Why Gmail Has Better Security Than Your Bank

Gizmodo gives some insight to a strange situation that many of us have -- at least in the U.S. -- when it comes to online security: Gmail, while free, offers two-factor authentication, while many banks don't use security tools that would make online financial transactions safer, contenting themselves with single-factor, weak password systems, or lackluster secondary screens. It's certainly true at one bank I use, which even now allows short, all-alphabetical, all lower-case passwords. U.S. banks could certainly use multi-factor authentication, and some do, but it's nothing like universal.

bank I use ... allows (weak passwords)

[Nutria]

Simple solution: name names and vote with your feet.

Re:bank I use ... allows (weak passwords)

[Russ1642]

Google will send you a text to your phone every time you login from a different computer. The settings are quite adjustable from being a minor annoyance to requiring it every time you login. You can also print emergency codes for when you don't have access to your phone.

Re:bank I use ... allows (weak passwords)

[jacks+smirking+reven]

You can enable it once you have created an account: https://www.google.com/landing/2step/

I've been using it for years now with the Android app and it's been terrific. You can also just use it via SMS. Other software vendors can even leverage Google's app for their own products (One example I know is Guild Wars 2 can use Google's app for 2 factor on your game account)

Re:bank I use ... allows (weak passwords)

[Rhaban]

Yeah? And what if the reason you lost both your phone and computer is because they were in your house which burned down, as did your printed out pre-generated codes?

How do you log back in after that?

I keep a copy of the codes in google docs.

One difference

[hcs_$reboot]

Google is an IT company at the cutting edge of technology. Banks have an aging IT team working mainly on administrative tasks.

Re:One difference

[jriding]

If Google is hacked, Google takes the hit and looks bad.
If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

It is not identity theft (this makes the individual responsible to resolve.) it is fraud (causing the banks and fed to be responsible to clean it up).
Someone needs to sue the bank because they allowed the fraud to happen then called it identity theft so they could wash their hands of it.

Re:One difference

[lgw]

If Google is hacked, Google takes the hit and looks bad.
If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

In what scenario? Maybe if 3rd-party debit card readers get hacked?

If your banks ATM gets hacked, that's on the bank. If your account gets hacked via online access, or plain-old in-person fraud, most banks these days will take the hit, or most of it.

I don't much care if access to my account gets hacked - sure there's privacy issues, so I care a little. I care if money gets stolen as a result. Money laundering prevention is a much easier job for security, and last I heard it was the choke point in online theft. The bad guys already have more compromised accounts that they can find any use for, because actually getting money out of that is pretty limited. Crackdowns on "money muleing" and other techniques works much better than password security and doesn't annoy the customers.

I order to transfer money out of my primary bank to another account, the account must be in my name (easy enough for an attacker), and my email gets spammed for 3 days with warnings before any money movement is allowed. Nothing is bulletproof, but that's pretty good, and once it's set up there's no inconvenience at all.

Security geeks never seem to get this - if password strength matters you're doing it wrong.

Re:One difference

[JohnFen]

If your bank gets hacked, you take the hit, the merchant takes the hit, the bank walks away clean.

Not usually. I spent a number of years doing software development for banks, and amongst the interesting things that I learned was that banks get hacked a lot more often than you think. You usually don't hear about it because the banks typically just replace the money that was taken from their customer's account and shut up about the whole thing. The odds aren't terrible that at least once, you've had money stolen from your account and never noticed that it happened.

Gmail *should* have better security

[swillden]

The same goes for every e-mail provider. Email account access is the crown jewel of online identity, because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.

If you're using a short, weak password and not using two-factor on your e-mail because "it's only e-mail"... please think about what other accounts use that e-mail address as their password reset mechanism.

Re:Gmail *should* have better security

[bloodhawk]

because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.

If your bank accounts is using your email as a primary source of online identity then it is time you found a new bank.

Re:First Run On Sentence

Someone who knew grammar, evidently.

While Timothy's first sentence is, by some standards, long, and, moreover, interspersed with many appositives and subordinate clauses, which collectively may, depending on the reader's tastes and background, render it unwieldy, and even disgusting to those who like their thoughts in twitter-length bites, it nevertheless has this virtue: when analyzed by diagram, it does in fact appear to be properly constructed, at least within the limits of grammatical freedom that even the most rigid critics of English have come to respect, those limits having been established in indulgence of the liberties taken by the finest authors ever to have set pen to paper, among whom we may number, as an example particularly apt to such a case, Samuel Johnson.

Re:Schwab - max 8 chars!

[njnnja]

The worst thing about this isn't that it means you have to choose a weak password, but rather that it is very likely that they are storing passwords in cleartext and somebody could get access to huge numbers of accounts with a single breach. If they were just using javascript to ensure password length, then they could change the code for the form validation immediately. So the fact that it hasn't been fixed yet means that the password length restriction has to do with something on their back end that will require real work to fix. But a proper back end system should salt and hash the passwords and the site would have no idea how long your password is. Since they know and care how long the password is, they probably aren't hashing

They do things differently in the UK

[shilly]

From a British perspective, this all seems.... odd. Barclays and First Direct both use one-time time-limited two-factor authentication with the codes sent to special devices, and have done for quite a while, and the other components of their security are thoughtfully designed as well. They feel pretty secure to me -- not foolproof, but definitely good enough.