Ask HN: A major USA bank is storing passwords in cleartext – what to do?

442 points by plsdonthack ↗ HN
I was having trouble accessing my account, so I gave a call to customer service. The service rep proceeded to (accurately) describe my own password to me. Should I report this somewhere? I'm not really sure what to do.

327 comments

[ 3.3 ms ] story [ 268 ms ] thread
Wow. Did they repeat your password or some hint you typed in a long time ago?

FWIW I have seen two companies that store passwords properly in a one way hash with salt but store statistics on every password like number of case changes and count of numbers and total length. I personally think that practice is infinitely stupid but can explain why they can say it has 3 numbers in it. One major marketing firm I did work for did that until we showed them why it was so dangerous. They were just trying to make users life easier but that wasn’t a smart trade off.

Personally I would like to know which bank. I have accounts at a number of major US banks and if one I use is doing this I’ll move everything out of them immediately.

Edit: to answer your question I’d hand the info to a major investigative news source and let them dig more. The FTC and banking regulators I don’t think will get involved unless there was damage.

They're a three letter acronym that starts with P and ends with C.
Holy smokes. See if you can get in touch with someone in the financial press (such as the Wall Street Journal).
(comment deleted)
Wow, they should know better. That’s really mediocre if true. Call the OCC consumer hotline which is listed at the following link https://www.occ.treas.gov/topics/supervision-and-examination...

Tell them you’d like to file an “Official Complaint” regarding a serious cyber security issue at that bank, and to transfer you to whoever handles official consumer complaints regarding cyber security. Regulators are sensitive to the word “complaint” (specific wording matters) and typically require that complaints are stored, prioritized, and handled in a prescribed way.

Ask them if they can get back to you with any resolution and leave your contact information. Update HN if you’re comfortable with that. Good luck.

That's about run of the mill for them (assuming we're thinking of the same bank). I called about my mortgage and they started reading off someone else's information. They also wanted me to confirm personal information over email...
Wow, not good for such a large bank. Holy crap.
Shoot. They are pretty open about the fact that their passwords are case insensitive. I had always hoped this was some clever implementation using multiple hashes upon password creation.

Or tolower() everywhere.

If it's true that they're able to read it back though, then why would they bother?

I know a bank (I forget which, in EU) that asked me for the 3rd and 5th letter to my password when I called them. Their thinkkng was probably that way the customer support on the other end would only see 2 letters of said password.
With my bank, the telephone banking password is very different from the one you use to log in.
This also avoids replay attacks. Unless you use a word in which case it can be deduced.
Reminds me of TSB (UK bank) that asks, in addition to username and password, for three characters of a string when you sign in. Which is stupid because you can’t do it in your head easily. You actually need to see it written down somewhere when they ask for the 3rd, 11th and 15th character of that “memorable information”.
Pretty sure all UK banks use this method. For a while a tried to use a complex password for this, it became so annoying to use it is now a simple password that I can remember easily and count out. Like a downgrade attack on my brain.
For the "memorable information", I use a 32 character string that was generated with pwgen. I don't ever remember it asking me for the 25th or 30th character, it's always within the first 20 characters.
First Direct do this (but they've been that way for ever) for phone calls (better than me reading out my full password over the phone) along with a couple of secret question answers (I'm pretty sure customer support can't see the whole thing).

Online they are now forcing a one time PIN from a token generated from amount + last four digits of destination account.

My main bank does this all the time.

To be honest, while I'm aware it's not the best of practices, I don't care much. To me, the most important thing about bank security is that if there are fraudulent operations in my account, I can call and have them undone without much fuss. In this respect, my bank has behaved well in the past when random charges from an exotic country appeared in my credit card, in fact they noticed before I did, gave me a call and everything was fixed immediately.

For this reason, I think I'm OK with banks not having too strict security practices. If at some point they start being really paranoid about security, they might feel tempted to conclude that if there is fraudulent activity, it must surely be the client's fault, because their systems are unbreachable. I'd rather have the current situation in which I don't have much responsibility about security, problems happen but the bank responds.

My UK bank has a "memorable word" which is separate from the login mechanism (which uses a physical TOTP pad). Authorising online transactions requires you to give "3rd, 6th & 10th letters" eg of your memorable word.

Are you thinking of that?

Move your money to a different bank.

Now that banks aren't paying useful interest rates they are mostly only tolerable for security and convenient access to your money. If they can't do those two then... what exactly are they for? Likely nothing.

It's for an auto loan.
You may be able to refinance it.
Hopefully you did not set up ACH to withdraw money from your real account.
Be extra careful with your details associated with that account and anything it touches. eg any direct debits might "change" without notice. Enable all added security you can.

But realistically, there's no silver bullets. Refinancing can be expensive. Cost/benefit applies: Might not be worth refinancing just for this. Just be vigilent about the accounts involved.

