Piss poor security

Jackleg
Posts: 110
Joined: Wed Apr 11, 2018 9:36 pm

Piss poor security

Post by Jackleg »

I've recently opened a new bank account in Australia and signed up for online banking.
Their password rules are an absolute joke; must be six characters, no special characters, all lower case, no two-step or multifactor identification available. I'm finding it hard to believe that any financial institution could be so lax in its security. When asked about their password policy, their response was "Brute force cracking is a common means of attempting to defeat passwords but given our current password procedures is not deemed a credible threat." :roll:

Simon
Posts: 2308
Joined: Wed Apr 11, 2018 4:03 pm

Re: Piss poor security

Post by Simon »

Which bank?
The artist formerly known as _Who_

Jackleg
Posts: 110
Joined: Wed Apr 11, 2018 9:36 pm

Re: Piss poor security

Post by Jackleg »

Westpac.

dinny_g
Posts: 1884
Joined: Wed Apr 11, 2018 4:31 pm

Re: Piss poor security

Post by dinny_g »

That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
JLv3.0 wrote:
Thu Jun 21, 2018 4:26 pm
I say this rarely Dave, but listen to Dinny because he's right.

mik
Posts: 3624
Joined: Wed Apr 11, 2018 6:15 pm

Re: Piss poor security

Post by mik »

Or move banks

Jackleg
Posts: 110
Joined: Wed Apr 11, 2018 9:36 pm

Re: Piss poor security

Post by Jackleg »

dinny_g wrote:
Fri Jan 17, 2020 10:40 am
That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
I can't Dinny; the password can only be six characters. No more, no less.

Mik, already on it.

dinny_g
Posts: 1884
Joined: Wed Apr 11, 2018 4:31 pm

Re: Piss poor security

Post by dinny_g »

Jackleg wrote:
Fri Jan 17, 2020 10:48 am
dinny_g wrote:
Fri Jan 17, 2020 10:40 am
That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
I can't Dinny; the password can only be six characters. No more, no less.

Mik, already on it.
No fucking way... that's shocking... :o
JLv3.0 wrote:
Thu Jun 21, 2018 4:26 pm
I say this rarely Dave, but listen to Dinny because he's right.

Ascender
Posts: 776
Joined: Thu Apr 12, 2018 12:07 pm

Re: Piss poor security

Post by Ascender »

Jackleg wrote:
Fri Jan 17, 2020 10:37 am
Westpac.
And what year were you born?

Any kids or treasured animals?

Just asking like.

DeskJockey
Posts: 1394
Joined: Thu Apr 12, 2018 8:58 am

Re: Piss poor security

Post by DeskJockey »

They're begging for a breach!
---
Driving a Galaxy far far away

NotoriousREV
Posts: 6285
Joined: Wed Apr 11, 2018 4:14 pm

Re: Piss poor security

Post by NotoriousREV »

6 characters, lower case and no special characters would be broken in seconds.
32% prick

Beany
Posts: 2055
Joined: Wed Apr 11, 2018 5:27 pm

Re: Piss poor security

Post by Beany »

NotoriousREV wrote:
Fri Jan 17, 2020 2:53 pm
6 characters, lower case and no special characters would be broken in seconds.
On a mobile phone. Not even a fancy pants computer with Big Specs. A mobile phone could break that in seconds.

A mobile phone from five years ago.

Orange Cola
Posts: 1675
Joined: Wed Apr 11, 2018 7:56 pm

Re: Piss poor security

Post by Orange Cola »

Someone should do it just to teach them a lesson.
Mustang GT 5.0 V8 -- Jaguar F-Pace

Beany
Posts: 2055
Joined: Wed Apr 11, 2018 5:27 pm

Re: Piss poor security

Post by Beany »

Orange Cola wrote:
Fri Jan 17, 2020 7:03 pm
Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.

NotoriousREV
Posts: 6285
Joined: Wed Apr 11, 2018 4:14 pm

Re: Piss poor security

Post by NotoriousREV »

Orange Cola wrote:
Fri Jan 17, 2020 7:03 pm
Someone should do it just to teach them a lesson.
There’s a list of 100k Westpac customer emails available:

https://finance.nine.com.au/business-ne ... d973492614
32% prick

Nefarious
Posts: 487
Joined: Wed Apr 11, 2018 5:21 pm

Re: Piss poor security

Post by Nefarious »

Beany wrote:
Fri Jan 17, 2020 7:12 pm
Orange Cola wrote:
Fri Jan 17, 2020 7:03 pm
Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.

Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?

Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach?
"If everything seems under control, you're just not going fast enough"

Gavin
Posts: 859
Joined: Wed Apr 11, 2018 4:27 pm

Re: Piss poor security

Post by Gavin »

Nefarious wrote:
Sat Jan 18, 2020 12:40 pm
Beany wrote:
Fri Jan 17, 2020 7:12 pm
Orange Cola wrote:
Fri Jan 17, 2020 7:03 pm
Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.

Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?

Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach?
Flash Bastard! :lol:

Ascender
Posts: 776
Joined: Thu Apr 12, 2018 12:07 pm

Re: Piss poor security

Post by Ascender »

I guess in the UK at least if there was a clear security breach, they'd have to submit some sort of report to the regulators. And those same regulators say that banks must refund any unauthorised payments from accounts.

But of course there will be the small print....
Your bank can generally only refuse a refund for an unauthorised payment if:

it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card or PIN conclusively proves you authorised a payment
it can prove you are at fault because you acted fraudulently or because you deliberately, or with ‘gross negligence’, failed to protect the details of your card, PIN or password in a way that allowed the transaction
you told your bank about an unauthorised payment 13 months or more after the date it left your account, so make sure you contact the bank as soon as possible.

Ascender
Posts: 776
Joined: Thu Apr 12, 2018 12:07 pm

Re: Piss poor security

Post by Ascender »

Beany wrote:
Fri Jan 17, 2020 7:12 pm
Orange Cola wrote:
Fri Jan 17, 2020 7:03 pm
Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
Every UK bank I've worked with has spent and continues to spend a lot of money investing in protecting all their IT systems. Good old-fashioned fraudsters calling up the bank and trying stuff on (identity theft & trying to "impersonate" a legitimate customer in order to get piece by piece access to their account - i.e. changing their address) is just as big, if not a bigger problem for them.

unzippy
Posts: 635
Joined: Wed Apr 11, 2018 11:02 pm

Re: Piss poor security

Post by unzippy »

I work for a Victorian government agency.

Server 2008 OS went end of life last week. No rush for those 24 servers as the 14 x 2003 boxes haven't been sorted yet :lol: :shock: :roll:

There are federal IT rules from what I can see but only guidelines for states. Neither comes close to what we had to abide by for Islington Council!
The Evo forum really is a shadow of its former self. I remember when the internet was for the elite and now they seem to let any spastic on

IaFG Down Under Division

unzippy
Posts: 635
Joined: Wed Apr 11, 2018 11:02 pm

Re: Piss poor security

Post by unzippy »

From somewhere where it is compulsory to carry your driving licence while driving, you can get on an internal flight with just a ticket - no ID needed at all.
The Evo forum really is a shadow of its former self. I remember when the internet was for the elite and now they seem to let any spastic on

IaFG Down Under Division
