Ask HN: A major USA bank is storing passwords in cleartext – what to do?
I was having trouble accessing my account, so I gave a call to customer service. The service rep proceeded to (accurately) describe my own password to me. Should I report this somewhere? I'm not really sure what to do.
327 comments
[ 3.3 ms ] story [ 268 ms ] threadFWIW I have seen two companies that store passwords properly in a one way hash with salt but store statistics on every password like number of case changes and count of numbers and total length. I personally think that practice is infinitely stupid but can explain why they can say it has 3 numbers in it. One major marketing firm I did work for did that until we showed them why it was so dangerous. They were just trying to make users life easier but that wasn’t a smart trade off.
Personally I would like to know which bank. I have accounts at a number of major US banks and if one I use is doing this I’ll move everything out of them immediately.
Edit: to answer your question I’d hand the info to a major investigative news source and let them dig more. The FTC and banking regulators I don’t think will get involved unless there was damage.
Tell them you’d like to file an “Official Complaint” regarding a serious cyber security issue at that bank, and to transfer you to whoever handles official consumer complaints regarding cyber security. Regulators are sensitive to the word “complaint” (specific wording matters) and typically require that complaints are stored, prioritized, and handled in a prescribed way.
Ask them if they can get back to you with any resolution and leave your contact information. Update HN if you’re comfortable with that. Good luck.
Or tolower() everywhere.
If it's true that they're able to read it back though, then why would they bother?
Online they are now forcing a one time PIN from a token generated from amount + last four digits of destination account.
To be honest, while I'm aware it's not the best of practices, I don't care much. To me, the most important thing about bank security is that if there are fraudulent operations in my account, I can call and have them undone without much fuss. In this respect, my bank has behaved well in the past when random charges from an exotic country appeared in my credit card, in fact they noticed before I did, gave me a call and everything was fixed immediately.
For this reason, I think I'm OK with banks not having too strict security practices. If at some point they start being really paranoid about security, they might feel tempted to conclude that if there is fraudulent activity, it must surely be the client's fault, because their systems are unbreachable. I'd rather have the current situation in which I don't have much responsibility about security, problems happen but the bank responds.
Are you thinking of that?
Now that banks aren't paying useful interest rates they are mostly only tolerable for security and convenient access to your money. If they can't do those two then... what exactly are they for? Likely nothing.
But realistically, there's no silver bullets. Refinancing can be expensive. Cost/benefit applies: Might not be worth refinancing just for this. Just be vigilent about the accounts involved.
I had a phone company that bragged about its security. So I tested them out. Yup they sent my password via text. Ok then. Contract was for six months. Not worth switching. But also not worth renewing.
In your case, they may or may not be storing the password in cleartext. They might be using the two way encryption instead of one-way hash. Passwords should be hashed (with salt) and it is irreversible.
For a financial institution, revealing your password by a customer service rep is a big red flag. I would reach out to concerned authorities and do a proper disclosure.
Switch your bank.
Do not reach out to the bank's security/technical! There's a non-zero chance that the response from the bank would be to reach out to the FBI and claim that you are the "hacker". It will create an enormous headache for you.
If you are going to reach out to anyone, reach out to the OCC.
No one in a position to care understands why this matters.
Nothing gets done.
Major vulnerability occurs.
Customers get screwed.
Some low on the totem pole techie gets blamed and loses their job.
Executives get bonuses.
Film at 11.
So long as I'm not holding the bag should my account with them go haywire, I don't care. This is why shared passwords are bad.
You could just as well say the cost is going to be paid by the shareholders, the public (in the form of reduced taxes), or the employees.
Eventually. Might be real disruptive if you’re in the middle of buying a house.
I’d probably choose my bank to minimize my chances of dealing with a giant bureaucracy for however long (and the non–zero possibility that I actually won’t get my money back). But if that’s not “damage” to you, feel free to keep doing business with them!
Agree, I consider this a damage but if the bank can avoid causing me any disturbance despite of using clear text password or <insert any other questionable security practice> then why should I be concerned ?
Do you feel lucky? Well, do ya?
