Is Your Bank Account Easy to Hack? Mine is.
I have a loan from Nationstar Mortgage. My wife decided to set up an account on their website so we could pay our bill online. It turns out that Nationstar doesn’t really care that much about account security.
What you see below is what people in the business call the opposite of a best practice. This stupid bank sent my password to me in e-mail in plain text. Big no-no. Passwords in plain text are an indication of relatively lax password security and encryption.
The double-stupid part is that if I change my password, their system sends me another e-mail with the new one, so there is no way to make my account secure.
I’m sharing this publicly, so that perhaps they’ll be embarrassed and fix the problem. Though, maybe I should line up some hackers and rob them of a few bennys first.

UPDATE: Christopher Burgess sent a document from the Federal Financial Institutions Examination Council that provides guidance for “Authentication in an Internet Banking Environment”.
Triple-stupid: This means that they are storing the actual passwords rather than a hash. One hacker (or upset employee) could compromise all the accounts at once!
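As an added example (my own illustration, not code from the post or from Nationstar’s system), here is the distinction the update draws: a store that keeps the password and can therefore e-mail it back, beside one that keeps only a per-user salt and a stretched digest and can only verify a login. The class names, iteration count and sample credentials are assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to the deployment's hardware


class PlaintextStore:
    """The pattern the e-mail implies: the site can hand the password back,
    so a copy of this table hands every account to whoever holds it."""

    def __init__(self) -> None:
        self.records: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.records[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self.records.get(username) == password

    def recover_password(self, username: str) -> str:
        return self.records[username]  # this is what makes the e-mail possible


class HashedStore:
    """Keeps only a random salt and a PBKDF2-HMAC-SHA256 digest per user; the
    password cannot be reproduced from the record, so it cannot be e-mailed."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[username] = (salt, self._derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        # Unknown users get a dummy salt and empty digest so the KDF still runs
        # and the response time does not reveal which usernames exist.
        salt, digest = self.records.get(username, (b"\x00" * 16, b""))
        return hmac.compare_digest(self._derive(password, salt), digest)

    def reset_token(self) -> str:
        """A forgotten-password flow mails a short-lived random token, not the
        password, because the store has nothing else it could send."""
        return secrets.token_urlsafe(32)
```

A dump of `HashedStore.records` gives an attacker salts and digests to grind through one account at a time, whereas a dump of `PlaintextStore.records` is every account at once, which is the point of the update.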
Gabriel Nagmay
21 Mar 12 at 4:18 pm
Heya, just wanted to give you a brief heads up and let you know a few of the pictures aren’t loading properly. I’m not sure why, but I think it’s a linking issue. I’ve tried it in two different internet browsers and both show the same outcome.
Marquis Harvie
7 Jun 12 at 9:36 am
I don’t know about hackable, but my bank is just plain complacent. We recently noticed that £745 had been removed from our bank account. We called the bank and they said it was a direct debit transaction from our account. They gave us the details of who had placed the DD request and gave the impression that the blame lay with them.
We called the company concerned, a property agent, and they apologized, saying that they had just filed the DD from a tenant of theirs and that maybe it was a number mis-quoted. The money was refunded. I asked for a copy of the DD form and when I saw it I nearly flipped. The form had indeed got our bank account on it, but the names and addresses were not ours. So, the bank had simply passed the DD on the bank account number!
If you think your account is protected by the greatest systems in the world, think again! Don’t forget the human factor.
Cheers
Colin
Colin Hall
8 Jun 12 at 5:46 am