So a friend of mine got a letter from his bank. They announced that there was now online banking and that the account name was the first so many letters of his last name, then his first initial, then his middle initial, and then 00. Nothing terribly extraordinary there. True, it is terribly easy to guess someone's account ID, but then the message went on to say that his password was the same as his ID! He emailed the bank, and called the bank, and so far they don't think it is a big deal. All the accounts are set so. The 00 is a serial number so that if there are two johnsojq they might be distinguished. I am horrified that a bank would choose a system so insecure. He is shopping for a new bank. Has anyone else seen a bank do something so insecure? Does anyone think changing banks is an overreaction?
Has he logged in for the first time yet?
If I got that letter I would assume that when you log in for the first time you would have to provide a bunch of other info (at least SSN and account number and maybe some other things) and then be forced to change your password. I can't imagine the info in the letter will grant him access to his account right away. Has he tried it yet?
I agree that sounds insecure but the probability of fraud still seems low. The only things I can do with my generic online bank setup is to move money from one of my accounts to another. I suppose I might be able to sign up for online payment or something that lets me send money out but that would take time and the bank would be liable for the amount.
Can't they just change the password? It might seem OK to be a martyr, but what would that do if your friend likes the bank otherwise?
Yes, he has changed his password.
No, there were not a lot of security questions. It gave him access to his check images, and accounts, so anyone who logs in gets his home address and phone number, his checking account and savings account number, knows what his signature is like, and where he shops and what he spends, what he is paid, etc.
You said not a lot of security questions, so does that imply that there were some questions? If so, what are they? If it's SSN and something else (account number, DL number, mother's maiden name), that's about as secure as it's gonna get, most likely.
I am a bank information security administrator.
That's a little skeevy. When our customers set up online banking, they do it entirely online by entering their account number, ATM card PIN and SSN on a secure page and choosing a login ID of their own creation. There's no pre-assigned ID or password for anyone to possibly intercept out of the mail or even take a good guess at. I suppose you could call this a variant form of three-factor authentication - something they've been given (the account number) plus something fairly private (the SSN) and something that they alone should know (the PIN).
They may be a perfectly fine bank, but they’ve got some learning to do on the security side.
No, it is not. All of the information they required to get in was readily available. As gotpasswords outlines, it does get better than that. The situation at best is an open invitation for identity theft and privacy violations. He has discussed it with other patrons and they confirmed they had exactly the same set up all with the 00 serial number at the end.
Does the online banking account allow him to transfer money out or pay bills with it? If there’s any way to get at the money, that’s a monumentally stupid thing for the bank to do. They shouldn’t even be sending the password through the mail.
To get access to online banking at my credit union, I had to go into the branch and have them activate the account, and they gave the password to me in person and told me to change it as soon as I got home.
Not at a bank, but during my senior year at college the school rolled out a web portal to things like registration, transcripts, and other school business. They made a big show of giving us all secret sealed envelopes containing our usernames and passwords.
Our usernames were [firstname][lastname], and our passwords were [first three letters of last name][graduation year]. :rolleyes:
A few hours later, after it had been pointed out how stupid that was, they sent an email out to the student body informing them that they should change their passwords as soon as possible.
A few days later, they sent out an email that something had gotten corrupted in the system, and all passwords had been reset to their default values. :smack:
He found out about this by going to check his balance. His bank posted a message that all personal account passwords had been reset to the user ID.
The bank says this is not an issue because "Only a current customer of internet banking or a person our customer shared their ID with would know the formula, therefore the risk of who would have the ability to enter the system is negligible." The bank also says that mailing the new passwords would be too insecure and that having people come in to get the account information to log in would be too inconvenient.
Apparently there were no security questions whatsoever.
Excuse me while I go pick my jaw up from the floor.
**These people are idiots.**
It can’t be too hard for anyone around Niles to know what bank recently started online banking, and now they know how their password formula works.
Time for someone to launch a dictionary attack on them - johnsoaa00, nope. johnsoab00, nope, johnsoac00, DING! Guess what? Amy C. Johnson’s account just got compromised. Didn’t take long, did it?
At the very least, your friend needs to log in and change the password before someone else does. Ideally, they’d find a new bank.
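To make the enumeration described in the post above concrete, here is an added example (not from anyone in the thread, and not any bank's code). It builds every ID the thread's formula can produce for a short list of surnames and tries pw == ID against a constructed stand-in for the login page. The surname list, the three fake customers, the six-letter prefix (taken from the thread's own "johnsojq" example) and the 00/01 serial range are all assumptions for illustration.

```python
"""Enumerating a login scheme where the initial password equals a formula-derived ID.

Formula from the thread: first six letters of the surname + first initial +
middle initial + two-digit serial. Everything below is constructed for the
example: the surname guess list, the fake customer table and the FakeBank class.
"""
import itertools
import string

PREFIX_LEN = 6          # assumed from the thread's "johnsojq" example
SERIALS = range(0, 2)   # assumed: try 00 and 01 (the thread says everyone had 00)


def make_id(last_name, first_initial, middle_initial, serial=0):
    """Build an ID exactly as the thread describes the bank's formula."""
    stem = (last_name[:PREFIX_LEN] + first_initial + middle_initial).lower()
    return f"{stem}{serial:02d}"


def candidate_ids(surnames, serials=SERIALS):
    """The attacker's whole 'dictionary': every ID the formula can yield for these surnames."""
    for last in surnames:
        for fi, mi in itertools.product(string.ascii_lowercase, repeat=2):
            for serial in serials:
                yield make_id(last, fi, mi, serial)


def keyspace_size(n_surnames, serials=SERIALS):
    """26 first initials x 26 middle initials x serials, per surname."""
    return n_surnames * 26 * 26 * len(serials)


class FakeBank:
    """Constructed stand-in for the login endpoint (no lockout, no rate limit, as the thread implies)."""

    def __init__(self, customers):
        self.passwords = {}
        self.attempts = 0
        for last, fi, mi in customers:
            uid = make_id(last, fi, mi)
            self.passwords[uid] = uid      # initial password == ID, per the thread

    def change_password(self, uid, new_pw):
        self.passwords[uid] = new_pw

    def login(self, uid, pw):
        self.attempts += 1
        return self.passwords.get(uid) == pw


def enumerate_attack(bank, surnames):
    """Try pw == ID for every candidate; return the IDs that let us in."""
    return [uid for uid in candidate_ids(surnames) if bank.login(uid, uid)]


# Constructed data: three fake customers and a five-surname guess list.
CUSTOMERS = [("Johnson", "A", "C"), ("Smith", "J", "Q"), ("Williams", "R", "T")]
SURNAMES = ["Johnson", "Smith", "Williams", "Brown", "Jones"]

if __name__ == "__main__":
    bank = FakeBank(CUSTOMERS)
    print("candidates to try:", keyspace_size(len(SURNAMES)))
    hits = enumerate_attack(bank, SURNAMES)
    print("compromised:", hits, "after", bank.attempts, "login attempts")
    # The only defence a customer has is the one the post recommends: change it first.
    bank.change_password("johnsoac00", "correct horse battery staple")
    print("after Amy changes her password:", enumerate_attack(bank, SURNAMES))
```

With five surnames the attacker needs under 7,000 login attempts to cover every possible customer with those names, and each hit is a full account takeover because no second check exists. The second enumeration shows why the post's advice (log in and change the password before someone else does) is the customer's only lever: once the password no longer equals the ID, that ID drops out of the hits even though it is still trivially guessable.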
No, this is not in Niles. My friend lives in a small town about 3 hours away from here and banks at a local bank there.