Does anyone know of a UK bank that doesn't do this dumb thing where they ask you to enter certain characters of your password?

@stringlytyped HSBC asks for the full password and one-time code.

@mansr Oh, cool, thanks. How is their online banking in other respects?

@stringlytyped It lets you move money around and see your transaction history, just like every other bank I've used.

@darrenpmeyer Apparently it's sort of standard here? I guess as an attempt to prevent phishing?

@stringlytyped and I thought the US banks doing the "security image" thing (and calling it two-factor 🙄) was nuts…

@darrenpmeyer Oh, they're still doing the security image thing here. At least Bank of America and friends got rid of it eventually.

@stringlytyped U.K. Bank Ltd. “Yeah, we store your password using reversible encryption.”

@djmoch @stringlytyped U.K. Bank Ltd. “Yeah, we store your password in plain text.” :O)
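Added example, not code from anyone in this thread and not any bank's actual implementation: a small Python model of the "enter characters 2, 5 and 9 of your password" login the thread is discussing. It shows the point made above, that a salted hash can only answer "is this the whole password?", so a partial-character check forces the server to keep the password recoverable, and it measures the anti-phishing argument by counting how many relayed logins a phishing page needs before it has seen every character. The demo password, the choice of three characters per login, and the seeded randomness are assumptions for illustration.

```python
"""Constructed model of partial-password login (added example, not a bank's code)."""
import hashlib
import os
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed demo credential; not a real account value.
DEMO_PASSWORD = "correcthorse42"
PBKDF2_ROUNDS = 100_000


def hashed_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Conventional storage: salted, slow hash. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_full(record: Tuple[bytes, bytes], attempt: str) -> bool:
    """The only question a hashed record can answer: is `attempt` the whole password?
    There is no way to ask it "is character 5 an 'h'?"."""
    salt, digest = record
    return hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS) == digest


class PartialPasswordServer:
    """Partial-password login as described in the thread.

    To check individual characters the server must compare them one by one,
    so it keeps the password in a form it can read back. Plaintext is used
    here; reversible encryption changes nothing about that property.
    """

    def __init__(self, password: str, k: int = 3, seed: Optional[int] = None):
        self._password = password          # recoverable by design
        self._k = k                        # characters demanded per login (assumed: 3)
        self._rng = random.Random(seed)    # seeded only so the demo is repeatable

    def challenge(self) -> List[int]:
        """Pick k distinct 0-based positions the user must reveal this login."""
        return sorted(self._rng.sample(range(len(self._password)), self._k))

    def verify(self, positions: List[int], chars: str) -> bool:
        """Character-by-character comparison; needs the plaintext above."""
        if len(chars) != len(positions):
            return False
        return all(self._password[p] == c for p, c in zip(positions, chars))


def phishing_leakage(server: PartialPasswordServer, victim_password: str,
                     sessions: int) -> Tuple[int, int]:
    """Simulate a phishing page that relays the bank's challenge and records
    the victim's answers. `victim_password` is used only to play the victim.

    Returns (distinct positions the phisher now knows, password length).
    Each capture is partial, which is the anti-phishing argument, but the
    recovered set only ever grows across logins.
    """
    known: Dict[int, str] = {}
    for _ in range(sessions):
        positions = server.challenge()
        answer = "".join(victim_password[p] for p in positions)  # victim types these
        for p, c in zip(positions, answer):
            known[p] = c
    return len(known), len(victim_password)


def sessions_until_full_recovery(length: int, k: int, seed: int = 0) -> int:
    """Count relayed logins until every position has been revealed at least once
    (a coupon-collector process over the password positions)."""
    server = PartialPasswordServer("x" * length, k=k, seed=seed)
    seen: Set[int] = set()
    logins = 0
    while len(seen) < length:
        seen.update(server.challenge())
        logins += 1
    return logins


if __name__ == "__main__":
    bank = PartialPasswordServer(DEMO_PASSWORD, k=3, seed=1)
    pos = bank.challenge()
    print("challenge positions:", pos,
          "accepted:", bank.verify(pos, "".join(DEMO_PASSWORD[p] for p in pos)))
    for n in (1, 3, 6, 12):
        got, total = phishing_leakage(PartialPasswordServer(DEMO_PASSWORD, 3, seed=7),
                                      DEMO_PASSWORD, n)
        print(f"after {n:2d} relayed logins the phisher knows {got}/{total} characters")
    print("logins to recover a 14-char password at 3 per login:",
          sessions_until_full_recovery(14, 3, seed=0))
```

The `verify_full` path is the usual answer to "why do you need my whole password?": a PBKDF2 record cannot be queried per character, so any scheme that asks for positions 2, 5 and 9 has to have the characters available server-side. The simulation also shows the trade the scheme actually makes: a single phished login no longer yields the full secret, but a page that relays challenges does, after a handful of logins.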

@djmoch They also ask you for part of your password when you call in, which is just SO GREAT

@stringlytyped I seem to remember T-Mobile somewhere in Europe doing this a couple years ago and the #infosec community on birdsite came down on them pretty hard.

Not sure it changed anything ...

@djmoch Yeah I remember that! People were super upset after their social media person got sassy and said asking passwords over the phone is fine because they have amazing security. 🙄

@stringlytyped I've seen a software company make you set up a second, short password beyond the standard password and ask for 2 of the characters of that after entering your normal password but not the normal password itself.

@SandPaper This particular bank (Santander) has two codes: a password and a "security number". They ask for certain characters from both. Surely, they would devise a crazy system like this without good reason, right? RIGHT?!

(Also, fun fact: they use SMS OTP codes on their mobile app, but don't when you log in via a browser. It's all so well thought out.)

@stringlytyped I can't remember what it was exactly but I remember infosec Twitter having a field day with Santander UK. It was probably something tied to Troy Hunt and poor passwords but maybe not this specifically. If I ever get back on there I'll try to look it up.

@SandPaper I did a search. Troy Hunt shared an article about how they don't allow pasting from password managers "for security reasons". Although, I am not sure how it would be possible to use a password manager in that fashion anyway because of this business of asking for specific characters from the password, so ¯\_(ツ)_/¯

@stringlytyped @jerry First Direct (subsidiary of HSBC) ask for your secret question answer (i.e. first job location) + token code, generated on the app which requires FaceID/TouchID or manually entering your “digital key” password.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.