That's why I asked what is the actual damage. Is the money is stolen ? Is the money can't be accessed ? If the bank doesn't do me any actual damage despite the clear text password then I don't see why I should be concerned.
I guess I can see that for some people, clear text password usage can cause them anxiety and lose some sleep.
Imagine you worked in a building for a week and didn’t die in a fire. Would you have a problem with discovering that the writing was done by a amateur, there were piles of lint and fabric everywhere, and there was only one revolving-door exit?
If yes, then you understand the problem of risk and its just a question of magnitude.
If not, then you should be aware that you see the world dramatically differently than most people.
It may seem unlikely that the bank can keep my money save by using plain text pwd but if they can somehow do that, why do I care.
Even in the unlikely event that the money is stolen but if the bank can handle that without causing me disruption then whats the issue.
Likewise, they may use top of the line, super secure lock but if they can't protect my money, I wouldn't use them.
That is like saying I don't care about having a bucket of water thrown on me as long as I don't get wet.
I totally agree with this part. The problem is that the security of the implementation is the security of the implementation. So your sentence reads:
This is implemented extremely insecurely, but I don't care how it is implemented as long as it is secure. I also don't care about water, as long as it is dry.
The following is meaningless:
> I don't care that it is insecure, as long as it is secure.
But the following would be fine:
> I don't care what they change it to, as the new solution is secure.
The point being that "stored in plain text, as long as it is secure" is impossible just like "water, as long as it is dry".
Ok let me clarify, I don't care if they use plain text pwd as long as it secure.
>The point being that "stored in plain text, as long as it is secure" is impossible just like "water, as long as it is dry
No, it is possible that they do some thing else to secure the money, not just password.
Using analogy can eventually break downs but its fine I'll go along.
Let say I need my car to be cleaned, I have only two requirements :
- the car is clean
- the car never get wet
So someone did that satisfied all my requirements. The car is clean and never get wet. Later on they told me that they use water all along.
Will I get mad ? No, why should I. They fulfill my requirements as I expected.
How they do that is implementation details, which is not my concern, its not part of my requirements.
Unless "not use water" is specifically part of my requirements, I wouldn't be mad at them.
It certainly isn't going to be news to the bank itself, so there aren't responsible disclosure concerns here.
And since the top advice here is to leave the bank, wouldn't the best thing you can do be to alert the public, so others can protect themselves as well?
Finance is between 20 and 50 years behind the curve in terms of fundamental/top-down security common sense, notwithstanding the handful of specific exceptions strictly necessary to ensure accounts are not actually made off with on a regular basis.
There are likely a good handful of hair-raising security issues (known and unknown) impacting your account(s) right now, that would cause you to scream and run were to learn of any single one of them (let alone the full list).
In this light, cargo-culting specifically [only] avoiding environments that store passwords in plain text feels like premature optimization.
With the above being said, I do agree with the sentiment raised elsewhere of contacting annoying persistent organizations that will follow up - apparently in this case that's investigative journalists and the OCC.
Just don't forget the bigger picture.
There is nothing in UK law that says banks have to store your passwords "securely".
Issues like this have been raised in the past, and authorities like the ICO have said no law is being broken. GDPR, for example, does not specify technical mechanisms required to store any form of data.
The gist is still "do what you think is appropriate".
The ICO talks about balancing risks and convenience, and the banks will argue that their systems are secure overall, and don't make the consumer liable anyway.
Under the ICO's guidance, an organisation could argue that plain text (or reversibly encrypted) passwords allow them to do things like password reminders.
You or I might think that's terrible, but they can argue that it's a better user experience.
The ICO has a reputation for being toothless.
off the top of my head, something like storing your full password salted + hashed along side each char salted + hashed.
Please report this via the US-CERT at https://www.us-cert.gov/report
This will allow you to report it, eventually from an anonymous email address, without exposing you directly to the bank which might react bad to you. CERT can handle the coordination with the bank, this is what they do.
I apologize for the nitpick, but I hope there will be some guidance on what an "anonymous" email is.
