I often wonder why not all websites (especially delicate ones like ebanking) show the number of failed login attempts since the last successful login.
That would raise awareness with users (ok, maybe scare some people) and give me some hints that my account may be under attack...
This is probably why. The signal/noise ratio of people freaking out about 'their account being hacked' or 'bank xyz's terrible security because so many people hack my account every week' would probably completely overwhelm the security benefit. E.g: '10 failed logins? why are you letting other people try to log into MY account???' etc.
Only way I could see this working is with industry wide support and a mass awareness campaign, and even then people would be annoyingly confused. (possibly worthwhile though)
Unless you have a very unique login, you are often going to see login attempts. Common names such as john, john123, john234, johnq, qjohn will happen more often, especially on a big site.
This will probably give rise to support calls to the bank...
Then you'll learn that your username is one that's under attack and that it's even more important to have a strong password. Put some useful documentation on the login page that explains it. What's wrong with that?
Have you seen how severely 2FA drops the rate of unauthorized accesses? It's incredible. What have you seen that moves you to hedge on the value of 2FA?
In general, relying on a second factor whose security practices aren't the best, could actually compromise security compared to having a strong and unique password.
I personally wish that more banks would support 2FA authentication using a username/password in combination with TLS client side certificates.
Particularly as they need to internally collect that information to comply with PCI (which requires financial orgs to lock accounts after 6 failed login attempts).
Because this would result in tens of millions of calls to the CS team to the general effect of "OMG someone is trying to hack my account!!! Do something!" to no purpose and decrease the adoption of a technology which materially increases per-user revenue and decreases per-user costs.
Even better: just show the last logins (both successful and failed). This way it also gives you a positive feel of security, because you can also see if e.g. a family member logged in etc.
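The two views the comments above ask a bank's login page to show, computed from an authentication audit log. This is an added example written for this thread, not code from the original page or from any bank; the log lines are constructed here, and a real system would read them from its own auth events table.

```python
"""Added example, not part of the thread: the number of failed attempts since
the last successful login, the sources those failures came from, and a short
'recent logins' list, all derived from a constructed audit log."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: ISO timestamp, user, result, source address
SAMPLE_LOG = """\
2019-05-01T08:00:00 john success 198.51.100.7
2019-05-01T09:12:05 john failure 203.0.113.9
2019-05-01T09:12:20 john failure 203.0.113.9
2019-05-01T09:13:01 john failure 203.0.113.9
2019-05-02T07:45:00 john success 198.51.100.7
2019-05-02T10:00:00 john failure 192.0.2.44
2019-05-02T11:30:00 john failure 192.0.2.45
2019-05-02T12:00:00 alice success 198.51.100.20
2019-05-02T12:30:00 alice failure 198.51.100.20
"""


def parse_log(text):
    """Group events per user, oldest first: {user: [(datetime, result, source)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        if result not in ("success", "failure"):
            raise ValueError(f"unexpected result {result!r}")
        events[user].append((datetime.fromisoformat(ts), result, source))
    for history in events.values():
        history.sort()
    return events


def failures_since_last_success(events, user):
    """Failures after the most recent success (every failure on record if the
    user never logged in successfully)."""
    count = 0
    for _, result, _ in reversed(events.get(user, [])):
        if result == "success":
            break
        count += 1
    return count


def unfamiliar_failure_sources(events, user):
    """Sources of those failures that never produced a successful login; a
    failure from a familiar address is more likely a typo than an attack."""
    history = events.get(user, [])
    known = {src for _, result, src in history if result == "success"}
    recent = []
    for _, result, src in reversed(history):
        if result == "success":
            break
        recent.append(src)
    return sorted(set(recent) - known)


def recent_logins(events, user, limit=5):
    """The 'last logins, successful and failed' view suggested above."""
    return [(ts.isoformat(), result, src)
            for ts, result, src in events.get(user, [])[-limit:]]


def login_banner(events, user):
    """Text a login page could show right after a successful authentication."""
    n = failures_since_last_success(events, user)
    srcs = unfamiliar_failure_sources(events, user)
    if n == 0:
        return "No failed login attempts since your last login."
    msg = f"{n} failed login attempt{'s' if n != 1 else ''} since your last login."
    if srcs:
        msg += f" Unfamiliar source{'s' if len(srcs) != 1 else ''}: {', '.join(srcs)}."
    return msg
```

Splitting the count by source is what turns the raw number into something a user can act on: a handful of failures from the address they always log in from is a mistyped password, while failures from addresses that have never succeeded are the signal the first comment wants.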
So my understanding is that ultimately the bank is responsible for any loss on my end as a result of someone breaking into my bank account, therefore I don't really care if my banks don't follow best security practices.
I guess it's probably more complicated than that, so perhaps someone more knowledgeable can expand on what I can expect to happen if someone steals money from my bank accounts because of one of the vulnerabilities in the article?
> So my understanding is that ultimately the bank is responsible for any loss on my end as a result of someone breaking into my bank account, therefore I don't really care if my banks don't follow best security practices.
Remember that when you need to take a week off of work to deal with your bank after a breach zeroed your account. Remember that when you can't pay your bills during that time and miss a car/house payment.
Multiple accounts are a must. If you’re smart about it, you also won’t set up any kind of electronic transfer between them. Otherwise if one is hijacked the crook could initiate an ACH from the other accounts.
Where do you bank that being a week late on a mortgage or car payment is even a problem? I've literally forgotten a car payment for a month and my next statement just had two payments worth. I've had my checking account zeroed, it took a 20 minute phone call and 1-2 business days to get fixed. I certainly did not have to take a week off work.
I had a "minor" issue with a transaction a few weeks back. My bank froze my card and wouldn't unfreeze it unless I called into a branch with photo ID. Said bank didn't have a branch on the right side of town, and the branches are only open 10-4 Monday through Friday, and the queues are 30+ minutes. I took a half day, and it took them 5 days to send me out a replacement card (which I had to phone for, twice, because it's handled by a different department to the ID department).
It's not quite week off work, but definitely worth the hassle of using a password manager to avoid simple breaches.
So this is in the US, but I was looking at car loans just to see what the rates were compared to mine and there were reviews from people stating the bank repossessed their car a day after their first missed payment. Now this is only their side and I don't remember which banks and credit unions were receiving those reviews but I know there were multiple accounts of people with similar experiences and some of those lenders were nationally known banks. So your mileage may vary with car loan lenders.
> Now this is only their side and I don't remember which banks and credit unions were receiving those reviews but I know there were multiple accounts of people with similar experiences and some of those lenders were nationally known banks
It's not just only their side, the stories don't make a lick of sense.
A bank doesn't want your car. The value of the loan is much higher than the value of the car, and without the car, you probably can't go to work to pay them the balance.
If what those people claimed was true, they're probably leaving out the part about how they missed five payments in a row, and when they finally called the bank back the bank offered them a payment plan, which they also missed, and THEN the car was repossessed.
Might have gotten results for 'auto title loans' mixed in?
I could see this for those, but even then it would be a stretch - the cost of the repo and redelivery upon eventual payment for most of the cases would quickly overwhelm any benefit
>even if your bank offers multi-factor authentication as part of its login process
All of my banks have security questions. This protects me by combining a password with some other passwords that are public information and that I can't change.
You by no means have to give your real information.
I recommend using something like Bitwarden's passphrase generator so all your answers are things like `concise myth bird`.
This way they are A: actually secure, and B: easily pronounceable, so that just saying "a bunch of letters and numbers" to a phone tech shouldn't work as I've heard people complain can happen when using normal passwords (e.g., c9b21s1qzs) for these fields.
Inaccurate but plausible is the advice I've been given for these. My bank insists on a "memorable name" (was formerly "mother's maiden name" - I confirmed it didn't have to be accurate), so I use one that was basically picked out of a hat, which has no connection to me or my family.
They are _only_ used for security, and now that it's "memorable name", it's not false information anyway. If the bank were using it for any other purpose, such as a credit check, that would be a different matter, and quite well might not be legal.
The difference is whether there is an intent to deceive for gain. Lying about my income on a credit application is different from lying whether my favorite food is pizza.
Hey, at least those are immutable and memorable facts. Not great from the standpoint of adding security, certainly, but I'd rather have that than things like "who is your favorite band", which I'll have no hope of reproducing five years from now, and which will only serve to lock me out of my own account.
I have this beat. My credit union used social security numbers as your login and your card pin as your password. And the only security question was date of birth to reset it.
Banks unfortunately often have deplorably backward as well as arbitrary password rules such as: "Your password must not be longer than 8 characters and must not contain any of these characters '@', '&', '/', '('." ...
I was trying to remember wtf the name of the new MFA standard that Chrome supports was, and it took me 10 minutes of Googling to find it (U2F[1]). If a security nerd can't even remember the name of the thing that's supposed to replace passwords, regular users will never figure it out.
You want to get rid of passwords? Stop allowing users to manage them. Make a browser plug-in support U2F, make it auto-generate passwords for sites, make it manage them internally. When you go to login to Chase, the browser will fill in the login details, after it has verified this is the Actual Real Site and not a phishing site. All access to this auth data will be based on a master password entered into the user's browser at start-up.
To reset an individual site's auth creds, the site can send a re-auth e-mail to the user. When the user clicks through, they can use the site's preferred verification process to show they are the real user. The browser can then generate and save new auth details for the site.
At no time did the user ever enter a password, but strong authentication data is still being managed independently per-site, the user can still reset any given site's auth details, and the user only has to manage one strong password on their client machine at start-up time. They can also use U2F with a second device for MFA.
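A small model of the origin-bound login the comment above describes, added here as an example rather than taken from the thread or from any U2F implementation. Real U2F and WebAuthn authenticators sign the server's challenge together with the page origin using a per-site key pair; to keep the example runnable offline, a per-origin random secret and an HMAC stand in for that key pair and signature. The origins, user name and keys are all constructed.

```python
"""Added example (not the commenter's design, not real U2F code): why keying
credentials on the exact origin, and binding that origin into the signed
login response, stops a phishing site from using a relayed challenge."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def canonical_origin(url):
    """Reduce a URL to scheme://host[:port]; credentials are keyed on this only."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only https origins are accepted")
    host = parts.hostname.lower()
    port = parts.port or 443
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


class BrowserAuthenticator:
    """The user-side store: one random secret per exact origin, never typed."""

    def __init__(self):
        self._keys = {}

    def register(self, url):
        """Create a secret for this origin and hand it to the site, standing in
        for exporting the public key at U2F registration."""
        origin = canonical_origin(url)
        self._keys[origin] = secrets.token_bytes(32)
        return origin, self._keys[origin]

    def has_credential(self, url):
        return canonical_origin(url) in self._keys

    def sign(self, url, challenge):
        """Bind the origin the browser actually sees into the response."""
        origin = canonical_origin(url)
        key = self._keys[origin]          # KeyError: no credential, nothing to fill
        tag = hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()
        return origin, tag


class RelyingParty:
    """The bank: it knows its own origin and each user's key from registration."""

    def __init__(self, origin):
        self.origin = origin
        self._user_keys = {}

    def new_challenge(self):
        return secrets.token_bytes(32)

    def enroll(self, user, key):
        self._user_keys[user] = key

    def verify(self, user, challenge, response):
        origin, tag = response
        if origin != self.origin:
            return False                  # signed for some other origin: phishing
        expected = hmac.new(self._user_keys[user], origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def run_scenarios():
    """Honest login succeeds; look-alike hosts get no credential at all; and a
    relayed challenge signed at the phishing origin is rejected by the bank."""
    bank = RelyingParty("https://chase.example")
    browser = BrowserAuthenticator()
    _, key = browser.register("https://chase.example/login")
    bank.enroll("john", key)

    results = {}
    challenge = bank.new_challenge()
    results["honest"] = bank.verify(
        "john", challenge, browser.sign("https://chase.example/login", challenge))

    # None of these share an origin with the bank, so nothing is filled in.
    lookalikes = ["https://chase.example.evil.example/login",
                  "https://chase-example.example/login",
                  "https://login.chase.example/"]   # a subdomain is a different origin
    results["lookalike_has_credential"] = any(browser.has_credential(u) for u in lookalikes)

    # Worst case: the user also enrolled at the phishing site, which relays the
    # bank's real challenge. The response still carries the phishing origin.
    phish = "https://chase.example.evil.example/login"
    browser.register(phish)
    results["relayed"] = bank.verify("john", challenge, browser.sign(phish, challenge))
    return results
```

The point of the last scenario is that the defence does not rely on the user noticing the address bar: the authenticator signs whatever origin it is talking to, and the bank accepts only responses signed for its own origin, so a relayed challenge is useless to the attacker.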
Or countries could solve the issue for their citizens instead of making everyone invent their own, like Estonia and quite a few other european countries have. By providing a physical card (or SIM) that allows people to log in where they want.
Many people don't like passwords either. The point being that sometimes we have to go with things we don't find perfect, just tremendously better than what we have now.
(1) wait for 200 countries to properly implement secure hardware tokens for every citizen (population of estonia: 1.3 million, population of the world: 7.6 billion) and wait for all apps and sites to properly support 200 different cards,
or (2) implement a universal http standard to abstract logins away into authentication managers.
The former requires bureaucracy, logistics, physical production and transportation costs, hardware adapters, and countless unknown considerations to get everyone in the world to be able to use it and get support for it.
The latter requires a browser plugin, and for web apps to implement an HTTP extension similar to a content security policy.
Or (3) implement a universal TLS standard to abstract logins away into hardware tokens... but that's exactly what we have but don't use super-widespread. Estonia has demonstrated the solution scales easily into millions, Latvia is working on it, Finland as well and a few other countries, but they're 15 years behind from Estonia, rest of the world is at least two decades behind. I've always wanted to make wild predictions, now I can try, I think such personal hardware tokens will become wildly mainstream in 25 years, totally replacing passwords.
This aggravates me beyond belief. I have more secure passwords on random sites/accounts than I do on my financial accounts. Why do banks insist on restricting character limits to 12 - 20 characters?
Citibank is even worse. I use a password manager and have used a 20+ character password for years. Every now and then, as happened a few months ago, they change the website in a way that breaks long passwords. So even though my password manager entered it correctly, it rejected my password until I had to reset it.
Same. At least they fixed the issue (years ago, to be fair) where you could log into your Citibank account and tweak the URL to see other customers' data...
Why doesn't Google or Apple have 'explain like I'm 5' explanations of how their password managers work? I don't use either service but this is a MAJOR opportunity to encourage their users to use a password manager and subsequently make their users more secure online.
I'm a big proponent of using a password manager and if I even remotely mention using iCloud Keychain or Google's password manager, people have zero idea what I'm talking about.
I agree. It’s odd that an article this technical goes on to recommend (or at least enumerate popular) password managers, but doesn’t mention Apple’s own KeyChain. It’s built into all iPhones and MacOS computers for god’s sake.
I personally don’t use any 3rd party password managers. I find KeyChain to work amazingly. There’s even a FireFox plugin that supports it.
A problem is that most users are likely in a mixed computing household, such as using an iPhone and a Windows Desktop. It would be a lot easier to suggest to some of my family, for instance, to use KeyChain if they had a good Windows client. (With the recent modern iCloud update in the Microsoft Store, I could even see this possibly happening, as opposed to the many years where iTunes for Windows was an afterthought.)
KeyChain is not an open standard and is not easily interoperable with other strategies or products. You shouldn't build best practice out of a single company's walled garden.
Honestly I'm more worried about remembering my username...13 digit numeric sequence.
Nice one Mr Bank.
Trying to fight my way back in after emigrating put a lot of worries at ease. Voice printing, secret code words, security questions, 2FA, passwords...omg just let me in.
Nobody's getting in there...I just hope I don't lose access.
I have a bank account whose username is a number and password is also a number. Good thing is you need to click on a randomly distributed keypad to input your password. /s
Mine too. Which is also my employer (you can find out who that is easily). ¯\_(ツ)_/¯
Since both numbers are sent (separately) via physical mail, all you'd have to do to get them would be to wait around in front of the mailbox when the postman comes, ask him if he's got mail for Mr X, repeat for a few days until you get the monthly report sheet, on this document will be the first number. Now go online, ask for a new password. Wait around the mail box for the new password to arrive. The mailman will just think "oooh Mr X is such a good person, always saying good morning". Chances are the victim doesn't have any alarms set up on their phone. I have alarms set up.
I had a colleague who always knew, to the quarter, how long he had been working there. During the quarterly password changes, he'd increment the numbers ;)
My bank (BNP) opted to force me to click on big clear text buttons instead of typing my login code. And yes, it's a six digit numeric code. So the username is a clear text field, and you could read my code from 5m away without zooming while I login.
Should I ever get scammed on this account, I'll claim that their security BS must have been the entry and let them try and disprove that.
My bank has a "helpful" mobile app secured by a 6 digit code. The worst part is that some sensitive operations like adding an external wire transfer target and changing transfer ceilings can be done from the app and only from the app.
I'm still annoyed that one of my banks only offers 2 factor through email & SMS and doesn't offer TOTP. Does anyone know if this is a PCI thing or is it just bureaucracy?
I’ve spent a good bit of time reading PCI requirements and I can’t think of anything that’d prevent using TOTP or Yubikey type devices. My guess is that they don’t implement it because they don’t think anyone would use it. Honestly I can’t say they’re wrong either—I’d love to use a Yubikey on my bank accounts, but I can’t imagine anyone else in my circle of non-programmer friends/family doing so.
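The TOTP algorithm the two comments above wish banks offered, implemented from RFC 4226 (HOTP) and RFC 6238 (TOTP) with only the standard library. This is an added example, not code from the thread or from any bank; it also includes the server-side pieces a careful deployment needs, a small clock-drift window and a guard against re-using a code within its time step. The secret and user name are constructed; the secret happens to be the RFC test-vector key so the output can be checked against the published vectors.

```python
"""Added example (not from the thread): HOTP/TOTP per RFC 4226 and RFC 6238,
the otpauth:// enrollment URI, and a verifier with drift window and replay
guard. Secret and user name are constructed for the example."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def provisioning_uri(secret, issuer, account, digits=6, step=30):
    """otpauth:// URI of the kind encoded in enrollment QR codes (unpadded base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}")


class TotpVerifier:
    """Server side: per-user secret, a +/- window of time steps, no code reuse."""

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self._secrets = {}
        self._last_counter = {}

    def enroll(self, user, secret):
        self._secrets[user] = secret
        self._last_counter[user] = -1

    def verify(self, user, code, unix_time):
        secret = self._secrets.get(user)
        if secret is None or not code.isdigit() or len(code) != self.digits:
            return False
        now_counter = int(unix_time) // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self._last_counter[user]:
                continue                          # this step already used: replay
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter[user] = counter
                return True
        return False
```

Two details matter beyond the algorithm itself: the verifier remembers the highest time step it has accepted for each user, so a code phished or shoulder-surfed seconds ago cannot be replayed inside the same 30-second window, and a window of one step on either side tolerates phone clock drift without widening the guessing surface much. The secret still has to be generated with a CSPRNG per user and stored as carefully as a password hash, since unlike a hash it must be kept in the clear.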
Krebs has covered this previously; oligopoly service providers.
See his excellent, if depressing, 2018 exploration of banking security, "What Is Your Bank’s Security Banking On?".[1] Sadly, the industry is dominated by a small handful of banking platform providers. Four, Fiserv, Jack Henry, FIS, and CSI, serve over 80% of the market. Bank regulators, responding to Krebs, said that "small to mid-sized banks are massively beholden to their platform providers, and many banks simply accept the defaults instead of pushing for stronger alternatives."
This is not a good situation.
Digging further into the matter, I turned up a set of publications by Experian -- the credit rating agency which hasn't been breached ... yet -- on risk and fraud, including credential compromise.[2] One of these mentions in passing that the typical person has "about 100" service-based accounts.[3] That's not all that far off the count of 700 accounts HN users have reported having.[4]
There at least used to be in the U. S. (Haven't worked in that space in ten years, and haven't kept up.) Worked on a 2FA system just as such a law was going into place (too lazy to look it up; call me on it, and I'll take the five minutes.) Woo hoo, do I want to go Ferrari or Lambo? Banks are going to have to use something, and ours is hardware-free and works on any browser.
"Wait a minute...what? Match-the-picture and security questions are going to count as '2FA'?! Are you fucking kidding me?"
I still work for a living, and drive something Japanese, not Italian. I have no idea what current status is in the U. S.
Look up PSD2, which is an EU directive with the same objective, coming into effect in September this year. But I'm not entirely sure if 2FA is also necessary for login and not only for transactions.