Why don't bank websites enforce strong passwords?



Strong passwords: at least 7 to 8 characters, at least one character, at least one number, at least one upper-case, at least one lower-case and at least one special character (e.g. !@#$%^&*). If banks want to even begin to crack down on hacking, it seems like enforcing, or at least giving the choice of, passwords...


Answer (4):

Blah Blah

This would be because of Trojans like Zeus or Zbot. The main reason people get stung by them is that they don't keep programs such as Flash, Adobe Reader, Java and so on patched and up to date. So even if the banks tell customers to use strong passwords, they still might have their online banking compromised because they don't patch...

'The malware redirects a Web surfer to an exploit kit, either the Eleonore Exploit Toolkit or the Phoenix Exploit Toolkit, that then exploits a vulnerability on the surfer's computer and drops the Trojan on the machine. The Eleonore Exploit Toolkit includes exploits for vulnerabilities in Adobe Reader, Java, and Internet Explorer, among others.'

http://news.cnet.com/8301-27080_3-200132...

EDIT: I have HSBC online banking and there is no password or username. What I have to do is put in my ID, then answer a secret question, and then I have a random key generator, like a calculator, which I use to input a code to get access; a new set of keys comes up every time I access it, and the website runs in Safe Run, which is a form of sandbox. Using that, I have the KIS 2012 virtual keyboard to input my personal data so no keystrokes are recorded. Of course I always keep my programs fully patched until a newer version is available.

EDIT: Pappy, that PDF bases its data and report primarily on 2005, and it shows the years 2005 - 2009. Have you got the latest? Have you got one for the UK, or is that only for the USA? A lot of things can change in 2 years, you know...
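
The post above describes a code-generating "calculator" that replaces a fixed password. As an added example (not code from the original page, and not HSBC's implementation, whose algorithm the post does not name), the following assumes the device is an HOTP-style event-based token as in RFC 4226 and shows both sides: the token computing a code, and the bank's server accepting it once, within a look-ahead window, and refusing a replay of the same code. The secret is the RFC 4226 test-vector key; all values are constructed test data.

```python
import hashlib
import hmac
import struct

# Assumption (not stated in the post): the "calculator" is an HOTP-style
# event-based one-time-password token (RFC 4226). The secret below is the
# RFC 4226 test-vector key, constructed test data, not any real bank's key.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of last byte picks a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one customer's token.

    Holds the next expected counter. A submitted code is accepted only if it
    matches one of the next `window` counters (the customer may have pressed
    the button a few times without logging in); on success the counter moves
    past the match, so a captured code can never be replayed.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window      # assumed look-ahead for missed button presses

    def verify(self, code: str) -> bool:
        for step in range(self.window):
            candidate = self.counter + step
            expected = hotp(self.secret, candidate)
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1   # burn this counter and any skipped ones
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test key (constructed data)
    server = TokenVerifier(secret)
    code = hotp(secret, 0)             # what the customer's token would display
    print("token shows", code, "- accepted:", server.verify(code))
    print("same code replayed - accepted:", server.verify(code))
```

The property worth noticing is the one the poster is relying on: a keylogger that records the six digits gains nothing, because the server has already advanced past that counter by the time the attacker tries to use them.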

DunbarPappy®ϟϟ

It's because bankers deal with money and how to 'make' it; not Internet security and all the emerging problems and exploits that plague computer users/members.
Often what should be a clear-cut, no compromises, no short-cut methods (protocols) are displaced by user convenience and cost cutting, with the conveyed illusion that "all's well, no problems here".
I'm auditing a bank's 'Net security right now, and believe it or not, they had a "Loan Application" form (with DoB, SSAN, name, bank account number and everything else normally associated with a loan) sent over unsecured servers, and returned the same way. Astonishing.
Last week an FFIEC guideline was published which reflects concern about the technical end of security, but does little to address the need to educate users about the extreme risks being taken when using 'Net services, and why it happens.
As I've said many times, if you use computers on the 'Net, you MUST become a security expert...plain and simple.
As a result of these FFIEC guidelines, expect your local banks to beef up security protocols very soon, but you as an end user must be beyond that even...you can't afford to leave security to someone else.

See: http://www.ffiec.gov/pdf/Auth-ITS-Final%...

NOTE:
The link as I have it is for the "Final" report, and I believe it's only for US banks.
See also "Krebs on Security" http://krebsonsecurity.com/2011/06/regul...

2 days is a long time when dealing with the 'Net, never mind 2 years...which is why I scan my fav security sites at the beginning and close of each day.

Windowphobe

Our merchant bank has requirements like this, and also demands that you change the password at least once every 45 days. (And no, you can't go back and forth between two different ones. I tried that.)
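
The complexity rules listed in the question, together with the 45-day rotation and no-reuse rules Windowphobe describes for a merchant bank, as an added example (not code from the original page or from any bank): a password-change check that reports every rule a candidate breaks, remembers a bounded history of salted hashes so that alternating between two old passwords is refused, and flags a password that has aged out. The history depth, PBKDF2 iteration count and the date values are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Constructed example, not any bank's code. Rules: the question's complexity
# list (7+ chars, upper, lower, digit, special from !@#$%^&*) plus the
# merchant-bank rules of rotation within 45 days and no reuse of recent
# passwords. HISTORY_DEPTH and the PBKDF2 iteration count are assumptions.
MIN_LENGTH = 7
MAX_AGE_DAYS = 45
HISTORY_DEPTH = 4
SPECIAL_CHARS = "!@#$%^&*"
PBKDF2_ROUNDS = 100_000


def policy_violations(password: str) -> list:
    """Return the complexity rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append(f"no special character from {SPECIAL_CHARS}")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Old passwords are kept only as salted PBKDF2 hashes, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """One account's current password hash plus a bounded history of old ones."""

    def __init__(self):
        self.history = []     # list of (salt, hash); newest last, current password included
        self.set_on = None    # date of the last successful change

    def is_reused(self, password: str) -> bool:
        # Each entry has its own salt, so every candidate must be re-derived per entry.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def is_expired(self, today: date) -> bool:
        return self.set_on is None or today - self.set_on > timedelta(days=MAX_AGE_DAYS)

    def change(self, new_password: str, today: date) -> list:
        """Apply the change if it passes every rule; otherwise return the reasons."""
        problems = policy_violations(new_password)
        if self.is_reused(new_password):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # drop entries older than the window
        self.set_on = today
        return []


if __name__ == "__main__":
    rec = PasswordRecord()
    print(rec.change("Secret#1x", date(2011, 7, 1)))   # [] : accepted
    print(rec.change("Other$2yz", date(2011, 8, 1)))   # [] : accepted
    print(rec.change("Secret#1x", date(2011, 9, 15)))  # refused: switching back to the old one
    print(rec.is_expired(date(2011, 10, 1)))           # True: more than 45 days since 1 Aug
```

Because the current password is also held in the history list, the same check covers both "same password again" and "swap back to the one before", which is the trick Windowphobe reports the merchant bank blocks.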

Max Otto von Stirlitz

Why? It's not THEIR money. Why should they care if your account is hacked? They already have billions of dollars.