I've discovered that my internet banking password isn't case sensitive (HSBC Australia).
It's odd because HSBC UK is case sensitive.
Is this a big concern? With just the password you can log in and transfer money between accounts and to external payees that are already set up. To add a new payee you need to use 2FA and generate a code with the mobile app.
HSBC UK needs 2FA to log in and then a further code to be generated to add a payee.
Other than accessing my details and moving money between my accounts, I'm not sure whether this is an issue?
It seems strange that security is not standardised across the world, particularly given that they are "the world's local bank"!
Is this a big concern?
No.
Not really, although I've not come across a non-case-sensitive password authentication system in 15+ years, so it is a bit alarming that a bank is still using one. Does it at least allow long passwords/phrases or is it some 1990s 8 character max system as well? At least they have 2FA on setting up new payees, but I'd be concerned about other security issues if their initial authentication mechanism was so basic.
To be honest I'd love to help, but it's very hard to give an accurate answer to this without having all the details to hand. If you could just let us know what the password is then we'd be able to more accurately judge the inherent risk. Also date of birth, mother's maiden name, town of birth and name of first pet just so we can be sure it's really you. Can't be too careful nowadays
Sounds great for the user. Hopefully their security behind the scenes is up to snuff, and you can use a normal length password that you can remember WiTh0u7 1t BE1n6! an unmemorable load of gobbledegook.
Having just had my Chain Reaction account hacked I was thinking about the security of passwords on my more important things like bank accounts. To get into my UK account requires a longish (minimum 8 characters) case sensitive password followed by some sort of randomised selection of numbers/letters from a secret phrase. My German online banking account password is simply 5 numbers! How long would it take for a computer to work that out? Less than a second? There is no facility to make it any longer either.
Case sensitive is pretty secure compared to Santander defaults!
8 digit online banking account number (that's written on your paper statements as a reminder!!!)
5 digit PIN
So how many attempts will that require? And do they have an auto-lockout after n attempts?
At least they do have 2FA for any new (or amended) payees, but not for anything existing.
My German one is similar, but 2FA by default to do anything. And locked to a single phone, so you can't even use the standard migrate all apps etc. to new phone... you have to totally delete app, cache, data and everything for that new app installation, reinstall afresh, get unlock code from bank. A degree in computer crypto helps. Bank staff don't tend to have such a degree so can't help.
CRC has been hacked at least twice before. Loads of us on here got a small gift as a result. I've also been hacked on a brand new CC that had been used twice... once through one of the most popular hotel booking websites, and once via Paypal. I can't say which of those was the one with the vuln that leaked the details.
Change your password to all numbers and symbols then?
Use a password manager so you can use decent passwords and only need to remember one difficult one.
1990s 8 character max system as well
Years ago we acquired part of another company, and as part of this renumbered customers' accounts. We had a button to allow people to use their old account number, but sometimes people forgot to press it. We started getting reports of a few customers being able to log in to other customers' accounts. After a lot of investigation trying to find the bug in our login code, it finally came to our attention that the name of the other company was 8 characters long and they'd been using a hashing method that only looked at the first 8 characters.
Password strength is much less important than most people think. It is, however, important to use different passwords for everything that could harm you if it was discovered. The vast majority of compromised passwords come from hacks, such as the CRC one; unless you're a multi-billionaire or in a strategically important position it's generally not worth cracking your password.
My concern here is that in ignoring case the implication is that they are storing passwords in plaintext. So in the event of a data breach hackers will have everyone's login credentials.
Passwords are normally stored using one-way encryption*. When you enter your password, it applies that same encryption and compares the results. A shift in case of a single character will cause a wildly different encrypted string. If they can ignore case then a best-case scenario is that they're unencrypting the stored password for validation (which is still bad and shouldn't be possible) but I'll wager they're not even doing that.
* - Some maths is easy in one direction and hard the other. As a massively oversimplified example, if I asked you to find all the factors of 91 (the numbers it can be divided by to give a whole number result) you'd struggle, you'd probably have to try multiple guesses to try to happen across a number that worked. Yet you could work out 7*13 = 91 in your head (and be confident that these are the only two factors aside from 1 as they're both prime numbers). Now imagine this process using numbers many digits long.
Passwords are normally stored using one-way encryption*. When you enter your password, it applies that same encryption and compares the results. A shift in case of a single character will cause a wildly different encrypted string. If they can ignore case then a best-case scenario is that they’re unencrypting the stored password for validation (which is still bad and shouldn’t be possible) but I’ll wager they’re not even doing that.
Actually a best case would be they are passing the password through a case changer before hashing. e.g.
hash(password.lower())
The only reason I can see to do that, though, is to reduce the support demand from people forgetting their password was case sensitive or not realising caps lock was on.
I suspect you are probably not far off - either one giant file that is encrypted, or possibly each record, but either way I'd bet a pint on it that someone with the right credentials in HSBC can see the password. Make sure you don't use that password anywhere else. Interestingly, for HSBC corporate banking they don't really use passwords at all, it's all time-limited codes from an annoying little device - I've no idea about domestic customers here, because their UI is so terrible I vowed never to even consider using them where I have a personal choice!
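An added illustration, not code from anyone in this thread, of the "best case" just described: the password is case-folded before salted hashing, so login is case-insensitive yet nothing reversible is stored. It also works through the keyspace arithmetic behind the earlier questions about the 5-digit PIN and how many guesses a lockout would need to cover. PBKDF2-HMAC-SHA256, the iteration count and the sample passwords are my choices, not anything HSBC is known to use.

```python
import hashlib
import hmac
import math
import os

# Assumed parameters (not from any bank): iteration count is a plausible work factor.
ITERATIONS = 200_000


def make_record(password: str, case_sensitive: bool = True) -> dict:
    """Store only a random salt and a PBKDF2 digest of the (optionally case-folded) password.

    casefold() is the Unicode-aware version of the thread's password.lower().
    The digest cannot be reversed to recover the password; at most, an attacker
    with the record can guess candidates and hash each one.
    """
    pw = password if case_sensitive else password.casefold()
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "case_sensitive": case_sensitive}


def verify(record: dict, attempt: str) -> bool:
    """Apply the same folding rule and compare in constant time."""
    pw = attempt if record["case_sensitive"] else attempt.casefold()
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of keyspace for a uniformly chosen secret of this length and alphabet.

    Lower+upper+digits is 62 symbols; folding case leaves 36; a numeric PIN has 10.
    """
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int) -> int:
    """Average number of online guesses before a uniformly random secret is hit.

    Compare this with the number of attempts a lockout policy permits.
    """
    return (alphabet_size ** length) // 2


if __name__ == "__main__":
    rec = make_record("Tr0ub4dor", case_sensitive=False)
    print("case-folded login accepts 'tr0ub4DOR':", verify(rec, "tr0ub4DOR"))
    print("8 chars, case-sensitive: %.1f bits" % keyspace_bits(8, 62))
    print("8 chars, case-folded:    %.1f bits" % keyspace_bits(8, 36))
    print("5-digit PIN: %.1f bits, ~%d guesses on average" % (keyspace_bits(5, 10), expected_guesses(5, 10)))
```

The point for the thread: folding case costs about 0.8 bits per character of keyspace, which is a far smaller problem than a record that can be decrypted back to the password, and a 5-digit PIN is only defensible if the lockout fires long before tens of thousands of attempts.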
Actually a best case would be they are passing the password through a case changer before hashing.
Very good point, I hadn't thought of that.
Interestingly, for HSBC corporate banking they don't really use passwords at all, it's all time-limited codes from an annoying little device
Their personal banking used to use a thing like a tiny calculator, maybe half the size of a credit card. You type in your PIN and it spits out a 6-digit code that changes every 30 seconds. They've done away with that now, it's an over-complicated phone app instead. The app generates login codes and transaction codes and a bunch of other stuff.
A good way to make up a safe password that's also easy to remember is to follow the sequence
consonant / vowel / consonant / vowel
a few times, add in some special characters and numbers (or some caps, ordinarily), and you will end up with a word that you can say and remember but which is not in any dictionary and which will score well on strength tests.
Their personal banking used to use a thing like a tiny calculator, maybe half the size of a credit card. You type in your PIN and it spits out a 6-digit code that changes every 30 seconds. They’ve done away with that now, it’s an over-complicated phone app instead. The app generates login codes and transaction codes and a bunch of other stuff.
Ah, we still have the wee red calculator for business stuff. Just small enough to misplace, just too fragile to carry on your keyring (I discovered the hard way!). I suspect their "UI" designer is a former bank manager - everything makes sense from the inside.
I’ve no idea about domestic customers here, because their UI is so terrible I vowed never to even consider using them where I have a personal choice!
Indeed. We have our mortgage with them. The mobile app and authenticator is so poor I gave up on logging on to any of their systems ages ago.
Dunno how long ago "ages" was, but these days you have the option of logging on (to the web portal) with or without the secure key. If you log on without you can do stuff like check your balance or pay an existing payee, but creating a new payee is disallowed.
It's far from perfect (no I don't want you to remember my username, you're a bank), but it's way better than it used to be.