Banking Security

george~
Newbie
Posts: 65
Joined: May 15th, 2006, 9:49 pm

Banking Security

Post by george~ »

After my bank account was hacked, I did some research to see if a better, more secure password could be used. Thanks to my computer's character map, I came up with a super secure password; an example: B6‰Ã8*j9<Z½¾K^. You'll notice many of the characters don't appear on your keyboard. When I posted this on one of those password strength checking sites, it came up with an outrageous score and was the best they had ever seen. I thought, great, I'll keep the password on a USB and copy/paste it at my bank's online website and possibly even foil the hackers' keystroke detection. Unfortunately, this most awesome password is completely useless at my bank. My attempts to speak with any banking security staff resulted in being passed on from managers to supervisors who were all completely clueless; I was told that only numbers and upper and lower case letters can be used. $1.44 billion in profits and that's the best they can do :138:
Bsuds
The Wagon Master
Posts: 55084
Joined: Apr 21st, 2005, 10:46 am

Re: Banking Security

Post by Bsuds »

george~ wrote: I thought great I'll keep the password on a USB and copy/paste it at my banks online website and possibly even foil the hackers key stroke detection


Try not to lose that USB. You might be better off just to use a password protection program like lastpass and change your banking password on a regular basis.
I got Married because I was sick and tired of finishing my own sentences.
That's worked out great for me!
Quixote
Fledgling
Posts: 245
Joined: Jul 15th, 2008, 10:31 am

Re: Banking Security

Post by Quixote »

Entropy is good, but banks don't require hugely complex passwords as most will lock you out after a certain number of failed attempts, after which you'll have to talk to someone at the bank to get it reset.

Using the same password at different sites, no matter how complex, is a problem though. If one of the less secure sites were to be hacked, your password could quickly be compromised and used everywhere the hackers figure out you have an account.

Bsuds is correct - the best way to handle security is with a password manager like LastPass or KeePass, then use those tools to generate a unique password for each site.
GordonH
Сварливий старий мерзотник
Posts: 39058
Joined: Oct 4th, 2008, 7:21 pm

Re: Banking Security

Post by GordonH »

Besides having a tough password, if your bank also has a rotation of questions (that you make up yourself) that only you know the answer to: if the answer is wrong, it locks that person out for "X" number of hours. Turn that option on, it's an extra line of protection.
I don't give a damn whether people/posters like me or dislike me, I'm not on earth to win any popularity contests.
Woodenhead
Guru
Posts: 5190
Joined: Jun 2nd, 2009, 2:47 pm

Re: Banking Security

Post by Woodenhead »

george~ wrote:[...]I came up with a super secure password, an example, B6‰Ã8*j9<Z½¾K^. you'll notice many of the characters don't appear on your keyboard, when I posted this on one of those password strength checking sites it came up with an outrageous score and was the best they had ever seen


Dude, just don't use ambiguous/special characters, it's not smart or particularly helpful. Stick to the ones printed on your keyboard. (although there's a few exceptions there, too) And/or use Lastpass / Keepass and forget your password worries. It's all about entropy, which has little to do with random special characters and such tropes.

BTW, many companies - especially large and/or older ones - are restricted to short passwords because they're still based on something like Base32 encoding. (normally because it's a legacy system thing / they're cheap & lazy) But it doesn't matter much, as the bigger security threat comes from completely different avenues.

PS: My password is better than yours. :up:
Your bias suits you.
george~
Newbie
Posts: 65
Joined: May 15th, 2006, 9:49 pm

Re: Banking Security

Post by george~ »

Thanks for all the replies, I was looking into Lastpass and discovered that site was hacked a few times.
george~
Newbie
Posts: 65
Joined: May 15th, 2006, 9:49 pm

Re: Banking Security

Post by george~ »

Woodenhead, try running your password through a site called The Password Meter and see how it does, mine came up with this.
TylerM4
Lord of the Board
Posts: 4371
Joined: Feb 27th, 2014, 3:22 pm

Re: Banking Security

Post by TylerM4 »

So I'll let you in on a secret.

Passwords are almost never cracked via brute strength (trying random combinations of characters). As long as your password is 5+ characters and isn't something you can look up in a dictionary, you're safe from that type of hack. Brute strength attacks ended in the 90's with event logging. Any service with a reasonable security protection will lock you out after a series of incorrect attempts in a row which has been extremely effective at stopping this type of attack.

Your practice of storing your complex password and copy/pasting it into login screens is actually more of a risk than using a simpler password you can memorize and easily enter.

Here's how you'll get "hacked":
- Malware or other apps installed on your PC that capture your information.
- Social engineering of some sort (sending you to a fake website to login, calling the company and pretending to be you, use your "secret question in case I forget my password". etc.)
- Using the same password. They hack a site like castanet, get your email address and password and then try that same password to access your banking sites.

Here's how you can protect yourself:
- Follow safe browsing habits, don't visit shady websites or do anything that could infect your computer with malicious software.
- Don't be dumb. Your bank isn't going to email you asking for your password. Don't follow links in emails to sites wanting you to login, etc. Know and understand the common ways people use social engineering to trick people into revealing their information.
- Don't use the same password everywhere. Keeping track of passwords is a PITA, but at a minimum use a few different passwords. For example: I have a "general" password I use to access stuff I'm not too worried about. My castanet login, etc. I have an email password that's only used to access email. And I have a "Secure" password I use for stuff that it would be disastrous if a hacker was able to access (banking sites, etc.) This is a good compromise.
- Don't use a stupid easy password, and don't use "security questions" that other people could answer. For example: Using your pet or kid's name is HORRIBLE, or your birthday, etc. Anyone who trolls your Facebook page could likely figure it out.
GordonH
Сварливий старий мерзотник
Posts: 39058
Joined: Oct 4th, 2008, 7:21 pm

Re: Banking Security

Post by GordonH »

^^^ Too many people share far too much about themselves on social media sites, then wonder how or why their bank account or credit card gets hacked or ID stolen.
Hey idiots, don't share that stuff in the first place, wake :cuss: up.
I don't give a damn whether people/posters like me or dislike me, I'm not on earth to win any popularity contests.
Jlabute
Guru
Posts: 6751
Joined: Jan 18th, 2009, 1:08 pm

Re: Banking Security

Post by Jlabute »

Banks usually have an option to ask security questions as well, after entering an account and password. It is unlikely you were compromised directly thru the bank, but, you personally? Perhaps a key logger was installed on your PC or some means of taking information from you. ??
Lord Kelvin - When you can measure what you are speaking about, and express it in numbers, you know something about it.
Woodenhead
Guru
Posts: 5190
Joined: Jun 2nd, 2009, 2:47 pm

Re: Banking Security

Post by Woodenhead »

george~ wrote:Woodenhead try running your password through a site called The Password Meter and see how it does, mine came up with this.

Oh, hey I was just joking around. There's a bunch of similar sites online. Kind of gimmicky. The more important thing is how long it would take to guess a password, and the biggest factor there is simple password length.

Check this site out, and read the bit partway down which starts with:
Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9


It's an informative & useful site - check the links under "Services" for some more interesting stuff. Legit.

george~ wrote:I was looking into Lastpass and discovered that site was hacked a few times.


Sorta. In 2015 it was, but no passwords were taken because their security held up well in that regard. This year, two white hatters "hacked" LP using exploits they discovered (one involved phishing, so not really a "hack") but that's just it - they were white hats. As in, they do this ethically in order to help strengthen security; the flaws were immediately reported to LP and patched. That's how it's done. Remember, this is the Internet and 100% security is a myth. Literally everything is "hackable" and that will always be the case no matter what. (keepass has been "hacked" too, so have banks, so have government servers, so have...)

Anyway, Tyler knows what's up. Cheers, george! :130:
Your bias suits you.
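
The length comparison in the post above, together with the lockout point made earlier in the thread, worked through as an added example (not part of any post): it counts the candidates a blind exhaustive search would try for the two quoted passwords and bounds online guessing under an account lockout. The lockout policy (5 tries per 24 hours) and the sample `abc12` are assumptions, and the count only holds against an attacker who tries every string and does not know the padding pattern.

```python
import string

# Printable-ASCII character classes: 26 + 26 + 10 + 33 = 95 symbols in total.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]

# The two passwords quoted in the post; the first is "D0g" plus 21 dots.
PADDED = "D0g" + "." * 21
RANDOM_LOOKING = "PrXyc.N(n4k77#L!eVdAfp9"

def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))

def search_space(password):
    """Candidates an exhaustive search tries for all lengths up to this one."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def years_to_exhaust(password, guesses_per_second):
    """Worst-case years to try the whole search space at a given guess rate."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)

def online_guesses_per_day(attempts_before_lock, lock_hours):
    """Upper bound on guesses per day against one account under a lockout."""
    return attempts_before_lock * (24 / lock_hours)

if __name__ == "__main__":
    for pw in (PADDED, RANDOM_LOOKING):
        print(f"{len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{search_space(pw):.2e} candidates")
    # Assumed policy: 5 tries, then a 24-hour lock; "abc12" is a constructed sample.
    days = search_space("abc12") / online_guesses_per_day(5, 24)
    print(f"5-char password behind lockout: {days:,.0f} days to exhaust")
```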
Jonrox

Re: Banking Security

Post by Jonrox »

Even if your bank information is hacked, which is highly unlikely, you're protected. It's an inconvenience but the money will all go back into your account or credit card charges will be refunded once you report the problem to your bank. In all likelihood they'll notice before you do anyway. There's really not a lot to worry about.
youjustcomplain
Grand Pooh-bah
Posts: 2092
Joined: Jun 14th, 2016, 12:56 pm

Re: Banking Security

Post by youjustcomplain »

To build on what Tyler said.

I have seen three forms of ID theft attempts against me.
Creative phishing seems to be the most dangerous.
Someone created an email that borrowed all of the standard letterhead from Royal Bank of Canada. The email looked very legit and they didn't ask for my password. Instead, they kindly provided a link to their login page. In Outlook, when you hover your mouse over a link, it shows the address in the bottom left corner.
Some don't know this, but in an email, I can type in an address, then set the address to link to somewhere else. I.e., I could write:
www.castanet.net. I could make that a link, then make it link out to some other website.
This is what the Royal Bank scam was trying to do. I could see from Outlook that the link was going to direct me to something that didn't look right at all.

Sadly, I reported the issue to Royal Bank and they downplayed it. In actuality, I don't bank with Royal Bank, so it was another good tip that this was a scam attempt. How it would work is that I'd click the link to log in to my banking and the site I'd be looking at would look exactly like the Royal Bank site, so it would look like I was logging in to a legit site.
youjustcomplain
Grand Pooh-bah
Posts: 2092
Joined: Jun 14th, 2016, 12:56 pm

Re: Banking Security

Post by youjustcomplain »

Jonrox wrote:Even if your bank information is hacked, which is highly unlikely, you're protected. It's an inconvenience but the money will all go back into your account or credit card charges will be refunded once you report the problem to your bank. In all likelihood they'll notice before you do anyway. There's really not a lot to worry about.


I didn't know that about bank accounts.

I have had my credit card stolen before, (physical card removed from my wallet). That same day, I got home from work, and found a voicemail from CIBC VISA that they have deactivated my card. I called them as they requested and they started quizzing me on my last purchases. Once we figured out which purchase was the last one I made, they cancelled all purchases made on the card after that, removed all of the charges and I had a new card in the mail 5 days later. This was VISA, and they knew long before I did that my card had been lifted. Apparently using the card for an online purchase, or to get gas at a pump are good and safe ways for thieves to figure out if the card is active or not.
GordonH
Сварливий старий мерзотник
Posts: 39058
Joined: Oct 4th, 2008, 7:21 pm

Re: Banking Security

Post by GordonH »

^^^ I don't respond to phone calls or emails from my bank; if they need to get in touch, I get messages within my online account. Then I do a face to face at my branch, or send a secure message back, also within my online banking account.
I request this directly with the bank I use. As well, all usual mail has been made paperless (i.e. cellphone bill, cable bill, etc.), so using delivered mail for ID theft is out.
I don't give a damn whether people/posters like me or dislike me, I'm not on earth to win any popularity contests.