Monday, October 31, 2011

Insecure Banking

from: Daytona Beach, FL, USA

I wrote a letter to one of my banks regarding the deplorable security of their online banking system. Then I scrapped it because I thought it was too mean and wrote another one. Here it is:

One of the concerns of the website I run is security, be it personal or electronic, and I was wondering whether there is someone I could conduct a short email interview with for an article I'm writing about online bank security in the modern age?

As you're no doubt aware, electronic crime is on the rise, and banks everywhere are scrambling to keep ahead of the crooks, who are finding all kinds of new ways to break in and steal money, often without leaving much of a trace.

One of the earliest ways they broke in was by doing "brute force" attacks to find user accounts and passwords. It takes a single computer about a day to hack a password of only 8 characters, and only a few minutes if limited to letters and numbers. Some criminals have access to parallel networks of thousands of computers, which can crack otherwise strong 8-character passwords in about 5 minutes or less, which means a network of crackers can extract the passwords for 3000 banking customers in under 2 weeks. Despite this obvious gaping hole in security, many banks refuse to upgrade their passwords to defeat this, making them a class-action suit waiting to happen.

I've heard that the weak security is so the bank can still crack the passwords of its users if they "have to", but what valid reason there could be, I'd like to ask.

Lately, banks have started implementing "secret questions", which are about as secret as asking what color the sky is. Perhaps you remember the Paris Hilton scandal. Though it may cut down slightly on the random, massive thefts, it doesn't stop criminals from focusing on a big payday customer, finding out all the publicly available information about their target, and then answering the "secret questions", which only ever seem to ask for publicly available information. People with an ax to grind also find this very easy security to bypass and ruin the life of their enemy.

Things like "sister's middle name" or "grandmother's maiden name" or "street you grew up on" and so forth, are all easily available to anyone willing to invest $20 in any ad that shows up on the site. (Which is to say, those online stalking websites which allow you to get information about anyone.)

My questions entail wanting to know what proactive steps your institution is taking to safeguard their customers' money and personal information against theft, and whether you plan on taking such steps before or after a preventable theft results in a massive class-action suit which holds your board of directors personally responsible and has them jailed and bankrupted for gross incompetence.

For instance, your institution only allows passwords of up to 8 characters, and I cannot use symbols. It would take a cracker just a few minutes to break into my account. In contrast, Microsoft's minimum password security standard recommends 14-character passwords made of upper- and lower-case letters, numbers, and symbols; doing so yields passwords which require many years of effort to crack.

Why doesn't your institution allow users to have secure passwords if they want them? Security questions are often used to bypass forgotten passwords, and so they need to be approximately as secure as passwords; when will your institution no longer require that users use publicly available information like names of family members and residence addresses for these questions? Is it true that banks regularly hack the accounts of their own users? Is it true that the personal information gained for security questions is used to target advertising? Is the database of security questions itself protected by more than a simple 8 character password? Is there some law which prevents banking customers from suing the CEO and Board of Directors personally for gross negligence regarding the security of their accounts?

Thank you very much for your assistance in directing me to the person I need to talk to about this article. I'm very interested in getting all my facts straight before publishing articles, and your institution's assistance is much appreciated.

I never sent this, since it's still a little too mean. I did, however, close that account so I wouldn't get hacked.

The worries behind it, though, are still valid. Why would a bank prevent you from having a properly secure password? I realize not all customers WANT secure passwords, since they're a hassle, but for those who DO want them, why deny them?

As mentioned above, if you have a password like "hello", that can be cracked in SECONDS. Even one like "7&tND0=q" will take a few minutes. The more characters you use, and the more characters you have to choose from, the harder it is to crack. This goes up very quickly, such that a proper 16-character password can take millennia for a cracking farm to break. Check out this tool to help you make secure passwords. And here's additional information about passwords. If you don't get something, just skip to the next section.
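The scaling argument above, worked through as an added example (this code is not from the original post): the alphabet is estimated from the character classes present in a password, and the two guess rates are assumed, illustrative figures rather than measurements.

```python
import math
import string

# Character classes a guesser must cover; the effective alphabet is the union of
# the classes that actually occur in the password (a simple, common estimate).
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}

# Assumed, illustrative guess rates (guesses per second), not figures from the post:
# a single machine versus a farm of thousands of machines.
RATES = {"one machine": 1e9, "farm": 1e13}

def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates of exactly this length over an alphabet of this size."""
    return alphabet ** length

def entropy_bits(password: str) -> float:
    """Bits of guessing entropy under the class-based alphabet model."""
    return len(password) * math.log2(alphabet_size(password))

def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet) / guesses_per_second

def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 31557600.0), ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def meets_minimum(password: str) -> bool:
    """The post's rule of thumb: longer than 8 characters, with a digit and a symbol."""
    return (len(password) > 8
            and any(c in CLASSES["digit"] for c in password)
            and any(c in CLASSES["symbol"] for c in password))

def crack_table(password: str) -> dict:
    """Exhaustive-search time for this password's length and alphabet at each rate."""
    n, a = len(password), alphabet_size(password)
    return {who: humanize(seconds_to_exhaust(n, a, rate)) for who, rate in RATES.items()}

if __name__ == "__main__":
    for pw in ("hello", "7&tND0=q", "Correct-Horse-7-Battery"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, policy ok={meets_minimum(pw)}, {crack_table(pw)}")
```

Adding one character class or a few more characters multiplies the keyspace rather than adding to it, which is why the 8-character limit matters more than it looks.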

Check your online banking passwords and make sure they are longer than 8 characters, and that they have numbers and symbols in them. If your bank doesn't allow this minimum level of security, you might want to consider keeping your money elsewhere before someone else decides to keep your money elsewhere.
