That would raise awareness with users (ok, maybe scare some people) and give me some hints that my account may be under attack...
This is probably why. The signal/noise ratio of people freaking out about 'their account being hacked' or 'bank xyz's terrible security because so many people hack my account every week' would probably completely overwhelm the security benefit. E.g.: '10 failed logins? why are you letting other people try to log into MY account???' etc.
Only way I could see this working is with industry wide support and a mass awareness campaign, and even then people would be annoyingly confused. (possibly worthwhile though)
This will probably give rise to support calls to the bank...
In general, relying on a second factor whose security practices aren't the best could actually compromise security compared to having a strong and unique password.
I personally wish that more banks would support 2FA authentication using a username/password in combination with TLS client side certificates.
This would, in turn, cause a lot of panicked calls to the bank.
I guess it's probably more complicated than that, so perhaps someone more knowledgeable can expand on what I can expect to happen if someone steals money from my bank accounts because of one of the vulnerabilities in the article?
Remember that when you need to take a week off of work to deal with your bank after a breach zeroed your account. Remember that when you can't pay your bills during that time and miss a car/house payment.
It's not quite week off work, but definitely worth the hassle of using a password manager to avoid simple breaches.
It's not just their side, the stories don't make a lick of sense.
A bank doesn't want your car. The value of the loan is much higher than the value of the car, and without the car, you probably can't go to work to pay them the balance.
If what those people claimed was true, they're probably leaving out the part about how they missed five payments in a row, and when they finally called the bank back the bank offered them a payment plan, which they also missed, and THEN the car was repossessed.
Might have gotten results for 'auto title loans' mixed in?
I could see this for those, but even then it would be a stretch - the cost of the repo and redelivery upon eventual payment for most of the cases would quickly overwhelm any benefit
All of my banks have security questions. This protects me by combining a password with some other passwords that are public information and that I can't change.
I recommend using something like Bitwarden's passphrase generator so all your answers are things like `concise myth bird`.
This way they are A: actually secure, and B: easily pronounceable, so that just saying "a bunch of letters and numbers" to a phone tech shouldn't work as I've heard people complain can happen when using normal passwords (e.g., c9b21s1qzs) for these fields.
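As an added example (not code from the original thread or from Bitwarden), here is what a diceware-style generator for security-question answers looks like, plus the entropy arithmetic behind "actually secure". The 64-word list is constructed for illustration only; a real generator would use a large published list such as the ~7776-word EFF list, which is why `entropy_bits` and `words_needed` take the list size as a parameter.

```python
import math
import secrets

# Constructed sample wordlist (64 entries, 6 bits per word). Illustration only;
# use a large vetted list such as EFF's 7776-word list in practice.
WORDLIST = (
    "apple", "bird", "cable", "dune", "eagle", "fable", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "marble", "noble", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "basket", "candle", "dragon", "ember", "falcon", "glacier",
    "hammer", "ivory", "jasper", "kayak", "lemon", "meadow", "nickel", "oyster",
    "pillow", "quilt", "rocket", "silver", "tunnel", "unicorn", "violet", "willow",
    "yogurt", "zipper", "acorn", "bamboo", "cactus", "dolphin", "engine", "feather",
    "goblet", "helmet", "iris", "jacket", "koala", "lotus", "mango", "needle",
)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from a list."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of this size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int = 3, wordlist=WORDLIST) -> str:
    """Pick n_words from the list with the OS CSPRNG (secrets), joined by spaces.

    Words may repeat; that is fine and keeps the entropy calculation exact.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates; entropy estimate would be wrong")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def answers_for(questions, n_words: int = 3, wordlist=WORDLIST) -> dict:
    """One independent passphrase per security question, to be stored in the manager."""
    return {q: generate_passphrase(n_words, wordlist) for q in questions}


if __name__ == "__main__":
    qs = ["Mother's maiden name?", "First pet?", "City of birth?"]
    for q, a in answers_for(qs).items():
        print(f"{q:<25} {a}")
    print(f"3 words from the sample list: {entropy_bits(len(WORDLIST), 3):.1f} bits")
    print(f"words needed for 50 bits from a 7776-word list: {words_needed(7776, 50)}")
```

The point of the arithmetic: three words from a 7776-word list give about 38.8 bits, which is plenty for a field that is only ever checked by a human over the phone, and still reads aloud cleanly.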
Irrelevant. These are only security questions. They can be anything, and in fact, for most of them they are not supposed to know.
If you are applying for one of their products and you get a form, and THEN you provide false information, it's a different matter.
You want to get rid of passwords? Stop allowing users to manage them. Make a browser plug-in support U2F, make it auto-generate passwords for sites, make it manage them internally. When you go to login to Chase, the browser will fill in the login details, after it has verified this is the Actual Real Site and not a phishing site. All access to this auth data will be based on a master password entered into the user's browser at start-up.
To reset an individual site's auth creds, the site can send a re-auth e-mail to the user. When the user clicks through, they can use the site's preferred verification process to show they are the real user. The browser can then generate and save new auth details for the site.
At no time did the user ever enter a password, but strong authentication data is still being managed independently per-site, the user can still reset any given site's auth details, and the user only has to manage one strong password on their client machine at start-up time. They can also use U2F with a second device for MFA.
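An added sketch (not code from the thread, not any browser's implementation) of the per-site credential derivation this scheme rests on: the browser-held master password is stretched once, and each site's credential is derived from that key plus the canonicalised origin the browser actually connected to, so a lookalike phishing host gets a different credential without the user having to spot the difference. The `generation` counter stands in for the "re-auth e-mail resets the site's creds" step. Function names, the salt and the iteration count are illustrative assumptions; U2F itself is not modelled here.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443}


def canonical_origin(url: str) -> str:
    """Reduce a URL to the origin the browser keys credentials on.

    Only https is accepted: a credential must never be derived for, or sent to,
    a plaintext site. The host is lower-cased and IDNA-encoded so Unicode
    lookalike domains cannot collide with the real one.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to derive credentials for non-https URL: {url}")
    host = parts.hostname  # urlsplit already lower-cases this
    if not host:
        raise ValueError(f"URL has no host: {url}")
    host = host.encode("idna").decode("ascii")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def master_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch the start-up master password once per browser session (PBKDF2-HMAC-SHA256).

    Iteration count is an illustrative assumption; pick it for your threat model.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def site_credential(mk: bytes, url: str, generation: int = 0) -> str:
    """Derive the credential for one origin. Bump `generation` to rotate it."""
    origin = canonical_origin(url)
    info = f"{origin}\x00{generation}".encode("utf-8")
    digest = hmac.new(mk, info, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    mk = master_key("correct horse battery staple", b"constructed-per-profile-salt")
    real = site_credential(mk, "https://www.chase.com/login")
    look = site_credential(mk, "https://www.chase.com.evil.example/login")
    print("real site :", real)
    print("lookalike :", look)
    print("rotated   :", site_credential(mk, "https://www.chase.com/login", generation=1))
```

Because the site never sees the master key and the derivation is keyed on the origin the browser verified over TLS, the phishing page at `chase.com.evil.example` is simply handed a credential the real bank has never heard of.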
(1) wait for 200 countries to properly implement secure hardware tokens for every citizen (population of estonia: 1.3 million, population of the world: 7.6 billion) and wait for all apps and sites to properly support 200 different cards,
or (2) implement a universal http standard to abstract logins away into authentication managers.
The former requires bureaucracy, logistics, physical production and transportation costs, hardware adapters, and countless unknown considerations to get everyone in the world to be able to use it and get support for it.
The latter requires a browser plugin, and for web apps to implement an HTTP extension similar to a content security policy.
Looking at you Wells Fargo
Because they are not hashing your password, therefore it needs to fit in plain text in their database column.
I'm a big proponent of using a password manager and if I even remotely mention using iCloud Keychain or Google's password manager, people have zero idea what I'm talking about.
I personally don’t use any 3rd party password managers. I find Keychain to work amazingly. There’s even a Firefox plugin that supports it.
Nice one Mr Bank.
Trying to fight my way back in after emigrating put a lot of worries at ease. Voice printing, secret code words, security questions, 2FA, passwords...omg just let me in.
Nobody's getting in there...I just hope I don't lose access.
Since both numbers are sent (separately) via physical mail, all you'd have to do to get them would be to wait around in front of the mailbox when the postman comes, ask him if he's got mail for Mr X, repeat for a few days until you get the monthly report sheet; on this document will be the first number. Now go online, ask for a new password. Wait around the mailbox for the new password to arrive. The mailman will just think "oooh Mr X is such a good person, always saying good morning". Chances are the victim doesn't have any alarms set up on their phone. I have alarms set up.
Should I ever get scammed on this account, I'll claim that their security BS must have been the entry and let them try and disprove that.
See his excellent, if depressing, 2018 exploration of banking security, "What Is Your Bank’s Security Banking On?". Sadly, the industry is dominated by a small handful of banking platform providers. Four of them, Fiserv, Jack Henry, FIS, and CSI, serve over 80% of the market. Bank regulators, responding to Krebs, said that "small to mid-sized banks are massively beholden to their platform providers, and many banks simply accept the defaults instead of pushing for stronger alternatives."
This is not a good situation.
Digging further into the matter, I turned up a set of publications by Experian -- the credit rating agency which hasn't been breached ... yet -- on risk and fraud, including credential compromise. One of these mentions in passing that the typical person has "about 100" service-based accounts. That's not all that far off the count of 700 accounts HN users have reported having.
1. https://krebsonsecurity.com/2018/03/what-is-your-banks-secur... (HN: https://news.ycombinator.com/item?id=20203482)
2. Stealthily hidden around Experian's website, though this search presently lists several of the better ones: https://www.experian.com/innovation/thought-leadership/fraud.... (https://web.archive.org/web/*/https://www.experian.com/innov...)
3. "Upcoming fraud trends and how to combat them: Ebook" https://www.experian.com/innovation/thought-leadership/upcom....
4. packet_nerd reports that here, though I recall an earlier mention as well: https://news.ycombinator.com/item?id=19488899
"Wait a minute...what? Match-the-picture and security questions are going to count as '2FA'?! Are you fucking kidding me?"
I still work for a living, and drive something Japanese, not Italian. I have no idea what current status is in the U.S.