by triggercut 1370 days ago
Because of this I finally decided to complain to my (Australian) bank about their max 6 character (alphanumeric) no symbol password policy... And lack of MFA for personal accounts... And continuing to only offer OTP via SMS to authorise transactions.

Well, I tried to complain... for you see after going through multiple pages/steps in the UI, when it came time to review and submit, after you press submit you are told that they can't receive complaints online at this time.

So I wrote in the web feedback form instead. At least that went through. As will, I hope, my screenshots of the process to the ombudsman.

In nearly all these microservice components, the UI has an outdated copyright year in the footer. 2016 in the feedback app, 2017 in a preference update component. The year sits right underneath a lock symbol and some text telling you how secure they are.

This tells me a number of things. Either no one has smoke-tested that component for 6 years, or no one picked up that the year was off, or it has been picked up and left in the backlog because of other priorities, leaving me to ask what else could be in the aged backlog. But really it tells me they don't have the resources to, or don't, take software or UX seriously.

3 comments

ING only requires a customer number, and a four digit PIN for online banking access. The customer number is printed on the back of the cards and at the top of letters. There is no MFA. I wish I was joking.

https://www.ing.com.au/securebanking

> max 6 character (alphanumeric) no symbol password policy

You forgot to add that case isn't significant. Still, even such small passwords can be secure if managed right. It's been that way for many years, and I don't recall seeing anything about it being broken, so I guess it must work ok. I doubt the ombudsman would care.

On the other hand, every 10 or 20 logins, after logging in it doesn't display the internet banking home page. Instead it displays the home page's CSS stylesheet. That behaviour has also been there for years. I don't know how you even do that.

The problem isn’t that the passwords are small, it’s that they aren’t being hashed. I wonder what level of data they are storing in plain text then?

Also if they aren’t able to accept other characters, I wonder what happens when you try?

I’ve worked “across” core payments (not banking) systems with the card schemes, Westpac, St George etc. So I would say I’ve seen how bad things can get, but your bank sounds like something next level.

> The problem isn’t that the passwords are small, it’s that they aren’t being hashed.

How do you know they aren't hashed? And what does that mean? Does it mean they are using DIGEST to avoid sending plain text over the https transport, or that they aren't using key expansion for storage?

And does it matter? If someone gets into their internal systems leaked plain text passwords will be the least of their problems. Total deposits are $500 billion.

> I wonder what happens when you try?

Most people try, because they don't believe the restrictions. The answer is nothing out of the ordinary, of course. As I said, as far as I know it's never been broken. Which is kinda surprising, because their web site has more bugs than most. But it appears they've got that part right.

By the way, 6 alpha-numeric characters makes for about 1 billion combinations. The odds of guessing it in a few random goes are virtually nil, and then you are locked out and have to prove your identity via a third channel. Providing they police the max tries well, it's pretty secure.

> your bank sounds like something next level.

All the large banks are hopeless. They are an absolute nightmare to deal with on every level. This bank has been prosecuted by the Federal Government for AML violations - but again most of them have been prosecuted for grievous unethical behaviour. That doesn't make them insecure.

The OP is wrong about SMS 2 factor - they do support other methods, and insist on it in certain circumstances. The banks do protect themselves. In Australia, the history has been that they are forced to make up their customers' losses. It takes years of investigations, and a lot of suffering in the meantime on the victims' part. But the precedent is well established - karma is a real thing here, and the banks behave accordingly.
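The keyspace and lockout arithmetic in the comment above, and the "are they hashed / key-expanded" question raised two comments up, worked through as an added example. This is not code from the thread or from any bank: it computes the size of the 6-symbol case-insensitive alphanumeric space (36^6 is exactly 2,176,782,336; 62^6 if case were significant), the chance of hitting a random password inside an online guess budget before lockout, and the offline cost of the same space against an unsalted fast hash versus a salted, stretched one. The 3-try lockout, the 1e9 SHA-256 guesses per second figure for a single GPU, and the PBKDF2 parameters are assumptions, labelled as such in the code.

```python
"""Keyspace, online-guess odds and offline-crack cost for a short bank password.

Added example, not the thread's or any bank's code. Lockout budget, GPU rate and
PBKDF2 parameters are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import string
import time
from typing import Optional, Tuple

# Alphabets implied by the thread: 6 alphanumerics with case not significant (36
# symbols) versus the same length with case significant (62 symbols).
ALNUM_CI = string.ascii_lowercase + string.digits
ALNUM_CS = string.ascii_letters + string.digits


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `alphabet`."""
    return len(alphabet) ** length


def p_online_success(space: int, attempts: int) -> float:
    """Probability that `attempts` distinct online guesses hit a uniformly random
    password before the account locks. Assumes no partial information and a
    lockout that is actually enforced after `attempts` tries."""
    return min(1.0, attempts / space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case wall time to try every password offline at a given guess rate."""
    return space / guesses_per_second


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted, stretched storage hash (PBKDF2-HMAC-SHA256, iteration count is an
    assumed value). Case is folded first because the policy under discussion
    treats 'Ab12cd' and 'AB12CD' as the same password (assumed normalisation)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.lower().encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def stretched_guess_rate(iterations: int = 600_000, samples: int = 3) -> float:
    """Measure PBKDF2 guesses per second on this machine: the offline crack rate
    an attacker holding the hash and salt would face here, per core."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    ci, cs = keyspace(ALNUM_CI, 6), keyspace(ALNUM_CS, 6)
    print(f"36^6 = {ci:,}   62^6 = {cs:,}")
    # Online attack: assumed lockout after 3 wrong tries.
    print(f"P(success in 3 online guesses, 36^6) = {p_online_success(ci, 3):.2e}")
    # Offline attack on an unsalted fast hash: assumed 1e9 SHA-256/s on one GPU.
    print(f"exhaust 36^6 at 1e9 SHA-256/s: {seconds_to_exhaust(ci, 1e9):.1f} s")
    # Offline attack on the stretched hash at the rate measured on this box.
    rate = stretched_guess_rate()
    print(f"exhaust 36^6 at {rate:.1f} PBKDF2/s: {seconds_to_exhaust(ci, rate) / 86400:.0f} days")
    salt, digest = hash_password("Ab12cd")
    print("case-folded verify:", verify_password("AB12CD", salt, digest))
```

The two halves of the calculation answer different questions: the online odds depend only on the lockout actually being policed, which is the point made in the comment above, while the offline cost depends entirely on what was stored. A leaked table of plaintext or fast unsalted hashes turns a 36^6 space into seconds of work, which is why the storage question matters even when the online policy is sound.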

Password length isn't necessarily cause for concern in this context. See: https://www.troyhunt.com/banks-arbitrary-password-restrictio...

As for MFA, the only Australian bank that seems to do it right is Macquarie (who let you remove SMS 2FA and replace it with a decent authenticator app). A handful will issue physical tokens on request (eg HSBC).

Bendigo also do physical tokens as well as app based 2FA.

Macquarie have unpersoned me before (cancelled all of my accounts with no explanation or notice, on a Friday afternoon). I've heard of it happening to others too. As such, I make it my mission whenever dealing with large scale finance in business to refuse to deal with them.