've been given for these. My bank insists on a "memorable name" (was formerly "mother's maiden name" - I confirmed it didn't have to be accurate), so I use one that was basically picked out of a hat, which has no connection to me or my family.

How legal is it to give false information to a bank?

> How legal is it to give false information to a bank?

Irrelevant. These are only security questions. They can be anything, and in fact, for most of them they are not supposed to know.

If you are applying for one of their products and you get a form, and THEN you provide false information, it's a different matter.

They are _only_ used for security, and now that it's "memorable name", it's not false information anyway. If the bank were using it for any other purpose, such as a credit check, that would be a different matter, and quite well might not be legal.

The difference is whether there is an intent to deceive for gain. Lying about my income on a credit application is different from lying whether my favorite food is pizza.

My banks "security questions" were my DOB and my country of birth - verified against my passport. Not really much help.

Hey, at least those are immutable and memorable facts. Not great from the standpoint of adding security, certainly, but I'd rather have that than things like "who is your favorite band", which I'll have no hope of reproducing five years from now, and which will only serve to lock me out of my own account.

I have this beat. My credit union used social security numbers as your login and your card pin as your password. And the only security question was date of birth to reset it.

Name and shame please, this is insane.

They changed it a couple of years ago, it was a credit union for employees of a major grocery store chain.

Or possibly even replacing the former with the latter.

Banks unfortunately often have deplorably backward as well as arbitrary password rules such as: "Your password must not be longer than 8 characters and must not contain any of these characters '@', '&', '/', '('." ...

Up until recently, a big Canadian bank only allowed 6 character passwords, and mapped whatever you typed into 6 numbers (e.g. Aa-Dd = 0).

Some financial institutions have rules like that for user names. Like, it has to contain a number even if your name is unique, etc.

I was trying to remember wtf the name of the new MFA standard that Chrome supports was, and it took me 10 minutes of Googling to find it (U2F[1]). If a security nerd can't even remember the name of the thing that's supposed to replace passwords, regular users will never figure it out.

You want to get rid of passwords? Stop allowing users to manage them. Make a browser plug-in support U2F, make it auto-generate passwords for sites, make it manage them internally. When you go to login to Chase, the browser will fill in the login details, after it has verified this is the Actual Real Site and not a phishing site. All access to this auth data will be based on a master password entered into the user's browser at start-up.

To reset an individual site's auth creds, the site can send a re-auth e-mail to the user. When the user clicks through, they can use the site's preferred verification process to show they are the real user. The browser can then generate and save new auth details for the site.

At no time did the user ever enter a password, but strong authentication data is still being managed independently per-site, the user can still reset any given site's auth details, and the user only has to manage one strong password on their client machine at start-up time. They can also use U2F with a second device for MFA.

[1] https://en.wikipedia.org/wiki/Universal_2nd_Factor

Or countries could solve the issue for their citizens instead of making everyone invent their own, like Estonia and quite a few other European countries have. By providing a physical card (or SIM) that allows people to log in where they want.

Many people will not want "help" from a government to authenticate and logging in to a non-government site.

Many people don't like passwords either. The point being that sometimes we have to go with things we don't find perfect, just tremendously better than what we have now.

So we can either:

(1) wait for 200 countries to properly implement secure hardware tokens for every citizen (population of Estonia: 1.3 million, population of the world: 7.6 billion) and wait for all apps and sites to properly support 200 different cards,

or (2) implement a universal http standard to abstract logins away into authentication managers.

The former requires bureaucracy, logistics, physical production and transportation costs, hardware adapters, and countless unknown considerations to get everyone in the world to be able to use it and get support for it.

The latter requires a browser plugin, and for web apps to implement an HTTP extension similar to a content security policy.

Or (3) implement a universal TLS standard to abstract logins away into hardware tokens... but that's exactly what we have but don't use super-widespread. Estonia has demonstrated the solution scales easily into millions, Latvia is working on it, Finland as well and a few other countries, but they're 15 years behind Estonia, and the rest of the world is at least two decades behind. I've always wanted to make wild predictions, now I can try: I think such personal hardware tokens will become wildly mainstream in 25 years, totally replacing passwords.

That could be very good. Or catastrophically bad.

> Make a browser plug-in support U2F


Good thing my bank artificially imposes length restrictions so that my password is exactly between 8-12 characters

My favorite is when they truncate it without telling you. It's a better UX though!

Mine silently truncates to 8 characters and does a case insensitive comparison. Good thing they have all the liability....
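As an added example (not from the thread or any bank's code), the weak comparison described above placed beside a hardened one, so the practical effect is visible: under truncation plus case folding, only the first eight case-folded characters ever matter, whereas a salted PBKDF2 hash of the full, case-preserved password rejects any shortened or re-cased guess. The passwords and parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import math
import os

# Weak scheme as described in the comment: compare only the first 8 characters,
# case-insensitively. (Constructed for illustration; not any real bank's code.)
def weak_matches(stored_password, supplied):
    return stored_password[:8].lower() == supplied[:8].lower()

def weak_effective_bits(alphabet_size=36):
    # Once case is folded, each of the 8 significant positions is drawn from
    # roughly 26 letters + 10 digits, so the whole space is ~ log2(36**8) bits,
    # no matter how long a password the user actually chose.
    return 8 * math.log2(alphabet_size)

# Hardened scheme: salt + slow KDF over the full password, constant-time compare.
# PBKDF2-HMAC-SHA256 is used because it ships in the standard library.
def make_record(password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def strong_matches(record, supplied):
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

if __name__ == "__main__":
    pw = "CorrectHorseBatteryStaple"   # constructed sample password
    print("weak accepts 'correcth':", weak_matches(pw, "correcth"))
    print("weak effective bits:", round(weak_effective_bits(), 1))
    rec = make_record(pw)
    print("strong accepts 'correcth':", strong_matches(rec, "correcth"))
    print("strong accepts full password:", strong_matches(rec, pw))
```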

What if they truncate AND lower case it without telling you?

Looking at you Wells Fargo

This aggravates me beyond belief. I have more secure passwords on random sites/accounts than I do on my financial accounts. Why do banks insist on restricting character limits to 12 - 20 characters?

> Why do banks insist on restricting character limits to 12 - 20 characters?

Because they are not hashing your password, therefore it needs to fit in plain text in their database column.

Citibank is even worse. I use a password manager and have used a 20+ character password for years. Every now and then, as happened a few months ago, they change the website in a way that breaks long passwords. So even though my password manager entered it correctly, it rejected my password until I had to reset it.

Same. At least they fixed the issue (years ago, to be fair) where you could log into your Citibank account and tweak the URL to see other customers' data...

Why doesn't Google or Apple have 'explain like I'm 5' explanations of how their password managers work? I don't use either service but this is a MAJOR opportunity to encourage their users to use a password manager and subsequently make their users more secure online.

I'm a big proponent of using a password manager and if I even remotely mention using iCloud Keychain or Google's password manager, people have zero idea what I'm talking about.

I agree. It’s odd that an article this technical goes on to recommend (or at least enumerate popular) password managers, but doesn’t mention Apple’s own KeyChain. It’s built into all iPhones and MacOS computers for god’s sake.

I personally don’t use any 3rd party password managers. I find KeyChain to work amazingly. There’s even a FireFox plugin that supports it.

A problem is that most users are likely in a mixed computing household, such as using an iPhone and a Windows Desktop. It would be a lot easier to suggest to some of my family, for instance, to use KeyChain if they had a good Windows client. (With the recent modern iCloud update in the Microsoft Store, I could even see this possibly happening, as opposed to the many years where iTunes for Windows was an afterthought.)

KeyChain is not an open standard and is not easily interoperable with other strategies or products. You shouldn't build best practice out of a single company's walled garden.

What FireFox plugin is that? I've been looking for a solution to this for ages.

Honestly I'm more worried about remembering my username...13 digit numeric sequence.

Nice one Mr Bank.

Trying to fight my way back in after emigrating put a lot of worries at ease. Voice printing, secret code words, security questions, 2FA, passwords...omg just let me in.

Nobody's getting in there...I just hope I don't lose access.

I have a bank account whose username is a number and password is also a number. Good thing is you need to click on a randomly distributed keypad to input your password. /s

Mine too. Which is also my employer (you can find out who that is easily). ¯\_(ツ)_/¯

Since both numbers are sent (separately) via physical mail, all you'd have to do to get them would be to wait around in front of the mailbox when the postman comes, ask him if he's got mail for Mr X, repeat for a few days until you get the monthly report sheet; on this document will be the first number. Now go online, ask for a new password. Wait around the mail box for the new password to arrive. The mailman will just think "oooh Mr X is such a good person, always saying good morning". Chances are the victim doesn't have any alarms set up on their phone. I have alarms set up.

I had a colleague who always knew, to the quarter, how long he had been working there. During the quarterly password changes, he'd increment the numbers ;)

My bank (BNP) opted to force me to click on big clear text buttons instead of typing my login code. And yes, it's a six digit numeric code. So the username is a clear text field, and you could read my code from 5m away without zooming while I login.

Should I ever get scammed on this account, I'll claim that their security BS must have been the entry and let them try and disprove that.

My bank has a "helpful" mobile app secured by a 6 digit code. The worst part is that some sensitive operations like adding an external wire transfer target and changing transfer ceilings can be done from the app and only from the app.

I'm still annoyed that one of my banks only offers 2 factor through email & SMS and doesn't offer TOTP. Does anyone know if this is a PCI thing or is it just bureaucracy?

I’ve spent a good bit of time reading PCI requirements and I can’t think of anything that’d prevent using TOTP or Yubikey type devices. My guess is that they don’t implement it because they don’t think anyone would use it. Honestly I can’t say they’re wrong either—I’d love to use a Yubikey on my bank accounts, but I can’t imagine anyone else in my circle of non-programmer friends/family doing so.

With WebAuthn it doesn't have to be a USB fob - it can be built into your device too.

Chase doesn't allow special chars. Lmao.

Not just weak passwords, but reused ones (which to me is an equal sin)

Thank you for the PSA -- I just changed my old insecure password!

Then why is there no law for 2FA in the banks? In Turkey all banks must provide 2FA for logins. It is required by law.

Krebs has covered this previously; oligopoly service providers.

See his excellent, if depressing, 2018 exploration of banking security, "What Is Your Bank’s Security Banking On?".[1] Sadly, the industry is dominated by a small handful of banking platform providers. Four, Fiserv, Jack Henry, FIS, and CSI, serve over 80% of the market. Bank regulators, responding to Krebs, said that "small to mid-sized banks are massively beholden to their platform providers, and many banks simply accept the defaults instead of pushing for stronger alternatives."

This is not a good situation.

Digging further into the matter, I turned up a set of publications by Experian -- the credit rating agency which hasn't been breached ... yet -- on risk and fraud, including credential compromise.[2] One of these mentions in passing that the typical person has "about 100" service-based accounts.[3] That's not all that far off the count of 700 accounts HN users have reported having.[4]

1. https://krebsonsecurity.com/2018/03/what-is-your-banks-secur... (HN: https://news.ycombinator.com/item?id=20203482)

2. Stealthily hidden around Experian's website, though this search presently lists several of the better ones: https://www.experian.com/innovation/thought-leadership/fraud.... (https://web.archive.org/web/*/https://www.experian.com/innov...)

3. "Upcoming fraud trends and how to combat them: Ebook" https://www.experian.com/innovation/thought-leadership/upcom....

4. packet_nerd reports that here, though I recall an earlier mention as well: https://news.ycombinator.com/item?id=19488899

There at least used to be in the U. S. (Haven't worked in that space in ten years, and haven't kept up.) Worked on a 2FA system just as such a law was going into place (too lazy to look it up; call me on it, and I'll take the five minutes.) Woo hoo, do I want to go Ferrari or Lambo? Banks are going to have to use something, and ours is hardware-free and works on any browser.

"Wait a minute...what? Match-the-picture and security questions are going to count as '2FA'?! Are you fucking kidding me?"

I still work for a living, and drive something Japanese, not Italian. I have no idea what current status is in the U. S.

Look up PSD2, which is an EU directive with the same objective, coming into effect in September this year. But I'm not entirely sure if 2FA is also necessary for login and not only for transactions.
