Why Gmail Has Better Security Than Your Bank
Gizmodo gives some insight into a strange situation that many of us have -- at least in the U.S. -- when it comes to online security: Gmail, while free, offers two-factor authentication, while many banks don't use security tools that would make online financial transactions safer, contenting themselves with single-factor, weak password systems or lackluster secondary screens. It's certainly true at one bank I use, which even now allows short, all-alphabetical, all lower-case passwords. U.S. banks could certainly use multi-factor authentication, and some do, but it's nothing like universal.
Simple solution: name names and vote with your feet.
"I don't know, therefore Aliens" Wafflebox1
Max password of 6 alphanumeric characters, no special characters allowed. Fucking lunacy, and I remind them of it at least a couple of times per year.
Contrary to the popular geek mythology about space, it was actually banks and businesses that started using computers massively. The only reason NASA could buy mainframes from IBM in the 1960s is because International BUSINESS Machines already had a huge market. Note the lack of an International Space Machines company.
Anyhow, banks are also conservative.
Google is an IT company at the cutting edge of technology. Banks have an aging IT team working mainly on administrative tasks.
Slashdot, fix the reply notifications... You won't get away with it...
Your bank may have less secure login methods than gmail, but Google doesn't have access to your bank account.
any banks that actually have a gpg key published?
After all, the flexibility to use your own tools and end up with secure communications beats cookie-cutter websites with the latest in tech-wiz sekoority gizmogadgetry that might change along with every other fad.
True but my phone is locked with a passcode/ touchid. (iPhone not android)
And you still need to access the mini keypass file manually.
I thought once I was found, but it was only a dream.
At least your bank tracks what you purchase and sell. Anyway, when it comes to money, we'd all prefer the bank systems are at least as safe as Google accounts. No?
Not having any idea of the actual reasons behind these decisions, I'm going to pull a possibility out my... out of thin air.
Is it because their liability would increase dramatically if they implemented a more secure system and it still somehow gets compromised?
But they know where you use your credit/debit card... your mother must be so ashamed!
Help Brendan pay off his student loans
There's a very simple reason for this. Banks have bought themselves protection from any liability if your info is stolen.
All of our e-banking and credit laws are written so that the banks and credit-card companies get all the benefits of easy credit (issuing new cards), but all of the risks of this ease have been pushed to the owners of the identity. Thus, banks and merchants will issue you credit, and accept cards, with little to no verification (insisted upon by Visa), and if someone uses a stolen card with your name, that's your problem, not theirs. You have to _prove_ that you didn't buy that item, or else you're on the hook.
The day they move 100% of the responsibility for identity breaches onto the banks, merchants and credit brokers, you'll find them suddenly discovering "innovative security solutions" to protect themselves. Because the alternative is not being able to offer credit, and therefore grinding the economy to a standstill.
Both the software and hardware available for small devices from phones to access panels to laptops now allow easy use of biometrics.
I predict banks and other online merchants will quickly move to biometrics, or face financial ruin. Biometrics can now be based on not just a single factor because we have video. Thus a video of a person who moves closer to his camera can identify first the facial features, then voice & ultimately iris, so you can't fake a person with a simple high res. photo.
Fingerprint readers have been criticized as being able to be circumvented, but they will likely soon have temperature/electrical signal sensing to detect a live finger. We're ramping up sensing.
Between eyes, voice, nose, ears, face and fingerprints, we can identify people 100%. Even if we only get to 99.9% identification we can likely destroy the viability of hacking for account access.
I signed up for a Citi credit card about a year ago, then found out after the fact that not only do they allow short basic passwords, but they MANDATE them. You cannot have any special character at *all* in your password. I called them on this and they told me that they had just made the change in order to "improve security". Even better, the change happened as I was initially setting up my account, so the first form I filled out let me put in a proper password because it hadn't been crippled yet, then the actual login page kicked me out after that saying my password was invalid. I had to call them up and fight through getting my password reset, then hope that the password I created through the form that still didn't check their new rules would actually let me log in.
There's got to be a way to report these outright failures to some kind of regulatory body, and force them to fix these things. I'm just worried that there might not *be* a regulatory body for this....
On the other extreme, I found myself having to "generate a password" for Guild Wars 2, who take http://xkcd.com/936/ as gospel and created a 4-word passphrase for me. Compound this with the fact that they kick out "any password used by you or anybody else *ever*" as a password change, which makes it absolutely clear that they store all passwords in plaintext, and I'm not really impressed with those jokers either.
GStreamer - The only way to stream!
Banks are secure because they lock your account when you fail to log in ~three consecutive times. Doesn't matter over what time period or what IP address you are using.
This is rather aggressive; somebody can lock your account with knowledge of your username, but it makes sense. One trick I use: my financial usernames are rather passwordlike (in that you're not going to guess them easily).
Use my userscript to add story images to Slashdot. There's no going back.
Because banks have insurance against these losses, while Google doesn't. Next question.
http://economictimes.indiatime...
The same goes for every e-mail provider. Email account access is the crown jewel of online identity, because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.
If you're using a short, weak password and not using two-factor on your e-mail because "it's only e-mail"... please think about what other accounts use that e-mail address as their password reset mechanism.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Banks are run by assholes.
They do not care about your security or your money. Without federal regulation forcing it they will never do it on their own as it will dip into the record breaking profits they make every single month.
We need to go back to heavy bank regulation and forcing banks to do the right thing.
Do not look at laser with remaining good eye.
BoA has a really cool two-factor device. They put an RSA key generator in a credit card-sized device. I got mine for $10, it works great, and it's in my wallet with me all the time. They also offer text message two-factor, which I use as a backup to the RSA card.
MAXIMUM of 8 characters
That's not true at all; my password for Wells Fargo is 12 characters, and it rejects the login if I try just the first 8.
You're not wrong that their minimum standard is weak, though. And I'm not sure about case-sensitivity.
Populus vult decipi, ergo decipiatur...
"Force shits upon Reason's back." - Poor Richard's Almanac
Charles Schwab has a *maximum* of 8 characters for passwords and has had the same for 15-20 years!
Passwords: We maintain strict rules to help prevent others from guessing your password, and recommend that you change your password periodically. Your password must meet the following criteria:
6-8 characters long
Include both letters and numbers
Include at least one number between the first and last character
http://www.schwab.com/public/s...
It is easy to leave a bank. Just turn off your direct deposit and take out all your money. You don't have to visit the bank to do that... you can take all your money out via a check, leave a buck or two just to make sure it clears, and you're out. Oh yes, the bank will not like this. They will charge your account a service fee. And there won't be any money in the account to cover the service fee. And so they will charge you an overdraw fee. But at the end of the statement period, many banks will see your negative balance, and then deposit a "credit to avoid account closure"... they will do this forever. And each month, they will mail you a statement, that probably cost them several dollars to create, and then pay postage to mail it to you. And each month, you get this piece of paper saying that your account balance is 0.00. And you get to see their computers dutifully charge the fees, and then post the credit. And all of it costs them money. I have an account that has been like this for about 10 years now. I just throw the envelope away now, but it always brings a smile to my face to see that they are essentially wasting all their own money and will never ever recoup it. Revenge is a dish best served cold.
Brawndo: It's what plants crave!
I'm guessing those who use gmail are some of the more tech savvy of the population. Those that use online banking I suspect include a number of less tech savvy people. The tech savvy people have little trouble with dual authentication, the less so may have more trouble with dual authentication and thus complain about how hard it is. Could even be a result of the management (Google vs bank managers) having better technology understanding.
When I started using Google's 2-factor authentication, I admit, it was tedious, but it pays dividends in peace of mind, and how!
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
I just verified that:
Your password must be 6 to 14 characters and contain at least one letter and one number. It cannot contain nine or more numbers. You may also use special characters such as @, %, &, #.
Someone who knew grammar, evidently.
While Timothy's first sentence is, by some standards, long, and, moreover, interspersed with many appositives and subordinate clauses, which collectively may, depending on the reader's tastes and background, render it unwieldy, and even disgusting to those who like their thoughts in twitter-length bites, it nevertheless has this virtue: when analyzed by diagram, it does in fact appear to be properly constructed, at least within the limits of grammatical freedom that even the most rigid critics of English have come to respect, those limits having been established in indulgence of the liberties taken by the finest authors ever to have set pen to paper, among whom we may number, as an example particularly apt to such a case, Samuel Johnson.
And the first time a bank gets hacked, everyone's fingerprints are public.
Not to mention that detecting a live finger is meaningless if you're depending on remote systems not to lie to you.
I'm guessing those who use gmail are some of the more tech savvy of the population.
Really? I tend to assume the opposite.
That was beautiful.
I saw the Sign, and it opened up my eyes
You do know that this was about system administration and not access to user accounts, and it was the LACK of two factor on a system that resulted in a hole. This actually supports the assertion that everybody should be using it.
I can't sue google if my information is stolen. My google products are not insured by my government. My bank account, however, has a huge paper-trail, and is insured, and I can sue my bank.
It's not about access security; it's about content security. My bank has more content security. It doesn't need access security -- that's just to reduce the number of times we need to go through the content recovery procedures.
They will charge your account a service fee. And there won't be any money in the account to cover the service fee. And so they will charge you an overdraw fee. But at the end of the statement period, many banks will see your negative balance, and then deposit a "credit to avoid account closure"... they will do this forever.
And eventually the bank will send the total of all those accrued fees and overdraft loans to a collections agency, as a friend of mine found out.
It seems to me that, unless the bank REQUIRES use of short, all-alphabetical, all lower-case passwords, it's not really the bank that is insecure. Instead, it's how the individual is using the available security which is insecure.
Why Gmail Has Better Security Than Your Bank
Alright, just stop with the "your" headlines. They just sound so condescending, as if the author knows everything about everyone.
Which they don't, clearly, since my bank, like those of many other posters above, has two-factor auth. They sent me - free, without having to be asked, and presumably all their internet-enabled account holders have one - a little gizmo into which I put a number and it gives me back another number to be entered on the website.
That said, I'd rather have a username instead of "IB[10 digits]", and I'd rather just be asked for a password instead of "the name of the street you grew up on." The latter, certainly, would seem at first glance to be less secure than asking for a generic password.
systemd is Roko's Basilisk.
I'm guessing you're wrong here, since my Mom uses gmail. And she's hardly tech savvy, what with being in her late 70's and all...
"I do not agree with what you say, but I will defend to the death your right to say it"
Younger techno-savvy people seem to assume that the mobile phone is the natural 2nd factor, or barring that the user will be willing to carry around some other type of device. Most of a bank's preferred customers (ie: those who move large amounts of $$ through their bank) do not revolve their life around gadgets. Hence you have banks catering to their most profitable customers which is why you do not see many technically-savvy multi-factor authentication schemes.
In other words - money speaks, and the people talking about this stuff don't typically have enough money to merit a seat at the table.
From a British perspective, this all seems.... odd. Barclays and First Direct both use one-time time-limited two-factor authentication with the codes sent to special devices, and have done for quite a while, and the other components of their security are thoughtfully designed as well. They feel pretty secure to me -- not foolproof, but definitely good enough.
What is it about a certain type of Republican lawmaker that seems to require them to insert a blender through their nose and switch it on before they take office?
I'll bet half of them haven't even mastered bladder control yet.
Picking a secure password is the user's responsibility, not the web site's. I use Diceware to generate my passwords. A five-word Diceware password has 77 bits of entropy. That's equivalent to a 15-character password chosen randomly from upper and lower-case letters, numbers, and 13 special symbols. Most can memorize the Diceware password in a few minutes. Few of us can ever remember the random password. Yet many web sites refuse to allow spaces between diceware words, and demand that I use an upper case letter and a number or special symbol. I curse every time.
Google needs be thousands of times more secure than my bank. My bank will return my money when their security lapses. The Feds even get into the act. If Google loses my information, it's gone. There is no undo. So while it may seem like a big problem for banks to be less secure, it makes perfect sense to me. Besides, I've lost countless web accounts (Yahoo, etc.) due to breaches not my own. I've never lost a penny from a bank, even when they are robbed and lose the actual bills I gave them. Money is fungible. Information isn't. So it's not even a valid comparison to make. Apples, and honeydew.
Must be 6-14 characters and contain at least one letter and one number. It cannot contain nine or more numbers.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I've had 2 factor authentication in a bank in Europe for years (I don't remember when I first got it). And it was mandatory for everybody.
What do "tech-savvy" people use? The SMTP server running in their mom's basement?
RSA tokens are inadequate.
Both my banks (UK and Swiss) provide CAP devices that require you to insert a card, enter a PIN, then enter a challenge code from the screen and copy the response back.
The key is .... when transferring money to a new account you haven't sent to before, you have to enter a part of the destination account number as the challenge. The idea is a virus can't swap the instructions you see (well, it can swap the account number perhaps but this is verifiable out of band). When using SMS, unless the message includes the transaction details, you don't know what you're authorising.
I'd say "whoosh", but that just seems inadequate. You'd need to spend a good ten minutes or so standing in a wind tunnel to get the right effect.
Unless you are being totally dumb and storing passwords in plain text or something instead of hashing them, there is no good reason why any website should have a maximum password length.
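An added illustration of the hashing point above (example code written for this page, not any bank's or Google's implementation): once a password is run through a salted, iterated hash, the stored record is the same size whether the input is the 8-character maximum quoted elsewhere in this thread or a five-word Diceware passphrase with spaces. The only bound kept here is a generous byte limit that caps the CPU spent per login attempt, which is an assumption of this example rather than a rule from the page.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000          # modest for a demo; tune upward for production hardware
MAX_PASSWORD_BYTES = 1024     # bounds hashing cost per attempt; not a usability limit


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    Any length or character set is accepted, including spaces, because the
    password is only ever an input to PBKDF2, never stored or compared raw.
    """
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds the per-attempt cost bound")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", raw, salt, int(iterations))
    return hmac.compare_digest(expected, actual)


# Constructed sample inputs: a bank-style 8-char maximum, a passphrase with
# spaces of the kind many sites reject, and a long random-looking string.
SAMPLE_PASSWORDS = {
    "eight_char_max": "abc12345",
    "diceware_with_spaces": "correct horse battery staple quartz",
    "long_string": "x" * 200,
}


def stored_record_lengths() -> dict:
    """Length of the stored record for each sample; they are all identical."""
    return {name: len(hash_password(pw)) for name, pw in SAMPLE_PASSWORDS.items()}


def all_records_same_length() -> bool:
    return len(set(stored_record_lengths().values())) == 1


if __name__ == "__main__":
    for name, length in stored_record_lengths().items():
        print(f"{name:22s} -> {length} bytes stored")
    rec = hash_password(SAMPLE_PASSWORDS["diceware_with_spaces"])
    print("passphrase verifies:", verify_password(SAMPLE_PASSWORDS["diceware_with_spaces"], rec))
```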
My server is in my closet, but most of the tech-savvy people I know use a real mail service and avoid gmail. A lot of them refuse to send email to gmail addresses as well.
can you give examples? what "real mail services"?
but most of the tech-savvy people I know use a real mail service and avoid gmail.
Really? I would consider myself somewhat tech savvy, I run Linux, but I do use gmail as a secondary e-mail. I use it via IMAP (with SSL enabled) with a real mail client, not via webpage. So no ads for me. I've also got gpg and S/MIME keys.
A lot of them refuse to send email to gmail addresses as well.
I understand that some people prefer not to use gmail themselves, but why refuse to send e-mail to gmail addresses. If one is worried about Google analyzing messages, that's what gpg and S/MIME are for.
2 factor auth?
Is that, when Google blocks my account every fucking time my mail program tries to download my mail when my VPN is active?
The idea is good, but it's fucked by the fact that it is not universally usable across all software and systems. This means they had to come up with the atrocious idea of "app-specific passwords," which are just... passwords. One for each application adds extra insecurity, and they're already insecure to begin with, being all lower-case letters in the form of "xxxx xxxx xxxx xxxx" (with the spaces optional for easier reading). I'm sorry, but my actual Google passwords are a hell of a lot stronger than that, consisting of both capital and lower case letters, numbers, spaces and various symbols... and easily double that 16-letter string that Google generates. I tend to make as few of these insecure things as possible, and re-use them when it makes sense (I group them by system or general usage instead of one specific use per password; ie. one for each phone, laptop, desktop, etc.), deleting and creating new ones to replace the old every once in a while. You could get by without making a single app-specific password, but have fun connecting your Android phone to your Google account. And if you want to use a standard desktop-based e-mail client? No two-factor authentication there, so you will *have* to make a new weak Google-generated password for that.
Your bank is going to lock down your account after a certain amount of retries. Sure, a password can be insecure, but you aren't going to brute force a bank account. Most banks also do some form of two factor authentication, in my case, three things I know, pin, password, and picture.
Gmail security is not even close to that of most major banks. One of the main reasons for that is unlimited tries on the number of password attempts, no account lockout, and until not that long ago they were allowing http connections, which are not that difficult to intercept on a public wifi. This is one of the main problems in online security - email providers, and online identity providers, like twitter, facebook, etc... are not as secure as they would like you to believe. Most major banks do have more restrictions in what passwords can be used, how many attempts, https only traffic, etc... They would be the better identity providers if they wanted to be in that business. And yes, gmail with two factor and a strong password, strong forgotten password setup, is still reasonably strong, but most people don't use it and opt for the bare minimum. Then when their email password gets cracked by one of the bots and starts sending spam they change the password to something else that's marginally more secure until the next bot cracks it. One final thought, banks have a different view on privacy than online providers. I don't mind providing my phone number to the bank for risk-based authentication based on ip address. I do mind giving that information up to google and facebook.
One of the reasons I signed up is that they offer a free security token for signing in.
There are no fees and sadly, when I asked them how popular it is, they said virtually no one uses it.
I suspect it's not so popular because most accounts are insured against most fraud so there's little incentive to using them for most users.
What I'd like is to use that token (or even SMS) for an ATM pin...
Login requires a set of 3 numbers from PIN and a set of 4 letters from password. If the browser is not recognized, it needs more verification.
Money transfer requires me to insert the debit card into a card reader, give it the correct PIN and then allow the card reader to process a number provided by the website (the website gives me the number, I enter it into the card reader, which then replies with a new number, and I enter that number into the website).
The real "Libtards" are the Libertarians!
My huge chain bank does not allow many items to be used in passwords such as punctuation marks, ASCII symbols and the characters that are over the numbers on your keyboards. Being unable to use these symbols makes password cracking far easier than it should be. The strange part is that banks surely know about this but are too cheap to purchase software that can handle more symbols in their passwords. For their own internal security they use super long passwords that in the past were limited to a 2,500 character string. There was consideration of going to a 5,000 character string but I'm not in the loop to know if it was actually implemented. For end users a 5,000 symbol password is not going to happen.
I love you, whoever you are. You may collect your prize of an internets at your convenience.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
My bank has pain-in-the-ass 2FA. There is a piece of partly public info (social security), followed by a short pin code, that leads to a challenge-response with a grey box that has my unique token in it as a smart card. Although the box is USB the browser plugin demands custom device drivers that do horrific things to ensure they are "alone" on the system.
All of this protects me against a hacker breaking my password, which would be impossible, and has no effect on the much more likely attack of a hacker targeting the bank itself. So I have to access my bank from a custom VM because the other plebs like to choose "bigtits" as their secure password.
2FA is the overrated wet dream of sysadmins everywhere.
My bank over here in Germany requires the use of a TAN-generator device to make transfers/pay bills online. You put your card in the device, press a button, hold it to the screen, check the details shown on it, and then type the TAN back in to the website to finalise the transaction. That seems pretty secure to me, but I'm no expert.
My bank has more secure 2 factor authorization than Gmail.
I stick my card in this little device called a "Random Reader". I enter my PIN on that device. Then I get a code that I have to enter together with my bank account number and my card number (both printed on the card).
Then I get access to viewing my account and preparing payment orders.
To send the payment orders I have to sign them. To do this I need to enter my PIN again (on the random reader), enter a code from the bank website, enter the total amount and (if it includes a large payment to an unusual account) I also need to enter that account number. Only then are the payment orders processed.
Since the random readers are available for free at any branch of my bank it's easy to have a few laying around. The random reader is not personal so I can easily borrow one from my parents or friends in a pinch when I am there (assuming they have the same bank).
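A toy model of the transaction-signing flows described in the CAP-device comment above ("enter a part of the destination account number as the challenge") and in the "random reader" comment just above (PIN, then total amount and destination account), added here as example code rather than any bank's implementation. It assumes an HMAC standing in for the chip's MAC function, an 8-digit display, and constructed account numbers; it shows why binding the signature to the destination and amount defeats a browser that rewrites the transfer after the user has signed, whereas an SMS code that carries no transaction details does not.

```python
import hashlib
import hmac
import secrets


def _response_digits(card_secret: bytes, challenge: str) -> str:
    """MAC the challenge with the card secret and show 8 digits, as a reader would.
    HMAC-SHA256 is a stand-in for the card's real MAC (assumption of this demo)."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class ChipCard:
    """Stand-in for the EMV chip: the secret never leaves the card."""

    def __init__(self, card_id: str, secret: bytes, pin: str):
        self.card_id, self._secret, self._pin = card_id, secret, pin

    def sign(self, pin: str, challenge: str) -> str:
        """Card in reader, PIN entered, challenge typed in, response shown."""
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")
        return _response_digits(self._secret, challenge)


def challenge_for(dest_account: str, amount_cents: int) -> str:
    """What the signer types into the reader: last 8 digits of the destination
    account plus the amount, so the response is bound to both."""
    return f"{dest_account[-8:]}{amount_cents:010d}"


class Bank:
    def __init__(self):
        self._card_secrets = {}

    def issue(self, card_id: str, pin: str) -> ChipCard:
        secret = secrets.token_bytes(32)
        self._card_secrets[card_id] = secret
        return ChipCard(card_id, secret, pin)

    def submit_signed_transfer(self, card_id, dest_account, amount_cents, response) -> bool:
        """The bank recomputes the response from the transfer it actually received,
        not from anything the browser claims the user saw."""
        expected = _response_digits(self._card_secrets[card_id],
                                    challenge_for(dest_account, amount_cents))
        return hmac.compare_digest(expected, response)


def sms_otp_check(sent_code: str, typed_code: str) -> bool:
    """An SMS code that omits transaction details: the check never sees the
    destination or amount, so it cannot notice that they were changed."""
    return hmac.compare_digest(sent_code, typed_code)


def run_scenarios() -> dict:
    bank = Bank()
    card = bank.issue("card-1", "4711")
    intended = "NL00DEMO0123456789"     # constructed: the payee on the user's invoice
    swapped = "NL00DEMO9876543210"      # constructed: account substituted by malware
    amount = 25_000                     # 250.00 in cents
    # The user reads the intended destination off paper and types it into the reader,
    # so the challenge does not depend on what a compromised browser displays.
    response = card.sign("4711", challenge_for(intended, amount))
    honest_ok = bank.submit_signed_transfer("card-1", intended, amount, response)
    # Malware rewrites the destination in the request after the user signed.
    swap_ok = bank.submit_signed_transfer("card-1", swapped, amount, response)
    # Same substitution against a transaction-blind SMS code.
    sms_code = "482913"                 # constructed: whatever the bank texted
    sms_swap_ok = sms_otp_check(sms_code, sms_code)
    return {"honest_accepted": honest_ok,
            "swapped_account_rejected": not swap_ok,
            "sms_otp_accepts_swap": sms_swap_ok}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s}: {outcome}")
```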
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
By "real mail services", I mean ones that at least appear to value your privacy and say so in their ToS. (That's the condition that makes gmail fail). Typically, this means ones that you pay for. One example would be the email account provided by your ISP.
Really? I would consider myself somewhat tech savvy, I run Linux, but I do use gmail as a secondary e-mail.
Well, I did say "most", not "all", and I was also talking just about the people I personally know. I don't pretend that I know the stats overall. That said, even you admit you use it as a secondary, not primary. I do the same -- which means that I'm not using gmail for much of anything.
I use it via IMAP (with SSL enabled) with a real mail client, not via webpage. So no ads for me.
Ads aren't the issue. Spying is.
I understand that some people prefer not to use gmail themselves, but why refuse to send e-mail to gmail addresses. If one is worried about Google analyzing messages, that's what gpg and S/MIME are for.
They don't send to gmail addresses because they want to avoid the tracking. Yes, crypto is another way to address it, but amongst the people I know who routinely use crypto for their emails, none of them use gmail. And even amongst the tech-savvy, only a minority of people encrypt their emails no matter what. Also, crypto doesn't do anything about traffic analysis.
Is this two factor authentication? My bank has a list of 8 questions I provided to which I alone know the one word answer. When I log into my account, or do an online visa transaction, I am transferred to their security routine. I may be asked my date of birth, and randomly one of my questions for an answer that I provided. As I stated I alone know the answer. If my responses are correct, it's an OK to accept my access or VISA transaction.
Off topic.
In Canada our debit and credit cards have had the integrated chip since the late 1990's. We were shocked when we visited an American Casino this past month, and noted they did not as yet have support for such a system. I had to swipe the card, which was a true backward step, as far as security is concerned. In a way this is the other two factor authentication. I hold the card. Eventually, banks will demand Desktops with smart card readers for online shopping, or verification of your caller id.
Leslie Satenstein Montreal Quebec Canada
My bank tracks all my transactions. And Google doesn't (And can't) track everything I do online.
Learn to love Alaska
I'm curious as to where this "they can track what you buy" comes from, credit card statements very rarely detail what you actually bought at the store.
They track what you spend, where, and when. Yes, they don't know that you bought a pound of potatoes, rather than a pound of apples, but they will have a pretty good idea of what you buy in most cases. $39.99 at onlineporn.com is exactly the 6 months subscription, so wonder what that purchase was... (I have no idea if that site or price is real, if it is, it's a coincidence, I swear).