by bakugo 1043 days ago
Not only does my bank's website not allow me to paste my "password", it doesn't allow me to type it at all. It's insane. Said "password" is just a 6-digit number (we're not allowed to set our own passwords, because 6 digits is definitely way more secure than the 16-character random strings my password manager generates) and it forces me to enter it using buttons on the page itself with randomized positions. No idea how any of this is supposed to help with security: if my device is already compromised to the point that all my keypresses and clicks are being logged, the attacker can probably also just read the password from the browser's memory...
4 comments

I agree with your overarching point.

But, how exactly does being able to install a keylogger on someone's computer mean you can also break memory integrity and steal data from the browser's memory?

From what I know, Windows keylogger "services" were very popular some 10 years ago, hence the banks rushing to "fix" it.

Also, keyloggers don’t have to be in software (for a desktop, I suppose). You can buy one that simply plugs in between keyboard and computer. In this way, I can sympathize with the onscreen idea, however it’s criminal to not at least include a password field that is detectable by all password managers so that it “just works” for them.

(And also criminal to have a password max, short of like 1MB — even then the only reason for the limit is to slightly reduce the harm of some kind of weird DDoS against your login endpoint - whenever I see a password max I always assume this site is so dumbly implemented that they aren't hashing my password but storing it in plaintext or reversibly encrypting it.)

> But, how exactly does being able to install a keylogger on someone's computer mean you can also break memory integrity and steal data from the browser's memory?

On Windows at least, any process can read any other process' memory as long as it's running under the same user.

Is this ING? Sounds very similar to how ING does it.
Polish ING modifies the IBAN when you paste it during a bank transfer and forces you to enter the first two digits manually "for your security". They also disable IBAN selection in the transfer summary view, so one cannot copy it and double-check it before confirming the transfer. ING seems to deploy the most arbitrary "security" measures found on the most random blog posts and sprouted during the most brain-dead brainstorming meetings.
Forcing you to manually type the first two digits makes sense to me. If a hacker is able to modify clipboard text, you manually inputting the first two digits should trip up the IBAN checksum.
Whatever the motivations and reasoning, the bank is doing exactly what the bad actors are doing: they modify the text during the copy and paste workflow.
It's only the same thing if you look from a very shallow angle. Stripping part of the user input to ensure it's entered by the person themselves is otherwise completely different from replacing user input with different data. One defends against a specific kind of attack, the other is a malicious attack.
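The exchange above turns on what the IBAN check digits actually catch. The following is an added example, not code from the thread, from ING or from any bank: it implements the ISO 7064 MOD 97-10 check that every IBAN carries, then runs a constructed clipboard-swapping scenario through two flows, a plain paste and the "type the first two digits yourself" flow described above. It assumes that the "first two digits" the commenter means are the two check digits that follow the PL country code; both IBANs below are constructed, well-formed test values and not real accounts.

```python
# Added example, not code from the thread or from any bank.
# Shows how the IBAN check digits (ISO 7064 MOD 97-10) react to a
# clipboard-swapped account number, with and without the step where the
# bank discards the pasted check digits and makes the user type them.
from string import ascii_uppercase

# Constructed test data: two well-formed Polish IBANs (not real accounts).
# ATTACKER_IBAN is the account the malware substitutes on paste.
PAYEE_IBAN = "PL61 1090 1014 0000 0712 1981 2874"
ATTACKER_IBAN = "PL27 1140 2004 0000 3002 0135 5387"


def normalize(iban: str) -> str:
    """Strip spaces and upper-case, as a form field does before validating."""
    return iban.replace(" ", "").upper()


def _mod97(iban: str) -> int:
    # ISO 13616 / ISO 7064 MOD 97-10: rotate the first four characters to the
    # end, map letters to 10..35, read the result as one integer, reduce mod 97.
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ascii_uppercase.index(c) + 10) if c.isalpha() else c
                     for c in rearranged)
    return int(digits) % 97


def is_valid_iban(iban: str) -> bool:
    """True when the IBAN is well-formed and its check digits are consistent."""
    iban = normalize(iban)
    if not (15 <= len(iban) <= 34) or not iban.isalnum() or not iban[:2].isalpha():
        return False
    return _mod97(iban) == 1


def check_digits(country: str, bban: str) -> str:
    """Compute the two check digits (positions 3-4) for a country code and BBAN."""
    return f"{98 - _mod97(country + '00' + bban):02d}"


def malware_clipboard(copied: str) -> str:
    """Clipboard-swapping malware: whatever the user copied, the paste yields
    the attacker's IBAN. (Hypothetical attacker behaviour for this example.)"""
    return ATTACKER_IBAN


def plain_paste_flow(copied: str) -> tuple[str, bool]:
    """Bank without the countermeasure: the pasted text is the transfer target.
    Returns (iban_that_will_be_submitted, passes_checksum)."""
    pasted = normalize(malware_clipboard(copied))
    return pasted, is_valid_iban(pasted)


def guarded_paste_flow(copied: str, typed_check_digits: str) -> tuple[str, bool]:
    """Bank that drops the check digits from the paste and makes the user type
    them (assumed here to be the 'first two digits' the thread refers to, i.e.
    the two digits right after the PL country code).
    Returns (iban_that_will_be_submitted, passes_checksum)."""
    pasted = normalize(malware_clipboard(copied))
    country, bban = pasted[:2], pasted[4:]   # pasted check digits at [2:4] discarded
    candidate = country + typed_check_digits + bban
    return candidate, is_valid_iban(candidate)


if __name__ == "__main__":
    print("payee valid:   ", is_valid_iban(PAYEE_IBAN))
    print("attacker valid:", is_valid_iban(ATTACKER_IBAN))
    print("plain paste:   ", plain_paste_flow(PAYEE_IBAN))
    # User types the check digits "61" from the paper invoice:
    print("guarded paste: ", guarded_paste_flow(PAYEE_IBAN, "61"))
    # User types the check digits from the (already swapped) screen instead:
    print("guarded, typed from screen:", guarded_paste_flow(PAYEE_IBAN, "27"))
```

Two things fall out of running it. A swapped IBAN that is itself a real account passes the mod-97 check in the plain flow, because the attacker's IBAN carries its own consistent check digits; the check catches transcription errors, not substitution. The guarded flow only fails the swapped transfer when the two typed digits come from somewhere the malware did not touch, such as the paper invoice; if the user reads them off the same compromised screen, the spliced IBAN validates and the countermeasure buys nothing.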
**m **ad ** **rks **r **u **d **esn't **furiate **u. **r **curity, **ease **ll **e **ssing **aracters ** **ur **nvenience.
It's time to find a real bank.
If this is your line, you should pull your cash out of traditional financial institutions immediately. It’s a nightmare on the inside.
That's maniacal.