Sections

Monday, October 31, 2011

Insecure Banking

.

I wrote a letter to one of my banks regarding the deplorable security of their online banking system. Then I scrapped it because I thought it was too mean and wrote another one. Here it is:


One of the concerns of the website I run is about security, be it personal or electronic, and I was wondering, is there was someone I could conduct a short email interview with for an article I'm writing about online bank security in the modern age?

As you're no doubt aware, electronic crime is on the rise, and banks everywhere are scrambling to keep ahead of the crooks, who are finding all kinds of new ways to break in and steal money, often without leaving much of a trace.


One of the earliest ways they broke in was by doing "brute force" attacks to find user accounts and passwords. It takes a single computer about a day to hack a password of only 8 characters, and only a few minutes if limited to letters and numbers. Some criminals have access to parallel networks of thousands of computers, which can crack otherwise strong 8 character passwords in about 5 minutes or less, which means a network of crackers can extract the passwords for 3000 banking customers in under 2 weeks. Despite this obvious gaping hole in security, many banks refuse to upgrade their passwords to defeat this, making them a class-action suit waiting to happen.

I've heard that the weak security is so the bank can still crack the passwords of its users if they "have to", but what valid reason there could be, I'd like to ask.

Lately, banks have started implementing "secret questions", which are about as secret as asking what color the sky is. Perhaps you remember the Paris Hilton scandal. Though it may cut down slightly on the random, massive thefts, it doesn't stop criminals from focusing on a big payday customer, finding out all the publicly available information about their target, and then answering the "secret questions", which only ever seem to ask for publicly available information. People with an ax to grind also find this very easy security to bypass and ruin the life of their enemy.

Things like "sister's middle name" or "grandmother's maiden name" or "street you grew up on" and so forth, are all easily available to anyone willing to invest $20 in any ad that shows up on the WhitePages.com site. (Which is to say, those online stalking websites which allow you to get information about anyone.)

My questions entail wanting to know what proactive steps your institution is taking to safeguard their customers' money and personal information against theft, and whether you plan on taking such steps before or after a preventable theft results in a massive class-action suit which holds your board of directors personally responsible and has them jailed and bankrupted for gross incompetence.

For instance, your institution only allows passwords of up to 8 characters, and I cannot use symbols. It would take a cracker just a few minutes to break into my account. In contrast, Microsoft's minimum password security standard recommends 14 character passwords made of upper and lower case, numbers, and symbols; doing so yields passwords which require many years of effort to crack.

Why doesn't your institution allow users to have secure passwords if they want them? Security questions are often used to bypass forgotten passwords, and so they need to be approximately as secure as passwords; when will your institution no longer require that users use publicly available information like names of family members and residence addresses for these questions? Is it true that banks regularly hack the accounts of their own users? Is it true that the personal information gained for security questions is used to target advertising? Is the database of security questions itself protected by more than a simple 8 character password? Is there some law which prevents banking customers from suing the CEO and Board of Directors personally for gross negligence regarding the security of their accounts?

Thank you very much for your assistance in directing me to the person I need to talk to about this article. I'm very interested in getting all my facts straight before publishing articles, and your institution's assistance is much appreciated.


I never sent this, since it's still a little too mean. I did, however, close that account so I wouldn't get hacked.

The worries behind it, though, are still valid. Why would a bank prevent you from having a properly secure password? I realize not all customers WANT secure passwords, since they're a hassle, but for those who DO want them, why deny them?

As mentioned above, if you have a password like "hello", that can be cracked in SECONDS. Even one like "7&tND0=q" will take a few minutes. The more characters you use, and the more characters you have to choose from, the harder it is to crack. This goes up very quickly, such that a proper 16 character password can take millenia for a cracking farm to break. Check out this tool to help you make secure passwords. And here's additional information about passwords; If you don't get something, just skip to the next section.

Check your online banking passwords and make sure they are larger than 8 characters, and that they have numbers and symbols in them. If your bank doesn't allow this minimum level of security, you might want to consider keeping your money elsewhere before someone else decides to keep your money elsewhere.

.

No comments:

Post a Comment

Have your say-
Did you know you can leave a comment without having a Google account? Just click where it asks for one and select a different option!