by wrath 4558 days ago
This is a phishing attack waiting to happen! I never worked at a bank but I'm assuming (maybe I shouldn't) that there are a few people working there that know a thing or two about security. I doubt that any person who claims to be a "security expert" would have let this go by, but I always seem to be proven wrong. Take for example TDBank in Canada, who has an '80s password policy:

Passwords must:

- be 5 to 8 characters in length

- not contain spaces or special characters (e.g. #, &, @)

Poor customers if TD ever gets their password database stolen.

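As an added illustration (not code from the thread or from any bank), the script below puts the quoted 5-to-8-character, letters-and-digits rule side by side with a length-first policy in the spirit of NIST SP 800-63B, checks sample passwords against each, and computes the size of the keyspace each rule permits. The assumption that the legacy rule allows only letters and digits, and the 12-to-64-character printable-ASCII bounds of the modern policy, are my choices for the example.

```python
"""Added example: legacy 5-8 alphanumeric rule vs. a length-first policy."""
import math
import string

# Assumed: the legacy rule ("no spaces or special characters") permits letters and digits only.
ALNUM = string.ascii_letters + string.digits
# 95 printable ASCII characters, space included (modern policies accept all of them).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

LEGACY = {"min": 5, "max": 8, "alphabet": ALNUM}        # the rule quoted in the thread
MODERN = {"min": 12, "max": 64, "alphabet": PRINTABLE}   # illustrative length-first policy


def violations(password: str, policy: dict) -> list[str]:
    """Return a list of reasons the password fails the policy (empty list = accepted)."""
    problems = []
    if len(password) < policy["min"]:
        problems.append(f"shorter than {policy['min']} characters")
    if len(password) > policy["max"]:
        problems.append(f"longer than {policy['max']} characters")
    disallowed = sorted({c for c in password if c not in policy["alphabet"]})
    if disallowed:
        problems.append("disallowed characters: " + repr("".join(disallowed)))
    return problems


def keyspace_bits(policy: dict) -> float:
    """log2 of the number of distinct passwords the policy permits.

    Sums k**n over every allowed length n, so the figure is an upper bound
    on the entropy a user could possibly put into a password under the rule.
    """
    k = len(policy["alphabet"])
    total = sum(k ** n for n in range(policy["min"], policy["max"] + 1))
    return math.log2(total)


if __name__ == "__main__":
    for candidate in ("abc12", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={violations(candidate, LEGACY)}, "
              f"modern={violations(candidate, MODERN)}")
    print(f"legacy keyspace: {keyspace_bits(LEGACY):.1f} bits")
    print(f"modern keyspace: {keyspace_bits(MODERN):.1f} bits")
```

The legacy rule caps the entire keyspace at roughly 47.7 bits no matter how careful the user is, which is the number that matters if the hashed (or, as the thread fears, unhashed) password table is ever stolen; the length-first rule accepts a passphrase with spaces and lets a user exceed that bound by a wide margin.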

Or the classic bank telephones you and asks to verify your identity by answering your secret questions and answers. facepalm
My bank (NatWest, terrible) told me to never give my information to anyone who calls me and asks for it. Every time they ring they then ask me for my details for 'security purposes'.

Then again, that seems mild now that I've found out they don't keep auditing logs of the changes their employees make to customers' accounts.

There are also lots of cases of online banking being compromised by really basic attacks (such as a CSRF attack that could be used to transfer money to an account of the attacker's choosing).

Banks aren't actually that secure. They merely spend a lot of time engaging in very expensive hand-wavey security theatre to convince us that they are secure - not to mention using expensive lawyers and unfair libel law (I am in the UK) to shut up security researchers that find problems. The reason that they are so frequently observed acting contrary to best security practices is because they are not actually particularly good at security.

Banks aren't actually that secure.

Financial services generally aren't in the business of security. They're in the business of risk management. Once you understand that distinction, much of what they do makes sense.

Unfortunately, some unhappy conclusions for the customers of these services do logically follow, starting with the fact that if you're not a huge customer, the financial services have little natural incentive to care about the safety of any assets/investments they handle for you. If something very bad happens, you might be an acceptable loss relative to the cost of mitigation, right up to the point of fighting you in court and then losing anyway. You personally might suffer greatly for any losses, and even if it's ultimately put right you might suffer months or years being dragged through the system, but no employee at any financial service is personally going to lose any sleep over your case.

This is why it is necessary to have regulators with teeth in financial industries. Any lapse that could cause significant harm to a customer should also potentially cause significant harm to the financial service. An ongoing pattern of such lapses should cause severe damage to the service's bottom line and eventually it should become an existential threat to the financial service itself, preferably with safeguards to ensure that the management and/or shareholders can't just escape using the technicalities of incorporation. Without this sort of counter-balance, the numbers will always be in favour of trampling on the little guy, and if there's one industry that runs on the numbers more than anything else, it's financial services.

This! Much of what ails common people when they face up to financial institutions in general and banks in particular could be attributed to your observation. I've read substantially over the last few years on what's gone wrong with financial institutions and how they should not be autonomous, but nothing comes close to the clarity with which you have summarized.
I face this problem all the time, I still don't understand why those banks can't understand security risk behind this.
They might be running AS/400 as their backend systems, I recently saw a terminal to one of those in a bank and to my shocking surprise the passwords were not even encrypted on that system.

I imagine that passwords are kept in the same database as transactions so I'm not sure the passwords would be the primary concern in the case of a break in.

The frontend part can still use a secure password mechanism which is then hashed to a password suitable for the underlying backend system.

There's no reason to keep the bad decisions from decades ago as a part of a modern system, even if it relies on the legacy system.
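One way to build the arrangement this comment describes, written here as an added example rather than code from the thread or from any bank: the front end stores a salted, stretched hash of the user's real password and verifies against it; only after a successful check does it derive a credential that fits the legacy system's 8-character alphanumeric limit, keyed with a server-side pepper so the legacy credential cannot be computed from the password alone. The alphabet, the 8-character length, the PBKDF2 iteration count and the pepper value are assumptions for the example.

```python
"""Added example: modern password handling in front of a length-limited legacy backend."""
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits  # assumed: legacy system accepts letters and digits only
LEGACY_LEN = 8                                    # upper bound of the 5-8 character rule quoted above
ITERATIONS = 200_000                              # PBKDF2 work factor; illustrative value


def stretch(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the user's real password (stays on the front end)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enrol(password: str) -> dict:
    """Create the front-end record for a user: a random per-user salt plus the verifier."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": stretch(password, salt)}


def to_legacy_credential(material: bytes) -> str:
    """Map the keyed digest onto LEGACY_LEN characters of ALPHABET (base-62 digits)."""
    n = int.from_bytes(material, "big")
    chars = []
    for _ in range(LEGACY_LEN):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def login(password: str, record: dict, pepper: bytes):
    """Verify the real password; only on success derive the backend credential.

    Returns None on a wrong password, so a bad guess never reaches the legacy
    system and every guess pays the PBKDF2 cost first.
    """
    stretched = stretch(password, record["salt"])
    if not hmac.compare_digest(stretched, record["verifier"]):
        return None
    # The pepper is a secret held only by the front end (ideally in an HSM or
    # separate secret store), so the legacy credential is not derivable from
    # the password or the stored verifier without it.
    keyed = hmac.new(pepper, stretched + b"|legacy-credential", "sha256").digest()
    return to_legacy_credential(keyed)


if __name__ == "__main__":
    pepper = b"constructed-pepper-kept-in-secret-store"  # constructed sample value
    record = enrol("correct horse battery staple")
    print("legacy credential:", login("correct horse battery staple", record, pepper))
    print("wrong password  :", login("wrong password", record, pepper))
```

The derived credential is still only log2(62^8), about 47.6 bits, and does nothing for the backend's own storage weakness; what it buys is that the user's chosen password (often reused elsewhere) never touches the legacy system, that guessing through the front end is rate-limited by the key-derivation cost, and that the verifier alone, without the pepper, does not yield the backend credential. It is a bridge for the migration the comment calls for, not a replacement for it.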

Poor password rules are a red flag. If their password code is this bad, how bad is the rest of their code?
My bank requires a 4 character password with no letters or special characters! Oh wait, a PIN doesn't count?
It doesn't, as you're blocked after only 3 attempts.