I have a loan from Nationstar Mortgage. My wife decided to set up an account on their website, so we could pay our bill online. It turns out that Nationstar doesn’t really care that much about account security.
What you see below is what people in the business call the opposite of a best practice. This stupid bank sent my password to me in e-mail in plain text. Big no-no. Passwords in plain text are an indication of relatively lax password security and encryption.
The double-stupid thing about the whole thing is that if I go change my password, their system will send me another e-mail, so there is no way to make my account secure.
I’m sharing this publicly, so that perhaps they’ll be embarrassed and fix the problem. Though, maybe I should line up some hackers and rob them of a few bennys first.
UPDATE: Christopher Burgess sent a document from the Federal Financial Institutions Examination Council that provides guidance for “Authentication in an Internet Banking Environment”.