Most banks outsource their online banking platform – in fact their entire banking platform – to one of the big players like Fidelity or Jack Henry. Unless you are a Chase or a Wells, a handful of providers own that whole market.
Apparently, at least one of these providers, possibly Fidelity, upgraded their banking platform and when they did, they required banking customers to reset their passwords.
Unfortunately, the upgrade did not move the passwords from the old platform to the new one. Instead it gave each customer a new, static, temporary password derived from data the bank already had on file: the first four characters of their last name plus the last four digits of their Social Security number.
Worse yet, the bank emailed many of the customers the instructions with the temporary password until they realized that was pretty stupid. They sent the rest of the customers this password in a U.S. Mail letter. Only marginally better.
In case you are thinking that this is some small local bank, according to Brian Krebs, the bank in question is Associated Bank, a $30 billion bank holding company.
After Brian did some research, he found other banks doing very similar things, but using the first six digits of the Social Security number instead of the last four. That is no improvement: for SSNs issued before 2011, the first five digits encode the issuing state and group, so they can often be inferred from where and roughly when the customer was born.
All of these banks were doing this on the same day, which lends credence to an outside provider like Fidelity or one of the other biggies making this change.
If this wasn’t a problem before the Equifax breach, it certainly is after the breach.
Anyone, including a bank, who thinks that some static bits of “secret” information are secret is insane. Sorry. That is just the way it is.
Associated even thought that texting a four digit PIN to a phone number supplied during the re-enrollment process improved security. Since whoever is enrolling supplies that number, the PIN only proves the enrollee can receive texts on a phone they chose. A hacker can use his own burner phone for that.
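To make the weakness concrete, here is an added example of my own; it is not code from Krebs, from the bank, or from its provider. It reconstructs the deterministic scheme the post describes (the exact formatting of the real temporary password is an assumption), shows that an attacker who knows only the customer's last name needs at most 10,000 guesses, and then shows what a re-enrollment credential should look like instead: a random token with real entropy, stored only as a salted hash, bound to an expiry and burned on first use. The one-day lifetime and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# ---------------------------------------------------------------------------
# 1. The deterministic scheme the post describes: first four characters of the
#    last name followed by the last four digits of the SSN.  This is a
#    reconstruction for illustration, not the provider's actual code.
# ---------------------------------------------------------------------------
def weak_temp_password(last_name: str, ssn: str) -> str:
    """Derive the 'temporary' password the way the post describes it."""
    return last_name[:4] + ssn[-4:]


def brute_force_weak(last_name: str, check) -> tuple[str, int]:
    """Recover the weak password knowing only the last name.

    `check` is whatever oracle the attacker has: an online login attempt, or an
    offline comparison against a leaked hash.  The name is public (it is on the
    mailed letter, on checks, and in breach dumps), so the only unknown is four
    decimal digits and at most 10_000 attempts are needed.
    Returns (password, attempts).
    """
    for n in range(10_000):
        candidate = last_name[:4] + f"{n:04d}"
        if check(candidate):
            return candidate, n + 1
    raise RuntimeError("not found; the scheme differs from the one assumed")


# ---------------------------------------------------------------------------
# 2. What a re-enrollment credential should look like instead: random,
#    unguessable, expiring, single-use, and never stored in the clear.
# ---------------------------------------------------------------------------
TOKEN_TTL_SECONDS = 24 * 3600  # assumption: the token is valid for one day
PBKDF2_ITERATIONS = 100_000     # assumption: work factor for the stored hash


@dataclass
class TempCredential:
    customer_id: str
    salt: bytes
    digest: bytes
    expires_at: int
    used: bool = False


def _hash_token(token: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ITERATIONS)


def issue_temp_credential(customer_id: str, now: int) -> tuple[str, TempCredential]:
    """Generate a one-time enrollment token.

    The plaintext goes to the customer; only the salted hash, the expiry and a
    used flag are kept server-side, so a database leak does not expose it.
    """
    token = secrets.token_urlsafe(24)  # 192 bits of entropy vs. ~13 bits for four digits
    salt = secrets.token_bytes(16)
    record = TempCredential(customer_id, salt, _hash_token(token, salt),
                            now + TOKEN_TTL_SECONDS)
    return token, record


def redeem_temp_credential(record: TempCredential, presented: str, now: int) -> bool:
    """Accept the token at most once, and only before it expires."""
    if record.used or now >= record.expires_at:
        return False
    if not hmac.compare_digest(_hash_token(presented, record.salt), record.digest):
        return False
    record.used = True  # burn it: a copy in a mailbox or e-mail archive is now worthless
    return True


if __name__ == "__main__":
    # Constructed sample customer, not real data.
    pw = weak_temp_password("Jones", "123-45-6789")
    found, attempts = brute_force_weak("Jones", lambda c: c == pw)
    print(f"weak scheme: recovered {found!r} in {attempts} attempts")

    token, rec = issue_temp_credential("cust-001", now=1_000_000)
    print("random token accepted once:", redeem_temp_credential(rec, token, 1_000_100))
    print("replay rejected:", redeem_temp_credential(rec, token, 1_000_200))
```

The contrast is the point: the weak scheme's secret is four digits that already sit in breach dumps, while the random token is unguessable, cannot be replayed once used, and dies on its own if the letter is never opened. Delivering the token over a channel the customer already controls, rather than one the enrollee picks on the spot, is a separate problem this code does not solve.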
The small banks don't understand tech or security and would prefer not to. That's why they outsource. Somehow, they think that if there is a breach it is not their problem. Good luck with that explanation on social media or with the courts. The regulators aren't a whole lot better. The FFIEC, which writes the guidance bank examiners use to assess security, is finally updating its examination guidelines for the first time since 2006.
The big banks don’t want to deal with the user calls related to complicated passwords – the call centers are too expensive and the customers are upset. So they just eat the losses. In the billions. And you know who pays those billions? No, not the banks. You and me.
Curiously, when Krebs was contemplating whether to out these banks before or after the upgrade, he tweeted his followers for advice. The advice, apparently, was to wait, but it also attracted the attention of the regulators who then talked to him. I am not counting on them beating up these banks, but maybe they can talk some sense into the providers – like if you do this again, we will make examples of all of your customers. I guess I could hope.
For those users who did not sign up for the new platform, the risk remains: their temporary passwords are likely still active, and still just as guessable.
It might have been interesting if customers, when they first got these emails, had complained to their bank's regulator; possibly something might have changed. Maybe not, but maybe. Or the local media. I can't think of anything that a bank likes better than being taken to task by the local news' investigative reporting team.
But as long as customers put up with crappy security, they will get crappy security.
Remember, consumer customers are not DIRECTLY at risk. If a consumer's account is emptied, Regulation E limits their liability as long as they report the fraud promptly, so the bank gives them back their money and spreads the losses out over all of its customers. It will still be a pain in the tush for those customers, but they will get their money back. Most of the time.
For business customers the rules are different. Businesses are presumed to be sophisticated and fall outside those consumer protections, so they get to eat their own losses, as we have seen time and again when businesses fall for wire fraud attacks.
However, in the battle between security and convenience, convenience almost always wins, which is why the banks do this. That works OK until your bank account is the one that gets emptied.
Information for this post came from Brian Krebs.