by akatechis 2306 days ago
> These banks' IT systems are storing things that many of us would argue are much more valuable than your passwords. A bank's core system also represents the actual monetary value of every customer's account. We are talking about password security in a system domain where there are arguably far more valuable assets to secure.

The password is what secures the more valuable things inside the account (the money). In fact, in nearly every case a password is used, no one really cares much about the password itself, but what's inside. That's why services require a password in the first place.

EDIT: Also, don't be so sure that passwords are not useful. If you can compromise a password in one service, there is a significant chance that the user in question is re-using the same password on other (or all?) services. If your password is "joe123" on somewebsite.com and I can crack that, I can try to use that information to guess your login on somebank.com, somedoctor.com and somegovernmentservice.gov. The more things become "cloud"-based, the higher the value of cracking a password.

I think the bigger consideration is actually how to exfiltrate money from an account that you compromise: If you initiate a wire transfer to some account you control, that leaves a paper trail, and typically has a lag time, during which the institution/customer have a chance to react. This is also why scam centers in India ask you to send them cash equivalents: gift card codes they can redeem/resell.

3 comments

> The password is what secures the more valuable things inside the account (the money)

> I think the bigger consideration is actually how to exfiltrate money from an account that you compromise: If you initiate a wire transfer to some account you control, that leaves a paper trail, and typically has a lag time, during which the institution/customer have a chance to react.

It sounds like your third paragraph contradicts your first - it's not just your password that protects the money, but the institution whose business it is to maintain and reconcile paper trails.

Banks were using signatures (!) to protect depositors' money long before passwords existed - and they have had processes to mitigate fraud since then. While not ideal, plain text passwords are a huge upgrade over signatures.

> The password is what secures the more valuable things inside the account (the money).

I think the broader point of the parent is that in banks, there is actually a lot more than just the password securing the money in the bank. There is careful surveillance of the activity of accounts at the bank--separate from the website login system, and backed by regulatory accountability and ultimately the police.

Unlike a modern service like Facebook or Google, your bank's website is not the same thing as the entire bank. When you log into your bank's website or app, you're logging into a public-facing system that in turn interacts with the "real" systems that the bank uses to manage money. Those "real" systems are secured in various ways too, and not just based on the web password.

I once attended a talk by Bruce Schneier talking about the resilience of the financial system. Beyond the prevention of bad actions (for example by authentication), he emphasized that the financial system is highly engineered to make it possible to recover from bad actions. That includes some technical means, but also methods of accounting, and insurance.

> The password is what secures the more valuable things inside the account (the money). In fact, in nearly every case a password is used, no one really cares much about the password itself, but what's inside. That's why services require password in the first place.

Only access to the account is protected by the password. Sending money isn't protected by a password. It is protected with a second factor on top of requiring access to the account.
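As an added illustration of the point in this last comment, and of the hold/lag-time point made earlier in the thread (not code from anyone in the thread): a toy account model in which the password only grants login, every outgoing transfer demands a fresh RFC 6238 TOTP code, and the funds sit in a reversible hold that leaves an audit trail. All names, secrets and the 24-hour hold are constructed assumptions.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field
# Constructed demo values; a real bank provisions per-customer secrets.
DEMO_SALT = b"constructed-salt"
DEMO_TOTP_SEED = b"constructed-demo-totp-seed"
HOLD_SECONDS = 24 * 3600  # outgoing transfers sit in a reversible hold

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

@dataclass
class Account:
    balance: int
    password_hash: bytes
    totp_seed: bytes
    pending: dict = field(default_factory=dict)  # id -> (dest, amount, release_at)
    audit: list = field(default_factory=list)    # the paper trail

def login(acct: Account, password: str) -> bool:
    """The password only gates access to the account; it moves no money."""
    ok = hmac.compare_digest(hash_password(password), acct.password_hash)
    acct.audit.append(("login", ok))
    return ok

def request_transfer(acct, logged_in, dest, amount, otp, now):
    """Step-up: a fresh second factor per transfer, then a hold instead of a send."""
    if not (logged_in and hmac.compare_digest(otp, totp(acct.totp_seed, now)) and 0 < amount <= acct.balance):
        acct.audit.append(("transfer_denied", dest, amount, now))
        return None
    tid = len(acct.audit)  # unique enough for the demo
    acct.balance -= amount
    acct.pending[tid] = (dest, amount, now + HOLD_SECONDS)
    acct.audit.append(("transfer_held", tid, dest, amount, now))
    return tid

def reverse_transfer(acct, tid, now):
    """Within the hold window a flagged transfer is undone and the funds return."""
    if tid not in acct.pending or now >= acct.pending[tid][2]:
        return False
    dest, amount, _ = acct.pending.pop(tid)
    acct.balance += amount
    acct.audit.append(("transfer_reversed", tid, dest, amount, now))
    return True
```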