Piss poor security
I've recently opened a new bank account in Australia and signed up for online banking.
Their password rules are an absolute joke: must be six characters, no special characters, all lower case, no two-step or multifactor identification available. I'm finding it hard to believe that any financial institution could be so lax in its security. When asked about their password policy, their response was "Brute force cracking is a common means of attempting to defeat passwords but given our current password procedures is not deemed a credible threat."
Re: Piss poor security
That is pretty poor alright...
Just protect yourself as much as you can by setting a nice long password.
Re: Piss poor security
No fucking way... that's shocking...
- DeskJockey
- NotoriousREV
Re: Piss poor security
6 characters, lower case and no special characters would be broken in seconds.
Middle-aged Dirtbag
Re: Piss poor security
NotoriousREV wrote: Fri Jan 17, 2020 2:53 pm
6 characters, lower case and no special characters would be broken in seconds.
On a mobile phone. Not even a fancy pants computer with Big Specs. A mobile phone could break that in seconds.
A mobile phone from five years ago.
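An added example, not from any poster in this thread, that puts numbers to the two claims above: the size of the bank's six-character lowercase keyspace, and how long exhausting it takes when guesses are rate-limited online versus run offline against a leaked password hash. The guess rates are constructed, illustrative values, not measurements.

```python
import math

# Password policies as (alphabet size, length). The first is the bank's rule
# quoted in the thread; the other two are assumed comparison points.
POLICIES = {
    "bank: 6 lowercase only": (26, 6),
    "8 chars, mixed case + digits": (62, 8),
    "12 chars, mixed case + digits + symbols": (95, 12),
}

# Constructed guess rates: an online login form that throttles or locks out
# (about 10 guesses/second across retries) versus offline cracking of a leaked
# fast hash on commodity GPUs (about 1e9 guesses/second).
GUESS_RATES = {"online (rate-limited)": 10.0, "offline (leaked fast hash)": 1e9}


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords the policy allows."""
    return alphabet ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy if the password is chosen uniformly from the space."""
    return math.log2(space)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the space on average."""
    return (space / 2) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


def report() -> None:
    """Print keyspace, entropy and expected crack time for each policy and rate."""
    for label, (alphabet, length) in POLICIES.items():
        space = keyspace(alphabet, length)
        print(f"{label}: {space:,} passwords, {entropy_bits(space):.1f} bits")
        for scenario, rate in GUESS_RATES.items():
            print(f"  {scenario}: ~{humanize(expected_seconds(space, rate))}")


if __name__ == "__main__":
    report()
```

The bank's reply relies on the online rate limit; the offline column is why that is not enough once a hash database leaks.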
- Orange Cola
Re: Piss poor security
Someone should do it just to teach them a lesson.
Mustang GT 5.0 V8 -- Jaguar F-Pace
Re: Piss poor security
Problem is, it'll only affect actual people, and the company clearly doesn't care.
Source: I've worked for companies who clearly don't care. Unless they get a criminal case brought against them (not a civil case) they won't change a fucking thing.
- NotoriousREV
Re: Piss poor security
There’s a list of 100k Westpac customer emails available:
https://finance.nine.com.au/business-ne ... d973492614
Re: Piss poor security
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.
Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?
Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach.
"If everything seems under control, you're just not going fast enough"
Re: Piss poor security
Nefarious wrote: Sat Jan 18, 2020 12:40 pm
I thought the onus of security protection was on the banks - i.e. if someone illegally accesses your account and transfers money out, the liability is on them to refund.
Is this wrong, or is it a case of it's strictly legally right, but they'll fight you every step of the way, insist you authorised the transaction and force you to prove it was an illegal data breach (without access to any of their log data)?
Presumably, if somebody were to hack my account, it's unlikely that they'd stop at pilfering a couple of grand from my current account, and would replicate for lots and lots of other people with the same account type, so it should be pretty obvious when it's a case of one person being lax with protecting their password vs a brute force attack on hundreds of account holders at one time. Or do the banks just withhold that info and just bare-faced lie in the face of a security breach.
Flash Bastard!
Re: Piss poor security
I guess in the UK at least if there was a clear security breach, they'd have to submit some sort of report to the regulators. And those same regulators say that banks must refund any unauthorised payments from accounts.
But of course there will be the small print....
Your bank can generally only refuse a refund for an unauthorised payment if:
it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card or PIN conclusively proves you authorised a payment
it can prove you are at fault because you acted fraudulently or because you deliberately, or with ‘gross negligence’, failed to protect the details of your card, PIN or password in a way that allowed the transaction
you told your bank about an unauthorised payment 13 months or more after the date it left your account, so make sure you contact the bank as soon as possible.
Cheers,
Mike.
Re: Piss poor security
Every UK bank I've worked with has spent and continues to spend a lot of money investing in protecting all their IT systems. Good old-fashioned fraudsters calling up the bank and trying stuff on (identity theft and trying to "impersonate" a legitimate customer in order to get piece-by-piece access to their account, i.e. changing their address) are just as big a problem for them, if not bigger.
Cheers,
Mike.
Re: Piss poor security
I work for a Victorian government agency.
Server 2008 OS went end of life last week. No rush for those 24 servers as the 14 x 2003 boxes haven't been sorted yet
There are federal IT rules from what I can see but only guidelines for states. Neither come close to what we had to abide for Islington Council!
The Evo forum really is a shadow of its former self. I remember when the internet was for the elite and now they seem to let any spastic on
IaFG Down Under Division
Re: Piss poor security
From somewhere where it is compulsory to carry your driving licence while driving, you can get on an internal flight with just a ticket - no ID needed at all.