funsec mailing list archives

Online banking insecurity


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Thu, 19 Sep 2013 09:43:56 -0700

I've had an account with the Bank of Montreal for almost 50 years.

I'm thinking that I may have to give it up.

BMO's online banking is horrendously insecure.  The password is restricted to six 
characters.  It is tied to telephone banking, which means that the password is 
actually the telephone pad numeric equivalent of your password.  You can use that 
numeric equivalent or any password you like that fits the same numeric equivalent.
(Case is, of course, completely irrelevant.)

My online access to the accounts has suddenly stopped working.  At various times, 
over the years, I have had problems with the access and had to go to the bank to 
find out why.  The reasons have always been weird, and the process of getting 
access again convoluted.  At present I am using, for access, the number of a bank 
debit card that I never use as a debit card.  (Or even an ATM card.)  The card 
remains in the file with the printed account statements.

Today when I called about the latest problem, I had to run through the usual series 
of inane questions.  Yes, I knew how long my password had to be.  Yes, I knew my 
password.  Yes, it was working until recently.  No, it didn't work on online 
banking.  No, it didn't work on telephone banking.

The agent (no, sorry, "service manager," these days) was careful to point out that 
he was *not* going to ask me for my password.  Then he set up a conference call 
with the online banking system, and had me key in my password over the phone.

(OK, it's unlikely that even a trained musician could catch all six digits from the 
DTMF tones on one try.  But a machine could do it easily.)

After all that, the apparent reason for the online banking not working is that the 
government has mandated that all bank cards now be chipped.  So, without 
informing me, and without sending me a new card, the bank has cancelled my 
access.  (I suppose that is secure.  If you are not counting on availability, or 
access to audit information.)

(I also wonder, if that was the reason, why the "service manager" couldn't just 
look up the card number and determine that the access had been cancelled, rather 
than having me try to sign in.)

I'll probably go and close my account this afternoon.

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Any person can invent a security system so clever that she or he
can't think of how to break it.                     - Schneier's Law
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
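The password scheme the post describes, worked through as an added example (this is not code from the original message or from the bank): it maps a password to the digit string a phone keypad would accept and counts how much of the nominal password space collapses onto each six-digit code. The ITU E.161 letter layout (2=ABC ... 9=WXYZ) is an assumption; the post does not say which keypad mapping is used.

```python
import math

# Standard ITU E.161 keypad letter layout. This is an assumption about what the
# post means by "telephone pad numeric equivalent"; it is not stated there.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}
# Nominal alphabet for a case-sensitive alphanumeric password.
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def keypad_equivalent(password: str) -> str:
    """Return the digit string the keypad scheme reduces a password to.

    Case is ignored (as the post says) and digits pass through unchanged, so
    "Secret", "secret" and "732738" are all the same credential.
    """
    out = []
    for ch in password:
        if ch.isdigit():
            out.append(ch)
        elif ch.upper() in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch.upper()])
        else:
            raise ValueError(f"character {ch!r} has no keypad digit")
    return "".join(out)


def collisions(code: str) -> int:
    """Count the distinct alphanumeric passwords that share one digit code,
    i.e. how many different passwords the system treats as identical."""
    n = 1
    for d in code:
        n *= sum(1 for ch in ALNUM if keypad_equivalent(ch) == d)
    return n


def entropy_bits(length: int = 6) -> dict:
    """Nominal keyspace (62 symbols per position) versus the effective one
    once every position collapses to one of ten digits."""
    nominal = len(ALNUM) ** length
    effective = 10 ** length  # only 10 distinguishable outcomes per position
    return {
        "nominal_bits": round(math.log2(nominal), 1),
        "effective_bits": round(math.log2(effective), 1),
    }
```

A six-character mixed-case alphanumeric password nominally carries about 35.7 bits, but the keypad mapping leaves at most the 19.9 bits of a six-digit PIN, which is the figure a risk assessment of this scheme should use.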