
Comment by TwoBit

10 years ago

That's how Schwab.com implements passwords. 8 characters max. For life savings brokerage accounts.

Swedbank in Sweden has a feature where you can access an account's entire balance by generating random CC#s for online shopping, and this service is protected by your social security number and a 6-character password: a-z, 0-9, and no special characters allowed.

They've had this for at least 6 years now, maybe longer. Early on, when I e-mailed them about it, they simply stated that it's not their service; in other words, outsourced.

  • Swedbank also requires two-factor authentication. You can bypass this by calling them - they only ask for 1 thing to authenticate you. Two-factor authentication is rather useless if you can just bypass it like that.

    • > You can bypass this by calling them - they only ask for 1 thing to authenticate you.

      The domain for my personal site is shared with my family. My father registered the domain and all of the details in the account use his information. I had just created an AWS account and wanted to move the site's DNS to Route53.

      I was able to call into the domain registrar and get exactly zero of the details correct, but they pointed the domain to Route53. It was hilarious how bad it was. I used my social, my name, my address, etc., none of which matched the info on file.

      Even if I had used my father's info, it (except the social) would have been wrong because we lived overseas on a military base. When your system says Japan and someone from the US is calling, that should set off all sorts of alarm bells.

    • Yes, and I had no idea they were that easy to bypass on a social level.

      This CC# generator also falls outside of the 2FA scope, something I also asked them about several years ago, and I received the same reply: "it's not our service".

      It's scary.

  • Swedish social security numbers are public information btw, just to clarify the insanity - I can call in to the government register and ask for anyone's number, there isn't even any obfuscation or semi-privacy about it like US SSNs.

    • > there isn't even any obfuscation or semi-privacy about it like US SSNs.

      GOOD. The US "private" SSN system is completely messed up. You can't commit identity theft by just knowing a personnummer. Very, very much unlike the US...


  • The Swedish personal numbers are not a secret, so that is not any kind of protection. You can get the number for anyone by asking the tax agency.

One of my neighbors when I was growing up worked in the FBI's cybercrime division. His wife always complained about how he never let her do any of their banking or serious financial transactions online. When I hear stuff like this, I get why.

Which makes you think - Schwab is keeping probably billions of dollars safe. I've never heard of a theft from them, including via online account compromise. Meanwhile, many other sites doing better jobs of following security best practices can't keep even email addresses secure.

Maybe we're the ones doing it wrong, and it's us that should be learning from them?

If you also can choose your account name, use it as sort-of additional password space.

I have accounts at several places where I could give you my password without running much risk of you logging in; even if their phone support would give out my account name, chances are they or you would misspell the line noise that it looks like.

My bank (German "Sparkasse") only allows passwords with exactly 5 letters or numbers for their online banking. I asked why they're doing this, but didn't get a good response.

  • When I asked, I got the answer that I could choose an arbitrary 16-character-long user name, that the password may contain special characters, that the number of allowed login failures is limited, and that any actual money transfers are protected by a TAN. So it may not be that bad, given that the PIN for my EC card has only four digits.

    Still, I agree that this scheme is somewhat odd and no limitation on the password length would be preferable.
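The password caps discussed in this thread (Schwab's old 8-character maximum, Swedbank's 6 alphanumeric characters, the Sparkasse 5-character scheme, a 4-digit card PIN) and the "use the account name as extra password space" idea can be compared quantitatively. The script below is an added example, not code from any of the commenters or banks; it models each policy as a uniformly random secret (real human-chosen passwords are weaker) and estimates what an attacker gets from a fixed per-account guess budget such as a lockout limit, both against one account and when spraying across many. Alphabet sizes not stated in the thread (95 printable ASCII for Schwab, case-sensitive letters plus digits for Sparkasse and the 16-character user name) are assumptions.

```python
import math

# Policies quoted in the thread as (alphabet size, length). Alphabet sizes
# marked "assumed" are not stated by the commenters.
POLICIES = {
    "Schwab (old cap): 8 chars, assumed 95 printable ASCII": (95, 8),
    "Swedbank CC# generator: 6 chars, a-z 0-9": (36, 6),
    "Sparkasse: exactly 5 letters/digits, assumed case-sensitive": (62, 5),
    "EC card PIN: 4 digits": (10, 4),
}


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct secrets under the policy."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy of a uniformly random secret under the policy."""
    return length * math.log2(alphabet)


def success_probability(alphabet: int, length: int, guesses: int) -> float:
    """P(attacker hits a uniformly random secret) with `guesses` online attempts
    against one account, e.g. before a lockout counter trips."""
    return min(1.0, guesses / keyspace(alphabet, length))


def expected_compromises(accounts: int, guesses_per_account: int,
                         alphabet: int, length: int) -> float:
    """Password spraying: a lockout bounds guesses per account, not per attacker,
    so the expected number of compromised accounts grows linearly with the
    number of accounts the attacker can name."""
    return accounts * success_probability(alphabet, length, guesses_per_account)


def combined_bits(name_alphabet: int, name_length: int,
                  pw_alphabet: int, pw_length: int) -> float:
    """Entropy when the account name is itself unguessable (the 'line noise'
    user name from the thread): the attacker must get both right, so the
    keyspaces multiply and the bits add. This only holds if the name is
    never disclosed, e.g. by phone support."""
    return entropy_bits(name_alphabet, name_length) + entropy_bits(pw_alphabet, pw_length)


def report(accounts: int = 1_000_000, guesses_per_account: int = 3) -> None:
    # Constructed scenario: one million customer accounts, lockout after 3 failures.
    print(f"{'policy':<62} {'bits':>6} {'P(1 acct)':>10} {'E[hits]':>9}")
    for label, (alphabet, length) in POLICIES.items():
        bits = entropy_bits(alphabet, length)
        p_one = success_probability(alphabet, length, guesses_per_account)
        hits = expected_compromises(accounts, guesses_per_account, alphabet, length)
        print(f"{label:<62} {bits:6.1f} {p_one:10.2e} {hits:9.2f}")
    print()
    print("Sparkasse 5-char password plus a random 16-char user name:",
          f"{combined_bits(62, 16, 62, 5):.1f} bits")


if __name__ == "__main__":
    report()
```

The table makes the thread's point concrete: a lockout limit keeps the per-account success probability tiny, but a 4-digit PIN sprayed across a million accounts still yields hundreds of expected hits, and a 6-character alphanumeric password is only about 31 bits, which is why the TAN on the actual transfer matters more than the login secret. The last line shows why a secret account name helps only as long as the name is never handed out over the phone.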

That used to be true, but Schwab has since removed their character limit. I just updated my password to one having more than sixty characters.