65
Condor
6y

I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.

Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.

That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.

I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not because they probably didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.

Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVCs next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.

Banking logic. I fucking love it.

As for their database... I reckon that that's probably written in COBOL too. Because why wouldn't you.

Comments
  • 3
    oh RLY? and what country is this again?
    *googles bpost*
    and thank you :)
  • 4
    @rant1ng Belgium, it's on my profile here as well :)
  • 3
    @Franboo If only all banks would commit themselves to not supporting ancient shit from a previous era, but rebuilding the whole thing from scratch and do it properly, in accordance with today's standards. Especially bpost as its prepaid credit cards are still a fairly new thing. They've had Bank of the Post before that (which chances are they built upon) but still... There's way too much money involved to do a dirty patchwork of legacy code on top of more legacy code like many banks do.
  • 2
    @Frederick WAT
    Fucking Excel files of all things. WHAT THE FUCK
  • 6
    Should we start a new bank? Made by serious programmers, fully up to standard security policies and then some.
    Passwords stored securely, gpg signing for emails and documents to prove authenticity (done conveniently in the background in a user-friendly website/program/app), enforcing secure passwords, and a strong focus on redundancy and performance (no stupid JS bloat on websites, pages load in a few ms at the most, sane data handling and stuff).
    If we get a few investors onboard, we could set a new golden standard...
  • 1
    @Franboo the issue is that they should be rewriting everything from scratch, but of course ain't nobody got time fo' that, so they keep trying to patch a sinking ship with bandaids.
    It's the kind of investment that pays off 100x in the long term, but since everyone only cares about the short term, they don't want to pay the significant upfront costs.
    This is the kind of bullshit that prevents progress
  • 3
    @endor that's what we have in the Netherlands already, it's called bunq
  • 1
    @endor That'd be an excellent idea actually. Not sure if that or cryptocurrency would be the Next Big Thing™. But I'm all for making a secure banking platform, perhaps open source as well so that it's easier to adopt and make standard, while also allowing for the main benefit of open source security-wise - many eyes can look at it and scrutinize it.
  • 1
    Simple, they have insurance. That's why they let the police deal with credit card fraud and don't pay much attention to it; in the end the stolen money is not even meaningful for them.
  • 1
    @Codex404 oooh, cool!

    @Frederick 🤣

    @Condor that's why I'm trying to push for Monero as much as I can: most of that stuff is already done (and it's *truly* private, unlike Bitcoin), it just needs a convenient user interface and user adoption.
    Unfortunately, the onboarding process (going from fiat to crypto) is still a bit sluggish, which is one of the main barriers to entry for the common user :/
  • 2
    You don't need computer security when you have insurance and lawyers.

    They simply don't have any incentive to have better security. While that would be considered willful negligence in almost any other field, they just pay up or sue, and recover damage that way.

    Those banks are too big to fail. They are abusing their dominant position to shut up hackers and security researchers alike.
  • 3
    Don't worry, they've probably securely encrypted it, using advanced methods like base64 encoding ;)
  • 2
    I once received a log from a local bank which had actual PINs logged for credit/debit cards :).
    But I don't know why I just told the bank. I WONDER why I am so honest :( and made them change the system, and all users had to change their PIN after that.
  • 0
    @Franboo there is a really simple solution for that: upgrade piece by piece, not the whole system
  • 1
    I feel your pain Condor - I didn't want a card from bpost after I found this out. My sister has a card and forgot her password and it came through the mail and I was shook.

    This isn’t a Belgian thing either - my German bank of choice has online banking and the password can only be 5 characters long. Another really fishy thing is that if you give a longer password it doesn’t error out. A colleague did a longer password for years and tried just the first five chars - it worked. I don’t know if they hash those passwords somehow, but oh boy it feels insecure. I am very glad that I don’t have any form of 2FA set up with my phone. If I have to do a bank transfer I have to go to the bank and do it there. It’s annoying but is secure.
  • 1
    @Wack Base64, leetiest way of encrypting even the most sensitive information :3
    Reminds me of my "sakurite" teacher at my previous school actually, who thought that hash functions are also encryption XD
  • 1
    Bunq, which I mentioned before, is an internet bank with an open API and worldwide support in 5 languages.
  • 0
    @Codex404 Yeah I've checked it earlier today. Pretty interesting actually! I wonder if I'd be able to use that bank as well.
  • 0
    @Codex404 I dunno, maybe it was limited to NL citizens or something like that. Looks like they're using an app though (so no ATM support issues I guess) and it's available to register online..? Not sure if my "bewindvoerder" (no idea how that's translated in English) would also agree to it though. I guess that I'm in hot water by not asking him for approval for getting that Bpaid card already... I fucking love my mother, she appointed that guy for "preventive measures" despite me not having any debts with anyone.. and arguably, since I started living on my own, better financial management habits than either of them. And then there's the thing of me probably being able to replace his work with 50 lines of code of course. But anyway.. the thing of me having to ask confirmation to that guy for every little shit I take is the main issue really. It's also the reason why buying a new phone since my N6P died took so long actually.
  • 2
    Publish their crimes on http://plaintextoffenders.com
  • 1
    @Condor it makes it easier to do finances because of the api
  • 1
    @endor how do you propose to interface with the ancient COBOL mainframes running these banks?
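Two failure modes from the comments above, the "base64 encryption" joke and the bank that silently ignores everything after the fifth password character, can be shown side by side with a proper salted hash. This is an added example, not code from the post or from any bank mentioned; the 5-character limit comes from the thread, the sample passwords and the scrypt parameters are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scrypt cost parameters chosen for the demo (assumption, not any bank's setting)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def store_base64(password: str) -> str:
    """The 'encryption' the thread jokes about: base64 is an encoding, not a cipher."""
    return base64.b64encode(password.encode()).decode()


def recover_base64(stored: str) -> str:
    """Anyone holding the 'encrypted' value gets the password back without a key."""
    return base64.b64decode(stored).decode()


def check_truncated(stored_prefix: str, attempt: str, limit: int = 5) -> bool:
    """The behaviour described for the 5-character bank: only the first `limit`
    characters are ever compared, so every password sharing that prefix is accepted."""
    return hmac.compare_digest(stored_prefix.encode(), attempt[:limit].encode())


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash: the full password goes in, nothing recoverable comes out."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time; a longer or
    shorter password with the same prefix fails, unlike the truncating scheme."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "correcthorsebatterystaple"  # constructed sample password
    print("base64 round-trip:", recover_base64(store_base64(pw)) == pw)
    print("truncated scheme accepts 'correXYZ':", check_truncated(pw[:5], "correXYZ"))
    salt, digest = hash_password(pw)
    print("scrypt accepts prefix only:", verify_password("corre", salt, digest))
```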