I had a phone company that bragged about its security. So I tested them out. Yup they sent my password via text. Ok then. Contract was for six months. Not worth switching. But also not worth renewing.

You should report to proper authorities about the severity of the issue. Reach out to their security or technical higher up department of the bank.

In your case, they may or may not be storing the password in cleartext. They might be using the two way encryption instead of one-way hash. Passwords should be hashed (with salt) and it is irreversible.

For a financial institution, revealing your password by a customer service rep is a big red flag. I would reach out to concerned authorities and do a proper disclosure.

> You should report to proper authorities about the severity of the issue. Reach out to their security or technical higher up department of the bank.

Switch your bank.

Do not reach out to the bank's security/technical! There's a non-zero chance that the response from the bank would be to reach out to the FBI and claim that you are the "hacker". It will create an enormous headache for you.

If you are going to reach out to anyone, reach out to the OCC.

Thanks for clarification. Wasn't aware of OCC.
Does storing passwords using two-way encryption violate some OCC regulation?
It is about what you are optimizing for. You, a customer, notifying a bank would probably do nothing. You, a bank customer, filing a formal complaint with a banking regulator triggers procedures to handle it that a regulator has which in turn triggers handling procedures that a bank has. You do not complain that the bank stores passwords in cleartext. Instead you complain that the bank does not adequately safeguard information needed to access your account from the third parties with the example being the customer service agent being able to see not only your ID ( which they can and need to do their job ) but also your password ( which they do not need to access ). So not only the customer service agent can access your account while on-duty in the call center via a special system but also can either themselves or via another party access the bank account as if it were you.
Spoiler alert.

No one in a position to care understands why this matters.

Nothing gets done.

Major vulnerability occurs.

Customers get screwed.

Some low on the totem pole techie gets blamed and loses their job.

Executives get bonuses.

Film at 11.

Was it a password or secret question like "mother's maiden name"?
Is there actual damage? At the end of day, as a customer,all I care is my money is available (not stolen) and I can access it when I need it. Why should I care about implementation details ?
I feel the bank should be liable for stolen funds or information in the case of a security breach.
They are... there's also multiple levels of insurance to cover it.
Yes, I expect the bank to protect my money. What I'm saying is how they actually do it, clear text pwd or whatever is not really my concern. Why should I ?
This the most intelligent thing I've heard on this thread.

So long as I'm not holding the bag should my account with them go haywire, I don't care. This is why shared passwords are bad.

Sounds like they are open to social engineering attacks, if you can get a rep to describe the password to you... Meaning I could pretend to be you and get your money.
Maybe but that is their problem. Its still the bank responsibility to deal with that.
Well any risk is going to be paid by the customer in the end. If they lose 0.01% of their deposits because of a vulnerability, they're gonna be charged more by their insurance and eventually charge it on their service fees to customers.
Yes, if they cause the customer actual damage, such as increased fees then it is a concern. But if there is no actual damage then what's the issue?
You're implicitly suggesting that the bank can either pass on the costs without people noticing, or that they have no competition, so they can set fees and interest rates to whatever they like. I don't think either is true. We do regulate banks, and this is why it's vital.

You could just as well say the cost is going to be paid by the shareholders, the public (in the form of reduced taxes), or the employees.

You’re right, you’ll probably get your money back if your password gets stolen.

Eventually. Might be real disruptive if you’re in the middle of buying a house.

I’d probably choose my bank to minimize my chances of dealing with a giant bureaucracy for however long (and the non–zero possibility that I actually won’t get my money back). But if that’s not “damage” to you, feel free to keep doing business with them!

>Might be real disruptive if you’re in the middle of buying a house.

Agree, I consider this a damage but if the bank can avoid causing me any disturbance despite of using clear text password or <insert any other questionable security practice> then why should I be concerned ?

The same reason you might be concerned even if a doctor can deliver a baby safely despite not washing his hands in between a cadaver examination and touching your wife.

Do you feel lucky? Well, do ya?

Sure, If the doctor can deliver baby safely and not causing any other damage despite not washing hands then what's the issue?

That's why I asked what is the actual damage. Is the money is stolen ? Is the money can't be accessed ? If the bank doesn't do me any actual damage despite the clear text password then I don't see why I should be concerned.

I guess I can see that for some people, clear text password usage can cause them anxiety and lose some sleep.

Are you genuinely saying that when you see someone putting you at risk, that you do not see a problem with it until a problem actually occurs?

Imagine you worked in a building for a week and didn’t die in a fire. Would you have a problem with discovering that the writing was done by a amateur, there were piles of lint and fabric everywhere, and there was only one revolving-door exit?

If yes, then you understand the problem of risk and its just a question of magnitude.

If not, then you should be aware that you see the world dramatically differently than most people.

The risk are highly exaggerated, the damage may never occurs in the first place.

It may seem unlikely that the bank can keep my money save by using plain text pwd but if they can somehow do that, why do I care.

