funsec mailing list archives
Online banking insecurity
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Thu, 19 Sep 2013 09:43:56 -0700
I've had an account with the Bank of Montreal for almost 50 years. I'm thinking that I may have to give it up.

BMO's online banking is horrendously insecure. The password is restricted to six characters. It is tied to telephone banking, which means that the password is actually the telephone pad numeric equivalent of your password. You can use that numeric equivalent or any password you like that fits the same numeric equivalent. (Case is, of course, completely irrelevant.)

My online access to the accounts has suddenly stopped working. At various times, over the years, I have had problems with the access and had to go to the bank to find out why. The reasons have always been weird, and the process of getting access again convoluted. At present I am using, for access, the number of a bank debit card that I never use as a debit card. (Or even an ATM card.) The card remains in the file with the printed account statements.

Today when I called about the latest problem, I had to run through the usual series of inane questions. Yes, I knew how long my password had to be. Yes, I knew my password. Yes, it was working until recently. No, it didn't work on online banking. No, it didn't work on telephone banking. The agent (no, sorry, "service manager," these days) was careful to point out that he was *not* going to ask me for my password. Then he set up a conference call with the online banking system, and had me key in my password over the phone. (OK, it's unlikely that even a trained musician could catch all six digits from the DTMF tones on one try. But a machine could do it easily.)

After all that, the apparent reason for the online banking not working is that the government has mandated that all bank cards now be chipped. So, without informing me, and without sending me a new card, the bank has cancelled my access. (I suppose that is secure. If you are not counting on availability, or access to audit information.)
(I also wonder, if that was the reason, why the "service manager" couldn't just look up the card number and determine that the access had been cancelled, rather than having me try to sign in.)

I'll probably go and close my account this afternoon.

======================
(quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca   slade () victoria tc ca   rslade () computercrime org
Any person can invent a security system so clever that she or he can't think of how to break it. - Schneier's Law
victoria.tc.ca/techrev/rms.htm
http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
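The key-space collapse the post describes, shown as an added example (this is editorial illustration, not code from the post or from the bank). It assumes the standard ITU E.161 keypad letter layout and the two properties the post states: a six-character limit and a backend that only ever sees the keypad digits, so case and the particular letter chosen within a key are both discarded. The password strings used below are constructed for the demonstration.

```python
"""
Added example (not from the original post): what a telephone-keypad
password scheme does to the effective key space.

Assumptions (labelled here, not facts from the post):
  * letters map to digits per the standard ITU E.161 keypad layout
  * passwords are at most six characters and case-insensitive
  * the backend compares only the resulting digit string
"""
import math

# Standard keypad letter groups; 0 and 1 carry no letters.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
MAX_LEN = 6


def keypad_equivalent(password: str) -> str:
    """Reduce a password to the digit string a telephone keypad would send."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    digits = []
    for ch in password.upper():          # case is discarded by the keypad
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"character {ch!r} has no keypad digit")
    return "".join(digits)


def same_credential(a: str, b: str) -> bool:
    """True if the backend cannot tell the two passwords apart."""
    return keypad_equivalent(a) == keypad_equivalent(b)


def class_size(digits: str) -> int:
    """How many case-insensitive alphanumeric passwords map to this digit
    string: for each position, the digit itself plus the letters on that key."""
    n = 1
    for d in digits:
        n *= 1 + len(KEYPAD.get(d, ""))
    return n


def effective_keyspace(length: int = MAX_LEN) -> int:
    """Distinct credentials the backend can actually distinguish."""
    return 10 ** length


def nominal_keyspace(length: int = MAX_LEN, alphabet: int = 62) -> int:
    """What a user choosing mixed-case letters and digits might believe."""
    return alphabet ** length


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


if __name__ == "__main__":
    # Two unrelated-looking passwords that the keypad makes identical.
    for pw in ("Secret", "PEARDU", "732738"):
        print(f"{pw:>8} -> {keypad_equivalent(pw)}")
    print("same credential:", same_credential("Secret", "PEARDU"))
    print("passwords sharing 732738:", class_size("732738"))
    print(f"nominal  : {nominal_keyspace():>14,} "
          f"({entropy_bits(nominal_keyspace()):.1f} bits)")
    print(f"effective: {effective_keyspace():>14,} "
          f"({entropy_bits(effective_keyspace()):.1f} bits)")
```

Under these assumptions "Secret", "PEARDU" and "732738" are the same credential, and the whole scheme offers at most one million distinct values (just under 20 bits), however carefully the user picks letters. The point for a reviewer is that the password policy must be assessed at the backend's canonical form, not at the characters the user typed.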
Current thread:
- Online banking insecurity Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 19)
- Re: Online banking insecurity Jeffrey Walton (Sep 19)