[ZenPro]

I am not aware of many "two-bit hackers" compromising bank security.

Bank security systems are designed and administered by people of the same calibre who design and administer many startups, including crypto-currency products.

Do you think that an elite hacker cadre exists and those working in corporate environments suddenly are less effective?

Nonsense.

[staunch]

http://articles.latimes.com/2013/jun/13/business/la-fi-mo-ba...

"Hackers allegedly targeted 15 financial institutions, including JPMorgan Chase & Co., Citigroup Inc. and E-Trade...The other compromised banks and financial services providers were Aon Hewitt, Automated Data Processing Inc., Electronic Payments Inc., Fundtech Holdings, iPayment Inc., Nordstrom Bank, PayPal, TD Ameritrade Corp., the U.S. Defense Department’s Defense Finance and Accounting Service, TIAA-CREF, USAA and Veracity Payment Solutions Inc."

They're absolute shit at security and any suggestion to the contrary is pure ignorance.

[ZenPro]

I think you need to learn to read. None of these banks were hacked as the editorial misleads. The victims were actually part of a huge phishing and identity theft campaign.

>> In a criminal complaint, authorities allege that the defendants transferred money from victims' bank accounts to pre-paid debit cards. They took the debit cards to ATMs to cash them out or used them to make purchases across the country. Much of the money that was cashed out was wired to the two leaders.

>> Some of those debit cards were secured in the names of individuals who had their identities stolen by the defendants, the complaint says That allowed the group to file fraudulent tax returns in an attempt to obtain undeserved refunds.

Can you direct me to the part of the incident whereby the financial institution had it's integrity compromised due to superior penetration techniques circumventing internal bank security measures?

The compromise came about through bank customers disclosing personal information.

This is Hacker News - not Reddit. Claiming that banking institutions, who are in direct compliance with worldwide security standards are "absolute shit at security" is just juvenile ranting.

Post genuine case studies and security insights if you have them.

[staunch]

> This is Hacker News - not Reddit.

In the past on HN (I've been here slightly longer than you) I doubt anyone would even consider challenging the idea that banks can't secure their user's data. It used to be a bunch of very technical people who have seen inside the various sausage factories.

The fact that you think banks being "...in direct compliance with worldwide security standards" means they are able to secure their customer's data is truly laughable. I mean that literally, if you said it to any credible security expert they would probably think it was sarcasm and laugh with you.

If you want to set a standard of proof we can actually debate this. What would it take to convince you that banks don't do a good job of protecting the privacy of their customer's data? I can generate like 3 links every 10 seconds on Google.

http://www.computerweekly.com/news/2240208933/More-than-half...

http://www.huffingtonpost.com/2013/09/20/barclays-bank-cyber...

http://www.nytimes.com/2011/06/14/technology/14security.html...

[ZenPro]

Well if you can find links to content on Google your hypothesis must be sound. Your comment is exactly the kind of elitist, generalised nonsense that should have no place on HN.

A few clarifications to help you out and keep you from ranting -

[1] Your current username has been slightly longer than my current username. Whether one or the other of us has been here longer is unknown.

[2] If being compliant with ISO 27001 is laughable to you then I await your superior system for the baseline of Information technology; Security techniques; Information security management systems and their Requirements, accredited by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

[3] If you have empirical data to back up your assertions post it. Huffington Post articles and LA Times articles which are technically illiterate are not empirical evidence.

[4] The majority of all technical accreditation and training programs including SANS, EC-Council, CISSP, CISA et al all utilise the ISO suite as a baseline.

[5] Your entire post reads as if you hate banks, you hate 27001 and you know of better established security practices than are currently in use by the worldwide banking industry.

A few facts for consideration -

[a] Assets of the largest 1,000 banks in 2008/2009 financial year were US$96.4 trillion. 96 Trillion.

[b] The United States alone has an estimated 82,000 banking branches spread across 7085 institutions.

[c] As of Nov 2009, China's top 4 banks have in excess of 67,000 branches (ICBC:18000+, BOC:12000+, CCB:13000+, ABC:24000+) with an additional 140 smaller banks with an undetermined number of branches.

[d] Japan had 129 banks and 12,000 branches.

[e] In 2004, Germany, France, and Italy each had more than 30,000 branches—more than double the 15,000 branches in the UK.

Is your hypothesis really that banks have laughable security? Not a specific bank or a specific department of a specific bank but banks?

An industry worth a 96 thousand billion dollars (96,000,000,000,000) does not know how to secure customer data?

Interesting viewpoint you have and ludicrous. It is right up there with the sort of people that say things like "I hate all wines from California" or "All Microsoft products suck."

IE - Juvenile comments submitted to HN with no regard for accuracy, clarity or discernment.

[staunch]

Virtually every major bank has let hackers steal their customer's data. You lose, chump, now fuck off.

[ZenPro]

You lost the minute you resorted to the word virtually.

And flagged.

[jnbiche]

>Bank security systems are designed and administered by people of the same calibre who design and administer many startups, including crypto-currency products.

Then why is it that I have frequently run across banks requiring a maximum 6- or 8-character password, and have never run across a startup -- Bitcoin or not -- with such poor security requirements?

[ZenPro]

Which banks specifically secure online data only using a 6 character password?

Most banks, if not all, have BSI ISO27001 security certification and are accredited and administered by the pinnacle companies of the security industry.

For comparison; HN has a multitude of threads listing the outrageous security practices of many crypto-currency related companies, some beyond start-up.

You seem to think banking security is simply a bunch of guys in suits simply having a crack with a copy of ZoneAlarm and Kaspersky. Classic them v us ideas with a touch of Dunning-Kruger thrown in.

[pjc50]

Yes and no; while the banks have avoided widespread compromise they often have weird password requirements or ham-fisted attempts to secure user's PCs with crapware like Trusteer Rapport: http://www.pcpro.co.uk/realworld/359617/is-hsbcs-security-so...

For a while Santander's login system redirected my wife's account to a page with an expired HTTPS certificate.

Then there's fun things like playing tetris or MITM attacks on the Chip and Pin terminals: http://www.saardrimer.com/sd410/pres/showandtell08.pdf

(Obviously mtgox is worse, but my point is that banks tend to a proceduralist cargo-culty approach to security).

[ZenPro]

That is a nice link to the chip and pin compromise although APACS did cover it

>> We believe that the risk remains very low. [This attack] is significantly difficult to industrialise to the numbers of devices that would gain criminals the return they would expect and, therefore, not economically viable to criminals.

I am not saying banks are perfect, no organisation is, but they are certainly not just old men in conference rooms wondering what the little 1's and 0's mean. Some bank security consultants are the best penetration testers in the world.

[jnbiche]

Where did I say anything about bankers sitting around with a copy of Zone Alarm? That comes entirely from your own imagination, as did your ad hominem attack.

The only thing I mentioned was the verifiable fact that some banks limit passwords to 6-8 characters, also detailed in a multitude of HN threads.

[icebraining]

Often the problem is legacy systems. Startups usually don't have big and old mainframes dealing with huge volumes of transactions, they can just build the authentication system from scratch or use a modern library.

[nhaehnle]

A 6-character password is only insecure if you have unlimited attempts to guess it. If an attacker is blocked after something like 10 attempts, a 6-character password really provides all the security you need.