Even in the unlikely event that the money is stolen but if the bank can handle that without causing me disruption then whats the issue.

Oblivious, while also utterly disregarding your own self interests. Reminds me of real life, have an upvote!
(comment deleted)
Would you trust a bank that protects their vault with the same kind of lock as your front door?
Yes I don't care how they do it as long as they can protect my money.

Likewise, they may use top of the line, super secure lock but if they can't protect my money, I wouldn't use them.

> Yes I don't care how they do it as long as they can protect my money.

That is like saying I don't care about having a bucket of water thrown on me as long as I don't get wet.

Heres another analogy, I've been using a black box sorting function from third party library, its super fast and satisfied all my requirements. Then they told me they implemented it using <insert super scetchy/controversial method>. From my perspective, as long is doing a good job and works as I expected, I don't care how its implemented.
..., but I don't care how it is implemented as long as it is secure.

I totally agree with this part. The problem is that the security of the implementation is the security of the implementation. So your sentence reads:

This is implemented extremely insecurely, but I don't care how it is implemented as long as it is secure. I also don't care about water, as long as it is dry.

Yes, at the end of the day, as long as the money is there when i need it, I don't really care how you store it.
You stopped reading after the first sentence?
I did read your whole post. Can you elaborate?
You only replied to the first part I wrote. The second part says that your stance is contradicting itself.

The following is meaningless:

> I don't care that it is insecure, as long as it is secure.

But the following would be fine:

> I don't care what they change it to, as the new solution is secure.

The point being that "stored in plain text, as long as it is secure" is impossible just like "water, as long as it is dry".

> I don't care that it is insecure, as long as it is secure

Ok let me clarify, I don't care if they use plain text pwd as long as it secure.

>The point being that "stored in plain text, as long as it is secure" is impossible just like "water, as long as it is dry

No, it is possible that they do some thing else to secure the money, not just password.

Using analogy can eventually break downs but its fine I'll go along.

Let say I need my car to be cleaned, I have only two requirements :

- the car is clean

- the car never get wet

So someone did that satisfied all my requirements. The car is clean and never get wet. Later on they told me that they use water all along.

Will I get mad ? No, why should I. They fulfill my requirements as I expected.

How they do that is implementation details, which is not my concern, its not part of my requirements.

Unless "not use water" is specifically part of my requirements, I wouldn't be mad at them.

Genuinely curious, why not name the bank here?

It certainly isn't going to be news to the bank itself, so there aren't responsible disclosure concerns here.

And since the top advice here is to leave the bank, wouldn't the best thing you can do be to alert the public, so others can protect themselves as well?

Looks like it’s PNC. Everyone here, move your money now.
Or don't make financial decisions based on vague anonymous internet comments until you've investigated for yourself.
Do you want this person to mount a full blast investigation on their own? Most banks are mostly interchangeable nowadays unless you live in a small town and there’s only one bank you must use because you’re transacting with cash. They pay nearly zero interest, and they treat their customers like trash with monthly fees galore.
Thank you, yes I will certainly change all my financial set up based on no further information these two alarming comments. Who needs to look further into things - they are all the same after all.
But to where? Do any banks exist that have reasonable security procedures?
One weak argument:

Finance is between 20 and 50 years behind the curve in terms of fundamental/top-down security common sense, notwithstanding the handful of specific exceptions strictly necessary to ensure accounts are not actually made off with on a regular basis.

There are likely a good handful of hair-raising security issues (known and unknown) impacting your account(s) right now, that would cause you to scream and run were to learn of any single one of them (let alone the full list).

In this light, cargo-culting specifically [only] avoiding environments that store passwords in plain text feels like premature optimization.

With the above being said, I do agree with the sentiment raised elsewhere of contacting annoying persistent organizations that will follow up - apparently in this case that's investigative journalists and the OCC.

Just don't forget the bigger picture.

Something similar happened to me once. An e-commerce platform gave my wife my plaintext password. It was my "low security" password, the same one I used in dozens of sites. That's when I started using a password manager so now every site gets a different random password.
Santander in the UK does this too. You can tell because they only ask for 3 characters out of your password whenever you log in. What's ironic is that whoever did that propably thought they were being super clever.
Other banks in UK do that as well, shouldn't they all be reported for this?
To whom, and on what basis?

There is nothing in UK law that says banks have to store your passwords "securely".

Issues like this have been raised in the past, and authorities like the ICO have said no law is being broken. GDPR, for example, does not specify technical mechanisms required to store any form of data.

Unfortunately, they are still non-committal on what is required. They advise that passwords should be hashed, but there is nothing that makes that a binding requirement.

The gist is still "do what you think is appropriate".

The ICO talks about balancing risks and convenience, and the banks will argue that their systems are secure overall, and don't make the consumer liable anyway.

