Slashdot Mirror


Why Gmail Has Better Security Than Your Bank

Gizmodo gives some insight into a strange situation that many of us have -- at least in the U.S. -- when it comes to online security: Gmail, while free, offers two-factor authentication, while many banks don't use security tools that would make online financial transactions safer, contenting themselves with single-factor, weak password systems or lackluster secondary screens. It's certainly true at one bank I use, which even now allows short, all-alphabetical, all-lower-case passwords. U.S. banks could certainly use multi-factor authentication, and some do, but it's nothing like universal.


  1. bank I use ... allows (weak passwords) by Nutria · · Score: 4, Insightful

    Simple solution: name names and vote with your feet.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re: bank I use ... allows (weak passwords) by peragrin · · Score: 3, Insightful

      Dropbox can use the Google Authenticator app as well.

      I have Dropbox set up to use two-factor auth, in addition to my multiple Gmail accounts.

      It is a pain but not impossible to change the settings, as I found when I switched phones and changed the two-factor system.

      --
      i thought once I was found, but it was only a dream.
  2. One difference by hcs_$reboot · · Score: 4, Insightful

    Google is an IT company at the cutting edge of technology. Banks have an aging IT team working mainly on administrative tasks.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:One difference by jriding · · Score: 4, Insightful

      If Google is hacked, Google takes the hit and looks bad.
      If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

      It is not identity theft (which makes the individual responsible for resolving it); it is fraud (which makes the banks and the Fed responsible for cleaning it up).
      Someone needs to sue the bank because they allowed the fraud to happen, then called it identity theft so they could wash their hands of it.

      --
      love the taste, hate the texture
    2. Re:One difference by Immerman · · Score: 3, Insightful

      Don't be ridiculous - that would interfere with executive bonuses, the entire raison d'etre of the banking industry.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    3. Re:One difference by lgw · · Score: 4, Insightful

      If Google is hacked, Google takes the hit and looks bad.
      If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

      In what scenario? Maybe if 3rd-party debit card readers get hacked?

      If your bank's ATM gets hacked, that's on the bank. If your account gets hacked via online access, or plain old in-person fraud, most banks these days will take the hit, or most of it.

      I don't much care if access to my account gets hacked - sure, there are privacy issues, so I care a little. I care if money gets stolen as a result. Money laundering prevention is a much easier job for security, and last I heard it was the choke point in online theft. The bad guys already have more compromised accounts than they can find any use for, because actually getting money out of them is pretty limited. Crackdowns on "money muling" and other techniques work much better than password security and don't annoy the customers.

      In order to transfer money out of my primary bank to another account, the account must be in my name (easy enough for an attacker), and my email gets spammed for 3 days with warnings before any money movement is allowed. Nothing is bulletproof, but that's pretty good, and once it's set up there's no inconvenience at all.

      Security geeks never seem to get this - if password strength matters, you're doing it wrong.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  3. Gmail *should* have better security by swillden · · Score: 5, Insightful

    The same goes for every e-mail provider. Email account access is the crown jewel of online identity, because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.

    If you're using a short, weak password and not using two-factor on your e-mail because "it's only e-mail"... please think about what other accounts use that e-mail address as their password reset mechanism.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Gmail *should* have better security by bloodhawk · · Score: 4, Insightful

      because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.

      If your bank account is using your email as a primary source of online identity, then it is time you found a new bank.

  4. Simple answer.... by Lumpy · · Score: 1, Insightful

    Banks are run by assholes.

    They do not care about your security or your money. Without federal regulation forcing it they will never do it on their own as it will dip into the record breaking profits they make every single month.

    We need to go back to heavy bank regulation and forcing banks to do the right thing.

    --
    Do not look at laser with remaining good eye.
  5. Schwab - max 8 chars! by Anonymous Coward · · Score: 3, Insightful

    Charles Schwab has a *maximum* of 8-character passwords and has had the same for 15-20 years!

    Passwords: We maintain strict rules to help prevent others from guessing your password, and recommend that you change your password periodically. Your password must meet the following criteria:

    6-8 characters long
    Include both letters and numbers
    Include at least one number between the first and last character
    http://www.schwab.com/public/s...

    1. Re:Schwab - max 8 chars! by njnnja · · Score: 5, Insightful

      The worst thing about this isn't that it means you have to choose a weak password, but rather that it is very likely that they are storing passwords in cleartext and somebody could get access to huge numbers of accounts with a single breach. If they were just using JavaScript to ensure password length, then they could change the code for the form validation immediately. So the fact that it hasn't been fixed yet means that the password length restriction has to do with something on their back end that will require real work to fix. But a proper back end system should salt and hash the passwords, and the site would have no idea how long your password is. Since they know and care how long the password is, they probably aren't hashing.

    2. Re:Schwab - max 8 chars! by Anonymous Coward · · Score: 2, Insightful

      Not necessarily. You might want to put a limit at some number that you think is 'reasonable', say 100 chars, because otherwise someone could enter a 2GB string as their password and that's likely to have other impacts on your systems. Putting an upper bound on things gives you a testable range of inputs.
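The two replies above make complementary points: a salted, hashed store produces a fixed-size record whatever the password length, and a generous upper bound still makes sense purely to cap resource use. The following is an added illustration, not code from the thread or from any bank; the 6-8 character rule is modelled from the quoted policy text, and the 128-character cap and PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Upper bound kept only to prevent resource exhaustion from huge inputs (assumed value);
# it is generous enough that it never shapes the user's password choice.
MAX_PASSWORD_LEN = 128
PBKDF2_ROUNDS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256
SALT_LEN = 16


def weak_policy_ok(pw: str) -> bool:
    """Constructed model of the 6-8 character rule quoted in the thread:
    letters and digits, with at least one digit not in first or last position."""
    return (6 <= len(pw) <= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c.isdigit() for c in pw[1:-1]))


def hash_password(pw: str) -> str:
    """Salted PBKDF2 record 'salt_hex$digest_hex'. The record is the same size
    whether the password is 8 or 100 characters long, so the back end
    has no reason to know or limit the length beyond the sanity cap."""
    if not 1 <= len(pw) <= MAX_PASSWORD_LEN:
        raise ValueError("password length outside sane bounds")
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(pw: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not 1 <= len(pw) <= MAX_PASSWORD_LEN:
        return False
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_length(record: str) -> int:
    """Size of what is actually stored; independent of the password's length."""
    return len(record)
```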

  6. Not at all true by holophrastic · · Score: 3, Insightful

    I can't sue google if my information is stolen. My google products are not insured by my government. My bank account, however, has a huge paper-trail, and is insured, and I can sue my bank.

    It's not about access security; it's about content security. My bank has more content security. It doesn't need access security -- that's just to reduce the number of times we need to go through the content recovery procedures.

  7. Well I sure hope so... by Anonymous Coward · · Score: 2, Insightful

    Google needs to be thousands of times more secure than my bank. My bank will return my money when their security lapses. The Feds even get into the act. If Google loses my information, it's gone. There is no undo. So while it may seem like a big problem for banks to be less secure, it makes perfect sense to me. Besides, I've lost countless web accounts (Yahoo, etc.) due to breaches not my own. I've never lost a penny from a bank, even when they are robbed and lose the actual bills I gave them. Money is fungible. Information isn't. So it's not even a valid comparison to make. Apples and honeydew.