Recently tried to log in to PC Financial MasterCard online account. And got “your password is too long” error. What? Right! Password length validation on the login form!
I called CS and explained that this is impossible as I use a password manager and it worked just not long ago. They assured me that this was always the case and that I’m an idiot for forgetting my password.
They sent me to the password reset procedure page.
The password procedure emails a plain text temporary password, which then lets you pick a new password.
When picking a new password, I tried to enter my old password that was too long, just for the heck of it, to see if it’d go through.
Lo and behold, the system answered that I “cannot reuse the same password as previous 6 passwords”.
My bank has a password length limit of 8 characters.
Do they throw up an error? No, they silently truncate it.
The cherry on top is that it’s also case insensitive.
I stick with them because they’re good otherwise and they make it clear that they take responsibility for any losses due to this nonsense. But holy crap, “bank grade security” is definitely not a positive thing in my eyes.
I feel the term "bank grade security" used to mean something before we were banking online. "Bank grade security" conjures images of actually having to physically go to your bank and then having your money stored in a vault.
Is the validation done using JavaScript? I have used a credit union that used to do that until they merged with another credit union and switched to a new system. Password requirements were limited to 0-9, maximum of six digits. However, if you bypassed their client-side validation logic, you could use any password you wanted.
I have the same PC MasterCard, but in the PC Bank website that was replaced by Simplii, I found that the last character of my password, a period, did not matter to get logged in. I could enter it, or not. It worked either way. Perhaps something similar is happening for you.
What is wrong with stopping people from reusing the same password? It can be done securely using the same storage mechanism as passwords, i.e., storing hashes only.
The point was that the system knew his too-long password and the password was correct, just being suddenly rejected on the frontend, unlike what support said.
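An added example (not code from the thread or from any bank) contrasting the behaviour described above, silently keeping the first 8 characters case-insensitively, with a verifier that hashes the full password and refuses over-long input loudly, plus a hash-only password history of the kind the reuse check implies. `MAX_PASSWORD_LEN`, `HISTORY_DEPTH` and `PBKDF2_ROUNDS` are constructed policy values, not any bank's settings.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed policy values for this example, not any bank's real settings.
MAX_PASSWORD_LEN = 128   # hard cap, rejected with an explicit error, never truncated
HISTORY_DEPTH = 6        # "cannot reuse the same password as previous 6 passwords"
PBKDF2_ROUNDS = 100_000


def legacy_normalize(password: str) -> str:
    """Reproduces the behaviour complained about in the thread: keep only the
    first 8 characters and ignore case. Everything after position 8 is dropped
    without any error, so two very different passwords collapse to one."""
    return password[:8].upper()


def legacy_matches(stored: str, attempt: str) -> bool:
    """Legacy comparison: passwords agree whenever their first 8 characters
    agree case-insensitively, so the effective keyspace is tiny."""
    return legacy_normalize(stored) == legacy_normalize(attempt)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the full, case-preserved password.
    Over-long input is refused with an error instead of silently cut."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError(f"password longer than {MAX_PASSWORD_LEN} characters")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Constant-time comparison of an attempt against a stored (salt, digest)."""
    salt, digest = stored
    try:
        _, candidate = hash_password(attempt, salt)
    except ValueError:           # over-long attempt is simply not a match
        return False
    return hmac.compare_digest(digest, candidate)


class PasswordHistory:
    """Refuses reuse of the last HISTORY_DEPTH passwords using stored hashes only,
    so no plaintext (or reversible form) of old passwords is ever kept."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []

    def set_password(self, new_password: str) -> None:
        if any(verify_password(entry, new_password) for entry in self._entries):
            raise ValueError(f"cannot reuse one of the previous {HISTORY_DEPTH} passwords")
        self._entries.append(hash_password(new_password))
        del self._entries[:-HISTORY_DEPTH]   # keep only the most recent entries

    def current(self) -> Tuple[bytes, bytes]:
        return self._entries[-1]
```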
I can confirm that Scotia Bank, another major Canadian bank, does not support 2FA. This has always bothered me and is especially concerning because Canadian bank accounts can be used to log into Canada's immigration services (CIC). That immigration account is protected only by one more layer of self-selected security questions, after which the intruder potentially has access to a swath of personal data, including passport numbers, and a very detailed personal history section.
In my opinion, Canadian banks are way overdue to switch to 2FA.
Nor does TD. They don't even do phone notifications of logins.
Ironically I signed up with one of the local credit unions in Toronto to take advantage of a high interest savings account for a future tax debt for which I am sitting on the cash, and found they supported SMS 2FA, and texts when anyone (even me) logged into the account. I wish TD supported this, but then again, as long as their money is backed by the government I don't really care all that much.
Actually I think TD just launched an SMS-based two factor, I set it up on the weekend (I got prompted when I logged into EasyWeb, and it's also in my security settings). It's SMS-based, and can be configured on how aggressive it is (when you change IP/computer, or every time you log in).
I would much prefer to see a second factor like TOTP, U2F, etc. as the problems with SMS-based second factor are well documented, but I'll take what I can get.
Even TOTP is not a good 2FA system for a bank login, at least if that account allows you to send money somewhere: TOTP codes do not differentiate by transaction type, so if a fraudster has taken over your computer, it can wait for you to login using TOTP and then send a wire transfer in the background (using the same TOTP quickly enough if necessary or just asking you to log in again, pretending your first code was wrong).
That’s why proper banks should use 2FA mechanisms that will ask the user to confirm the transaction on a second device (e.g. photoTAN or similar).
Of course, this won’t help against attacks if both devices are compromised or you are using the second factor device to access the system, but it’s still better than TOTP.
And, of course, TOTP is still way better than SMS 2FA or no 2FA.
If someone has hijacked your computer, they could simply steal your session cookie and do whatever they want regardless of some TOTP secrets or being quick enough. In fact at that point any 2FA becomes meaningless - it's already game over.
Unless of course your bank does some proper, additional verification for large volume transfers.
Of course, that's the point: with photoTAN et al. it will request a one-time token for each wire transfer, and the token is based on the information (amount and recipient) of the transfer, which the user needs to confirm on their 2FA device.
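An added example (not from the thread or any bank's code) of the difference discussed above: a standard RFC 6238 TOTP depends only on the secret and the clock, so one valid code approves any transfer in its window, while a photoTAN-style code has the amount and recipient mixed into the MAC, so it can only approve the transfer the user saw on the second device. `BankBackend`, `transaction_code` and the `nonce|amount|recipient` message layout are a constructed illustration of the idea, not a specific vendor's protocol.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. The code depends
    on the secret and the time window only, never on what is being approved."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def transaction_code(secret: bytes, nonce: str, amount_cents: int, recipient: str) -> str:
    """photoTAN-style code (constructed scheme): the MAC input carries the exact
    transfer details, which the second device displays before showing the code,
    so a code computed for one transfer is useless for any other."""
    msg = f"{nonce}|{amount_cents}|{recipient}".encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


class BankBackend:
    """Two approval paths for a wire transfer, sharing one enrolled secret."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used_nonces: Set[str] = set()

    def approve_with_totp(self, amount_cents: int, recipient: str, code: str, at: float) -> bool:
        # Amount and recipient are never tied to the code: any TOTP valid in this
        # window approves this transfer, whatever it contains.
        return hmac.compare_digest(code, totp(self.secret, at))

    def approve_with_tan(self, amount_cents: int, recipient: str, nonce: str, code: str) -> bool:
        if nonce in self.used_nonces:          # each challenge may be answered once
            return False
        expected = transaction_code(self.secret, nonce, amount_cents, recipient)
        if not hmac.compare_digest(code, expected):
            return False                       # details differ from what the user confirmed
        self.used_nonces.add(nonce)
        return True
```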
It’s very easy to socially engineer a cellular ISP into redirecting arbitrary customers’ calls/texts to you, with just publicly-available information.
Usually if you have a given user's username and password (from some big accounts breach), but not 2FA SMS access, you can still access enough accounts of theirs (because people still tend to use the same password for everything!) to see all the personal details required to phish the 2FA SMS redirection out of their cellular ISP.
Or, sometimes, you don't even need login access; one notable attack has been to the credit-reporting systems, where to unfreeze your credit report (and thereby apply for new credit lines) the reporting agencies require your name, birthdate, SSN, and SMS verification. But if the attacker already has name, birthdate, and SSN... well, that's all they need to get the cellular ISP to redirect the SMS verification, as well.
Maybe, that depends on the implementation. I don't believe they allow password resets from Easyweb via SMS, so I believe in this case it's at worst "as good as it was before", and only when they've managed to hijack my phone number.
TD is actually terrible. If you forget your password and you can answer one of the questions about the person (i.e., what was your high school mascot?) they actually just let you change the password at that point.
Hah, I remember when TD actually started supporting proper password lengths and published a bunch of fluff pieces about good password practices, as if none of their users remember their old short password restrictions.
I signed up for both Meridian and EQ bank. Both supported various 2FA options. I only used them as a higher interest savings account (One was 1.5% the other was 2%, so yeah, low but not terrible - I've since moved that tax liability to Wealthsimple's high interest account), cannot really vouch for their service outside of saying they gave me the interest and the initial capital back without any drama.
Nope, it's worse. Websites will use it as an authentication method in password-reset workflows, which means hacking your account reduces to intercepting or redirecting text messages (easily accomplished). Rampant cryptocurrency theft over the past year has conclusively demonstrated that SMS-based 2FA is worse than no 2FA at all. The worst offender? Gmail. It uses your phone number for password recovery and is in turn used for password recovery by every other website.
1) Many people have had their Gmail account for a long time, starting before SMS-based 2FA was widely known as a security disaster (this is in fact still not widely-known)
2) Google still actively encourages users to add a recovery phone number
3) Users could have added a phone number years ago then forgotten (this was the case with myself)
4) Users often have many websites using their Gmail account for password-reset workflows (this is definitely the case with myself)
You are correct this is a significant usability issue. Personally I use Authy, which performs automatic encrypted backups in case I lose my phone. I then have to remember my Authy recovery password (not stored in my password manager, which is itself secured with a TOTP - hello circular dependency danger!) I also keep a yubikey authorized with all my accounts as second backup.
All these things are beyond what the average person wants to worry about, as you say, but HN readers will find it simple. Personally I'm hoping U2F (Yubikeys) are the future, since your average person certainly understands the concept of a key.
Grrr. Google Authenticator and such are free. It would be mostly user support costs to deploy. Heck, could even SMS or robodial (Twilio etc) a TOTP code for people without smartphones.
What really bothers me about these banks is that they attempt to keep their platforms secure by things like disabling the back button.
Just so that hypothetically, if somehow a person has access to your physical machine, they can't just press back and view a cached copy of your account.
Yet they fail on actual security practices.
No 2FA - check
Maximum password length of 6 characters - check
Storing / Sending passwords in plain text - check
The list goes on.
It boggles my mind that institutions with such financial power fail to employ these practices.
I just wanted to say that Scotia's corporate accounts do have 2FA with a physical token generator, so they do have the technology they just don't enforce it for consumer accounts.
I find CBC has a bad habit of writing corporate fluff pieces. They quote an "expert" from SAS making some vague assurance that their security is good. SAS is a vendor to CIBC[1], but the article fails to mention that conflict of interest.
This is why CBC needs to go the BBC's road and go fully ad-free. The moment you need ads to survive, everything starts to work around making advertisers happy.
If the Canadian Government is their only source of funding, it raises the risk of don't bite the hand that feeds you, and the CBC already has a habit of not asking terribly uncomfortable questions of our government.
But then, all of our media outlets are like that so maybe it's just a Canadian thing. Take this as an example:
You can get a passport by simply skipping a line and heading straight to a known-to-be-compromised employee, no simple secondary checks in place. An obvious gaping hole, and not a single newspaper has the competence (or bravery) to notice.
This is all good, but as a Canadian I don't want to be forced to buy a TV license to cover the CBC's budget.
The UK essentially taxes households with a TV in order to prop up the BBC. When I was growing up in the UK in the early 2000s we didn't watch broadcast TV but we had a TV. A couple of times a government license officer came over and demanded to be let in the house to inspect our TVs. I loved how my dad stood up to him and told him to basically fuck off.
They’re not Government, they’re employed by a private company contracted by the BBC - they have no special enforcement powers. They have as much right to be in your house as anyone else who turns up at your door i.e. none.
The whole TV licensing thing is basically based on the assumption that most people want to follow the law most of the time, which it turns out is a true assumption.
I absolutely understand this; the problem at the time was that the officers were notorious for presenting themselves as if they had a right to enter your house. They would be particularly pushy and work on the assumption that you were going to let them in. Myself, my father, and a friend all experienced this; guy turns up, says he needs to come in to inspect the TV, when you refuse to let him in says he will come back with some kind of legal paperwork to allow him to enter, returns another day hoping someone else opens the door.
> The whole TV licensing thing is basically based on the assumption that most people want to follow the law most of the time
This is BS, they had infamous adverts on TV saying they would 'catch you out', suspecting the public were stealing the airwaves.
^ Three decades of threatening the public. You tell me that those ads don't make it look as if the officers are gov't employees and have a legal right to inspect your home. In fact, from those ads it makes it look as if they can tell from outside your home that you have broken the law, I am pretty skeptical that any of that would stand up in court as conclusive evidence.
Fact is you can legitimately own a TV and not want to watch the BBC, but the BBC insists that owning a TV is essentially the same as wanting to watch BBC TV.
It's even better than that, to log in to the Tangerine website, you first enter your username, and it returns back a picture and phrase you pre-selected, before entering your PIN.
When showing you the picture and phrase:
>Important: If you don't recognize or see your picture and phrase, don't enter your PIN. First check that you entered the correct information. If you're still unsure, call 1-888-SAFE(7233)-304.
Anyone care to guess my username, and steal my picture and phrase?
As I recall from opening my account in the 90's the photo feature was always there. It was "forward thinking" at the time, but I can't say they have kept up that pace.
A little bird told me it's because they still use COBOL fixed width data and are basically scared to change it. To fix, first they have to finish their rewrite.
Sometimes people resist fixing serious issues with a legacy system, because rewriting the legacy system is seen as preferable to evolving it. But, the rewrite always takes a lot longer than you expect, which can result in a lengthy period in which those issues continue to bite you. Just hire a few good mainframe COBOL programmers (they still exist) and fix the serious issues in the legacy system.
Changing a legacy mainframe COBOL system shouldn't be scary. Provided you have qualified staff and the right tools (such as COBOL static analysis tools), it is not inherently more risky than changing a Java or .Net app.
What I don’t get is that tangerine was originally ING Direct. Which was a new bank that just started in Canada toward the end of 90s or early 2000s. How did they end up with a COBOL system?
6 character limit was already there during ING Direct years. Possible they were using the old Dutch systems but I find it a tad surprising, they would have needed to set it up from scratch in Canada (as I don’t think anything was stored in Netherlands). So they purposely set up an old-ass system in the 90s. What a shit show
Ouch... It saddens me when rewrites are not taken as seriously as they should be... Instead they rather risk people's personal information and finances.
Dollar to a donut there is a machine with IBM on it backing this up. In a prior life the ultimate reason why "you can type as many characters as you want but only the first 8 matter" came down to passing the login auth to a mainframe which only took 8 characters. Yes in EBCDIC, glad I never had to actually interface with them much, except for having to deploy ftps (ftp with ssl encryption, it's an abomination, all due to no sftp on the mainframe at the time).
Not a 'good idea', but it's partly because the same password is used for telephone banking. And people seem to have trouble with typing long passwords on numerical keypads.
I understand that, but I'm looking for something more specific... Hashes aren't length-limited by design; I suppose storage size or database limitations could be an issue, but a 6-character password in ASCII with 1 million users is 6 megabytes.
If you are RACF-defined, you must enter the password defined in the RACF® data set as the value for password. The new password specifies the password that is to replace the current password. new_password must be separated from password by a slash (/) and, optionally, one or more standard delimiters (tab, blank, or comma). new_password is 1 to 8 alphanumeric characters long. This operand is ignored for non-RACF defined users. (Printing is suppressed for some types of terminals when you respond to a prompt for a password.)
With z/OS® V1R7 or later, the password and new_password can be in mixed case, if your installation has enabled RACF mixed case password support.
Some of these systems originate from the era when a 5 MB hard drive was an incredible amount of space, even at enterprise level. They pre-date personal computing.
Do the other banks still have the same limitations at their root, but just take a numeric hash of whatever you enter, compare against a 6 digit integer and pray you don't find a collision?
It's actually worse than that. It's fixed 4-digit or 6-digit. Most customers probably use the same 4-digit password for online/telephone banking as they use for their debit card's PIN. I don't care what legacy software the backend is built with; a 4-digit or 6-digit numerical password should frankly be an illegal way for a bank to do business.
HSBC Canada requires 2FA with a token or their mobile bank app. It also isn't possible to change account contact info, set up new payees, or transfer money to another country without generating a security code with a token PIN.
The contact centre agents are unable to access your account unless you can correctly answer the security questions. This does mean an agent can lock out your account though.
It is a pain, but compared with the goofy BMO 6 character passwords, or worse using CIBC at all, it was a welcome change.
Legacy systems galore:
Scotiabank gave me a debit card once in a branch because I got angry with them and also use mail extensively (though they have a much bigger problem right now), TD Canada Trust and US TD Bank are integrated with mail and fax, and RBC has 3 different domains (not AD) (East, Central and West) and they are completely isolated which can be a nightmare when moving across the country.
HSBC is the only bank I've seen do this properly with a dedicated device. In the US at least you can log on and do a few basic things without the device.
Over in the UK Nationwide started sending out the little pin/auth machines 10-ish years ago (from memory). They're pretty smart about requiring it for anything "unusual" but allowing standard stuff (moving money between my own accounts, paying my usual credit card bill) is fine based purely on password login.
When HSBC decided to close their free Canadian small business accounts, they decided to mail out the notices and $$$ closing bank draft to the registered address, and not the mailing address they sent everything else to before...
Lovely. One can only hope that other would-be hackers don't start poking the rest of the Canadian Bank's archaic systems or we'll soon see the rest of our not-so-fantastic banks on the front page of HN.
For anyone not from Canada, our banks are at least a decade behind the rest of the world in terms of IT - mostly due to strong government protectionism. I was a mortgage broker before changing into IT, and up until the summer of 2015, to submit a mortgage application to Scotiabank, one of big 4, you had to fax it. My buddy who works for Scotia said it wasn't until Q1 2016 before they were able to submit a mortgage application without a fax internally.
>>For anyone not from Canada, our banks are at least a decade behind the rest of the world in terms of IT
I would not agree with your assertion. I work at the bank with the "Green Sofa" and I can assure you we are very competitive with the US banks as far as technology goes.
Chase is awful too, their passwords aren't case sensitive! If you have an account you can try it right now, type in your password and change the case of a letter and it doesn't make a difference.
That 32 character password (on RBC) is case insensitive, unfortunately. I noticed when I logged in with caps lock on (so my cases were inverted) and it worked. =\
I have an account in BMO that I'm in the process of closing.
Besides kicking myself for opening an account in a 6-digit password site, what should I keep in mind regarding my compromised data?
I have to say... I'm not at all surprised about Simplii financial's hacking...
I had a PC Financial bank account... and then PC Financial decided to merge their points program with Shoppers Drug Mart for some reason... and then I started getting calls from Simplii financial asking me to verify my identity and let's set up my new online bank account...
"What?" is all I could think...
I had never heard of Simplii financial before... nor was I aware that PC was dissolving/selling their banking arm...
I logged into the account once, transferred all of my money out of that account, and logged out forever...
The reason I say that I am not surprised that Simplii financial was hacked is because it is hardly even a Bank imho... it was an afterthought.
The security of these Canadian banks is very weak IMO. CIBC/Simplii, for example, does not support 2FA, has no sign in or transfer email/SMS alerts and their maximum password length, I believe, is 12 characters.
> Then later Monday morning, Bank of Montreal revealed that it, too, had received a tip that "fraudsters" had stolen data on up to 50,000 of the bank's customers, "and a threat was made to make it public," BMO spokesperson Paul Gammal said.
> In BMO's case, at least, the tipsters were the hackers themselves.
> "We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO said.
Which "incident"? The theft of the data or being informed they were selling their own ass back to them?
The only fraudsters here are the banks, claiming they are secure.
Will CIBC and BMO be paying higher interest rates for the elevated risk of banking with them?
I was visiting friends in Canada and I asked “is it true that Canadians don’t lock their doors?” And they responded “oh no, Steve right? Yeah we know a guy, he locks his door”. Always polite, trying to make me feel OK for being from a place where everyone locks their door.
I live in Montreal and I only make sure the doors are locked at night. In some Montreal neighborhoods, it's common for people to just leave their front door open to let the air in, even at street level.
Well, I don't know. Not locking the door when you are away is a bit odd, and the insurance just won't pay if you are burglarized. My understanding of the 'Canadians are not locking the door' thing was always about when you are at home. No?
I did not realize people locked their door when they're at home during the day.
I'm Canadian. I don't lock my door when I'm at home. I always assumed this question implied "when not at home", and I always answered that Canadians do lock their doors.
That’s banking-grade security right there.