Under the ICO's guidance, an organisation could argue that plain text (or reversibly encrypted) passwords allow them to do things like password reminders.

You or I might think that's terrible, but they can argue that it's a better user experience.

The screen they are looking at isn't showing them all the numbers. Though it isn't fantastic as a security measure i admit.
Is it not possible to verify positional characters without storing in plain text ?

off the top of my head, something like storing your full password salted + hashed along side each char salted + hashed.

If you store an individual character hashed then it is trivial to brute force it. I don't think there is a bcrypt work factor that you could use that would prevent brute forcing but would allow the individual character to be used for authentication.
And if you know the first character of a two character password, it's trivial to brute force the second, and so on...
i would definitely expect it to be less secure, but not exactly plain text?
It seems you're not getting serious answers here, so here's my take.

Please report this via the US-CERT at https://www.us-cert.gov/report

This will allow you to report it, eventually from an anonymous email address, without exposing you directly to the bank which might react bad to you. CERT can handle the coordination with the bank, this is what they do.

This very looks cool, thank you for sharing parent.

I apologize for the nitpick, but I hope there will be some guidance on what an "anonymous" email is.

(Ex: Guerilla at a public wifi like a library, an email created at a library, but not your usual email from a place other than your home)

I worry sometimes that we assume people reporting security vulnerabilities will be security experts.

I often meet people who are intelligent and technical, but either do not understand security, or understand it in terms of confidentiality, integrity, and availability (CIA triad) and flounder when thinking about anonymity.

> I often meet people who are intelligent and technical, but either do not understand security, or understand it in terms of confidentiality, integrity, and availability (CIA triad) and flounder when thinking about anonymity.

Can you suggest any resources for a technical user who would like to learn more about this distinction?

An easier way may be to anonymously message a tech savvy media company or security firm, maybe via snail mail even. You can do it anonymously yourself but it'll take some work and a mashup of:

- VPN service where you pay with cash (Mullvad) - Temporary email (Protonmail?) - One time use computer (cybercafe, pay with cash?)

There's layers you can apply like a TOR browser usage but it'll take more effort/learning.

The difficulty there is cybercafe PCs that are locked down and won't run .EXEs.
I've probably been watching too many true crime shows but I suspect it'd be difficult to send a letter w/o leaving fingerprints or dna
Out of curiosity, what's the point of the anonymous email? Why not just use my regular email?
"Person X reported a vulnerability, they must be a hacker! Get our lawyers" - Some non-technical bank person. Most companies don't like having their mistakes publicly exposed.
Really good suggestion. And in case they still need encouragement, some negative press coverage might get them going. Right person for this -> https://krebsonsecurity.com/
I do not think that recommending Brian Krebs is a good idea for someone who might wish to avoid retaliation. Recently, he doxxed some people on Twitter for reporting bugs.

https://www.itwire.com/security/infosec-researchers-slam-ex-...

As a result, I no longer visit his site or recommend his work. Publishing someone else’s personal data without consent is a terrible thing, and is one of the reasons so many of us work to secure systems. His behavior undermines that.

"Krebs appears to have form in outing people who do not agree with him. Back in 2014, he posted the CV of an individual who had written what he characterised as a bad review of a book he authored."

When British security researcher Marcus Hutchins asked whether doxxing a person for this was going a bit too far, his response was: "Dox people? Hardly. I think it helps to add context. The guy is a convicted cybercrook who's in jail. Of course he hates me."

Ouch. This is sad. I used to have a lot of respect for the guy.

(comment deleted)
I don’t think this is the type of thing US-CERT handles.
(comment deleted)
Same surprise for me when I got back my password from AMEX over phone.
When I went to TSB (UK) open an account for my partner and she was asked to type her password on their computer she asked when she can change the password, are they any limitations, like wait 3 days before changing password. The assistant responded "why would you ever want to change your password? you can type any password you want now, just please type your password". This was so weird we didnt use the account for a few days, changed the password, waited a few days again and after that deposited money.
But you were talking to a clueless bank clerk, not their Chief Infosec Officer, so not really that significant.
If this is really happening this is a serious issue that needs to be fixed ASAP and everyone alerted..

but.. something doesn't look right here..

OP is a throwaway account created today, which I can understand for this type of thing.. but...

they withheld the bank name in the title/desc.. okay again a responsible thing to do.. but...

when asked what the bank name was in the comments they were not shy at naming it..

Something just doesn't feel right. Why the sudden change of heart?

For everyone's sake I hope I'm right, that this is just FUD.. to the OP if you really are serious I'm sorry, and please do report this ASAP.

