What Is Your Bank’s Security Banking On?

72 points, posted by andimm about 7 years ago

9 comments

HoyaSaxa, about 7 years ago

(Disclaimer: I'm the co-founder of Narmi, which provides online banking, mobile banking, and banking APIs to banks and credit unions in the United States.)

For anyone interested, Associated Bank (mentioned in the article) is using Fiserv's Corillian [1] product.

The U.S. financial ecosystem is quite different from others around the world. Despite the asset base being consolidated heavily with a handful of institutions, there are still over 11,000 banks and credit unions around the country. Of those 11,000, I would estimate that less than 5% have any significant in-house engineering teams (and that is a generous estimate). The rest rely entirely on third parties to run the technology and software that makes a bank a bank. The market is dominated by Fiserv, FIS and Jack Henry & Associates as the article mentions, but there is also a long tail of providers.

Very few bank and credit union executives understand the basics of cybersecurity. The vast majority of CEOs come from some type of lending-centric leadership position, since that has traditionally been the main source of revenue.

Unabashed plug: if you know a credit union or bank that is in need of a better digital banking experience, I would greatly appreciate the plug/intro for Narmi.

[1] https://www.fiserv.com/customer-channel-management/online-banking/corillian-online.aspx
lakechfoma, about 7 years ago

Discord has stronger authentication methods than any of the 8 or so financial institutions I have accounts with.

All 8+ do their auth quite differently, yet they're all broken and they all fall back on SSN. Why hasn't this industry standardized around one process that is actually effective?

Recently I made an account with Fidelity brokerage. Username maxes out at 12 chars or something, password at 20. Not the worst, but then I had to get phone support, and to authenticate over the phone you need to enter either your username or SSN on the keypad, and then the password on the keypad. The character space of both the username and password has thus been reduced to 0-9 and * for all specials.

Another institution is for my employee share purchase plan. The phone support can initiate sells and transfers, I'm pretty sure, yet their only auth is for my full name, employee number, and birthday. My employee number is literally printed on my laptop and some other stuff next to my full name; my birthday is easily googleable with my name.
ekns, about 7 years ago

All or most Finnish banks use an ~8-digit account ID and a 4-6 digit one-time password from a slip of paper that has 80 to 300 of them. Some have a separate PIN/password too.

For confirming large transactions (>5000 or 10000 EUR) there's a separate phone call or SMS verification.

Nowadays there are apps for 2FA instead of always requiring the use of a one-time password. My corporate bank account still uses the paper-backed one-time passwords, though.
zaarn, about 7 years ago

The security of my bank is pretty good: any account management action (password reset, card PIN change, mailing address, email, name, etc.) requires physical presence in the closest branch. Not any arbitrary branch, the closest. With my passport. Not some bill or mail to my address. My passport.

The password reset will then set up a new password with 12 characters, numbers and specials included. This password is then sent via the German postal service to my house; I can't pick it up at my local branch or have it told to me. Sent via mail. Period.

The letter advises me to change the password to something secure immediately and destroy the letter securely afterwards. The banking website enforces this, and you cannot change your password to any temporary password that your account previously had. (So if someone intercepted the letter, you would either notice or it would be useless.)

The only downside is they have an ancient COBOL mainframe doing the accounts, so passwords are case insensitive and encoded in EBCDIC. Although they are properly hashed using bcrypt, there is an upper limit of 24 characters because the password still passes through there.

So I would say my bank is banking on the customer picking a good enough password and hoping they can replace the COBOL mainframe at some point.
PeterStuer, about 7 years ago

For my bank it is:

- Log in: two-factor authentication based on chip card / chip card reader [1] with a 4-digit PIN attached to the card.

- 3 wrong PIN attempts block the card and require a phone unlock. The 'call' is secured by asking you the typical weak questions that are easily guessed.

- Each transaction requires using the same device to generate an 8-digit electronic signature.

You could argue the 'security questions' part is weak, but I guess in the context of the process (buying you another 3 attempts) it's an OK-ish trade-off.

We have come a long way since the first 'phone banking', where all that was needed to access the account and make whatever transaction was punching in a 4-digit 'password' on a tone-dial phone.

[1] http://c621460.r60.cf3.rackcdn.com/Kaartlezer---kaart.jpg
ocfnash, about 7 years ago

To log in to an account for my Irish bank, AIB, you just need:

* A theoretically-secret 8-decimal-digit id
* Three digits from a secret 5-decimal-digit PIN

For many years all new online credentials were assigned an 8-decimal-digit id of the form ddmmyynn, where ddmmyy was the account holder's birth date and nn was a sequence number.

I don't know how many accounts still have these birth-date-style ids, but I have good reason to believe it is a great many.
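Two of the comments above (lakechfoma's phone-keypad authentication and ocfnash's ddmmyynn ids with a 3-of-5-digit PIN) each describe a credential whose real search space is far smaller than its nominal one. The following is an added example, not code from the thread, that puts numbers on both. It assumes the ITU E.161 keypad layout (ABC on 2 through WXYZ on 9), the 95 printable ASCII characters as the password alphabet, and the id scheme exactly as ocfnash describes it; the sample passwords are constructed.

```python
"""Effective search space of two weak credential schemes (added example)."""
import math
import string
from datetime import date

# ITU E.161 letter-to-digit layout used by phone keypads (assumption).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}
SYMBOLS = string.punctuation + " "      # the 33 printable non-alphanumerics
PRINTABLE = 10 + 52 + len(SYMBOLS)      # 95 printable ASCII characters


def keypad_encode(secret: str) -> str:
    """What an IVR actually receives when a password is typed on a keypad:
    letters collapse to their digit (case is lost), every symbol to '*'."""
    out = []
    for ch in secret.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            out.append("*")
    return "".join(out)


def keypad_preimages(secret: str) -> int:
    """Number of distinct printable-ASCII passwords the IVR cannot tell apart
    from `secret`: per key, the digit itself plus its letters in both cases,
    or all 33 symbols for '*'. Keys 0 and 1 carry no letters."""
    total = 1
    for key in keypad_encode(secret):
        if key == "*":
            total *= len(SYMBOLS)
        elif key in KEYPAD:
            total *= 1 + 2 * len(KEYPAD[key])
    return total


def keypad_bits(length: int) -> tuple[float, float]:
    """Entropy in bits of a uniformly random password of `length` printable
    characters before and after keypad collapse (11 distinguishable keys)."""
    return length * math.log2(PRINTABLE), length * math.log2(11)


def aib_candidate_ids(day: int, month: int, year: int) -> list[str]:
    """All ddmmyynn ids for one known birthday: the whole id space an attacker
    has to try shrinks to the 100 sequence numbers."""
    birthday = date(year, month, day)   # also validates the date
    return [f"{birthday:%d%m%y}{nn:02d}" for nn in range(100)]


def aib_id_space(first_year: int, last_year: int) -> int:
    """Number of ddmmyynn ids for birthdays from first_year to last_year
    inclusive (a span under 100 years, so yy does not wrap), to compare with
    the 10**8 values of a random 8-digit id."""
    days = (date(last_year + 1, 1, 1) - date(first_year, 1, 1)).days
    return days * 100


def aib_login_guesses(id_candidates: int, pin_digits_asked: int = 3) -> float:
    """Expected online guesses for one login: id candidates times the 10**k
    values of the k PIN digits requested, halved for the average case."""
    return id_candidates * 10 ** pin_digits_asked / 2


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"                                 # constructed sample
    print(pw, "->", keypad_encode(pw), keypad_preimages(pw), "indistinguishable passwords")
    print("20-char password bits before/after keypad:", keypad_bits(20))
    print("ids for a known birthday:", len(aib_candidate_ids(7, 3, 1985)))
    print("ids for all 1930-2009 birthdays:", aib_id_space(1930, 2009), "vs", 10 ** 8)
    print("expected guesses with known birthday:", aib_login_guesses(100))
```

The keypad figures show why a 20-character password limit matters less than the channel it is typed into: over the phone the alphabet is 11 keys, so a maximal Fidelity-length password carries about 69 bits instead of 131, and any password is one of millions the IVR accepts identically. The AIB figures show the other failure: with a birthday from a social profile, the id space is 100 and the partial PIN adds only 1,000 possibilities per challenge.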
rocqua, about 7 years ago

In the Netherlands, most banks use a system that depends on the security of the chip debit card and a specific hardware device that each customer gets sent.

In my case (Rabobank), whenever the bank needs authentication (i.e. when logging in, transferring money, or changing details) they present me with a QR-like code. I then use their supplied hardware [1]. This requires me to insert my card and enter my PIN. I can then scan the QR-ish code with a camera built into the device.

The device then prompts me with what I am doing. Something like "You are sending € X to account Y" or "Login into account Z". Upon clicking confirm, it outputs a numerical code I have to enter into the website.

I really love this system; I like it the best of all Dutch systems I know. One bank I know of (ABN AMRO) has a similar hardware device, without using the QR codes, but numbers you enter. They also provide a USB connection so you don't need to enter numerical codes twice. Another bank I know of uses standard password and SMS 2-factor authentication.

The mobile app for Rabobank is quite a bit worse, though. You need the scanner once to set up a PIN on the device. With that PIN, you can immediately log in and see all account details. Moreover, small amounts to accounts you've previously sent money to can be sent using only that PIN. The idea being that these are your 'friends' and it is nice to pay your friends quickly. There is even a setting that will allow you to send amounts below a threshold (I think €100) to any account using only that PIN. Luckily, you can turn that off, and it takes the scanner to turn it back on. However, you cannot turn off the transfer to 'friends' unless you simply refuse to install the app.

[1] Dutch Wikipedia link: https://nl.wikipedia.org/wiki/Rabo_Scanner
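The property rocqua describes, that the device shows the recipient and amount before producing a code, is "what you see is what you sign": the code is computed over the exact transaction the bank is about to execute, so a man-in-the-browser that swaps the recipient either gets its own IBAN displayed on the device or ends up with a code that does not verify. The following is an added example, not code from the thread or from any bank, that models that flow together with the 3-wrong-PIN card block PeterStuer describes. The real devices run EMV CAP on the chip card; here the card secret is an HMAC key and the code is 8 truncated digits of HMAC-SHA256, which is an assumption made so the protocol logic runs offline. The IBANs, key and nonces are constructed.

```python
"""Toy 'what you see is what you sign' transaction signing (added example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    to_iban: str
    amount_cents: int


class CardBlocked(Exception):
    pass


def response_code(key: bytes, challenge: dict) -> str:
    """8-digit code over the canonical challenge (nonce + recipient + amount).
    Assumption: HMAC-SHA256 stands in for the chip card's EMV CAP cryptogram."""
    msg = json.dumps(challenge, sort_keys=True).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Issues one-shot challenges that bind the card secret to the exact transaction."""

    def __init__(self):
        self.card_keys = {}     # customer -> key shared with that customer's card
        self.pending = {}       # nonce -> (customer, challenge), removed once used

    def issue_card(self, customer: str, key: bytes) -> None:
        self.card_keys[customer] = key

    def challenge(self, customer: str, tx: Transaction, nonce: str = "") -> dict:
        nonce = nonce or secrets.token_hex(8)
        ch = {"nonce": nonce, "to": tx.to_iban, "amount": tx.amount_cents}
        self.pending[nonce] = (customer, ch)
        return ch

    def verify(self, nonce: str, response: str) -> bool:
        customer, ch = self.pending.pop(nonce, (None, None))
        if ch is None:
            return False        # unknown, expired or already-used challenge
        return hmac.compare_digest(response_code(self.card_keys[customer], ch), response)


class Scanner:
    """Offline device: card key + PIN in, displayed text and response code out."""

    MAX_PIN_TRIES = 3           # as in PeterStuer's comment: third failure blocks the card

    def __init__(self, card_key: bytes, pin: str):
        self._key, self._pin, self.failed_pins = card_key, pin, 0

    def sign(self, challenge: dict, pin_entered: str) -> tuple[str, str]:
        if self.failed_pins >= self.MAX_PIN_TRIES:
            raise CardBlocked("card blocked; unlock by phone")
        if not hmac.compare_digest(pin_entered, self._pin):
            self.failed_pins += 1
            if self.failed_pins >= self.MAX_PIN_TRIES:
                raise CardBlocked("card blocked; unlock by phone")
            raise ValueError("wrong PIN")
        # The display is rendered from the challenge the bank actually holds,
        # not from what the browser showed, so tampering is visible here.
        display = (f"You are sending EUR {challenge['amount'] / 100:.2f} "
                   f"to account {challenge['to']}")
        return display, response_code(self._key, challenge)


def man_in_the_browser_demo() -> dict:
    """Malware swaps the recipient after the user typed it. Case 1: the bank's
    challenge carries the attacker's IBAN, so the device displays it. Case 2:
    a code the user produced for the real transaction is replayed against the
    swapped one and fails, while it verifies for the transaction it was made for."""
    bank = Bank()
    key = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed card key
    bank.issue_card("alice", key)
    device = Scanner(key, pin="1234")
    intended = Transaction("NL91ABNA0417164300", 2500)         # constructed IBANs
    tampered = Transaction("NL02RABO0123456789", 2500)

    display, _ = device.sign(bank.challenge("alice", tampered, nonce="a" * 16), "1234")

    ch_real = bank.challenge("alice", intended, nonce="b" * 16)
    _, code_real = device.sign(ch_real, "1234")
    ch_fake = bank.challenge("alice", tampered, nonce="c" * 16)
    return {"display_shows_attacker": tampered.to_iban in display,
            "replay_accepted": bank.verify(ch_fake["nonce"], code_real),
            "honest_accepted": bank.verify(ch_real["nonce"], code_real)}


def lockout_demo() -> int:
    """Wrong PIN entries accepted before the device raises CardBlocked."""
    device = Scanner(b"k", pin="0000")
    ch = {"nonce": "0" * 16, "to": "NL91ABNA0417164300", "amount": 1}
    tries = 0
    while True:
        try:
            device.sign(ch, "9999")
        except ValueError:
            tries += 1
        except CardBlocked:
            return tries + 1


if __name__ == "__main__":
    print(man_in_the_browser_demo())
    print("PIN attempts until card block:", lockout_demo())
```

The two design points to take from the model: the bank, not the browser, is the source of the text the device displays, and each challenge is popped from `pending` on first use, so a code is good for exactly one transaction and one verification. The app-only "friends" transfers rocqua complains about are exactly the path that skips this device.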
cupofjoakim, about 7 years ago

In Sweden the standard is something called BankID, which is basically a digitally bank-issued ID that ties into 2FA and works kind of like the Blizzard authenticator or the Google Auth app, but I'm not sure about the solutions for people without smartphones. It's becoming kind of big here and is regarded as the most secure solution. The startup I'm at now uses it for logging into both the admin dashboard and the customer pages.

The user fills in their SSN on our form, we push a request to BankID, they send a request to the user's phone, the user types a minimum 6-digit code which is posted to BankID, and BankID tells us to go ahead with the login. For iPhone X there's even support for skipping the code and using Face ID.

t3h2mas, about 7 years ago

My bank runs a public bug bounty program. It's a start.