Simple.com is pretty solid from a security standpoint from my limited observations as a consumer, although they only offer two factor via SMS (not TOTP likely google, etc)
It's a financially motivated decision. Banks have a high percentage of people who are tech illiterate. Many of these people don't use the password reset when they forget their password, they call tech support, which costs banks a lot of money. Banks realized they could reduce this call volume by making their passwords case insensitive and simply refund people if their accounts get breached.
Most banks also have a mandatory security question, which makes it marginally more difficult to get brute forced.
Source: Used to work at a bank. Would not recommend.
Case insensitive isn't necessarily insecure. It just means you'll want a password roughly twice as long for equal security. Now, if they do that and also limit passwords to, say, 8 chars.... argh!
When I moved back to the UK after having had US and Canada bank accounts for several years it made me realize how much bad service British people are willing to put up with in comparison. Logging into a UK bank account online (the worst imo is HSBC) is a total nightmare. You need to know 4 passwords/pins, and have either a security code generator device or phone app that will generate one for you. For my North American banks, including one Canadian account I still have, it's simply the number on your debit card and a password, about as hard as logging into email.
In the UK the challenger banks like Monzo, Starling, etc are pretty good. Monzo just emails you a "magic link" to login, Starling uses a proper password you can use your password manager to remember.
11 comments
[ 541 ms ] story [ 1033 ms ] threadHow do they keep any sort of regulatory compliance?
Most banks also have a mandatory security question, which makes it marginally more difficult to get brute forced.
Source: Used to work at a bank. Would not recommend.