Does anyone know of a UK bank that doesn't do this dumb thing where they ask you to enter certain characters of your password?

@stringlytyped HSBC asks for the full password and one-time code.

@mansr Oh, cool, thanks. How is their online banking in other respects?

@stringlytyped It lets you move money around and see your transaction history, just like every other bank I've used.

@darrenpmeyer Apparently it's sort of standard here? I guess as an attempt to prevent phishing?

@stringlytyped and I thought the US banks doing the "security image" thing (and calling it two-factor 🙄) was nuts…

@darrenpmeyer Oh, they're still doing the security image thing here. At least Bank of America and friends got rid of it eventually.

@stringlytyped I've seen a software company make you set up a second, short password beyond the standard password and ask for 2 of the characters of that after entering your normal password but not the normal password itself.

@SandPaper This particular bank (Santander) has two codes: a password and a "security number". They ask for certain characters from both. Surely they wouldn't devise a crazy system like this without good reason, right? RIGHT?!

(Also, fun fact: they use SMS OTP codes on their mobile app, but don't when you log in via a browser. It's all so well thought out.)

@stringlytyped I can't remember what it was exactly but I remember infosec Twitter having a field day with Santander UK. It was probably something tied to Troy Hunt and poor passwords but maybe not this specifically. If I ever get back on there I'll try to look it up.

@SandPaper I did a search. Troy Hunt shared an article about how they don't allow pasting from password managers "for security reasons". Although, I am not sure how it would be possible to use a password manager in that fashion anyway because of this business of asking for specific characters from the password, so ¯\_(ツ)_/¯
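The "enter characters 2, 5 and 9 of your password" scheme that the thread is complaining about, worked through as an added example (this is not code from any bank mentioned above, nor from the original posts). It shows the server-side challenge, the two ways a server can verify a partial answer (keeping the full password in reversible form, or pre-hashing every combination of positions at enrolment), and what an attacker learns from each observed challenge. The password "correcthorse", the three-position challenge, the alphabet size and the PBKDF2 iteration count are all constructed for the demo; a real deployment would use far more iterations.

```python
"""Partial-password ("give us characters 2, 5 and 9") challenge/response, as a demo."""
import hashlib
import hmac
import itertools
import math
import secrets

POSITIONS_ASKED = 3  # assumption: the server asks for 3 of the password's characters


def make_challenge(password_length, k=POSITIONS_ASKED, rng=secrets.SystemRandom()):
    """Server side: pick k distinct 1-based positions and ask the user for them."""
    return sorted(rng.sample(range(1, password_length + 1), k))


def answer_challenge(password, positions):
    """Client side: the characters a user (or a manager that could do it) would type."""
    return "".join(password[p - 1] for p in positions)


# Variant 1: the server keeps the password in plaintext or reversible encryption.
# This is the straightforward implementation and the reason the scheme is disliked:
# a one-way salted hash of the whole password cannot answer "what is character 5?".
def verify_plaintext(stored_password, positions, response):
    return hmac.compare_digest(answer_challenge(stored_password, positions), response)


# Variant 2: at enrolment, store a salted hash of every k-combination of positions,
# so nothing reversible is kept. The cost is C(len, k) hashes per user, and each
# hash protects only k characters (see guesses_per_challenge below).
def enroll_combinations(password, k=POSITIONS_ASKED, iterations=200):
    salt = secrets.token_bytes(16)
    table = {}
    for combo in itertools.combinations(range(1, len(password) + 1), k):
        chars = answer_challenge(password, combo).encode()
        table[combo] = hashlib.pbkdf2_hmac("sha256", chars, salt, iterations)
    return {"length": len(password), "salt": salt, "iterations": iterations, "table": table}


def verify_combinations(record, positions, response):
    """Look up the hash for exactly the positions asked and compare in constant time."""
    pairs = sorted(zip(positions, response))  # normalise to the enrolment ordering
    key = tuple(p for p, _ in pairs)
    if key not in record["table"]:
        return False
    guess = "".join(ch for _, ch in pairs).encode()
    digest = hashlib.pbkdf2_hmac("sha256", guess, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["table"][key])


def combination_count(length, k=POSITIONS_ASKED):
    """How many per-combination hashes Variant 2 must store for one user."""
    return math.comb(length, k)


def guesses_per_challenge(alphabet_size, k=POSITIONS_ASKED):
    """Offline guesses needed to crack one stored combination hash (or to brute-force
    one challenge online): only alphabet_size**k, regardless of password length."""
    return alphabet_size ** k


def merge_observations(length, observations):
    """Attacker side: what a phisher who has watched several challenge/response pairs
    knows. Each pair leaks k characters at known positions, so a handful of logins
    reconstructs most of the password; the scheme only limits a single capture."""
    known = [None] * length
    for positions, response in observations:
        for pos, ch in zip(positions, response):
            known[pos - 1] = ch
    return known


if __name__ == "__main__":
    pw = "correcthorse"  # constructed demo password
    chal = make_challenge(len(pw))
    resp = answer_challenge(pw, chal)
    print("challenge", chal, "-> response", resp)
    print("plaintext verify:", verify_plaintext(pw, chal, resp))
    rec = enroll_combinations(pw)
    print("hashes stored for a 12-char password:", len(rec["table"]))
    print("combination verify:", verify_combinations(rec, chal, resp))
    print("guesses to crack one 3-char hash over [A-Za-z0-9]:", guesses_per_challenge(62))
```

The point a practitioner should take from Variant 2 is that hashing does not rescue the scheme: each stored digest covers three characters, so 62^3 is under a quarter of a million guesses per hash, and the table grows combinatorially with password length. That is why partial-password banks tend to pair it with a short fixed-length "security number" and a second factor rather than rely on it alone.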

@stringlytyped @jerry First Direct (subsidiary of HSBC) asks for your secret question answer (i.e. first job location) + token code, generated on the app, which requires FaceID/TouchID or manually entering your “digital key” password.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.