Slashdot Mirror


Why Gmail Has Better Security Than Your Bank

Gizmodo gives some insight into a strange situation that many of us have -- at least in the U.S. -- when it comes to online security: Gmail, while free, offers two-factor authentication, while many banks don't use security tools that would make online financial transactions safer, contenting themselves with single-factor, weak password systems, or lackluster secondary screens. It's certainly true at one bank I use, which even now allows short, all-alphabetical, all lower-case passwords. U.S. banks could certainly use multi-factor authentication, and some do, but it's nothing like universal.

35 of 271 comments

  1. bank I use ... allows (weak passwords) by Nutria · · Score: 4, Insightful

    Simple solution: name names and vote with your feet.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:bank I use ... allows (weak passwords) by Russ1642 · · Score: 4, Informative

      Google will send you a text to your phone every time you login from a different computer. The settings are quite adjustable from being a minor annoyance to requiring it every time you login. You can also print emergency codes for when you don't have access to your phone.

    2. Re:bank I use ... allows (weak passwords) by jacks smirking reven · · Score: 4, Informative

      You can enable it once you have created an account: https://www.google.com/landing/2step/

      I've been using it for years now with the Android app and it's been terrific. You can also just use it via SMS. Other software vendors can even leverage Google's app for their own products (One example I know is Guild Wars 2 can use Google's app for 2 factor on your game account)

    3. Re:bank I use ... allows (weak passwords) by MXPS · · Score: 3, Informative

      Google Authenticator, it's been around for a while now.

      https://support.google.com/accounts/answer/1066447?hl=en/

    4. Re: bank I use ... allows (weak passwords) by peragrin · · Score: 3, Insightful

      Dropbox can use the google authentication app as well.

      I have Dropbox setup to use two factor auth. In addition to my multiple gmail accounts.

      It is a pain but not impossible to even change the settings as I switched phones and changed the 2 factor system.

      --
      i thought once I was found, but it was only a dream.
    5. Re:bank I use ... allows (weak passwords) by JohnFen · · Score: 3, Interesting

      What two factor auth for Gmail?

      I've never seen anything but user/pass needed to create or access a gmail account?

      You've managed to stop GMail from pestering you to sign up for two factor authentication? How did you manage that? I can't seem to get it to stop (without actually signing up for it, which I'm not willing to do.)

    6. Re:bank I use ... allows (weak passwords) by bickerdyke · · Score: 2

      Google 2factor-auth also works sms-less if you don't trust that. Either by a separate authenticator app that calculates the secondary code the same way as an external key-generator would, or you can use an actual external generator.

      --
      bickerdyke
    7. Re:bank I use ... allows (weak passwords) by Damarkus13 · · Score: 2

      My bank doesn't have any password requirements. They simply truncate to 8 characters (silently, of course) and are case insensitive.

    8. Re:bank I use ... allows (weak passwords) by The Cisco Kid · · Score: 2

      Can't work for me.

      I have a cell. I rarely use text, so paying $15 for a chunk of texts I'll never use is stupid.
      I'd allow pay-per-text, but only if I only had to pay to SEND - I refuse to pay per-message for someone ELSE (perhaps spammers) sending to me.
      As a result, I have texts/SMS through my cell carrier BLOCKED.
      Instead, I use google voice for the one or two people I *occasionally* have to send or receive a text from.

      Heck, I don't even use my direct cell number for calls - I consider the number disposable, and use the google voice number instead. If I have to switch cell carriers, no mess giving people a new number - only one or two direct family members, for use in the very rare instance where there was an emergency AND google voice was down.

      So this is completely useless to me - trying to use the GV number for the 2-factor would be problematic since I have to have access to my google account to be able to see those texts anyway.

      Something which helps protect against someone else accessing my account is great, but it absolutely has to first have an absolutely failsafe way of ensuring that *I* never lose access to it. Printed-out codes can be lost, as can cellphones and dongles.

      Right now my solution is to have a very good password which I absolutely remember. I suppose if I were to ever lose my memory that could be an issue too.

      I don't know what the solution is. Clearly neither does google or anyone else.

    9. Re:bank I use ... allows (weak passwords) by Rhaban · · Score: 4, Funny

      Yeah? And what if the reason you lost both your phone and computer is because they were in your house which burned down, as did your printed out pre-generated codes?

      How do you log back in after that?

      I keep a copy of the codes in google docs.

  2. my bank by szmccauley · · Score: 2

    max password of 6 alphanumeric characters, no special characters allowed. Fucking lunacy, and I remind them of it at least a couple of times per year.

    1. Re:my bank by emohawk · · Score: 2

      Westpac is similar, 6 characters alphanumeric and only uppercase, no special characters.

  3. One difference by hcs_$reboot · · Score: 4, Insightful

    Google is an IT company at the cutting edge of technology. Banks have an aging IT team working mainly on administrative tasks.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:One difference by jriding · · Score: 4, Insightful

      If Google is hacked, Google takes the hit and looks bad.
      If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

      It is not identity theft (which makes the individual responsible for resolving it); it is fraud (which makes the banks and the Fed responsible for cleaning it up).
      Someone needs to sue the bank because they allowed the fraud to happen then called it identity theft so they could wash their hands of it.

      --
      love the taste, hate the texture
    2. Re:One difference by Immerman · · Score: 3, Insightful

      Don't be ridiculous - that would interfere with executive bonuses, the entire raison d'etre of the banking industry.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    3. Re:One difference by lgw · · Score: 4, Insightful

      If Google is hacked, Google takes the hit and looks bad.
      If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

      In what scenario? Maybe if 3rd-party debit card readers get hacked?

      If your bank's ATM gets hacked, that's on the bank. If your account gets hacked via online access, or plain-old in-person fraud, most banks these days will take the hit, or most of it.

      I don't much care if access to my account gets hacked - sure there's privacy issues, so I care a little. I care if money gets stolen as a result. Money laundering prevention is a much easier job for security, and last I heard it was the choke point in online theft. The bad guys already have more compromised accounts than they can find any use for, because actually getting money out of that is pretty limited. Crackdowns on "money muling" and other techniques work much better than password security and don't annoy the customers.

      In order to transfer money out of my primary bank to another account, the account must be in my name (easy enough for an attacker), and my email gets spammed for 3 days with warnings before any money movement is allowed. Nothing is bulletproof, but that's pretty good, and once it's set up there's no inconvenience at all.

      Security geeks never seem to get this - if password strength matters you're doing it wrong.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:One difference by JohnFen · · Score: 4, Interesting

      If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

      Not usually. I spent a number of years doing software development for banks, and amongst the interesting things that I learned was that banks get hacked a lot more often than you think. You usually don't hear about it because the banks typically just replace the money that was taken from their customer's account and shut up about the whole thing. The odds aren't terrible that at least once, you've had money stolen from your account and never noticed that it happened.

  4. Re:Depends on how you count by briancox2 · · Score: 2

    Doesn't access to my Gmail account allow people to "recover" my password to just about everything?

    --
    We should learn what we need to know about issues, before we decide what we need to feel about them.
  5. Moral hazard by goodmanj · · Score: 2

    Because banks have insurance against these losses, while Google doesn't. Next question.

    http://economictimes.indiatime...

  6. Gmail *should* have better security by swillden · · Score: 5, Insightful

    The same goes for every e-mail provider. Email account access is the crown jewel of online identity, because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.

    If you're using a short, weak password and not using two-factor on your e-mail because "it's only e-mail"... please think about what other accounts use that e-mail address as their password reset mechanism.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Gmail *should* have better security by bloodhawk · · Score: 4, Insightful

      because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.

      If your bank account is using your email as a primary source of online identity then it is time you found a new bank.

  7. Schwab - max 8 chars! by Anonymous Coward · · Score: 3, Insightful

    Charles Schwab has a *maximum* of 8 character passwords and has had the same for 15-20 years!

    Passwords: We maintain strict rules to help prevent others from guessing your password, and recommend that you change your password periodically. Your password must meet the following criteria:

    6-8 characters long
    Include both letters and numbers
    Include at least one number between the first and last character
    http://www.schwab.com/public/s...

    1. Re:Schwab - max 8 chars! by njnnja · · Score: 5, Insightful

      The worst thing about this isn't that it means you have to choose a weak password, but rather that it is very likely that they are storing passwords in cleartext and somebody could get access to huge numbers of accounts with a single breach. If they were just using javascript to ensure password length, then they could change the code for the form validation immediately. So the fact that it hasn't been fixed yet means that the password length restriction has to do with something on their back end that will require real work to fix. But a proper back end system should salt and hash the passwords and the site would have no idea how long your password is. Since they know and care how long the password is, they probably aren't hashing.

    2. Re:Schwab - max 8 chars! by AK Marc · · Score: 2

      Same with me and John Hancock. I think the big, old ones are more likely to still be using systems that max at 8.

      Still beats the work password I had once. The stated password requirements were invalid. After others trying (and erring), the unofficial password requirements (that worked) were 6 letters (first caps, the rest lower) followed by two numbers, changes every 30 days and no repeat in the year, so recommend 00-15 (or so) for the last two digits. With that in mind, the entropy was tiny. But with having to change it every 30 days, it has to be secure, right?

    3. Re:Schwab - max 8 chars! by TechyImmigrant · · Score: 2

      If you're hashing the passwords the length of the password is arbitrary. There is no need to restrict length, except maybe for a minimum size.

      What else you do with the passwords (salting, encryption, zero knowledge protocols, multi factor auth, usability factors etc.) is just a measure of the competence of your organization.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:Schwab - max 8 chars! by Anonymous Coward · · Score: 2, Insightful

      Not necessarily. You might want to put a limit at some number that you think is 'reasonable', say 100chars, because otherwise someone could enter a 2GB string as their password and that's likely to have other impacts on your systems. Putting an upper bound on things gives you a testable range of inputs.

    5. Re:Schwab - max 8 chars! by swillden · · Score: 2

      If you're hashing the passwords the length of the password is arbitrary. There is no need to restrict length, except maybe for a minimum size.

      If you use bcrypt to hash them, there's a good argument for limiting them to 64 characters, which is that bcrypt will truncate them to 64 characters regardless, so users who use longer passwords aren't getting the benefit they think they are. Unless the user chooses an insanely weak 65-character password this probably doesn't matter in practice, but I would restrict it just to be sure.

      Note that this isn't a reason not to use bcrypt; it's an excellent tunable password hashing algorithm. It just has this one odd restriction.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
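
The subthread above makes two points worth seeing in code: a salted, hashed store keeps no trace of the password's length (njnnja's argument), and the only upper bound you need is a generous one that stops a multi-megabyte "password" from burning CPU (the anonymous reply). This is an added example, not code from any poster or from Schwab; it uses PBKDF2-HMAC-SHA256 from the Python standard library, which imposes no truncation of its own, and the 1024-byte ceiling and iteration count are assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy values for this example. The byte ceiling exists only to
# bound work per login attempt, not to constrain the user's choice.
MAX_PASSWORD_BYTES = 1024
ITERATIONS = 200_000   # PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16
DK_LEN = 32            # derived key length in bytes


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done on an oversized input."""


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The record has the same size for a 6-character and a 600-character
    password, so the server retains nothing about the original length."""
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = os.urandom(SALT_BYTES) if salt is None else salt  # fresh per user
    dk = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS, dklen=DK_LEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. Oversized input is rejected without hashing."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", data, bytes.fromhex(salt_hex),
                             int(iters), dklen=DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def record_length(password: str) -> int:
    """Size of the stored record; identical whatever the password length."""
    return len(hash_password(password))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple on a long passphrase")
    print(rec)
    print(verify_password("correct horse battery staple on a long passphrase", rec))
    print(record_length("abcdef") == record_length("a" * 600))
```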
    6. Re: Schwab - max 8 chars! by Anonymous Coward · · Score: 2, Funny

      My password is dopeymickeyplutodumbocinderelladancerfoghornleghornHarrisburg because it needed to be seven characters and a capitol.

  8. Re:Liability? by Tx · · Score: 2

    I'd suggest it might be because of the support costs of all those people having trouble logging in, forgetting their passwords etc, or getting compromised because they wrote down their hard-to-remember password, if they went more secure. My bank allows a weak password (plus some nominated characters from a secondary "memorable phrase"), and no requirement to change it ever. TBH I'm pretty cool with that because I can remember both, so if I'm ever caught without access to my password manager, I won't be screwed. In order to add a new payment recipient, they do require a code sent to my registered phone to be entered. I feel it's a reasonable balance between security and convenience.

    --
    Oh no... it's the future.
  9. Re:First Run On Sentence by Anonymous Coward · · Score: 5, Funny

    Someone who knew grammar, evidently.

    While Timothy's first sentence is, by some standards, long, and, moreover, interspersed with many appositives and subordinate clauses, which collectively may, depending on the reader's tastes and background, render it unwieldy, and even disgusting to those who like their thoughts in twitter-length bites, it nevertheless has this virtue: when analyzed by diagram, it does in fact appear to be properly constructed, at least within the limits of grammatical freedom that even the most rigid critics of English have come to respect, those limits having been established in indulgence of the liberties taken by the finest authors ever to have set pen to paper, among whom we may number, as an example particularly apt to such a case, Samuel Johnson.

  10. Not at all true by holophrastic · · Score: 3, Insightful

    I can't sue google if my information is stolen. My google products are not insured by my government. My bank account, however, has a huge paper-trail, and is insured, and I can sue my bank.

    It's not about access security; it's about content security. My bank has more content security. It doesn't need access security -- that's just to reduce the number of times we need to go through the content recovery procedures.

  11. My bank has two-factor auth by wonkey_monkey · · Score: 2

    Why Gmail Has Better Security Than Your Bank

    Alright, just stop with the "your" headlines. They just sound so condescending, as if the author knows everything about everyone.

    Which they don't, clearly, since my bank, like those of many other posters above, has two-factor auth. They sent me - free, without having to be asked, and presumably all their internet-enabled account holders have one - a little gizmo into which I put a number and it gives me back another number to be entered on the website.

    That said, I'd rather have a username instead of "IB[10 digits]", and I'd rather just be asked for a password instead of "the name of the street you grew up on." The latter, certainly, would seem at first glance to be less secure than asking for a generic password.

    --
    systemd is Roko's Basilisk.
  12. They do things differently in the UK by shilly · · Score: 4, Informative

    From a British perspective, this all seems... odd. Barclays and First Direct both use one-time time-limited two-factor authentication with the codes sent to special devices, and have done for quite a while, and the other components of their security are thoughtfully designed as well. They feel pretty secure to me -- not foolproof, but definitely good enough.

  13. I despise password rules by billstclair · · Score: 3, Interesting

    Picking a secure password is the user's responsibility, not the web site's. I use Diceware to generate my passwords. A five-word Diceware password has 77 bits of entropy. That's equivalent to a 15-character password chosen randomly from upper and lower-case letters, numbers, and 13 special symbols. Most can memorize the Diceware password in a few minutes. Few of us can ever remember the random password. Yet many web sites refuse to allow spaces between diceware words, and demand that I use an upper case letter and a number or special symbol. I curse every time.

  14. Well I sure hope so... by Anonymous Coward · · Score: 2, Insightful

    Google needs to be thousands of times more secure than my bank. My bank will return my money when their security lapses. The Feds even get into the act. If Google loses my information, it's gone. There is no undo. So while it may seem like a big problem for banks to be less secure, it makes perfect sense to me. Besides, I've lost countless web accounts (Yahoo, etc.) due to breaches not my own. I've never lost a penny from a bank, even when they are robbed and lose the actual bills I gave them. Money is fungible. Information isn't. So it's not even a valid comparison to make. Apples, and honeydew.