undefined | Better HN

0 pointsLiquix1y ago0 comments

Financial institutions are very slow to adopt new tech. Especially tech that will inevitably cost $$$ in support hours when users start locking themselves out of their accounts. There is little to no advantage to being the first bank to implement YubiKey 2FA. To a risk-averse org, the non-zero chance of a botched rollout or displeased customers outweighs any potential benefit.

0 comments

monksy1y ago

They're pretty terrible when they do.

For the longest time the max password size was 8 characters and the csr knew what your password was.

Heck I've had Chase security tell me they'd call me back.. dude that's exactly how people get compromised.

biglost1y ago

A friensd bank, hopefully not the one i use, only allow a password off 6 digits. Yes You read it right, 6 fucking digits to login, i hace him the asvice to run away from that shitty bank

foepys1y ago

Did this bank start out as a "telephone bank"? One of the largest German consumer banks still does this because they were the first "direct bank" without locations and typing in digits on the telephone pad was the most secure way of authenticating without telling the "bank teller" your password. So it was actually a good security measure but it is apparently too complicated to update their backend to modern standards.

They do require 2FA, though.

1 more reply

doubled1121y ago

Exactly. 8 character password in the 2010s as the only factor was fine. It was only my money we're talking about.

Now I have to wait for an SMS. Great...

throwaway29901y ago

SMS is fine on most countries. It’s just America is dumb and allows number transfers to anyone.

hwertz1y ago

Nope, I read The Register (UK based) and they've had scandals from celebrities having their confidential SMS messages leaked; SMS spoofing; I think they even have SIM cloning going on every now and then in UK and some European countries. (since The Register is a tech site, my recollection is some carriers took technical measures to prevent these issues while quite a few didn't.)

I don't think it's a thing that happens that often in UK etc.; but, it doesn't happen that frequently in the US either. It's just a thing that can potentially happen.

1 more reply

dewey1y ago

SS7 is a global issue, and so is social engineering to get a number transferred or SIM card transferred.

https://hitcon.org/2015/CMT/download/day1-d-r0.pdf

KiwiJohnno1y ago

Its also been a problem in Australia, Optus (2nd biggest teleco) used to allow number porting or activating sim against an existing account with a bare minimum of detail - Like a name, address and date of birth. If you had those details of a target you could clone their SIM and crack any SMS based MFA.

1 more reply

vladvasiliu1y ago

I don’t know about other parts, but here in France SMS is a shitshow. I regularly fail to receive them even though I know I have good reception.

This happened the other day while I was on a conference call with perfect audio and video using my phone’s mobile data.

A few weeks back, had some shop which sends out an SMS to inform you the job’s done tell me this is usually hit and miss when I complained about not hearing from them.

1 more reply

StillBored1y ago

SMS is not E2E encrypted, so for all intents is just a plain text message that can/has been snooped. Might as well just send a plaintext emails as well.

eru1y ago

Number transfers in other countries is also mostly just a question of a bit of social engineering.

1 more reply

darkr1y ago

> There is little to no advantage to being the first bank to implement YubiKey 2FA

Ideally they’d just implement passkeys (webauthn/fido). More secure, and it works with iOS, android, 1password, and yubikeys

grepfru_it1y ago

Uh many banks provide MFA. And secure with hardware keys. It’s just that your level of assets doesn’t warrant that kind of protection.

Source: worked at all the major banks, all the wealthy clients use hardware MFA

wsc9811y ago

The bank I used in The Netherlands provides a MFA device as well. The device requires an ATM card as well to generate a random number.

This is the default for all their customers, wealthy or not.

https://www.abnamro.nl/en/commercialbanking/internetbanking/...

grepfru_it1y ago

I meant to say in the us :)

heyoni1y ago

They’re a bank. If they can secure their portals with hardware keys, at least allow customers to onboard their own keys.

LtWorf1y ago

My bank gave me an hardware token to protect my 5k€ account.

Get better banks people :)

grepfru_it1y ago

I meant to say in the us. You know how backwards we are here :)

j / k navigate · click thread line to collapse

0 comments

monksy1y ago

They're pretty terrible when they do.

For the longest time the max password size was 8 characters and the csr knew what your password was.

Heck I've had Chase security tell me they'd call me back.. dude that's exactly how people get compromised.

biglost1y ago

A friensd bank, hopefully not the one i use, only allow a password off 6 digits. Yes You read it right, 6 fucking digits to login, i hace him the asvice to run away from that shitty bank

foepys1y ago

They do require 2FA, though.

1 more reply

doubled1121y ago

Exactly. 8 character password in the 2010s as the only factor was fine. It was only my money we're talking about.

Now I have to wait for an SMS. Great...

throwaway29901y ago

SMS is fine on most countries. It’s just America is dumb and allows number transfers to anyone.

hwertz1y ago

I don't think it's a thing that happens that often in UK etc.; but, it doesn't happen that frequently in the US either. It's just a thing that can potentially happen.

1 more reply

dewey1y ago

SS7 is a global issue, and so is social engineering to get a number transferred or SIM card transferred.

https://hitcon.org/2015/CMT/download/day1-d-r0.pdf

KiwiJohnno1y ago

1 more reply

vladvasiliu1y ago

I don’t know about other parts, but here in France SMS is a shitshow. I regularly fail to receive them even though I know I have good reception.

This happened the other day while I was on a conference call with perfect audio and video using my phone’s mobile data.

A few weeks back, had some shop which sends out an SMS to inform you the job’s done tell me this is usually hit and miss when I complained about not hearing from them.

1 more reply

StillBored1y ago

SMS is not E2E encrypted, so for all intents is just a plain text message that can/has been snooped. Might as well just send a plaintext emails as well.

eru1y ago

Number transfers in other countries is also mostly just a question of a bit of social engineering.

1 more reply

darkr1y ago

> There is little to no advantage to being the first bank to implement YubiKey 2FA

Ideally they’d just implement passkeys (webauthn/fido). More secure, and it works with iOS, android, 1password, and yubikeys

grepfru_it1y ago

Uh many banks provide MFA. And secure with hardware keys. It’s just that your level of assets doesn’t warrant that kind of protection.

Source: worked at all the major banks, all the wealthy clients use hardware MFA

wsc9811y ago

The bank I used in The Netherlands provides a MFA device as well. The device requires an ATM card as well to generate a random number.

This is the default for all their customers, wealthy or not.

https://www.abnamro.nl/en/commercialbanking/internetbanking/...

grepfru_it1y ago

I meant to say in the us :)

heyoni1y ago

They’re a bank. If they can secure their portals with hardware keys, at least allow customers to onboard their own keys.

LtWorf1y ago

My bank gave me an hardware token to protect my 5k€ account.

Get better banks people :)

grepfru_it1y ago

I meant to say in the us. You know how backwards we are here :)

j / k navigate · click thread line to collapse