My bank has announced they are upgrading their web service and in the process resetting all our passwords to be the last four digits of our Social Security numbers.
Am I just being alarmist, or is this really poorly thought through?
My User ID is just first initial plus last name. I think this was a default when I started and suppose many or most customers have a similar ID. I don’t think my SSN would be hard to find, as they get used all over the place. Doesn’t this set the stage for thieves to log in and work their mischief en masse as soon as the new system goes online?
I think it’d be pretty disruptive to business to have nearly all their consumer bank accounts looted simultaneously. So, I tried to contact them, but their contact mechanisms are phone (which they are not answering) and their web site (which is now shut down for the weekend). I found a mass email they sent me and voiced my concerns in a reply to that, but it’s a pretty weak gesture. On a personal note, I expect to have to write a check for several thousand dollars from this account early this coming week to pay my taxes.
I agree this is bad practice, for a few reasons. A four-digit password is trivial to crack. Also, now the system admins know everyone’s password, which is a no-no. Will you have the ability to change your password the next time you log in? If so, avail yourself of that opportunity as soon as you can.
Not a great choice - but if they are upgrading, that implies new passwords (if they’re installing a brand new security system). They don’t (or shouldn’t) have access to your existing one. They need something that all/most of their customers can figure out without flooding their help line. Not sure what else they could have used. Probably better than a mass mailing of temporary passwords to everyone with an account.
I know that my wife’s bank tends to reset your password to the last four of SSN if you need them to reset it.
And I’m pretty sure that the first time people log in, they’ll be forced to change it.
Very bad idea. Not just because of thieving strangers, but it would also enable snooping from people you don’t want in your business. This is probably a worst case scenario, but I hope nobody ends up dead from a violent ex using this loophole to find their address.
Nevertheless, they could just port over the salted hashes of your passwords to the new system. Then the old passwords would transfer over without anyone having to know them. The fact that they didn’t do this implies that the new system doesn’t support the same hashing algorithm as the old one, and they don’t have the clout with the vendor to make them implement the old one before deployment.
I would expect that, of all businesses, banks would be the most hard-ass about this.
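The approach the post above describes, carrying the old salted hashes over and verifying against them until each user's next login, as an added example (not from this thread or any bank's system; the two storage formats and the sample record are constructed assumptions):

```python
import hashlib
import hmac
import os

# Two constructed storage formats standing in for the old and the new system
# (assumptions for illustration, not any real bank's formats):
#   old: "sha256$<salt_hex>$<digest_hex>"               salted SHA-256, one round
#   new: "pbkdf2$<iterations>$<salt_hex>$<digest_hex>"  PBKDF2-HMAC-SHA256
PBKDF2_ITERATIONS = 100_000

def legacy_hash(password: str, salt: bytes) -> str:
    # Old system's scheme (assumed): SHA-256 over salt || password.
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"

def new_hash(password: str, salt: bytes = b"") -> str:
    # New system's scheme (assumed): PBKDF2-HMAC-SHA256 with a fresh random salt.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest}"

def verify(password: str, stored: str) -> bool:
    # Accept either format, so records can be copied over as-is; compare in constant time.
    scheme, *fields = stored.split("$")
    if scheme == "sha256":
        candidate = legacy_hash(password, bytes.fromhex(fields[0]))
    elif scheme == "pbkdf2":
        iterations, salt_hex, _ = fields
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations)).hex()
        candidate = f"pbkdf2${iterations}${salt_hex}${digest}"
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, stored)

def login_and_migrate(user_db: dict, username: str, password: str) -> bool:
    # Authenticate against the ported record; on success, rehash legacy records into
    # the new format. The plaintext is seen only at the user's own login, so nobody
    # at the bank learns it and no mass reset is needed.
    stored = user_db.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha256$"):
        user_db[username] = new_hash(password)
    return True

def sample_legacy_db() -> dict:
    # Constructed record as the old system might have exported it (fixed salt for reproducibility).
    return {"jdoe": legacy_hash("correct horse battery", bytes.fromhex("00112233445566778899aabbccddeeff"))}
```

Users who never log in keep their legacy record, so the weaker scheme lingers for them; that is the trade-off against forcing a reset.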
Hopefully customers will be forced to change their passwords the first time that they log on or at least given the opportunity to change their passwords.
My account is with Citibank and when I do online banking from a new computer, I have to enter the ATM card number, or enter a code that they text to the mobile number they already have in their database or do some other verification. So I expect the OP’s bank will require a second form of verification.
Which still won’t help if the thieves are the ones to log in first, instead of the legitimate customers. And there are some people who only use online banking extremely rarely, so it might well be months before the next time they would attempt to log in.
Yes, both of these. They instruct us to change it immediately (though they don’t say exactly when the new system will come online).
Having one customer password reset go to the SSN would be much less troublesome, because the outside world would not know when it is happening, and it is only worth so much effort to hijack an individual account. But in this case, it is broadly known when the vulnerability will appear, and it is thousands (I suppose) of accounts simultaneously.
To counter that, don’t click on any link in the email and manually go to your bank’s website. There should be a customer announcement there regarding the password change to SSN. If so, it’s almost undoubtedly genuine.
Another vote that this whole approach to system upgrade would be amateur if done in 1999. In 2016 it’s criminal negligence. Either that or it’s a phishing scam.
If it’s not phishing the OP ought to move to a new bank pronto and then tell us which bank it is so we can both laugh and point when they get massively cleaned out on cutover day, and so we can pull our money out first too.
I wondered. But the email is telling me what to do when I go to the web address I used before; it doesn’t give me one. And it doesn’t ask me for any information; it gives me information. Besides, the web site echoes what the email says - and I’m using my old bookmark for the web site.
The email as a phishing ploy doesn’t sound any smarter than the switchover does.
BTW this is a local bank, named for my county, which is a rural and lightly populated county. I think they have a total of about 6 branches. One thing that might save them is it doesn’t look like all the customers added together could have all that much money…