My online banking tech support told me I should never use bookmarks, because they are a security risk that exposes my personal and financial information to hackers. Is this right???
This is the bank that updated their web site a few years ago and made a public service announcement that all customers’ passwords had been changed to their Social Security number, so we should all go online and pick new passwords. I called them and suggested that this wasn’t a safe or secure way of doing this, and they seemed to have no idea there was any risk.
And tech support was also telling me I should clear my internet “cashay” and only use Google to access their site, not Safari (the native browser for Apple), apparently referring to the Chrome browser.
So, I don’t think they’re very good on IT.
But, just checking, is this true? Bookmarks are bad?
I wonder if they were confusing “bookmark” with “link” and actually meant we should never click on links, because somebody told them users shouldn’t click on links in unsolicited emails or txts. That would be a plausible story behind what they are telling me.
I think they’re just trying to avoid having customers bookmark some specific account page instead of going to [BankName].com. Theoretically, if someone accessed your bookmarks they could change it to a phishing site.
I think what they mean is that you should always access their website through the proper URL, NameOfBank.com, not some link you got somewhere that might lead you to a phishing site impersonating the bank website. But of course, if you’ve set your bookmark to the page of the bank itself you’ll be fine. Theoretically, if you use a browser that syncs to a personal account in the cloud, I could see someone who hacks into that account changing your bookmarks to the phishing site. But I suppose someone who hacked into that account could do more damage elsewhere and won’t waste the opportunity on that kind of phishing scam.
I am not an expert in any of the fields I am going to touch, but I believe that:
links in mails are bad and you should not click on them
bookmarks on your computer avoid typos
banks are less competent with money than they would like to make you believe, and absolutely incompetent with IT (ETA: I could tell you stories… )
but it is true that you should not save your username and password for your bank on your computer and much less in the cloud.
If the latter is what the banking tech support meant, they are very bad at communicating in writing. Happens a lot.
I wonder what they think about installing their own banking app on your phone. Would that kinda sort of be like a bookmark in their eyes, or more like a desktop shortcut to a program on the hard disk of your phone?
I also wonder what they think about two factor authentication.
Presumably your bank had a security leak where the password hash table was accessed. However, just resetting passwords to some easily guessed default value is the worst way of dealing with this. Using some kind of two-factor authentication scheme should be the minimum diligence for recovering from a security breach, and any competent high security password system should be salting passwords to protect against weak user password selection and brute force attacks. This is Cybersecurity 101 that any bank IT department should understand.
My advice: get a new bank. Preferably one that supports commercial banking and has a good reputation for security, and doesn’t for fuck’s sake use your SSN for anything other than reporting tax information.
It could be that once you’ve logged in, you go to some page that has your login information encoded somehow in the URL. Bookmarks are stored in the clear, so if a nefarious actor somehow got access to your computer, such a bookmark would enable them to get into the bank account.
Of course, the real security flaw here is in putting login information in a URL. Hence, again, the advice to find a new bank.
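A defender-side check for the kind of bookmark described in the post above, added here as an example and not part of any post: it walks a constructed list of bookmarks, flags query parameters that look like login or session material, and reduces each such deep link to the site’s front door. The key list, the example hostnames and the bookmark entries are all assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, urlunsplit

# Assumed list of query-string keys that commonly carry credentials or
# session state; a real audit would tune this to the site in question.
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "token", "sessionid", "session",
    "sid", "auth", "apikey", "user", "username",
}


def sensitive_params(url):
    """Return the query parameter names in url that look like credentials."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return sorted({k for k, _ in params if k.lower() in SENSITIVE_KEYS})


def front_door(url):
    """Reduce a deep link to the site's front door: scheme and host only."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def audit_bookmarks(bookmarks):
    """For each (name, url) pair, report credential-bearing bookmarks.

    Returns a list of (name, flagged_keys, safe_replacement_url).
    """
    report = []
    for name, url in bookmarks:
        keys = sensitive_params(url)
        if keys:
            report.append((name, keys, front_door(url)))
    return report


# Constructed sample bookmarks; the hosts and session values are made up.
SAMPLE_BOOKMARKS = [
    ("Bank front door", "https://www.examplebank.example/"),
    ("Bill pay (deep link)",
     "https://www.examplebank.example/accounts/billpay?sessionid=abc123&user=jdoe"),
    ("Weather", "https://weather.example/forecast?zip=12345"),
]

if __name__ == "__main__":
    for name, keys, fix in audit_bookmarks(SAMPLE_BOOKMARKS):
        print(f"{name}: carries {', '.join(keys)}; rebookmark {fix} instead")
```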
Yeah, I think that’s possibly a thing that a piece of fairly simple malware might be able to do, as bookmarks are just in a folder on the local machine.
Add my voice to the crowd saying ‘change banks’ - seriously that business with the SSN makes them sound like a bunch of amateurs. Online banking access should really use multifactor authentication anyway these days; my bank won’t even let me log in with something as simple as a username and password; I have to use credentials, plus an expiring authentication token generated either by a secure app on my phone, or by inserting my debit card in a PINsentry machine; if I’m logging in on a new machine, I also get another authentication token via email or text message that I have to enter.
It does make logging into my online banking a little bit of a chore, but I don’t want it to be easy enough that someone else could do it.
Like others, I recommend that you run, run far away from this bank. Notwithstanding the fuck-up with your SSN as password, the “advice” you got from their “IT experts” is bullshit. No IT person worth their salt would talk like this. Browser bookmarks per se are totally harmless, and it shouldn’t matter which browser, OS or device you use to access their website; it’s on them to provide security.
As someone who worked in IT at a major regional bank, I would take strong exception to both these statements.
But the bank mentioned by the OP sounds extremely incompetent with IT. I would guess it’s not a major player in the banking industry. My advice to the OP would be to get your money to another bank ASAP.
So my mom just recently had a serious freakout – she’d bookmarked her bank’s billpay page, and when the link broke one day, she thought her bank account was entirely gone. I explained that that kind of link would probably not be stable forever, and she just needed to go to the front door - [bankname.com]. It’s conceivable to me that the OP’s bank got tired of fielding panicked phone calls about this issue, and decided to discourage use of bookmarks by scaring people even more.
This is one possibility, but it assumes a level of IT knowledge on the bank’s part that is not in evidence.
Another reason you might not want to use bookmarks if you are hyper-paranoid: it tells a hacker which bank you have an account with, which would be the first step to getting in. But if you worry about this, you also need to clear the cache and all cookies and delete your history after every session. And any hacker who knows what they’re doing could still figure it out.
Maybe the “IT Support” person confused saving bookmarks with saving form data in your browser? Saving the password in your browser is obviously a security risk.
My guess is this: The website was updated so some bookmarks stopped working, and guidance was given to IT support to tell people not to use them for that reason. That fits in with the advice about changing your browser and clearing your cache, which are standard things to try if a website isn’t working. Basically you’ve got a junior IT guy repeating talking points without understanding the context, so he’s saying it all in the name of security.
Dunno - in terms of ‘malware changed something on my machine’, alteration of bookmarks would be a pretty low bar; the malware would not require any escalation of privilege to do that - it could run as the user.
Given the rest of the notes here, I suspect the bank had a security leak where the main Excel file with people’s user ids and plaintext passwords in it was accessed.
Well, that’d mean that the malware has at least also access to all user files. That’s trouble enough in my book. But like you, I also never heard of such a behavior, and it’d be a rather clumsy attack. Most attacks are sneakier and smarter.
I don’t know…Excel may be too advanced for his bank’s IT Security department. I’m guessing passwords were stored in a plaintext lookup table embedded in the login page static HTML file that was copied over from the previous GeoCities host. They hid it by overlaying a GIF with the bank’s mascot, which somewhat presciently is a blind shepherd guiding his flock toward a pack of wolves. ‘Hackers’ discovered it when someone tried to update the page to HTML5 and displayed the page on an Android phone.
It was my experience in the IT banking world that the small banks with an online presence outsourced that aspect to a reliable and reputable company. Remember, the banking industry is highly regulated, and that includes web access and security. We, as a ‘national’ bank, were required to have our web pages ‘attacked’ regularly by those firms that specialized in finding those holes, and thus prove that our online presence was secure.
Now, it appears that the bank of the OP is probably a state-regulated bank and perhaps doesn’t have to pass all those rigorous tests. I’ll repeat what I and others have said…get your money out of there quickly.