(Ex: Guerilla at a public wifi like a library, an email created at a library, but not your usual email from a place other than your home)
I worry sometimes that we assume people reporting security vulnerabilities will be security experts.
I often meet people who are intelligent and technical, but either do not understand security, or understand it in terms of confidentiality, integrity, and availability (CIA triad) and flounder when thinking about anonymity.
Can you suggest any resources for a technical user who would like to learn more about this distinction?
https://www.freehaven.net/anonbib/
https://www.freehaven.net/anonbib/cache/chaum-mix.pdf
It's one of the earliest and very well cited.
- VPN service where you pay with cash (Mullvad) - Temporary email (Protonmail?) - One time use computer (cybercafe, pay with cash?)
There's layers you can apply like a TOR browser usage but it'll take more effort/learning.
https://www.itwire.com/security/infosec-researchers-slam-ex-...
As a result, I no longer visit his site or recommend his work. Publishing someone else’s personal data without consent is a terrible thing, and is one of the reasons so many of us work to secure systems. His behavior undermines that.
When British security researcher Marcus Hutchins asked whether doxxing a person for this was going a bit too far, his response was: "Dox people? Hardly. I think it helps to add context. The guy is a convicted cybercrook who's in jail. Of course he hates me."
Ouch. This is sad. I used to have a lot of respect for the guy.
but.. something doesn't look right here..
OP is a throwaway account created today, which I can understand for this type of thing.. but...
they withheld the bank name in the title/desc.. okay again a responsible thing to do.. but...
when asked what the bank name was in the comments they were not shy at naming it..
Something just doesn't feel right. Why the sudden change of heart?
For everyone's sake I hope I'm right, that this is just FUD.. to the OP if you really are serious I'm sorry, and please do report this ASAP.
Couldn't they do that validation before they hash the password, but still store a hash?
I'm not saying they don't store plaintext, but restricted character's are absolutely not incompatible with hashed passwords.
My bank calls me to talk to me and insists I give them my date of birth and address to ‘verify’ myself.
Meaning anyone can call me, pretend to be my bank, I am supposed to give them this info, and then they have what they need to verify themself as me.
Banks are dumb.
It seems like banks should adopt that credit-file-based challenge protocol with the multiple choice questions containing ~50% or so spurious data that answers (None of these). I had to do it to reset a hospital's patient login for myself the other day.
DOB, SSN, address, phone number aren't secret-enough "things you know" or "things you can do." For signatures, I always sign a smiley face because they're completely worthless.
Perhaps even better would be to:
0. have the bank have a relationship with the customer
1. issue 2FA device or soft-2FA
2. use per-customer colors, pictures and words on the password screen to deter impersonation and phishing attacks
3. It seems like hardware is so cheap these days, the bank could issue customers a hardened tablet with a pin, biometrics & face recognition that VPN'ed back to them and functioned only for their banking apps. It's much easier to support and harden one controlled device than zillions of likely malware-infected Chrome on Windows 10 or macOS Catalina's Safari on unsecured public WiFi.
I've seen this on multiple sites, and I always thought it was snakeoil. All you need to do to bypass it would be to make your phishing server contact tho bank to request the per-customer color/picture/word.
Fallacy much?
Which is totally bullshit because I have RFP enabled in firefox, and I get asked for my security question on every log in, even though my password is randomly generated and reasonably secure.
If the authentication still requires using some kind of good 2FA then it's less serious to have the password in plaintext. Still bad of course.
If this is for some other service that doesn't let you do any transactions then it's not as serious either (still bad and embarrassing, but not that serious)
Even with properly hashed passwords etc I'd be worried if my bank allowed login with only a username/password and no further security. I didn't think even that was a thing in 2020.
Try @briankrebs on Twitter.
https://krebsonsecurity.com/2019/12/ciso-magazine-honors-kre...
https://twitter.com/troyhunt
He runs the @haveibeenpwned service
https://www.troyhunt.com/banks-arbitrary-password-restrictio...
His viewpoint seems to be that poor security practices around passwords in banks are not a big deal, due to the overall processes that banks use to prevent fraud.