Unfortunately I'm not awake at all hours of the day to respond to internet comments. But if you want further evidence that their passwords are indeed stored in plaintext, consider that their password rule prohibits the special characters !, /, \, <, >, etc. You can verify that yourself.
This is weak evidence as these rules could be implemented at the point of new password entry, prior to encryption/storage.
I once used a small DNS hosting provider where I used a password ending in '!!'. I was in the process of attempting to transfer the domain to another host but it was taking them days, and they communicated several times they were having odd issues specifically with my account. In that same time I was learning how to use Linux and MySQL, and ran into issues using the same password for the MySQL admin during a command line install. That's when I learned !! is short for "run last command". Took me a few more days to think maybe that's what was causing issues at the host provider, so I changed it, told them what I did, and asked to please try the transfer again, and it worked. I never got confirmation the password had anything to do with it, but I let support know my suspicions.
How is that evidence of plaintext storage?

Couldn't they do that validation before they hash the password, but still store a hash?

I'm not saying they don't store plaintext, but restricted character's are absolutely not incompatible with hashed passwords.

I got locked out of my account (forgot my password) with said bank and they had no way of telling me my password. Had to wait for them to send me a OTP mailer so that I could login and create a new password.
Banking security is a joke.

My bank calls me to talk to me and insists I give them my date of birth and address to ‘verify’ myself.

Meaning anyone can call me, pretend to be my bank, I am supposed to give them this info, and then they have what they need to verify themself as me.

Banks are dumb.

I did some tech consulting with some ex-banking Wall St. consultants. It's not a monolith. That industry is very conservative.. and some companies get so frozen in time that they become complacent and go full Equifax. They're always playing catch-up because every criminal and most people would like to rob a bank without a gun, so their threats are numerous and perpetual. (And then there's Wells Fargo.)

It seems like banks should adopt that credit-file-based challenge protocol with the multiple choice questions containing ~50% or so spurious data that answers (None of these). I had to do it to reset a hospital's patient login for myself the other day.

DOB, SSN, address, phone number aren't secret-enough "things you know" or "things you can do." For signatures, I always sign a smiley face because they're completely worthless.

Perhaps even better would be to:

0. have the bank have a relationship with the customer

1. issue 2FA device or soft-2FA

2. use per-customer colors, pictures and words on the password screen to deter impersonation and phishing attacks

3. It seems like hardware is so cheap these days, the bank could issue customers a hardened tablet with a pin, biometrics & face recognition that VPN'ed back to them and functioned only for their banking apps. It's much easier to support and harden one controlled device than zillions of likely malware-infected Chrome on Windows 10 or macOS Catalina's Safari on unsecured public WiFi.

>2. use per-customer colors, pictures and words on the password screen to deter impersonation and phishing attacks

I've seen this on multiple sites, and I always thought it was snakeoil. All you need to do to bypass it would be to make your phishing server contact tho bank to request the per-customer color/picture/word.

What is particularly wrong with Catalina on unsecured public WiFi? Are you just making a pint about public WiFi or is there something wrong with Catalina?
Do you really think the only thing the bank does to log people on is to check the username and password? Banks are way more sophisticated than this and it goes well beyond merely string-matching credentials; there's all sorts of other environment, behavioral and heuristic patterns used to establish legitimacy. Even if you rose this issue with the bank, they'll hardly change their modes of operation, and you certainly won't ever see a bank telling you how they do it, but those "hidden security features" make a significant contribution to the bank's security posture; ie: https://twitter.com/mbna/status/1016270694299127809?s=20
In addition to this, you might be interested enough to take note of a number of your banks arbitrary password rules, that one could follow to make similarly negative assumptions. ie; "hey [bank], because my password is limited to 16 characters, does that mean you've got a varchar(16) column somewhere storing plaintext?"
>but those "hidden security features" make a significant contribution to the bank's security posture

Which is totally bullshit because I have RFP enabled in firefox, and I get asked for my security question on every log in, even though my password is randomly generated and reasonably secure.

What does the password give access to? Full online banking (e.g. being able to do transactions?). Does login not require any further authentication beyond the password?

If the authentication still requires using some kind of good 2FA then it's less serious to have the password in plaintext. Still bad of course.

If this is for some other service that doesn't let you do any transactions then it's not as serious either (still bad and embarrassing, but not that serious)

Even with properly hashed passwords etc I'd be worried if my bank allowed login with only a username/password and no further security. I didn't think even that was a thing in 2020.

Why not reach out to someone like Brian Krebs? He has a pretty large reach and can potentially make people take notice.

Try @briankrebs on Twitter.

This is the best way to go about it if people at the bank aren’t responding. Nobody likes a PR nightmare, and Brian Krebs can handle this better with the right people if the OP provides enough evidence.
Alternatively I feel like Troy Hunt may also be able to help

https://twitter.com/troyhunt

He runs the @haveibeenpwned service

Troy has actually covered a similar topic to this in the past:

https://www.troyhunt.com/banks-arbitrary-password-restrictio...

His viewpoint seems to be that poor security practices around passwords in banks are not a big deal, due to the overall processes that banks use to prevent fraud.

