Somewhere, in the background, there's a poor old Unix mainframe running Cobol, unaware that the world around it has changed, and that it should be put to pasture, where it can live out the rest of its days in peace.
I've heard of a bank actually trying to use that excuse when asked why their online banking passwords were so limited.
That is, of course, complete bullshit.
Sure, it is plausible that a bank has an old mainframe handling their accounts. It is also plausible that user account passwords on that old mainframe are only 6 or 8 characters and from a limited alphabet.
What does that have to do with customer online banking accounts? Nothing!
When you open a bank account they don't make a user account for you on their mainframe. What they make for you is an entry in an application database that their banking applications use. The only mainframe user accounts involved are the account that the database runs under and the account that the banking application runs under, both of which are the same for all banking customers.
Even if, for some strange reason, they do actually have to make a mainframe login account for each banking customer there is no reason for the banking customer to ever directly access that. Online banking is accessed through the web, so only the web server needs to access your banking account on the mainframe. They could make the website have its own password system, without the mainframe login restrictions. The restricted mainframe login information would only be known by the mainframe and the website back end. The banking customer should never deal with that.
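The separation described in the comment above, sketched as an added example that is not part of the original thread: the website keeps its own password system with no length or alphabet limits, and the restricted legacy credential is generated and held by the back end only. The class name, the 8-character uppercase-and-digits legacy limit, and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumed legacy limits: 8 characters from a restricted alphabet.
LEGACY_ALPHABET = string.ascii_uppercase + string.digits
LEGACY_LENGTH = 8


class WebAuthTier:
    """Hypothetical web back end with its own password system."""

    def __init__(self):
        # username -> record; a real deployment would keep the legacy
        # credential encrypted at rest rather than in a plain dict.
        self._users = {}

    @staticmethod
    def _kdf(password, salt):
        # scrypt accepts input of any length and any characters.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=2**14, r=8, p=1, dklen=32)

    def enroll(self, username, web_password):
        salt = secrets.token_bytes(16)
        # The legacy credential is random and never shown to the customer.
        legacy = "".join(secrets.choice(LEGACY_ALPHABET)
                         for _ in range(LEGACY_LENGTH))
        self._users[username] = {"salt": salt,
                                 "hash": self._kdf(web_password, salt),
                                 "legacy": legacy}

    def login(self, username, web_password):
        """Return the legacy credential for back-end use, or None."""
        rec = self._users.get(username)
        if rec is None:
            self._kdf(web_password, b"\x00" * 16)  # keep timing comparable
            return None
        candidate = self._kdf(web_password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            return None
        return rec["legacy"]
```

The customer's password strength is decided entirely at the web tier; the legacy system only ever sees the random credential passed to it by the back end.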
Worse, it's probably an emulation of a Unix mainframe running the original Cobol code - with the emulator running in machine-generated JavaScript in Node.js on AWS...
"Unix mainframe" is something that never really existed, mainframes run special operating systems like z/OS. (You can run SuSE on a virtual partition under z, but not natively, and it is a recent concept.)
I signed up for a US BMO account for the sign up bonus... Man is that bank's website bad. The version of jQuery they are using is from 2008 (1.3xx IIRC) and they give you a pop-up if you try to right click saying "right-click has been disabled for security purposes."
To be fair though, at least they offer the guarantee that if your online banking is hacked they will reimburse 100%. Though not sure how truthful it is having never needed it.
"You may be liable for all losses from unauthorized use of your Account if you:
contributed to its unauthorized use;
used a PIN combination selected from your name, telephone number, date of birth, address, or Social Insurance Number;
did not use reasonable care to safeguard your Secret ID Code;
did not keep your Secret ID Code separate from your Card;
did not comply with your reporting obligations in Section 11 of this Agreement unless there were exceptional circumstances for your failure to do so; or
shared a mobile device that you registered with us for Electronic Banking Services.
In those cases, your liability may exceed the funds in an Account, your credit limit or any daily transaction limits. In other words, your liability will not be limited by your Account balance, your credit limit or any daily transaction limits.
You must cooperate and assist in any investigation that we initiate into the unauthorized use you reported, which is a precondition to being reimbursed for any losses. This cooperation may include filing a report with law enforcement authorities."
I think I'd rather risk some money to hacks on an otherwise more secure system than look forward to whatever hellish phone support calls and hoop-jumping I expect I'd have to go through to get charges reversed.
How do insurance companies stop people from emptying their house and then burning it down? How do brick and mortars prevent people from paying with photocopied money? It is fraud, and it is generally illegal. Huge amounts of money are spent on detecting and deterring fraud attempts.
It's entirely possible to claim your card was skimmed and have your bank refund the money. However, if they then find out that the ATM used to withdraw your entire balance is the same ATM you've used for years, and your face is on the ATM's security camera at the time of withdrawal, then you're in for a world of hurt.
You basically need to file a police report about the theft, and the bank will probably know where the money was sent/spent, and the police ideally would investigate and subpoena the records of wherever the money went and presumably discover if it goes back to you somehow. The first liability thing says you cannot have "contributed to its unauthorized use". I mean realistically someone could possibly do it and get away with it, but I mean people could realistically do many types of fraud. Most could realistically probably get away with it. It's more a guarantee to people that if they get hacked somehow other than giving naughty little Johnny/vindictive ex Jane the bank card and PIN, they can get their money back.