Wait, that alone doesn't necessarily indicate that they're storing clear text passwords. I notice you didn't say that they just repeated your password to you-- why do you think they store the whole thing in clear text?
HN readers are apt to demand hardcore passphrases, salting, 2FA, etc. But the reality is that banks have to deal with all kinds of people and situations. Your security as a bank customer hinges on more than just one password, it's also about monitoring patterns of behavior, being aware of what's coming and going from your account, and protection mechanisms like the bank's insurance.
That said, one would think that large institutions have learned their lesson about clear text passwords, perhaps this one hasn't? Is there a law against clear text passwords? How does anyone actually know if a financial institution has sound IT practices, by happenstance incidents like this? Really?
Some banks do this better than others from past experience. For example, I definitely have Bank of America notify me when I do something out of the ordinary. I had gone to a gas station and then my next purchase was pricey and online based. They put that on hold till I confirmed it was by me. They also have done so when I get gas from outside of town.
Other banks just cough up the money without a second thought. I'm sure they might have other "triggers" but it feels like mainly really the big players have proper security setup.
This is why I mostly use my credit card and pay for it before the statement is due. You have better protection on a credit card than you do on a debit card. I wouldn't use my debit card outside of an ATM.
-And such routines are incredibly efficient; while commissioning one of our deliveries (heavy engineering equipment) in Namibia a few years ago, I found that the local power electronics distributor hadn't heard of my employer, and were (reasonably so) reluctant to hand over parts for $13,000 or so and send an invoice to Norway.
VISA to the rescue, and as we hauled the parts into the car to bring them down to the dock, my phone rings - VISA on the line, asking if I had happened to use my credit card in Namibia a few minutes ago, definitely expecting a 'No!!!!'.
-'Sure, we're loading the supplies into the car now, how come?'
Deep sigh and a chuckle at the other end. -'I guess it had to happen some day. You have a nice day, then.'
We have all these stories of how our feudal lords have been nice and helpful
But why not get the notifications yourself on your own devices?
You can set up your own policies for approving transactions or whatever. I understand that the chargebacks can be done up to 60 days, which means “seller beware” in the current financial system as opposed to “buyer beware” in the crypto one. But in the crypto one, you are in charge of your keys. And the arguments made in favor of banks could have just as easily been made for printing presses or telephone switchboard operators!
Changes are immediate.
However, I have the impression that the VISA/MC/AMEX fraud detection override my preference.
That is what N26, https://n26.com/ do. You order a beer and when you have you first sip you get a message that there was a €3 payment to the bar.
You can also set spending limits from the app or website. And lock/unlock your credit card from the app.
Story time:
I was in London, on a multi-week vacation when my CapitalOne card got declined while trying to pay for dinner on the 3rd night using Apple Pay (for the contactless feature).
It wasn't an expensive meal.
There was no warning, no text-message, no phone call. I opened the CapitalOne app and it said my account is now restricted. I proceeded to call CapitalOne, and sit on hold, then get transfered a couple of times until there was a person who could flip the switch.
I paid for dinner, and my wife and I started back to our hotel. Half-way there, we stopped off at a Boots Chemist, and picked up some allergy medicine. Card declined again. I knew it was going to take 30+ minutes to deal with it, so I paid cash and we left.
When we got to the hotel, I had to call back, deal with the same multiple transfers to the person who could flip the switch. Then we would get 1 transaction through before it would get declined again. I eventually got a direct line to the guy who could flip the switch, and after the 5th time of me calling him, we spent a few hours investigating.
I have used this card in the UK for years on vacation. But increasingly merchants dislike the lack of pin, and needing a signature, so to be a good tourist, I decided to use it with Apple Pay, and that was apparently the combination that was killing my account.
The Apple Pay + UK card reader combination was apparently blanking out the CVV code for whatever reason, and while Capital One would allow a single transaction to fail that check, they would then suspend the account until a person verified the transaction was legit. My biggest gripe about this though was they did not even inform me each time it happened. So for the remainder of the trip I had to either dip the chip, and sign a receipt or pay a FX fee.