I would tend to agree, for now, except that banks are doing their best to shunt responsibility for fraud onto merchants and customers. There are obvious financial incentives that will encourage them to continue trying to do so.
Troy is usually reeeaaally busy and he may not have time to jump on this one case.
There is not much you can do, I’ve tried to inform banks of security issues in the past and all that happens is you get a form letter saying thanks for writing we are doing that on purpose for reasons we can’t explain to you and we’re not interested in outside help. Synchrony and Citibank, I’m looking at you.
> The service rep proceeded to (accurately) describe my own password to me.

Wait, that alone doesn't necessarily indicate that they're storing clear text passwords. I notice you didn't say that they just repeated your password to you-- why do you think they store the whole thing in clear text?

HN readers are apt to demand hardcore passphrases, salting, 2FA, etc. But the reality is that banks have to deal with all kinds of people and situations. Your security as a bank customer hinges on more than just one password, it's also about monitoring patterns of behavior, being aware of what's coming and going from your account, and protection mechanisms like the bank's insurance.

That said, one would think that large institutions have learned their lesson about clear text passwords, perhaps this one hasn't? Is there a law against clear text passwords? How does anyone actually know if a financial institution has sound IT practices, by happenstance incidents like this? Really?

> Your security as a bank customer hinges on more than just one password, it's also about monitoring patterns of behavior, being aware of what's coming and going from your account, and protection mechanisms like the bank's insurance.

Some banks do this better than others from past experience. For example, I definitely have Bank of America notify me when I do something out of the ordinary. I had gone to a gas station and then my next purchase was pricey and online based. They put that on hold till I confirmed it was by me. They also have done so when I get gas from outside of town.

Other banks just cough up the money without a second thought. I'm sure they might have other "triggers" but it feels like mainly really the big players have proper security setup.

This is why I mostly use my credit card and pay for it before the statement is due. You have better protection on a credit card than you do on a debit card. I wouldn't use my debit card outside of an ATM.

> I definitely have Bank of America notify me when I do something out of the ordinary.

-And such routines are incredibly efficient; while commissioning one of our deliveries (heavy engineering equipment) in Namibia a few years ago, I found that the local power electronics distributor hadn't heard of my employer, and were (reasonably so) reluctant to hand over parts for $13,000 or so and send an invoice to Norway.

VISA to the rescue, and as we hauled the parts into the car to bring them down to the dock, my phone rings - VISA on the line, asking if I had happened to use my credit card in Namibia a few minutes ago, definitely expecting a 'No!!!!'.

-'Sure, we're loading the supplies into the car now, how come?'

Deep sigh and a chuckle at the other end. -'I guess it had to happen some day. You have a nice day, then.'

I have one question

We have all these stories of how our feudal lords have been nice and helpful

But why not get the notifications yourself on your own devices?

You can set up your own policies for approving transactions or whatever. I understand that the chargebacks can be done up to 60 days, which means “seller beware” in the current financial system as opposed to “buyer beware” in the crypto one. But in the crypto one, you are in charge of your keys. And the arguments made in favor of banks could have just as easily been made for printing presses or telephone switchboard operators!

-I can, to some extent, do this in my phone banking app; I can update region/type of transaction/maximum amount; my bank even lets me have whitelists ('No card-not-present transactions outside EU, except renewal of magazine subscription such-and-such from the US', for instance).

Changes are immediate.

However, I have the impression that the VISA/MC/AMEX fraud detection override my preference.

>But why not get the notifications yourself on your own devices?

That is what N26, https://n26.com/ do. You order a beer and when you have you first sip you get a message that there was a €3 payment to the bar.

You can also set spending limits from the app or website. And lock/unlock your credit card from the app.

Lucky you. You got a phone call before just declining it! /sarcasm

Story time:

I was in London, on a multi-week vacation when my CapitalOne card got declined while trying to pay for dinner on the 3rd night using Apple Pay (for the contactless feature).

It wasn't an expensive meal.

There was no warning, no text-message, no phone call. I opened the CapitalOne app and it said my account is now restricted. I proceeded to call CapitalOne, and sit on hold, then get transfered a couple of times until there was a person who could flip the switch.

I paid for dinner, and my wife and I started back to our hotel. Half-way there, we stopped off at a Boots Chemist, and picked up some allergy medicine. Card declined again. I knew it was going to take 30+ minutes to deal with it, so I paid cash and we left.

When we got to the hotel, I had to call back, deal with the same multiple transfers to the person who could flip the switch. Then we would get 1 transaction through before it would get declined again. I eventually got a direct line to the guy who could flip the switch, and after the 5th time of me calling him, we spent a few hours investigating.

I have used this card in the UK for years on vacation. But increasingly merchants dislike the lack of pin, and needing a signature, so to be a good tourist, I decided to use it with Apple Pay, and that was apparently the combination that was killing my account.

