top | item 44592972


0x5FC3 | 7 months ago

User facing tech and marketing practices at banks are the worst. Every Indian bank login form I've ever had to use is

- Hostile to password managers.

- You cannot copy-paste passwords.

- Client side password hashing.

- Stupid requirements like the password cannot have more than 15 characters and even has a whitelist of character sets! (Looking at you HDFC)

- And of course, run of the mill spam

They are all stuck in the early 2000s.


vladvasiliu | 7 months ago

> cannot have more than 15 characters

That's something! My bank insists on exactly 6 numbers. Not characters, numbers.

They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.

"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!

Now, this isn't some neighborhood mom 'n' pop bank, but the biggest or second-biggest bank in France.

SoftTalker | 7 months ago

> My bank insists on exactly 6 numbers. Not characters, numbers.

When I see this kind of thing I suspect that it's a web app that's simply a proxy for some mainframe screens that were written in the 1990s (or earlier).

GuB-42 | 7 months ago

As I understand it, the thing with "click the number" codes is that it is a protection against keyloggers. The numbers are usually scrambled and when you click on one, you don't send the code but the positions of the numbers you clicked. So for someone to get your code, they need both a screen capture and the positions of the mouse clicks.

So 6 digits is low entropy, but it is compensated by a few layers of security. I don't know in practice how effective it is against passwords. I have seen it done in several banks, insurance companies, etc., including online banks. So I guess that it is not that bad. Most discourage SMS/email second factor in favor of their apps though. The physical fob is probably a hassle for them so they will try to push you to other solutions, usually an app.

jszymborski | 7 months ago

Royal Bank of Canada (at least until recently, haven't been a customer for a while) just silently truncates your password. Discovered this when I thought I saw the number of masked characters go down, and then entered my password with one less character and logged in. (This was on mobile)

thmsths | 7 months ago

I wonder if it's because they look at security more globally. Their actions probably keep lowering security for people who understand the risks and are willing to take the extra steps to protect themselves but on the other hand they probably drive up adoption of some extra security for most other folks. Or if you want to be less charitable: they were tired with dealing with support calls from a lot of tech illiterate people and decided to just sacrifice security.

sometimes_all | 7 months ago

There was some brouhaha a few weeks ago when someone posted a screenshot on reddit about an Indian public sector bank's app refusing to run because a user had installed Firefox, and according to that bank, was a "malicious app that could steal user data".

Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.

ryandrake | 7 months ago

It's insane that any rando app on your device can have access to the list of other apps installed on your device.

eldaisfish | 7 months ago

Indian banks and their websites are likely among the worst in the world. The fact that many situations require printing forms, dealing with SMS-based 2FA, multiple passwords, sometimes with different requirements… I’m not surprised that many Indians still prefer the hassle of visiting a branch.

sometimes_all | 7 months ago

The branches are worse. Staff rotates _constantly_. Most of the new ones don't know anything, including the most straightforward things people go to branches for. Almost everyone from the tellers to the branch manager is mandated to upsell/cross-sell something or other, and in the most non-transparent way possible (so that the right people get the commission). Need a bank locker? Jack up your savings account balance. Need a credit card? Get a unit-linked insurance plan, else don't waste our time. A couple of tellers will start calling random people to sell things (in direct violation of central bank rules).

0x5FC3 | 7 months ago

I assure you, dealing with the staff at the bank is a different ball game altogether.

I had to write 3 different "letters" (pen and paper) to have a phone number typo (on their part) corrected.

never_inline | 7 months ago

Indian government's websites (eg: IRCTC train booking, exam registration portals) are worse IME.

never_inline | 7 months ago

There's a certain Indian public sector banking app which won't run at all unless you give it camera, full filesystem and some other crucial permissions.

I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.

yonatan8070 | 7 months ago

Yeah, my bank requires me to reset my password every 180 days, only accepts passwords from 6 to 11 characters, and has a whitelist of valid characters. All this leads to a situation where I want to sign in, I'm then prompted to reset my password, but the autogenerated passwords from Firefox don't actually work because they are too good, so I switch to a terminal to make up a custom password to their ridiculous requirements.

ddejohn | 7 months ago

> Client side password hashing

Forgive my ignorance, but what's wrong with this one?

mnw21cam | 7 months ago

If the hashing is done on the client and then sent to the server, then the server is effectively just processing as a plaintext password. If an attacker gets hold of the server password database, then they can just connect to the server and pretend to be the client and hand it the hashed password that they read from the database breach.

If you hash the password on the server instead, then if the password database is breached, then an attacker needs to actually reverse the hash[0] and find the original password in order to log in, because that's all that the server will accept.

[0] Note, this should be difficult[1]

[1] In crypto, "difficult" should mean "impossible before the end of the universe"
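The two designs compared in the answer above, as an added example that is not code from the commenter or from any bank: one server stores and compares whatever hash the client sends, the other runs a salted, slow hash on the server before storing. `replay_succeeds` registers a user, "leaks" the stored row, and tries to log in with only the leaked value. PBKDF2 stands in for whatever password hash a real server would use, and the user name and password are constructed sample values.

```python
import hashlib
import hmac
import os


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for the server's salted, slow password hash (PBKDF2 here).
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def client_side_hash(password: bytes) -> bytes:
    # What a "client side hashing" login form sends in place of the password.
    return hashlib.sha256(password).digest()


class ClientHashOnlyServer:
    """Trusts the client to hash: stores the sent value verbatim and compares to it.
    The stored value is therefore a password-equivalent."""
    def __init__(self):
        self.db = {}
    def register(self, user: str, sent: bytes):
        self.db[user] = sent
    def login(self, user: str, sent: bytes) -> bool:
        return hmac.compare_digest(self.db[user], sent)


class ServerHashServer:
    """Hashes whatever the client sends (plain password, or a client pre-hash)
    with a per-user salt before storing and before comparing."""
    def __init__(self):
        self.db = {}
    def register(self, user: str, sent: bytes):
        salt = os.urandom(16)
        self.db[user] = (salt, slow_hash(sent, salt))
    def login(self, user: str, sent: bytes) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, slow_hash(sent, salt))


def replay_succeeds(server_cls, hash_on_client: bool) -> bool:
    """Leak the stored row and attempt login with the leaked value alone,
    i.e. without knowing the original password."""
    password = b"correct horse battery"  # constructed sample credential
    sent = client_side_hash(password) if hash_on_client else password
    srv = server_cls()
    srv.register("alice", sent)
    row = srv.db["alice"]
    leaked = row if isinstance(row, bytes) else row[1]  # attacker keeps the hash
    return srv.login("alice", leaked)
```

The third test case goes one step past the thread: hashing on the client and again on the server keeps the leaked row useless for replay while still never sending the raw password over the wire.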