Page 1 of 3

Piss poor security

Posted: Fri Jan 17, 2020 10:27 am
by Jackleg
I've recently opened a new bank account in Australia and signed up for online banking.
Their password rules are an absolute joke; must be six characters, no special characters, all lower case, no two-step or multifactor identification available. I'm finding it hard to believe that any financial institution could be so lax in its security. When asked about their password policy, their response was "Brute force cracking is a common means of attempting to defeat passwords but given our current password procedures is not deemed a credible threat." :roll:

Re: Piss poor security

Posted: Fri Jan 17, 2020 10:32 am
by Simon
Which bank?

Re: Piss poor security

Posted: Fri Jan 17, 2020 10:37 am
by Jackleg
Westpac.

Re: Piss poor security

Posted: Fri Jan 17, 2020 10:40 am
by dinny_g
That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.

Re: Piss poor security

Posted: Fri Jan 17, 2020 10:44 am
by mik
Or move banks

Re: Piss poor security

Posted: Fri Jan 17, 2020 10:48 am
by Jackleg
dinny_g wrote: Fri Jan 17, 2020 10:40 am That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
I can't, Dinny; the password can only be six characters. No more, no less.

Mik, already on it.

Re: Piss poor security

Posted: Fri Jan 17, 2020 10:51 am
by dinny_g
Jackleg wrote: Fri Jan 17, 2020 10:48 am
dinny_g wrote: Fri Jan 17, 2020 10:40 am That is pretty poor alright...

Just protect yourself as much as you can by setting a nice long password.
I can't, Dinny; the password can only be six characters. No more, no less.

Mik, already on it.
No fucking way... that's shocking... :o

Re: Piss poor security

Posted: Fri Jan 17, 2020 11:42 am
by Ascender
Jackleg wrote: Fri Jan 17, 2020 10:37 am Westpac.
And what year were you born?

Any kids or treasured animals?

Just asking like.

Re: Piss poor security

Posted: Fri Jan 17, 2020 2:33 pm
by DeskJockey
They're begging for a breach!

Re: Piss poor security

Posted: Fri Jan 17, 2020 2:53 pm
by NotoriousREV
6 characters, lower case and no special characters would be broken in seconds.

Re: Piss poor security

Posted: Fri Jan 17, 2020 6:53 pm
by Beany
NotoriousREV wrote: Fri Jan 17, 2020 2:53 pm 6 characters, lower case and no special characters would be broken in seconds.
On a mobile phone. Not even a fancy pants computer with Big Specs. A mobile phone could break that in seconds.

A mobile phone from five years ago.

Re: Piss poor security

Posted: Fri Jan 17, 2020 7:03 pm
by Orange Cola
Someone should do it just to teach them a lesson.

Re: Piss poor security

Posted: Fri Jan 17, 2020 7:12 pm
by Beany
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.

Re: Piss poor security

Posted: Fri Jan 17, 2020 7:24 pm
by NotoriousREV
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
There’s a list of 100k Westpac customer emails available:

https://finance.nine.com.au/business-ne ... d973492614

Re: Piss poor security

Posted: Sat Jan 18, 2020 12:40 pm
by Nefarious
Beany wrote: Fri Jan 17, 2020 7:12 pm
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.

Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?

Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach?

Re: Piss poor security

Posted: Sat Jan 18, 2020 2:05 pm
by Gavin
Nefarious wrote: Sat Jan 18, 2020 12:40 pm
Beany wrote: Fri Jan 17, 2020 7:12 pm
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.

Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?

Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach?
Flash Bastard! :lol:

Re: Piss poor security

Posted: Sat Jan 18, 2020 2:50 pm
by Ascender
I guess in the UK at least if there was a clear security breach, they'd have to submit some sort of report to the regulators. And those same regulators say that banks must refund any unauthorised payments from accounts.

But of course there will be the small print....
Your bank can generally only refuse a refund for an unauthorised payment if:

it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card or PIN conclusively proves you authorised a payment
it can prove you are at fault because you acted fraudulently or because you deliberately, or with ‘gross negligence’, failed to protect the details of your card, PIN or password in a way that allowed the transaction
you told your bank about an unauthorised payment 13 months or more after the date it left your account, so make sure you contact the bank as soon as possible.

Re: Piss poor security

Posted: Sat Jan 18, 2020 2:52 pm
by Ascender
Beany wrote: Fri Jan 17, 2020 7:12 pm
Orange Cola wrote: Fri Jan 17, 2020 7:03 pm Someone should do it just to teach them a lesson.
Problem is, it'll only affect actual people, and the company clearly doesn't care.

Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
Every UK bank I've worked with has spent and continues to spend a lot of money investing in protecting all their IT systems. Good old fashioned fraudsters calling up the Bank and trying stuff on (identity theft & trying to "impersonate" a legitimate customer in order to get piece by piece access to their account - i.e. changing their address) is just as big, if not a bigger problem for them.

Re: Piss poor security

Posted: Sun Jan 19, 2020 11:58 pm
by unzippy
I work for a Victorian government agency.

Server 2008 OS went end of life last week. No rush for those 24 servers as the 14 x 2003 boxes haven't been sorted yet :lol: :shock: :roll:

There are federal IT rules from what I can see but only guidelines for states. Neither come close to what we had to abide by for Islington Council!

Re: Piss poor security

Posted: Mon Jan 20, 2020 12:14 am
by unzippy
From somewhere where it is compulsory to carry your driving licence while driving, you can get on an internal flight with just a ticket - no ID needed at all.