Bank Security

Having found by coincidence a (minor, perhaps exploitable as part of a more-complex attack) security problem with the website of a major high street bank, one would think it would be easier than it evidently is to get it reported and fixed. Several phone calls over a couple of days, and the threat of making a complaint about a representative if they didn’t escalate me to somebody who’d actually understand what I was explaining, I’ve finally managed to get the message through to somebody. How hard was that? Too hard.

If this still doesn’t work, what’s the next step? I’m thinking (1) change banks; (2) explain why to the bank; (3) explain why to the world. Seriously, I expect better from the people looking after my money.

And on that note: time for bed.

Edit: Meanwhile, we see that the PlayStation Network hack may have resulted in the theft of personal information from users’ accounts. While most of the media seems to be up in arms about the fact that this might have included credit card information, I’m most pissed-off about the fact that it might have included unencrypted passwords. Passwords should be stored using irreversible encryption: there’s no legitimate excuse not to do this, these days (the short version for the uninterested: there is a technique which can be used to store passwords encrypted in a pretty-much irreversible format, even if the hacker steals your entire computer: it’s very easy to do, protects against all kinds of collateral damage risks, and Sony evidently don’t do it). If any of Sony’s users use the same password for their email account, social network accounts, online banks, etc. (and many of them will, despite strong recommendations to the contrary), the hackers are probably already getting started with social hacking attempts against their friends, identity theft attacks, etc. Sony: you are a fail.

3 replies to Bank Security

  1. Why would you use encryption to store the passwords? There isn’t such a thing as irreversible encryption, as the point of any encryption system is to allow you to retrieve the data at a later date if you have access to the key.

    Authentication systems should be using a hashing algorithm like SHA, or MD5 (with a good salt).

  2. “Irreversible encryption” (the exact words I used) is another name for “cryptographic hashing.” There is no form of irreversible encryption which is NOT a hash, mathematically speaking.

  3. Upon revisiting these comments, I just wanted to add (for the benefit of anybody who lands here by mistake!): no, authentication systems should NOT be using a hash “like SHA, or MD5”, because these are general-purpose hashing algorithms. Passwords should be hashed using password-hashing algorithms (e.g. bcrypt), which have characteristics better-suited to mitigating brute-force attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *