by ZenPro 4416 days ago
Which banks specifically secure online data only using a 6 character password?

Most banks, if not all, have BSI ISO27001 security certification and are accredited and administered by the pinnacle companies of the security industry.

For comparison, HN has a multitude of threads listing the outrageous security practices of many crypto-currency related companies, some beyond start-up.

You seem to think banking security is simply a bunch of guys in suits simply having a crack with a copy of ZoneAlarm and Kaspersky. Classic them v us ideas with a touch of Dunning-Kruger thrown in.

2 comments

Yes and no; while the banks have avoided widespread compromise they often have weird password requirements or ham-fisted attempts to secure users' PCs with crapware like Trusteer Rapport: http://www.pcpro.co.uk/realworld/359617/is-hsbcs-security-so...

For a while Santander's login system redirected my wife's account to a page with an expired HTTPS certificate.

Then there's fun things like playing Tetris or MITM attacks on the Chip and Pin terminals: http://www.saardrimer.com/sd410/pres/showandtell08.pdf

(Obviously mtgox is worse, but my point is that banks tend to a proceduralist cargo-culty approach to security).

That is a nice link to the chip and pin compromise, although APACS did cover it:

>> We believe that the risk remains very low. [This attack] is significantly difficult to industrialise to the numbers of devices that would gain criminals the return they would expect and, therefore, not economically viable to criminals.

I am not saying banks are perfect, no organisation is, but they are certainly not just old men in conference rooms wondering what the little 1's and 0's mean. Some bank security consultants are the best penetration testers in the world.

Where did I say anything about bankers sitting around with a copy of ZoneAlarm? That comes entirely from your own imagination, as did your ad hominem attack.

The only thing I mentioned was the verifiable fact that some banks limit passwords to 6-8 characters, also detailed in a multitude of HN threads.