10 comments

[ 2.8 ms ] story [ 25.1 ms ] thread
Yawn. Another day another breach.

Have we gotten to the point yet where simple possession or knowledge of personal data is insufficient to prove identity? Seems like we should have been there years ago.

'what you know, what you have, what you are' are used in classic authentication. 'what you know', typically are the knowledge only you should know, like password. 'what you have' are the things only you should have, like key card, MFA,. 'what you are' are some biological identities, like your finger print.

Banks servers ordinary people and most useful way to identify those people are 'what you know'. DOB are the most commonly used.

some banks and other organizations start to give up 'what you know' as most people give up too much personal information over social media and bad guys can easily acquire them. now they transfer 'what you have'. like sending you a message and you have to click the link to prove you are the person who you claimed.

What irritates me the most is that, while a lot of sites allow for hardware tokens for MFA, my banks do not. Not a single one of my financial institutions support FIDO or anything like it, opting instead for SMS if they have anything at all. Passwords are usually a maximum length of some small number, and alarmingly, quotes and some other special characters are not allowed. Are they even hashing?

It's insane that my personal blog is more secure than my bank.

IANAL, but as far as I understand, since this month (nov 2025) the DFS (dep of financial services) requires all financial companies to have MFA in force for accessing IT systems (see regulation 500.12). Not sure how that applies to your situation, but maybe we see some positive movements in this area.
Vanguard, Bank of America, and a tiny handful of others do support hardware tokens. But yea you're right that most don't.

Not that it would help in this specific case I guess.

Funnily enough, even though there are (some) regulations that impose penalties if a financial breach was due to negligence, somebody has to actually investigate and prove negligence first. Government agencies may investigate, but they can just choose not to, it depends on whether they feel like investigating or not.

Meaning that when there is a breach, if you don't personally sue them and take on the costs of investigating and proving the root cause of the breach yourself, then it's likely nothing will happen to them at all. And this is only for the institutions actually covered by a regulation.

And assuming an investigation is done, and proof found of negligence, they'll be given a fine or settle for a small amount of their yearly profit. Nobody goes to jail or is personally fined, and the company has a minor dip in earnings. Problem solved!

For those looking to quickly understand scope of impact:

> According to Bloomberg and CNN, citing sources, SitusAMC sent data breach notifications to several financial giants, including JPMorgan Chase, Citigroup, and Morgan Stanley. SitusAMC also counts pension funds and state governments as customers, according to its website.

(comment deleted)
Is the consensus that banks are generally poor at IT security or that banks are generally more often targeted for hacks?