Why Gmail Has Better Security Than Your Bank
Gizmodo gives some insight to a strange situation that many of us have -- at least in the U.S. -- when it comes to online security: Gmail, while free, offers two-factor authentication, while many banks don't use security tools that would make online financial transactions safer, contenting themselves with single-factor, weak password systems, or lackluster secondary screens. It's certainly true at one bank I use, which even now allows short, all-alphabetical, all lower-case passwords. U.S. banks could certainly use multi-factor authentication, and some do, but it's nothing like universal.
bank I use ... allows (weak passwords) (Score:5, Insightful)
Simple solution: name names and vote with your feet.
Re: (Score:2)
I've never seen anything but user/pass needed to create or access a gmail account?
Re:bank I use ... allows (weak passwords) (Score:5, Informative)
Google will send you a text to your phone every time you log in from a different computer. The settings are quite adjustable, from being a minor annoyance to requiring it every time you log in. You can also print emergency codes for when you don't have access to your phone.
Re: (Score:2)
Fortunately, you can turn that off if you don't use a given email address for financial (e.g. important) stuff.
My primary bank is similar - use a weak password if you want to, that's on you, but real two-factor auth is free (none just this phone BS - we've already seen malware that bypasses that). I also use Chase, who doesn't do anything impressive, so I only use that account for small amounts.
Re: (Score:3)
Google 2-factor auth also works SMS-less if you don't trust that. Either by a separate authenticator app that calculates the secondary code the same way as an external key-generator would, or you can use an actual external generator.
Re: (Score:3)
Can't work for me.
I have a cell; I rarely use text, so paying $15 for a chunk of texts I'll never use is stupid.
I'd allow pay-per-text, but only if I only had to pay to SEND - I refuse to pay per-message for someone ELSE (perhaps spammers) sending to me.
As a result, I have texts/SMS through my cell carrier BLOCKED.
Instead, I use google voice for the one or two people I *occasionally* have to send or receive a text from.
Heck, I don't even use my direct cell number for calls - I consider the number disposable, a
Re:bank I use ... allows (weak passwords) (Score:5, Funny)
Yeah? And what if the reason you lost both your phone and computer is because they were in your house which burned down, as did your printed out pre-generated codes?
How do you log back in after that?
I keep a copy of the codes in google docs.
Re:bank I use ... allows (weak passwords) (Score:5, Informative)
I've been using it for years now with the Android app and it's been terrific. You can also just use it via SMS. Other software vendors can even leverage Google's app for their own products (One example I know is Guild Wars 2 can use Google's app for 2 factor on your game account)
Re: bank I use ... allows (weak passwords) (Score:4, Insightful)
Dropbox can use the google authentication app as well.
I have Dropbox set up to use two factor auth. In addition to my multiple gmail accounts.
It is a pain but not impossible to even change the settings as I switched phones and changed the 2 factor system.
Schwab - max 8 chars! (Score:3, Insightful)
Charles Schwab has a *maximum* of 8 character passwords and has had the same for 15-20 years!
Passwords: We maintain strict rules to help prevent others from guessing your password, and recommend that you change your password periodically. Your password must meet the following criteria:
6-8 characters long
Include both letters and numbers
Include at least one number between the first and last character
http://www.schwab.com/public/s... [schwab.com]
Re: (Score:2)
Re:Schwab - max 8 chars! (Score:5, Insightful)
The worst thing about this isn't that it means you have to choose a weak password, but rather that it is very likely that they are storing passwords in cleartext and somebody could get access to huge numbers of accounts with a single breach. If they were just using javascript to ensure password length, then they could change the code for the form validation immediately. So the fact that it hasn't been fixed yet means that the password length restriction has to do with something on their back end that will require real work to fix. But a proper back end system should salt and hash the passwords and the site would have no idea how long your password is. Since they know and care how long the password is, they probably aren't hashing
Re: (Score:2)
Re: (Score:3)
If you're hashing the passwords the length of the password is arbitrary. There is no need to restrict length, except maybe for a minimum size.
What else you do with the passwords (salting, encryption, zero knowledge protocols, multi factor auth, usability factors etc.) is just a measure of the competence of your organization.
Re: (Score:2)
Let me rephrase. If an entity restricts password length then can one "assume" that they are keeping the passwords in cleartext and not hashing?
Re: (Score:2)
It is not conclusive proof but I think it is a fair assumption, yes.
Re: (Score:2)
Re: (Score:3)
If you're hashing the passwords the length of the password is arbitrary. There is no need to restrict length, except maybe for a minimum size.
If you use bcrypt to hash them, there's a good argument for limiting them to 64 characters, which is that bcrypt will truncate them to 64 characters regardless, so users who use longer passwords aren't getting the benefit they think they are. Unless the user chooses an insanely weak 65-character password this probably doesn't matter in practice, but I would restrict it just to be sure.
Note that this isn't a reason not to use bcrypt; it's an excellent tunable password hashing algorithm. It just has this on
Re: (Score:2, Insightful)
Not necessarily. You might want to put a limit at some number that you think is 'reasonable', say 100 chars, because otherwise someone could enter a 2GB string as their password and that's likely to have other impacts on your systems. Putting an upper bound on things gives you a testable range of inputs.
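The posts above make two points about length limits: a back end that salts and hashes passwords stores a fixed-size record and therefore has no reason to cap length at 8, while a generous upper bound on input size is still sensible as a resource limit. The following added example (not code from the thread or from any bank) shows both with the Python standard library; PBKDF2-HMAC-SHA256 is used because it is always available in hashlib, and the policy limits and the fixed salt used for the demo are illustrative values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy limits (illustrative values). The maximum is a resource bound on
# what the server will feed to the key derivation function: a 2 GB "password"
# is a denial-of-service vector, not a credential. It is not a storage limit.
MIN_PASSWORD_CHARS = 12
MAX_PASSWORD_BYTES = 1024

# PBKDF2-HMAC-SHA256 from the standard library; iteration count kept modest
# so the example runs quickly. Production deployments tune this upward.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
DKLEN = 32


def policy_violation(password: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it is acceptable."""
    if len(password) < MIN_PASSWORD_CHARS:
        return "too short"
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return "too long (server resource limit)"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The record has the same size for every accepted password, so the stored
    data reveals nothing about the password's length. `salt` may be supplied
    only to make tests deterministic; callers normally leave it None.
    """
    reason = policy_violation(password)
    if reason is not None:
        raise ValueError(reason)
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=DKLEN)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = password.encode("utf-8")
    if len(candidate) > MAX_PASSWORD_BYTES:
        return False               # never feed unbounded input to the KDF
    digest = hashlib.pbkdf2_hmac("sha256", candidate, bytes.fromhex(salt_hex),
                                 iterations, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: a 21-character and a 200-character password produce
    # records of identical length, and only the right password verifies.
    fixed_salt = bytes(range(16))
    short = hash_password("correct horse battery", salt=fixed_salt)
    long_ = hash_password("x" * 200, salt=fixed_salt)
    print(len(short) == len(long_))                            # True
    print(verify_password("correct horse battery", short))    # True
    print(verify_password("correct horse batter", short))     # False
```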
Re: (Score:2)
I was wondering about this. If an entity restricts password length then does that indicate that they are keeping the passwords in clear text?
No, my ISP allows very long and complicated passwords but still keeps them in clear text. I found this out when they came and upgraded my Internet connection, brought a Gigabit router and configured it for me... with my supposedly secret password.
So I went and changed it online to "Fuck you [ISP Name] for storing passwords in plain text!" (in my native language). At least the would be able to read some proper customer feedback.
Re: (Score:2)
Nonetheless I am more bothered by places requiring short passwords (it messes up my algorithm)
Re: (Score:2)
If they restrict password length (on the back end), then they aren't hashing. That is not the same as: if they don't hash, then they restrict password length.
Re: (Score:3)
Still beats the work password I had once. The stated password requirements were invalid. After others trying (and erring), the unofficial password requirements (that worked) were 6 letters (first caps, the rest lower) followed by two numbers, changes every 30 days and no repeat in the year, so recommend 00-15 (or so) for the last two digits. With that in mind, the entropy was tiny. But with
Re: (Score:2)
Re: (Score:2)
What two factor auth for Gmail?
Token sent by SMS.
Re: (Score:3, Informative)
https://support.google.com/accounts/answer/1066447?hl=en/ [google.com]
Re:bank I use ... allows (weak passwords) (Score:4, Interesting)
What two factor auth for Gmail?
I've never seen anything but user/pass needed to create or access a gmail account?
You've managed to stop GMail from pestering you to sign up for two factor authentication? How did you manage that? I can't seem to get it to stop (without actually signing up for it, which I'm not willing to do.)
Re: (Score:2)
I don't believe they ever have asked me about it, hence I'd never heard of it.
My account is quite OLD...maybe that's it. I didn't give them any identifiable info when I set it up, I've never done G+...so, maybe I'm flying under the cloud as much as possible with Google.
I'd certainly not want to
Re: (Score:2)
My account is quite OLD...maybe that's it.
I bet that's it. Mine is relatively recent (a couple of years old), and when I signed up for it I had to sign up for Google's stupid "one ring to rule them all" Google account. I'll bet you have a grandfathered in account that is gmail-only.
I'd certainly not want to give them my phone number if that's what they use for the 2nd factor.
This is precisely why I don't do the 2FA. Google knows way too much about me as it is. They don't need my phone number as well.
Re: (Score:2)
Re: (Score:2)
Because other people will use weak passwords, and make the site vulnerable. Heck, the bank might *mandate* weak passwords.
Re: (Score:3)
my bank (Score:2)
Re: (Score:2)
What bank, and why do you still use it?
Re: (Score:2)
Re: (Score:2)
My bank has a PIN code token with challenge/response authentication. Also used to sign receiving account numbers and the sum of the transaction.
There are probably "holes" in that solution as well, but it's at least standing up against brute force attacks against the banks.
One difference (Score:5, Insightful)
Re:One difference (Score:5, Insightful)
If Google is hacked, Google takes the hit and looks bad.
If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.
It is not identity theft (this makes the individual responsible to resolve it); it is fraud (causing the banks and the Fed to be responsible to clean it up).
Someone needs to sue the bank because they allowed the fraud to happen then called it identity theft so they could wash their hands of it.
Re: (Score:2)
If Google is hacked, Google takes the hit and looks bad. If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.
It is not identity theft (this makes the individual responsible to resolve it); it is fraud (causing the banks and the Fed to be responsible to clean it up). Someone needs to sue the bank because they allowed the fraud to happen then called it identity theft so they could wash their hands of it.
Well, not quite. FDIC (e.g government) takes the hit as the bank's insurer. So yes, the bank isn't risking much anything by not implementing strong protections.
This is why government is usually not the solution. However, the FDIC is necessary but perhaps the FDIC should start requiring stronger online protections as part of the insurance program...then again, the FDIC might not care enough....
Re:One difference (Score:5, Insightful)
If Google is hacked, Google takes the hit and looks bad.
If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.
In what scenario? Maybe if 3rd-party debit card readers get hacked?
If your banks ATM gets hacked, that's on the bank. If your account gets hacked via online access, or plain-old in-person fraud, most banks these days will take the hit, or most of it.
I don't much care if access to my account gets hacked - sure there's privacy issues, so I care a little. I care if money gets stolen as a result. Money laundering prevention is a much easier job for security, and last I heard it was the choke point in online theft. The bad guys already have more compromised accounts that they can find any use for, because actually getting money out of that is pretty limited. Crackdowns on "money muleing" and other techniques works much better than password security and doesn't annoy the customers.
In order to transfer money out of my primary bank to another account, the account must be in my name (easy enough for an attacker), and my email gets spammed for 3 days with warnings before any money movement is allowed. Nothing is bulletproof, but that's pretty good, and once it's set up there's no inconvenience at all.
Security geeks never seem to get this - if password strength matters you're doing it wrong.
Re: (Score:2)
If your banks ATM gets hacked, that's on the bank. If your account gets hacked via online access, or plain-old in-person fraud, most banks these days will take the hit, or most of it.
If your account is hacked by someone who broke PIN security, they will assume that it's because you gave your PIN to bad guys, and put 100% of the loss on you, unless you can prove otherwise (which is impossible, as you don't have access to the evidence the bank uses).
In order to transfer money out of my primary bank to another account, the account must be in my name (easy enough for an attacker), and my email gets spammed for 3 days with warnings before any money movement is allowed.
Yeah, so you can't move money fast, and your kind of rules prevent me from sending money to myself. I have to add a relative to my account and have them walk into the bank to send a transfer. I can't send money outside the bank without going
Re: (Score:2)
If your account is hacked by someone who broke PIN security,
Why would you call that the "account" being hacked? That's the "debit card" being hacked, and most banks limit that to a few hundred dollars a day. You're not talking about the internet here right? (The part where password strength would be relevant)
Yeah, so you can't move money fast
You can't add a new account fast. Moving money is the usual ACH delay (which depends on transfer size).
your kind of rules prevent me from sending money to myself
I'm not sure what you mean? I transfer money between accounts I own all the time. (After the delay involved in configuring the accounts). And these are
Re:One difference (Score:5, Interesting)
If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.
Not usually. I spent a number of years doing software development for banks, and amongst the interesting things that I learned was that banks get hacked a lot more often than you think. You usually don't hear about it because the banks typically just replace the money that was taken from their customer's account and shut up about the whole thing. The odds aren't terrible that at least once, you've had money stolen from your account and never noticed that it happened.
Re: (Score:2)
That is totally not an excuse. Banks have some of the biggest profit margins of any industry [yahoo.com]. If there's any industry which can afford to hire top-notch IT staff, it's banks.
Re: (Score:2)
Re:One difference (Score:4, Insightful)
Don't be ridiculous - that would interfere with executive bonuses, the entire raison d'etre of the banking industry.
Re: (Score:2)
Banks often require weaker passwords because many are afraid of SQL injection attacks that could be opened up by allowing passwords with symbols.
Re: (Score:2)
You do know that this was about system administration and not access to user accounts, and it was the LACK of two factor on a system that resulted in a hole. This actually supports the assertion that everybody should be using it.
Depends on how you count (Score:2)
Your bank may have less secure login methods than gmail, but Google doesn't have access to your bank account.
Re: (Score:2)
Your bank may have less secure login methods than gmail, but Google doesn't have access to your bank account.
yet.
Re: (Score:3)
Re: (Score:2)
Your bank may have less secure login methods than gmail, but Google doesn't have access to your bank account.
Google Wallet - they very well may.
Liability? (Score:2)
Not having any idea of the actual reasons behind these decisions, I'm going to pull a possibility out my... out of thin air.
Is it because their liability would increase dramatically if they implemented a more secure system and it still somehow gets compromised?
Re: (Score:3)
I'd suggest it might be because of the support costs of all those people having trouble logging in, forgetting their passwords etc, or getting compromised because they wrote down their hard-to-remember password, if they went more secure. My bank allows a weak password (plus some nominated characters from a secondary "memorable phrase"), and no requirement to change it ever. TBH I'm pretty cool with that because I can remember both, so if I'm ever caught without access to my password manager, I won't be scre
Biometrics Looking Better (Score:2)
Both the software and hardware available for small devices from phones to access panels to laptops now allow easy use of biometrics.
I predict banks and other online merchants will quickly move to biometrics, or face financial ruin. Biometrics can now be based on not just a single factor because we have video. Thus a video of a person who moves closer to his camera can identify first the facial features, then voice & ultimately iris, so you can't fake a person with a simple high res. photo.
Fingerprint
The password you can never change (Score:2)
And the first time a bank gets hacked, everyone's fingerprints are public.
Not to mention that detecting a live finger is meaningless if you're depending on remote systems not to lie to you.
Re: (Score:2)
Biometrics are not acceptable for secure authentication for a whole host of reasons, including too high of an error rate (both false positives and false negatives) and that they aren't that secure -- fingerprint scanners are easily fooled, as you point out (even when they take pains to ensure the finger is a living one), and face recognition is even worse.
This may change in the future, but it appears that effective biometrics at a reasonable price point are many years away.
Citi is the worst, GW2 at the other end (Score:2)
Re: (Score:2)
http://xkcd.com/936/
Easier to remember. But who likes to type a 28 chars password?
Re: (Score:2)
The result is that I now have an email I sent to myself, in a folder, which very clearly states "GW2 password is 'aaa bbb ccc ddd'". It's in a Gmail [apps] account at least (so as per the article it's reasonably secure), but it's really no different than
Re: (Score:2)
My longest password is more than 28 characters you insensitive clod!
Been a while since I could do a good insensitive clod joke on Slashdot.
Re: (Score:2)
they had just made the change in order to "improve security".
Read: They are terrified they didn't handle things right and might have some sort of injection attack somewhere.
makes it absolutely clear that they store all passwords in plaintext
Well, not necessarily but it does suggest that they have it in plain text *or* fail to use a salt, which is nearly as bad.
Re: (Score:2)
Or they store a salted hash attached to the user record and put an unsalted hash in a global "used passwords" set - which isn't tied to any account and so wouldn't be very useful to an attacker. Not saying that's what they do, but it could be.
Re: (Score:2)
> Compound this with the fact that they kick out "any password used by you or anybody else *ever*" as a password change, which makes it absolutely clear that they store all passwords in plaintext, and I'm not really impressed with those jokers either.
No, no it doesn't. You don't need to know what the source text was to do a digest comparison.
Re: (Score:2)
which makes it absolutely clear that they store all passwords in plaintext
they may be rejecting if your password hashes to any used / previously used hash.
Re: (Score:2)
Moral hazard (Score:3)
Because banks have insurance against these losses, while Google doesn't. Next question.
http://economictimes.indiatime... [indiatimes.com]
Re: (Score:2)
Not Google's loss. Just like the bank, Google is holding their users' property for them: it's the users who lose, and the users who demand better security. But only if the users know their property is actually at risk.
Think about it: if you knew that one stolen password would permanently wipe out your life savings, you wouldn't touch online banking with a ten-foot pole. But you know that the bank (and the FDIC) will cover it, so you don't give a shit.
Gmail *should* have better security (Score:5, Insightful)
The same goes for every e-mail provider. Email account access is the crown jewel of online identity, because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.
If you're using a short, weak password and not using two-factor on your e-mail because "it's only e-mail"... please think about what other accounts use that e-mail address as their password reset mechanism.
Re:Gmail *should* have better security (Score:5, Insightful)
because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.
If your bank accounts is using your email as a primary source of online identity then it is time you found a new bank.
Re: (Score:2)
That's a US specific issue again. No bank I've ever used lets you reset account access via email.
Simple answer.... (Score:2, Insightful)
Banks are run by assholes.
They do not care about your security or your money. Without federal regulation forcing it they will never do it on their own as it will dip into the record breaking profits they make every single month.
We need to go back to heavy bank regulation and forcing banks to do the right thing.
Bank Of America Two Factor (Score:2)
BoA has a really cool two-factor device. They put an RSA key generator in a credit card-sized device. I got mine for $10, it works great, and it's in my wallet with me all the time. They also offer text message two-factor, which I use as a backup to the RSA card.
Google two-factor authentication user. (Score:2, Interesting)
When I started using Google's 2-factor authentication, I admit, it was tedious, but it pays dividends in peace of mind, and how!
Not at all true (Score:4, Insightful)
I can't sue google if my information is stolen. My google products are not insured by my government. My bank account, however, has a huge paper-trail, and is insured, and I can sue my bank.
It's not about access security; it's about content security. My bank has more content security. It doesn't need access security -- that's just to reduce the number of times we need to go through the content recovery procedures.
My bank has two-factor auth (Score:3)
Why Gmail Has Better Security Than Your Bank
Alright, just stop with the "your" headlines. They just sound so condescending, as if the author knows everything about everyone.
Which they don't, clearly, since my bank, like those of many other posters above, has two-factor auth. They sent me - free, without having to be asked, and presumably all their internet-enabled account holders have one - a little gizmo into which I put a number and it gives me back another number to be entered on the website.
That said, I'd rather have a username instead of "IB[10 digits]", and I'd rather just be asked for a password instead of "the name of the street you grew up on." The latter, certainly, would seem at first glance to be less secure than asking for a generic password.
They do things differently in the UK (Score:5, Informative)
From a British perspective, this all seems.... odd. Barclays and First Direct both use one-time time-limited two-factor authentication with the codes sent to special devices, and have done for quite a while, and the other components of their security are thoughtfully designed as well. They feel pretty secure to me -- not foolproof, but definitely good enough.
I despise password rules (Score:3, Interesting)
Well I sure hope so... (Score:2, Insightful)
Google needs be thousands of times more secure than my bank. My bank will return my money when their security lapses. The Feds even get into the act. If Google loses my information, it's gone. There is no undo. So while it may seem like a big problem for banks to be less secure, it makes perfect sense to me. Besides, I've lost countless web accounts (Yahoo, etc.) due to breaches not my own. I've never lost a penny from a bank, even when they are robbed and lose the actual bills I gave them. Money is
Why restrict the length of passwords? (Score:2)
Unless you are being totally dumb and storing passwords in plain text or something instead of hashing them, there is no good reason why any website should have a maximum password length.
Re: Gmail's 2F Auth sucks too (Score:2)
True but my phone is locked with a passcode/ touchid. (iPhone not android)
And you still Need to access the mini keypass file manually.
Re: (Score:2)
Re: (Score:2)
But they know where you use your credit/debit card... your mother must be so ashamed!
Re: (Score:2)
if someone uses a stolen card with your name, that's your problem, not theirs. You have to _prove_ that you didn't buy that item, or else you're on the hook.
Must be Europe, since it's sure as hell not like that in the US!!!
Re: (Score:2)
Your parent is wrong. If my card gets stolen, or even if I simply lose it, the credit card company will refund me (that is so everywhere in the world; afaik we only have like 6 or 7 credit card companies in the world).
Re: (Score:2)
All of our e-banking and credit laws are written so that the banks and credit-card companies get all the benefits of easy credit (issuing new cards), but all of the risks of this ease have been pushed to the owners of the identity. Thus, banks and merchants will issue you credit, and accept cards, with little to no verification (insisted upon by Visa), and if someone uses a stolen card with your name, that's your problem, not theirs. You have to _prove_ that you didn't buy that item, or else you're on the hook.
um, what? i don't know about the laws to be honest, but i've had, and have had many friends and family that have experienced CC fraud. in all cases the issuer completely refunded the loss.
Re: (Score:2)
MAXIMUM of 8 characters
That's not true at all; my password for Wells Fargo is 12 characters, and rejects if I try just the first 8.
You're not wrong that their minimum standard is weak, though. And I'm not sure about case-sensitivity.
Re: (Score:2)
Must be 6-14 characters and contain at least one letter and one number. It cannot contain nine or more numbers.
Re: (Score:2)
Re: (Score:2)
They will charge your account a service fee. And there won't be any money in the account to cover the service fee. And so they will charge you an overdraw fee. But at the end of the statement period, many banks will see your negative balance, and then deposit a "credit to avoid account closure"... they will do this forever.
And eventually the bank will send the total of all those accrued fees and overdraft loans to a collections agency, as a friend of mine found out.
Re: (Score:2)
Re: (Score:2)
I'm guessing those who use gmail are some of the more tech savvy of the population.
Really? I tend to assume the opposite.
Re: (Score:2)
what do "tech-savvy" people use? the SMTP server running in their mom's basement?
Re: (Score:2)
My server is in my closet, but most of the tech-savvy people I know use a real mail service and avoid gmail. A lot of them refuse to send email to gmail addresses as well.
Re: (Score:2)
I'm guessing you're wrong here, since my Mom uses gmail. And she's hardly tech savvy, what with being in her late 70's and all...
Re:First Run On Sentence (Score:5, Funny)
Someone who knew grammar, evidently.
While Timothy's first sentence is, by some standards, long, and, moreover, interspersed with many appositives and subordinate clauses, which collectively may, depending on the reader's tastes and background, render it unwieldy, and even disgusting to those who like their thoughts in twitter-length bites, it nevertheless has this virtue: when analyzed by diagram, it does in fact appear to be properly constructed, at least within the limits of grammatical freedom that even the most rigid critics of English have come to respect, those limits having been established in indulgence of the liberties taken by the finest authors ever to have set pen to paper, among whom we may number, as an example particularly apt to such a case, Samuel Johnson.
Re: (Score:2, Redundant)
Re: (Score:2)
What is it about a certain type of Republican lawmaker that seems to require them to insert a blender through their nose and switch it on before they take office?
I'll bet half of them haven't even mastered bladder control yet.
Re: (Score:2)
Apparently JP Morgan does use gpg for ACH file transfers.
https://www.jpmorgan.com/cm/Co... [jpmorgan.com]
Re: (Score:2)
RSA tokens are inadequate.
Both my banks (UK and Swiss) provide CAP devices that require you to insert a card, enter a PIN, then enter a challenge code from the screen and copy the response back.
The key is .... when transferring money to a new account you haven't sent to before, you have to enter a part of the destination account number as the challenge. The idea is a virus can't swap the instructions you see (well, it can swap the account number perhaps but this is verifiable out of band). When using SMS, u
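The post above describes the property that makes CAP-style readers resistant to a compromised PC: the challenge the user types into the offline device is derived from the destination account, so the bank's expected response is bound to the payee the user actually confirmed. The following is an added, constructed model of that "what you see is what you sign" exchange, not code from the thread and not the EMV CAP specification; the card key, PIN, account numbers and the HMAC-based cryptogram are made-up sample choices.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def challenge_for(dest_account: str, amount_cents: int) -> str:
    """The bank displays this challenge next to the transfer it wants signed.
    It binds the last 8 digits of the destination account and the amount, so
    the user is confirming the payee they can see on the bank's page."""
    digits = "".join(ch for ch in dest_account if ch.isdigit())[-8:]
    return f"{digits:0>8}{amount_cents:010d}"


def cryptogram(key: bytes, counter: int, challenge: str) -> str:
    """8-digit response: HMAC over (transaction counter || challenge),
    truncated HOTP-style so it can be copied by hand from the device."""
    mac = hmac.new(key, struct.pack(">I", counter) + challenge.encode(),
                   "sha256").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** 8:08d}"


class CapDevice:
    """Offline reader + card: holds the key, checks the PIN locally and
    returns (counter, response). Nothing here is reachable from the PC."""

    def __init__(self, card_key: bytes, pin: str) -> None:
        self._key = card_key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.counter = 0            # application transaction counter

    def respond(self, pin: str, challenge: str) -> Optional[Tuple[int, str]]:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(),
                                   self._pin_hash):
            return None             # wrong PIN: no response at all
        self.counter += 1
        return self.counter, cryptogram(self._key, self.counter, challenge)


class BankServer:
    """Holds the same key and recomputes the expected response from the
    instruction it actually received, never from anything the client sent."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self._last_counter = 0

    def authorize_transfer(self, dest_account: str, amount_cents: int,
                           counter: int, response: str) -> bool:
        if counter <= self._last_counter:
            return False            # replayed or stale response
        expected = cryptogram(self._key, counter,
                              challenge_for(dest_account, amount_cents))
        if not hmac.compare_digest(expected, response):
            return False            # response was computed for a different payee
        self._last_counter = counter
        return True


def demo_malware_swap() -> Tuple[bool, bool]:
    """The user signs a transfer to the payee shown; malware on the PC then
    rewrites the destination in the submitted instruction.
    Returns (honest_transfer_accepted, swapped_transfer_accepted)."""
    key = b"constructed-sample-card-key"
    device, bank = CapDevice(key, pin="4321"), BankServer(key)
    intended, amount = "GB12BANK00001234", 150_00
    counter, resp = device.respond("4321", challenge_for(intended, amount))
    honest = bank.authorize_transfer(intended, amount, counter, resp)
    counter, resp = device.respond("4321", challenge_for(intended, amount))
    swapped = bank.authorize_transfer("GB99MULE00009999", amount, counter, resp)
    return honest, swapped


if __name__ == "__main__":
    print(demo_malware_swap())      # (True, False)
```

The residual risk the post also notes remains: if malware can change what the user sees before the challenge is typed, the binding only helps when the payee details are verified out of band.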