The Apple Pay + UK card reader combination was apparently blanking out the CVV code for whatever reason, and while Capital One would allow a single transaction to fail that check, they would then suspend the account until a person verified the transaction was legit. My biggest gripe about this though was they did not even inform me each time it happened. So for the remainder of the trip I had to either dip the chip, and sign a receipt or pay a FX fee.

EDIT: Now that I'm thinking on it more, I think the reason the CVV was blank was because a CVV doesn't get used when your card is present. So I'm back to thinking this was a CaptialOne issue. They were seeing the transaction as a card-not-present transaction, instead of as a contactless transaction, at the time, I don't think they had contactless cards, so that might have not been a scenario they had accounted for.

USAA will just decline first and ask questions later. (I'm not saying this is a good thing; it sucks as a customer.)

I tried to order from a German e-retailer with my USAA card. First time, rejected; I got a text asking if it was me. I replied "YES". Second time, rejected again, got another text... I had to use another (Chase?) card eventually. Still got a text, but this one was prompt and I was able to respond before the transaction was rejected.

These are all automated; no CS rep is sending these texts (or rejections) by hand.

> Is there a law against clear text passwords

In Europe GDPR covers that, many big websites started hashing after it

Edit: could somebody explain the downvotes? The comments seem to agree with me

Obviously GDPR is not a law about plain text passwords, but as the comments say it forces "the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication." etc.

Really?

Edit: Kind of. The UK org in charge of GDPR says:

> Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

> Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.

> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.

https://ico.org.uk/for-organisations/guide-to-data-protectio...

GDPR does not have any wording that refers to any technical specifics (e.g. password storage) whatsoever.

The most relevant passage is "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" from article 32; and it could be argued that having passwords in plaintext most likely does not constitute "appropriate technical measures" and doing so opens you up to fines based on GDPR if an incident occurs, but it's not really "a law against clear text passwords" but rather a law that simply says that you are responsible for how you [mis]implement your security and the consequences of that.

Yes of course GDPR is not a law about plain text passwords, but (as the sibling comment points out), pretty much everybody considers the use of appropriate hashing as a requirement to to ensure a level of security appropriate to the risk.

https://www.gamingtechlaw.com/2019/04/first-gdpr-fine-italy.... this fine specifically mentions password storage (among many other things)

Also see previous thread on HN: https://news.ycombinator.com/item?id=18531588

On top of that GDPR requires companies to notify customers of data breaches, which risks reputation damage. Another liability of shoddy security.
GDPR doesn't state explicitly "passwords must be hashed", but Knuddels.de was fined for unhashed passwords. The fine was specifically for the lack of hashing and not the breach that uncovered it.
A popular bot protection system provided by a third party used by a number of US banks would accidentally disclose plaintext usernames and passwords to the bot protection software.

I'm not sure how the bot protection software was deployed but looking at marketing materials I suspect the data was sent to the third party as part of a SAAS service.

We believe this was accidental because a later version of the software stopped doing it. I'm not sure if there was a notification by the third party to users about this flaw.

One bank that has astoundingly bad password requirements is Westpac Australia. Usernames are an 8 digit customer ID, and passwords have to be exactly 6 characters long(!) consisting only of numbers and uppercase letters. Try it for yourself, note that the login form only allows you to enter 8 characters for the username and 6 characters for the password:

https://banking.westpac.com.au/

I complained to them about this years ago, they replied explaining they knew what they were doing and it was a balance between security and simplicity...

Mainframe it is then.
could be (old) cobol, not necessarily on a mainframe
Even worse, a major French bank removed their perfectly fine password requirements and replaced it with a 6 digit PIN that you have to enter via an on-screen numpad. They explicitly block password managers from autofilling too! And I had just managed to get my parents to start using one.
Well Westpac had an onscreen keyboard for the password entry too until about 18 months ago. When they finally replaced it with a (thankfully password-safe friendly) text box they had this to say:

"At Westpac, we are continually striving to provide the highest quality service and security to help support our Online Banking customers.

From the end of May 2018, we will be removing the keypad from the online sign-in screen and replacing it with an open text box, which allows you to type in your Customer ID and password.

...

Security Guarantee. We assure you that using the open text box to enter your sign-in details carries the same high level of security ..."

Passwords remained fixed at 6 characters however.

