
This could happen, but do we have any evidence that it has? I'm being serious...I constantly hear about widespread leaks of passwords, but the most I hear about it is people having their email hacked by a botnet to...send spam. Have there been any large scale attacks to gain access to bank accounts to then clean them out somehow?

On top of that, how does getting access to someone's bank account even help you? You have to transfer the money to another account, which leaves a trail...




Yes. One of our clients had their E*Trade account compromised after a Yahoo password leak. (We had helped them change passwords on all their other services and recover the data deleted from their Yahoo account, but they forgot they had an E*Trade account.)

In that case, E*Trade detected the activity as fraudulent, so the damage was minimal.


> This could happen, but do we have any evidence that it has? I'm being serious...I constantly hear about widespread leaks of passwords, but the most I hear about it is people having their email hacked by a botnet to...send spam.

The more password databases are hacked, the better password cracking becomes, and the more sites black hats get access to. It's a vicious cycle. Yes, people sometimes do get large amounts withdrawn from bank accounts.


This. For more information on why this is the case, here's a pretty good article on it.

http://arstechnica.com/security/2012/08/passwords-under-assa...

The simplified version: Every time a password is cracked it is added to a database of hashes used to hack other databases. Essentially crowdsourced cracking.


That only works on broken sites that don't salt.


If I was to try to break salted passwords, my first inclination would be to find the largest set of known passwords and try those before resorting to a pure brute-force approach. Thus if your password "ILikePuppies" is ever exposed as a password, then I would consider it insecure.
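
Added example, not part of any comment in this thread: a sketch of the salting exchange above, showing that a per-user salt defeats a precomputed hash table while a password on a known-exposed list is still found by a per-record check, which is why a signup check should reject listed passwords. The list contents, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of passwords already exposed in earlier leaks.
EXPOSED = ["123456", "password", "ILikePuppies", "letmein"]
ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly

def unsalted(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()

def salted(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def make_record(pw: str) -> dict:
    """Store a password the salted way: random salt plus derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted(pw, salt)}

# Built once, this table matches every unsalted database that holds these passwords.
LOOKUP = {unsalted(p): p for p in EXPOSED}

def table_hit(stored_hash: bytes):
    """Precomputed lookup: only matches hashes stored without a salt."""
    return LOOKUP.get(stored_hash)

def exposed_password_for(record: dict):
    """Audit one salted record: every listed password is re-hashed with its salt."""
    for p in EXPOSED:
        if hmac.compare_digest(salted(p, record["salt"]), record["hash"]):
            return p
    return None

def acceptable_at_signup(pw: str) -> bool:
    """Mitigation: refuse any password that already appears on the exposed list."""
    return pw not in EXPOSED

def demo() -> dict:
    listed = make_record("ILikePuppies")
    unlisted = make_record("constructed-unlisted-passphrase-7421")
    return {
        "unsalted_table_hit": table_hit(unsalted("ILikePuppies")),
        "salted_table_hit": table_hit(listed["hash"]),
        "salted_listed": exposed_password_for(listed),
        "salted_unlisted": exposed_password_for(unlisted),
    }

if __name__ == "__main__":
    print(demo())
```

The salt removes the reuse of one table across databases, but the cost of checking a listed password against a single record is only one hash per list entry.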



I'm sorry, please be clear: is your response to "this is a well-known security problem with easy-to-implement best practices to lower chances of incident" really "I've never heard of an attack using this"?


Robbing a convenience store at gunpoint or illegally downloading torrents usually also "leave a trail." That doesn't mean nobody is willing to do it, and I definitely wouldn't feel safe if random people had access to my bank account just because if they did anything law enforcement might be able to catch them.



