by xexers 2944 days ago
Wow! That seemed so unbelievable I had to google it:

"Tangerine, much like BMO, also has a six character limit – numbers only, no letters and no special symbols allowed."

https://www.theglobeandmail.com/technology/digital-culture/w...


It's even better than that: to log in to the Tangerine website, you first enter your username, and it returns a picture and phrase you pre-selected, before you enter your PIN.

When showing you the picture and phrase:
> Important: If you don't recognize or see your picture and phrase, don't enter your PIN. First check that you entered the correct information. If you're still unsure, call 1-888-SAFE(7233)-304.

Anyone care to guess my username, and steal my picture and phrase?

It's meant to be a very crude protection against entering your PIN on a site pretending to be Tangerine. Yeah, it's pretty dumb.
As I recall from opening my account in the '90s, the photo feature was always there. It was "forward thinking" at the time, but I can't say they have kept up that pace.
This smells of plaintext password storage...
A little bird told me it's because they still use COBOL fixed-width data and are basically scared to change it. To fix it, first they have to finish their rewrite.
Sometimes people resist fixing serious issues with a legacy system, because rewriting the legacy system is seen as preferable to evolving it. But the rewrite always takes a lot longer than you expect, which can result in a lengthy period in which those issues continue to bite you. Just hire a few good mainframe COBOL programmers (they still exist) and fix the serious issues in the legacy system.

Changing a legacy mainframe COBOL system shouldn't be scary. Provided you have qualified staff and the right tools (such as COBOL static analysis tools), it is not inherently more risky than changing a Java or .Net app.

What I don't get is that Tangerine was originally ING Direct, which was a new bank that started in Canada toward the end of the '90s or early 2000s. How did they end up with a COBOL system?
ING Direct's parent, the Dutch ING, fell on hard times during the 2009 recession.

So ING sold it off to The Bank of Nova Scotia (BNS).

Canada's bank-friendly anti-consumer policy meant that ING Direct had some value, and BNS coughed up the most cash.

They were only allowed to use the orange ING branding for a few years, so they changed it to something that was borderline familiar: an orange fruit.

BNS probably had to, or chose to, switch ING clients over from the Dutch back-end to their Canadian one.

The 6-character limit was already there during the ING Direct years. It's possible they were using the old Dutch systems, but I find it a tad surprising; they would have needed to set it up from scratch in Canada (as I don't think anything was stored in the Netherlands). So they purposely set up an old-ass system in the '90s. What a shit show.
Plausible, but they had six digit codes from the beginning.
Ouch... It saddens me when rewrites are not taken as seriously as they should be... Instead they'd rather risk people's personal information and finances.
It is because these companies are too lazy to change their systems to separate telephone banking and their online banking.
At 6 characters, does it even matter? Even salted + hashed + a memory-hard KDF isn't going to save you.
Agreed, napkin math says around 3 days on a single CPU core to test every password.
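The napkin math above, carried out on constructed data as an added example (this is not code from the thread or from Tangerine). It exhaustively searches the full 6-digit numeric keyspace against a salted SHA-256 hash, then times a memory-hard KDF (scrypt with assumed parameters n=2**14, r=8, p=1) and extrapolates the per-guess cost to all 10**6 candidates. The victim PIN, salt and KDF parameters are all assumptions chosen for the demo.

```python
"""Added example: what a 6-digit, numeric-only PIN buys you against an
offline attacker who holds the salted hash.

1. With a fast hash (salted SHA-256) the whole keyspace of 10**6 PINs is
   searched in about a second of pure Python.
2. With a deliberately slow, memory-hard KDF (scrypt) the cost is
   per_guess * 10**6: hours to days on one core, never years. The scrypt
   parameters below are an assumption chosen to keep the demo fast.
"""
import hashlib
import itertools
import os
import string
import time
from typing import Optional

DIGITS = string.digits


def keyspace_size(length: int, alphabet: str = DIGITS) -> int:
    """Number of candidate secrets of exactly `length` symbols from `alphabet`."""
    return len(alphabet) ** length


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256: fast hashing, the weak (but common) storage case."""
    return hashlib.sha256(salt + pin.encode()).digest()


def crack_pin(target: bytes, salt: bytes, length: int = 6,
              alphabet: str = DIGITS) -> Optional[str]:
    """Try every `length`-symbol string; return the match or None.
    The salt is known to the attacker (it is stored next to the hash)."""
    for candidate in itertools.product(alphabet, repeat=length):
        pin = "".join(candidate)
        if hash_pin(pin, salt) == target:
            return pin
    return None


def kdf_pin(pin: str, salt: bytes) -> bytes:
    """Memory-hard KDF (scrypt). n=2**14, r=8, p=1 is an assumed, modest
    parameter set (~16 MiB); it is used only to measure per-guess cost."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def estimate_kdf_search_seconds(length: int = 6, alphabet: str = DIGITS,
                                samples: int = 3) -> float:
    """Time a few KDF evaluations and extrapolate to the full keyspace.
    Returns the estimated single-core seconds to test every candidate."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        kdf_pin(f"{i:0{length}d}", salt)
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * keyspace_size(length, alphabet)


if __name__ == "__main__":
    salt = os.urandom(16)
    secret = "417283"  # constructed victim PIN
    digest = hash_pin(secret, salt)

    t0 = time.perf_counter()
    found = crack_pin(digest, salt)
    print(f"fast hash: recovered {found!r} in {time.perf_counter() - t0:.2f}s "
          f"(keyspace {keyspace_size(6):,})")

    est = estimate_kdf_search_seconds()
    print(f"scrypt: ~{est / 3600:.1f} h to search every 6-digit PIN on one core")

    alnum = string.ascii_letters + string.digits
    print(f"for comparison, 8 mixed-case alphanumeric chars: "
          f"{keyspace_size(8, alnum):,} candidates")
```

The point the block makes is that the KDF only multiplies the per-guess cost; it cannot fix a keyspace of a million. Allowing 8 mixed-case alphanumeric characters raises the candidate count by a factor of more than 10**8, which is what actually makes a slow hash worthwhile.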