The US treasury does/did this on-screen keyboard thing as well (at least up until I stopped needing to login to that website within the last year or two). The "best" method I had around it was to copy the password out of my manager, use developer tools to find the '<input type="password">' element, and add 'value="[paste]"' manually.
I used to bank with WestPac and from memory it wasn’t possible to do this as they had some additional javascript running that would cipher every letter.
I got firefox to remember passwords for a couple sites that were blocking autofill. It involved opening up the xml file where passwords are stored, copying the latest entry, changing the url and ID number, then opening up the password manager in firefox and updating the actual password there since the XML file only stores an encrypted version. It wouldn't autofill instantly, had to click on the username box to get it to work but it saved me a lot of time from entering a massive password that system required.
This is common in Brazil as well. Allegedly they are trying to avoid keyloggers. Obviously people just improved keyloggers to take screenshots at precise times.
"We know what we're doing" and "There's no way we can upgrade the infrastructure" might be holding hands in that moment
A company that my retirement plan used to be with was worse than that. The password could only be numbers and letters, and they would silently truncate your password to 8 characters. The worst part though, is the password was stored in a way that it could be entered on a touch tone phone. So case was silently ignored for letters, and the characters "2abcABC" were all stored as the number 2, and so on for the rest of the buttons on the phone. They also didn't support two-factor authentication. They've since updated the password requirement to something more sane, but it was baffling that they would ever do that.
All major telecos in Spain do the same. One of the largest asks you to set up only a 6-digit PIN to access the customer portal and no 2FA. They send you your PIN by SMS as a confirmation. All your invoices (with the details of the numbers you called) as well as other personal details, are "protected" by a 6-digit PIN. I want to think they have other protection mechanisms in place, but I seriously doubt it.
Oh, I see you've had a Fidelity account too.
Looks like they are using Fiserv (lots of Fiserv references in the code). Fiserv is a huge provider of banking services. If Fiserv is requiring these ridiculous id/pw requirements that would be even more scary.
Expect this to keep happening until we put the full and entire cost of identify theft onto the companies who are defrauded by the thief.
It's not identity theft, it's just fraud. Calling it identity theft is an attempt to put the cost and responsibility for ordinary fraud on the victims.
ING Australia is even worse for this, as it’s an 8 digit acc number with a 4 digit PIN to login.

St. George isn’t as terrible, but they have a quirk of requiring a 4 digit security number along with your password. That’s not how MFA works...

Better security practices and open APIs are the two things I wish banks would get sorted.

TIL my Westpac password is case insensitive. Today wasn't a good day.
If you want to stay with this bank, you should should create a password from a strong one way military grade hash. This way, you can still more or less recreate the password, but if it's lost it tells nearly nothing about the original password you came up with, especially if you applied a salt (and/or pepper) to it.
Some people have noted that they might store part of your password, but they could also be using some sort of master key to encrypt their passwords. Meaning they can also decrypt them and provide a UI for their help desk.

Still awful, but not as awful.

Hypothetically, if that were the case, it creates a single point of failure for the whole system and is effectively "security by obscurity," imo. A malicious actor with the time, resources, and/or internal connections could obtain said master key and have access to the entire bank's database.
Since it seems this is PNC, I am one of those who now needs to find a new bank. Any recommendations? I used PNC for my checking/credit but already use an american express high yield savings.

I was thinking maybe Capital One?

no no no that’s just switching from Coke to Pepsi

I’ve been using USAA for over ten years now, it's magical. Contrary to popular belief, you don't have to be a service member for it.

If I couldn't have USAA I'd look into local credit unions.

If you see my other comment, I don't think I am going to switch right now but it is good to check out alternatives. I am from the DMV area and capital one is huge here and pushes the narrative that they are an elite tech company VERY hard around here with recruiting.

I figured they would have the most secure systems out there with the army of SWEs they recruit in this area

Why? The compliance requirements don't require hashing (iirc, "commercially reasonable" protection is/was the standard), so you should assume that any other bank is doing the same thing, as they probably are.

All that is needed to steal your money is the bank account number, which you probably have mailed out or otherwise provided to numerous random third parties, who process them with other third parties. There's almost no information in there that isn't already available to anyone who cares to look.

A more reasonable approach that actually impacts your security would be:

- Opt-out of electronic communication and get paper statements and account notifications. (This ensures that you receive notice, in the mail, about changes of address and other changes)

- Opt-in to notifications about large transfers or low balances.

- Disable Bill Pay features at the bank.

- Disable external ACH transfers.

- Request wire transfer privileges, which with some banks allows you to get a physical token to secure access to your account.

- Use a dedicated PC/iPad/Chromebook/etc for your banking to reduce the risk of malware capturing your banking details.

If you're going to switch banks over this, look for a credit union small enough that they use an off the shelf banking solution, and figure out what the default configuration of the solution is.

Thanks for recommendations. I will admit I overreacted when I saw the headline and found out it was PNC. Just not the thing I expected to start my day hearing.

I already use 2FA, a unique password only with PNC and alerts on all account activity, including logins.

I will look into some of the things you listed!

I moved from PNC to SoFi a few months ago and I'm very happy with them. ATM fees everywhere are automatically reimbursed and their customer service is fantastic.

Make sure if you have a Virtual Wallet account with PNC to manually downgrade it to the lowest tier, and keep $500 in it until you're ready to close the account. It'll charge you $7/month otherwise, more if you're at a higher interest tier currently.

Where are you located?

I've had good experiences with Dollar Bank if you're in Pittsburgh.