It's insane that my personal blog is more secure than my bank.
Something was left open and exposed in the central infrastructure for this to happen, or some kind of supply-chain exploit, or a key administrator account credential was phished.
Regardless, I believe my point still stands. I want better options for security; I shouldn't need a better reason than it's where I keep all my money.
(Or at least, a better option should be required to be available.)
Not that it would help in this specific case I guess.
I wonder about that; with one of my banks, the password is case-insensitive. Of course they could lowercase it before hashing, but I suspect they don't.
Yikes, that’s scary. Legitimately would make me think about leaving that bank.
It's insane to imagine that that is true. :)
Seriously though, if banks and their customers were being defrauded by superficially poor password/MFA hygiene, obviously they would fix that. They are not.
The 6 characters were designed to be mapped to 6 numbers for a telephone banking PIN.
So aA-cC would all be treated the same (and be a 0 for telephone banking), dD-fF would be 1, etc.
So in reality, there were only a million different passwords.
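The two comments above (a case-insensitive password, and a 6-character password that is collapsed onto telephone-keypad digits) both describe the same failure: the server canonicalizes the password before hashing, so the number of distinct stored values is far smaller than the number of passwords a user thinks they can choose. The following is an added example, not code from anyone in this thread or from any bank. It assumes SHA-256 as the hash, assumes the keypad table continues past dD-fF in groups of three (gG-iI is 2, ..., yY-zZ is 8; only the first two groups are stated above), and assumes digits map to themselves.

```python
import hashlib
import itertools
import string


def _build_keypad_table():
    """Letter-to-digit table implied by the comment: a-c -> 0, d-f -> 1, ...

    Only a-c -> 0 and d-f -> 1 are stated on the page; the remaining groups
    (g-i -> 2 through y-z -> 8) are an ASSUMPTION extrapolated from "etc.".
    Digits are assumed to map to themselves.
    """
    table = {}
    for index, letter in enumerate(string.ascii_lowercase):
        digit = str(index // 3)          # groups of three letters per digit
        table[letter] = digit
        table[letter.upper()] = digit    # case is discarded as well
    for digit in string.digits:
        table[digit] = digit
    return table


KEYPAD = _build_keypad_table()


def canon_identity(pw):
    """No canonicalization: the password is hashed as typed."""
    return pw


def canon_casefold(pw):
    """Case-insensitive login: lowercase before hashing (the first comment's suspicion)."""
    return pw.lower()


def canon_keypad(pw):
    """Telephone-PIN login: every character collapsed to a keypad digit."""
    try:
        return "".join(KEYPAD[c] for c in pw)
    except KeyError as exc:
        raise ValueError(f"character {exc.args[0]!r} has no keypad digit") from None


def stored_hash(pw, canon):
    """What the server would store: hash of the canonical form, not of the password."""
    return hashlib.sha256(canon(pw).encode()).hexdigest()


def verify(candidate, digest, canon):
    """Login check: any candidate with the same canonical form is accepted."""
    return stored_hash(candidate, canon) == digest


def effective_keyspace(length, canon, alphabet=string.ascii_letters + string.digits):
    """Distinct canonical forms reachable by `length`-character passwords over `alphabet`.

    All three canonicalizers here act per character, so the count is
    (number of distinct canonical characters) ** length.
    """
    distinct = len({canon(c) for c in alphabet})
    return distinct ** length


def recover_canonical(digest, length=6):
    """Offline attack on a leaked keypad-canonical hash: try all 10**length digit strings."""
    for digits in itertools.product(string.digits, repeat=length):
        guess = "".join(digits)
        if hashlib.sha256(guess.encode()).hexdigest() == digest:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample passwords; "adgjmp" and "cfilor" both canonicalize to "012345".
    digest = stored_hash("adgjmp", canon_keypad)
    print("cfilor accepted for adgjmp:", verify("cfilor", digest, canon_keypad))
    for name, canon in [("as typed", canon_identity),
                        ("casefold", canon_casefold),
                        ("keypad", canon_keypad)]:
        print(f"{name:>9}: {effective_keyspace(6, canon):,} distinct 6-char passwords")
    print("recovered canonical form:", recover_canonical(digest))
```

The keyspace figures are the point: 62 characters over 6 positions gives about 5.7e10 passwords as typed, 36^6 (about 2.2e9) after case-folding, and exactly 10^6 under the keypad mapping, which is the "only a million different passwords" above. `recover_canonical` shows why the last case is fatal if the hash table leaks: a million unsalted SHA-256 guesses take about a second in plain Python, and the recovered digit string logs in directly because `verify` accepts anything with the same canonical form.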
I thought this stopped ~10 years ago. Or did it?
The communication about the change, and the way the old system worked (without warning or notification), left a lot to be desired.
> According to Bloomberg and CNN, citing sources, SitusAMC sent data breach notifications to several financial giants, including JPMorgan Chase, Citigroup, and Morgan Stanley. SitusAMC also counts pension funds and state governments as customers, according to its website.
Meaning that when there is a breach, if you don't personally sue them and take on the costs of investigating and proving the root cause of the breach yourself, then it's likely nothing will happen to them at all. And this is only for the institutions actually covered by a regulation.
And assuming an investigation is done, and proof found of negligence, they'll be given a fine or settle for a small amount of their yearly profit. Nobody goes to jail or is personally fined, and the company has a minor dip in earnings. Problem solved!
Have we gotten to the point yet where simple possession or knowledge of personal data is insufficient to prove identity? Seems like we should have been there years ago.
Banks serve ordinary people, and the most useful way to identify those people is 'what you know'. DOB is the most commonly used.
Some banks and other organizations have started to give up 'what you know', as most people give up too much personal information over social media and bad guys can easily acquire it. Now they are moving to 'what you have', like sending you a message where you have to click the link to prove you are the person you claim to be.
That era has to end if it hasn't already. Just because an unknown voice can answer questions about me doesn't mean it's me. And these days, you might not even be able to trust a voice-print.
All this "personal data" has to be made valueless. Then people will stop stealing it, and if they do, it won't matter.
Explain how that would have worked about 150 years ago? Being a stranger back then was far riskier in a lot of places, and they'd have no idea if your identity was fake or not. Moving from these old systems to new digital systems was a slow process, and even today I see old people go into the DMV without many life records and have issues because many of their state records are in storage on paper in some warehouse and not digitized.
Things of the past are to this day catching up with the future we live in.
But these huge data breaches have been happening for a few decades now. Pretty much anyone who's had any accounts with banks, insurance companies, credit card companies, utilities, or any online services has been included in one or more of them. It must be the assumption going forward that this information is no longer secret.