EDIT: Now that I'm thinking on it more, I think the reason the CVV was blank was because a CVV doesn't get used when your card is present. So I'm back to thinking this was a CaptialOne issue. They were seeing the transaction as a card-not-present transaction, instead of as a contactless transaction, at the time, I don't think they had contactless cards, so that might have not been a scenario they had accounted for.
I tried to order from a German e-retailer with my USAA card. First time, rejected; I got a text asking if it was me. I replied "YES". Second time, rejected again, got another text... I had to use another (Chase?) card eventually. Still got a text, but this one was prompt and I was able to respond before the transaction was rejected.
These are all automated; no CS rep is sending these texts (or rejections) by hand.
In Europe GDPR covers that, many big websites started hashing after it
Edit: could somebody explain the downvotes? The comments seem to agree with me
Obviously GDPR is not a law about plain text passwords, but as the comments say it forces "the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication." etc.
Edit: Kind of. The UK org in charge of GDPR says:
> Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.
> Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.
> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.
https://ico.org.uk/for-organisations/guide-to-data-protectio...
The most relevant passage is "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" from article 32; and it could be argued that having passwords in plaintext most likely does not constitute "appropriate technical measures" and doing so opens you up to fines based on GDPR if an incident occurs, but it's not really "a law against clear text passwords" but rather a law that simply says that you are responsible for how you [mis]implement your security and the consequences of that.
https://www.gamingtechlaw.com/2019/04/first-gdpr-fine-italy.... this fine specifically mentions password storage (among many other things)
Also see previous thread on HN: https://news.ycombinator.com/item?id=18531588
I'm not sure how the bot protection software was deployed but looking at marketing materials I suspect the data was sent to the third party as part of a SAAS service.
We believe this was accidental because a later version of the software stopped doing it. I'm not sure if there was a notification by the third party to users about this flaw.
https://banking.westpac.com.au/
I complained to them about this years ago, they replied explaining they knew what they were doing and it was a balance between security and simplicity...
"At Westpac, we are continually striving to provide the highest quality service and security to help support our Online Banking customers.
From the end of May 2018, we will be removing the keypad from the online sign-in screen and replacing it with an open text box, which allows you to type in your Customer ID and password.
...
Security Guarantee. We assure you that using the open text box to enter your sign-in details carries the same high level of security ..."
Passwords remained fixed at 6 characters however.
St. George isn’t as terrible, but they have a quirk of requiring a 4 digit security number along with your password. That’s not how MFA works...
Better security practices and open APIs are the two things I wish banks would get sorted.
Still awful, but not as awful.
I was thinking maybe Capital One?
I’ve been using USAA for over ten years now, it's magical. Contrary to popular belief, you don't have to be a service member for it.
If I couldn't have USAA I'd look into local credit unions.
I figured they would have the most secure systems out there with the army of SWEs they recruit in this area
All that is needed to steal your money is the bank account number, which you probably have mailed out or otherwise provided to numerous random third parties, who process them with other third parties. There's almost no information in there that isn't already available to anyone who cares to look.
A more reasonable approach that actually impacts your security would be:
- Opt-out of electronic communication and get paper statements and account notifications. (This ensures that you receive notice, in the mail, about changes of address and other changes)
- Opt-in to notifications about large transfers or low balances.
- Disable Bill Pay features at the bank.
- Disable external ACH transfers.
- Request wire transfer privileges, which with some banks allows you to get a physical token to secure access to your account.
- Use a dedicated PC/iPad/Chromebook/etc for your banking to reduce the risk of malware capturing your banking details.
If you're going to switch banks over this, look for a credit union small enough that they use an off the shelf banking solution, and figure out what the default configuration of the solution is.
I already use 2FA, a unique password only with PNC and alerts on all account activity, including logins.
I will look into some of the things you listed!
Make sure if you have a Virtual Wallet account with PNC to manually downgrade it to the lowest tier, and keep $500 in it until you're ready to close the account. It'll charge you $7/month otherwise, more if you're at a higher interest tier currently.
I've had good experiences with Dollar Bank if you're in Pittsburgh.