Piss poor security

Jackleg
Posts: 132
Joined: Wed Apr 11, 2018 9:36 pm

Piss poor security

Post by Jackleg »

I've recently opened a new bank account in Australia and signed up for online banking.
Their password rules are an absolute joke; must be six characters, no special characters, all lower case, no two-step or multifactor identification available. I'm finding it hard to believe that any financial institution could be so lax in its security. When asked about their password policy, their response was "Brute force cracking is a common means of attempting to defeat passwords but given our current password procedures is not deemed a credible threat." :roll:
Simon
Posts: 4737
Joined: Wed Apr 11, 2018 4:03 pm

Re: Piss poor security

Post by Simon »

Which bank?
The artist formerly known as _Who_
Jackleg
Posts: 132
Joined: Wed Apr 11, 2018 9:36 pm

Re: Piss poor security

Post by Jackleg »

Westpac.
dinny_g
Posts: 5251
Joined: Wed Apr 11, 2018 4:31 pm

Re: Piss poor security

Post by dinny_g »

That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
JLv3.0 wrote: Thu Jun 21, 2018 4:26 pm I say this rarely Dave, but listen to Dinny because he's right.
Rich B wrote: Thu Jun 02, 2022 1:57 pm but Dinny was right…
mik
Posts: 11631
Joined: Wed Apr 11, 2018 6:15 pm

Re: Piss poor security

Post by mik »

Or move banks
Jackleg
Posts: 132
Joined: Wed Apr 11, 2018 9:36 pm

Re: Piss poor security

Post by Jackleg »

dinny_g wrote: Fri Jan 17, 2020 10:40 am That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
I can't Dinny; the password can only be six characters. No more, no less.

Mik, already on it.
dinny_g
Posts: 5251
Joined: Wed Apr 11, 2018 4:31 pm

Re: Piss poor security

Post by dinny_g »

Jackleg wrote: Fri Jan 17, 2020 10:48 am
dinny_g wrote: Fri Jan 17, 2020 10:40 am That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
I can't Dinny; the password can only be six characters. No more, no less.

Mik, already on it.
No fucking way... that's shocking... :o
JLv3.0 wrote: Thu Jun 21, 2018 4:26 pm I say this rarely Dave, but listen to Dinny because he's right.
Rich B wrote: Thu Jun 02, 2022 1:57 pm but Dinny was right…
Ascender
Posts: 3518
Joined: Thu Apr 12, 2018 12:07 pm
Currently Driving: 2019 M2 Competition

Re: Piss poor security

Post by Ascender »

Jackleg wrote: Fri Jan 17, 2020 10:37 am Westpac.
And what year were you born?

Any kids or treasured animals?

Just asking like.
Cheers,

Mike.
DeskJockey
Posts: 4628
Joined: Thu Apr 12, 2018 8:58 am

Re: Piss poor security

Post by DeskJockey »

They're begging for a breach!
---
Driving a Galaxy far far away
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: Piss poor security

Post by NotoriousREV »

6 characters, lower case and no special characters would be broken in seconds.
Middle-aged Dirtbag
Beany
Posts: 6267
Joined: Wed Apr 11, 2018 5:27 pm

Re: Piss poor security

Post by Beany »

NotoriousREV wrote: Fri Jan 17, 2020 2:53 pm 6 characters, lower case and no special characters would be broken in seconds.
On a mobile phone. Not even a fancy pants computer with Big Specs. A mobile phone could break that in seconds.

A mobile phone from five years ago.
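Sizing up the policy Jackleg describes (exactly six lower-case letters) against the two threat models a defender has to keep apart, the hash store leaking and guessing through the login endpoint. This is an added example, not code from the forum or from any bank; the comparison policies, the guess-rate figures and every name in it (POLICIES, GUESS_RATES, keyspace, entropy_bits, seconds_to_exhaust, human, policy_report) are constructed for illustration, and the rates are round numbers rather than measurements of any real system.

```python
"""Added example, not from the forum or any bank: size up a password policy
under separate offline and online threat models. Guess rates are constructed
round numbers for illustration, not measurements of any real system."""
import math

# Policy = (alphabet size, minimum length, maximum length).
# The first entry is the rule described in the thread; the rest are assumed
# comparison points chosen for this example.
POLICIES = {
    "thread: exactly 6 lower-case letters": (26, 6, 6),
    "8 chars, mixed case + digits": (62, 8, 8),
    "12 chars, printable ASCII": (95, 12, 12),
}

# Constructed guesses-per-second figures for four situations.
GUESS_RATES = {
    "offline, leaked fast unsalted hashes": 1e10,
    "offline, leaked slow hashes (bcrypt-class)": 1e4,
    "online, login endpoint, no throttling": 100.0,
    "online, 5 tries then 15-minute lockout": 5 / (15 * 60),
}


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords the policy admits (uniform choice assumed)."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def entropy_bits(alphabet: int, min_len: int, max_len: int) -> float:
    """Bits of entropy if the user picks uniformly from the whole keyspace."""
    return math.log2(keyspace(alphabet, min_len, max_len))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the guesser: every candidate tried. The average is half."""
    return space / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def policy_report(policy_name: str) -> dict:
    """Keyspace, entropy and time-to-exhaust for one policy under every rate."""
    alphabet, lo, hi = POLICIES[policy_name]
    space = keyspace(alphabet, lo, hi)
    return {
        "keyspace": space,
        "bits": entropy_bits(alphabet, lo, hi),
        "exhaust_seconds": {
            rate_name: seconds_to_exhaust(space, rate)
            for rate_name, rate in GUESS_RATES.items()
        },
    }


if __name__ == "__main__":
    for name in POLICIES:
        rep = policy_report(name)
        print(f"{name}: {rep['keyspace']:,} candidates, {rep['bits']:.1f} bits")
        for rate_name, secs in rep["exhaust_seconds"].items():
            print(f"    {rate_name:45s} {human(secs)}")
```

The thread's policy comes out at roughly 28 bits: under a second against a leaked fast hash and under a day even against a slow one, so the bank's "not a credible threat" rests entirely on the login endpoint's throttling and lockout and on the hash store never leaking. The uniform-choice figure is also an upper bound, since human-chosen six-letter strings cluster on dictionary words, which is why a policy that allows longer passwords and a second factor changes the picture far more than any server-side rate limit alone.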
Orange Cola
Posts: 2232
Joined: Wed Apr 11, 2018 7:56 pm

Re: Piss poor security

Post by Orange Cola »

Someone should do it just to teach them a lesson.
Mustang GT 5.0 V8 -- Jaguar F-Pace
Beany
Posts: 6267
Joined: Wed Apr 11, 2018 5:27 pm

Re: Piss poor security

Post by Beany »

Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: Piss poor security

Post by NotoriousREV »

Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
There’s a list of 100k Westpac customer emails available:

https://finance.nine.com.au/business-ne ... d973492614
Middle-aged Dirtbag
Nefarious
Posts: 833
Joined: Wed Apr 11, 2018 5:21 pm

Re: Piss poor security

Post by Nefarious »

Beany wrote: Fri Jan 17, 2020 7:12 pm
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.

Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?

Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach?
"If everything seems under control, you're just not going fast enough"
Gavin
Posts: 1817
Joined: Wed Apr 11, 2018 4:27 pm
Currently Driving: Skoda Superb, R56 Cooper S

Re: Piss poor security

Post by Gavin »

Nefarious wrote: Sat Jan 18, 2020 12:40 pm
Beany wrote: Fri Jan 17, 2020 7:12 pm
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.

Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?

Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach?
Flash Bastard! :lol:
Ascender
Posts: 3518
Joined: Thu Apr 12, 2018 12:07 pm
Currently Driving: 2019 M2 Competition

Re: Piss poor security

Post by Ascender »

I guess in the UK at least if there was a clear security breach, they'd have to submit some sort of report to the regulators. And those same regulators say that banks must refund any unauthorised payments from accounts.

But of course there will be the small print....
Your bank can generally only refuse a refund for an unauthorised payment if:

it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card or PIN conclusively proves you authorised a payment
it can prove you are at fault because you acted fraudulently or because you deliberately, or with ‘gross negligence’, failed to protect the details of your card, PIN or password in a way that allowed the transaction
you told your bank about an unauthorised payment 13 months or more after the date it left your account, so make sure you contact the bank as soon as possible.
Cheers,

Mike.
Ascender
Posts: 3518
Joined: Thu Apr 12, 2018 12:07 pm
Currently Driving: 2019 M2 Competition

Re: Piss poor security

Post by Ascender »

Beany wrote: Fri Jan 17, 2020 7:12 pm
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
Every UK bank I've worked with has spent and continues to spend a lot of money investing in protecting all their IT systems. Good old fashioned fraudsters calling up the Bank and trying stuff on (identity theft & trying to "impersonate" a legitimate customer in order to get piece by piece access to their account - i.e. changing their address) is just as big, if not a bigger problem for them.
Cheers,

Mike.
unzippy
Posts: 892
Joined: Wed Apr 11, 2018 11:02 pm

Re: Piss poor security

Post by unzippy »

I work for a Victorian government agency.

Server 2008 OS went end of life last week. No rush for those 24 servers as the 14 x 2003 boxes haven't been sorted yet :lol: :shock: :roll:

There are federal IT rules from what I can see but only guidelines for states. Neither come close to what we had to abide by for Islington Council!
The Evo forum really is a shadow of its former self. I remember when the internet was for the elite and now they seem to let any spastic on

IaFG Down Under Division
unzippy
Posts: 892
Joined: Wed Apr 11, 2018 11:02 pm

Re: Piss poor security

Post by unzippy »

From somewhere where it is compulsory to carry your driving licence while driving, you can get on an internal flight with just a ticket - no ID needed at all.
The Evo forum really is a shadow of its former self. I remember when the internet was for the elite and now they seem to let any spastic on

IaFG Down Under Division