by Magicstatic 1813 days ago
Anecdote: Out of every bank and financial institution I have ever tried hacking (ethically, as part of bug bounty programs) Goldman Sachs is hands down, without a doubt, the most secure externally. By a long shot. They have what basically amounts to a central authentication service that 95% of their public-facing IPs resolve to. Their subdomains are locked down, they have a reasonably good patch schedule, they swiftly denylist your IP after running light scanners - it's not a joke. I challenge you to find a vulnerability - when you do - get some money for it: https://hackerone.com/goldmansachs

I consulted at GS for a public web project and their security team were not only smart, but very well integrated into the dev process. They had a dedicated security team who would do routine code reviews, pen tests and the like. If they had specific requirements like adding captcha or barring IPs, they would put them in our backlog fully groomed and prioritized. They were very thorough but not iron-fisted gatekeepers.
One of my friends got an internship doing dev there in like 1999/2000. They were already using 2FA (with a chunky but functional hardware dongle that had a small 8-segment display that updated every minute or two) to secure SSH access. Even with that, there were very tight limitations on what could be accessed at all over the network. I'm slightly impressed if I see an org that has a 2FA setup half that good now twenty years later (there are soooo many that don't).
I remember those dongles - and they weren't cheap. We had one for a sensitive part of the business (which probably was counter-productive because it got passed around like a potato).