by darkstar999 3781 days ago
Same thing happened to me, my local credit union emailed me my password. They assured me that they use "bank-level encryption". Of course I didn't get into the difference between one- and two-way encryption with the teller, or that email isn't secure.

We live in an age where this should be unacceptable. Why aren't there financial security laws yet?


It's so infuriating because I've worked at companies doing digital commerce before, and PCI compliance and certification is quite onerous. But at the end of the day credit card numbers still aren't as sensitive as bank logins, yet there are no security standards on bank logins! It's crazy.
PCI compliance is pretty interesting. It's been many years since I worked in an e-commerce shop but I seem to remember that it even described physical security layers i.e., dictating the placement of door hinges to server rooms.
Goes to show that when money is at stake for the stakeholders then things get done.

I don't think banks actually care about individual user login security too much. Credit Cards reallllly suffer from security breaches though

> I don't think banks actually care about individual user login security too much. Credit Cards reallllly suffer from security breaches though

But the only reason that banks care so much about credit-card security breaches is that the law forces them to do so. If the law didn't make credit card fraud the bank's responsibility, then they'd be just as lackluster about preventing it as they currently are about securing login credentials.

I don't know if that's true. Say we lived in a world where those regulations didn't exist and the fraud risk was on par with what it is today. If one bank introduced their own fraud protection program, wouldn't they basically capture 90% of the market overnight?
This is a good argument, but I'm not sure that I buy this. There are plenty of industries (I think of the cable and cell-phone industries, but I'm sure there are others) where it's just a given that the service will be crappy, even though one company that started to respect its customers could seemingly corner the market. (I'm not sure what the results of T-Mobile's exercises in respecting its customers are. Their unfortunate net-neutrality stance with Binge On means that it's not an unalloyed win to go with them.)
What law are you talking about? PCI-DSS is required by the card companies and run by an organization called the "Payment Card Industry Security Standards Council". It's self-governed essentially. It's not federal law.
I had always assumed that it was a matter of law, rather than self governance. I stand corrected.
Well, there's your problem. When dealing with passwords you don't want encryption. You want hashing.
Hashing is considered one-way encryption, no?
No, it's one-way cryptography, but it's not a form of encryption.

https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-pass...

I hear credit unions are not regulated as well as banks, so even if there are laws for banks, the credit unions don't necessarily have to comply. Credit union security will probably always lag behind banks. :(
I don't think that is true. Source?

Furthermore, credit unions can't make risky bets that could put them under. The money you deposit goes out as loans to other people.

I avoid banks like the plague. Too shady for me, never again.