Somewhere, in the background, there's a poor old unix mainframe running Cobol, unaware that the world around it has changed, and that it should be put to pasture, where it can live out the rest of its days in peace.
I've heard of a bank actually trying to use that excuse when asked why their online banking passwords were so limited.
That is, of course, complete bullshit.
Sure, it is plausible that a bank has an old mainframe handling their accounts. It is also plausible that user account passwords on that old mainframe are only 6 or 8 characters and from a limited alphabet.
What does that have to do with customer online banking accounts? Nothing!
When you open a bank account they don't make a user account for you on their mainframe. What they make for you is an entry in an application database that their banking applications use. The only mainframe user accounts involved are the account that the database runs under and the account that the banking application runs under, both of which are the same for all banking customers.
Even if, for some strange reason, they do actually have to make a mainframe login account for each banking customer there is no reason for the banking customer to ever directly access that. Online banking is accessed through the web, so only the web server needs to access your banking account on the mainframe. They could make the website have its own password system, without the mainframe login restrictions. The restricted mainframe login information would only be known by the mainframe and the website back end. The banking customer should never deal with that.
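As an added illustration of the separation the comment above describes (example code written for this page, not something from the thread or from any bank): the web tier keeps its own credential store with its own password policy and hashing, while the legacy account system is reached only through a single service credential held by the back end. The legacy constraints (8 characters, uppercase letters and digits), the service credential, the customer names and balances are all constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical constraints of the legacy account system discussed in the thread:
# its logins are short and drawn from a limited alphabet. These values are assumed.
LEGACY_MAX_LEN = 8
LEGACY_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


class CustomerCredentialStore:
    """Web-tier credential store. Length policy and hashing are chosen here,
    independently of anything the legacy system can or cannot accept."""

    MIN_LEN = 12
    MAX_LEN = 256  # generous cap; it only bounds KDF work per attempt

    def __init__(self):
        self._records = {}  # username -> (salt, derived key)

    def policy_ok(self, password):
        return self.MIN_LEN <= len(password) <= self.MAX_LEN

    @staticmethod
    def _kdf(password, salt):
        # Memory-hard KDF from the standard library; parameters are illustrative.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, username, password):
        if not self.policy_ok(password):
            return False
        salt = os.urandom(16)
        self._records[username] = (salt, self._kdf(password, salt))
        return True

    def verify(self, username, password):
        rec = self._records.get(username)
        if rec is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            self._kdf(password, bytes(16))
            return False
        salt, expected = rec
        return hmac.compare_digest(self._kdf(password, salt), expected)


class LegacyAccountSystem:
    """Stand-in for the mainframe: one service account with a constrained
    credential, shared by every customer request the web back end makes."""

    def __init__(self, service_user, service_secret):
        if len(service_secret) > LEGACY_MAX_LEN or not set(service_secret) <= LEGACY_ALPHABET:
            raise ValueError("credential violates legacy constraints")
        self._service_user = service_user
        self._service_secret = service_secret
        self._balances = {"alice": 100, "bob": 250}  # constructed sample data

    def balance(self, service_user, service_secret, customer):
        if service_user != self._service_user or not hmac.compare_digest(
                service_secret, self._service_secret):
            raise PermissionError("bad service credential")
        return self._balances[customer]


class OnlineBankingBackend:
    """Web back end: authenticates the customer against its own store, then
    talks to the legacy system with the single service credential. The
    customer's password never reaches the legacy system, and the service
    credential never reaches the customer."""

    def __init__(self, store, legacy, service_user, service_secret):
        self._store = store
        self._legacy = legacy
        self._service_user = service_user
        self._service_secret = service_secret

    def get_balance(self, username, password):
        if not self._store.verify(username, password):
            return None  # customer-facing failure; says nothing about the back end
        return self._legacy.balance(self._service_user, self._service_secret, username)


def demo():
    # The service credential fits the assumed legacy limits; the customer
    # passphrase does not have to, because it is only ever checked at the web tier.
    service_user, service_secret = "WEBSVC", "K7Q2M9ZP"
    legacy = LegacyAccountSystem(service_user, service_secret)
    store = CustomerCredentialStore()
    backend = OnlineBankingBackend(store, legacy, service_user, service_secret)

    passphrase = "correct horse battery staple, but longer!"  # constructed sample
    registered = store.register("alice", passphrase)
    return {
        "registered": registered,
        "customer_password_len": len(passphrase),
        "balance": backend.get_balance("alice", passphrase),
        "wrong_password_balance": backend.get_balance("alice", "not the passphrase"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the customer-facing password policy is a property of the web application's own store, so a length or alphabet restriction inherited from a legacy login system has no reason to surface to customers; only the one service credential has to satisfy those limits, and it stays on the back end.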
Worse, it's probably an emulation of a Unix mainframe running the original Cobol code - with the emulator running in machine-generated JavaScript in Node.js on AWS...
"Unix mainframe" is something that never really existed; mainframes run special operating systems like z/OS. (You can run SuSE on a virtual partition under z, but not natively, and it is a recent concept.)
I signed up for a US BMO account for the sign up bonus... Man, is that bank's website bad. The version of jQuery they are using is from 2008 (1.3xx IIRC) and they give you a pop-up if you try to right click saying "right-click has been disabled for security purposes."
To be fair though, at least they offer the guarantee that if your online banking is hacked they will reimburse 100%. Though not sure how truthful it is having never needed it.
"You may be liable for all losses from unauthorized use of your Account if you:
contributed to its unauthorized use;
used a PIN combination selected from your name, telephone number, date of birth, address, or Social Insurance Number;
did not use reasonable care to safeguard your Secret ID Code;
did not keep your Secret ID Code separate from your Card;
did not comply with your reporting obligations in Section 11 of this Agreement unless there were exceptional circumstances for your failure to do so; or
shared a mobile device that you registered with us for Electronic Banking Services.
In those cases, your liability may exceed the funds in an Account, your credit limit or any daily transaction limits. In other words, your liability will not be limited by your Account balance, your credit limit or any daily transaction limits.
You must cooperate and assist in any investigation that we initiate into the unauthorized use you reported, which is a precondition to being reimbursed for any losses. This cooperation may include filing a report with law enforcement authorities."
I think I'd rather risk some money to hacks on an otherwise more secure system than look forward to whatever hellish phone support calls and hoop-jumping I expect I'd have to go through to get charges reversed.
toomanybeersies|8 years ago
tzs|8 years ago
bigiain|8 years ago
(Obligatory xkcd comic: https://xkcd.com/1926/ )
angry_octet|8 years ago
astura|8 years ago
lionelione43|8 years ago
https://i.imgur.com/O2eOwLw.jpg
Edit:
Overall seems fair enough protection.
AgentME|8 years ago
bowmessage|8 years ago
teddyfrozevelt|8 years ago