What Does It Mean When Your Credit Union Goes Into Conservatorship?
Are You Ready for a Cashless Society?
Fed Holds Rates Steady - Will Deposit Rate Increases Continue?
Best Bank Account Interest Rates - Summary for August 22, 2017Billion Web Passwords Stolen by Russian Gang - Safety of Online Banking?
For those who have been worried about the safety of online banking, today’s news will only reinforce those worries. Yet another new massive data breach has been uncovered. According to this New York Times article:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
Another New York Times article provides steps for people to take to stay safe. There’s currently no information on which websites have been affected. Thus, the article recommends that people change their passwords on all websites that contain your financial or other sensitive information. The new passwords should be strong passwords that are unique to each website.
The article recommends the use of a password manager program which generates a unique password for each of your websites and stores them in a database protected by a master password that you create. Of course the danger of this is if that master password is compromised, all of your passwords will become compromised. The risk of your master password being compromised may be higher than you think. Just recently, the password management company LastPass had a potential security breach which may have affected many of its users.
So if we can’t trust software tools to simplify password management, how can we maintain strong and unique passwords for all of our bank accounts? One method of creating a strong password that continues to be recommended is described by the security expert Bruce Schneier at his website:
Combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password.
This is one example he provides (Note, never use public examples for your passwords).
WIw7,mstmsritt = When I was seven, my sister threw my stuffed rabbit in the toilet.
The problem I have is when websites force us to change passwords after a certain period of time. Some banks force changes every 90 days or less. It’s not easy to think of new memorable sentences. It’s interesting to note that Schneier disagrees with the usefulness of regularly changing passwords:
Don't bother updating your password regularly. Sites that require 90-day—or whatever—password upgrades do more harm than good. Unless you think your password might be compromised, don't change it.
Unfortunately, we don’t have a choice in this matter for several banks. They require you to change your password after a certain period of time in order to get access to your account. Many also require that the new password be substantially different than the last few passwords.
Finally, Schneier recommends using any two-factor authentication that your websites offer. Most banks now offer this. An example is a login process that requires that you receive a text or email with a code. That code must then be entered during login in addition to your user name and password. You can typically configure this type of two-factor authentication to only request the additional code when you’re logging in from a different computer.
If you are one of those who still worry about online banking, you should not let today’s news scare you. Online banking has many benefits for consumers. By taking some reasonable precautions, you can keep banking online with very little risk of losing any of your money due to fraud.
Thanks to DA member Pearlbrown for first reporting on this news and NYT articles in the forum.
Two-step login is much better than changing passwords.
It's all about staying one step ahead of the hackers....that is very challenging.
Our password is intercepted when it leaves the password server to match the entered password at the bank site. That is the weakest point for passwords, not the passwords by themselves.
Unless that is addressed, this hacking will continue for long time.
The passwords and user names are stored at secure sites, but eventually they have to be matched with our online entry, that is the weakest point for now.
Prepare for more hackings in future. I will not change my passwords, it will not help at all because they are being intercepted on a minute by minute bases or every time you log on with a new password or not.
1. Some of the major U.S. brokerages are now making available so-called security tokens for their customers to use as part of the log-on process. It's a little, battery powered keychain device that generates a unique 6-digit code every time you press its button. In order to log-in, you have to enter your regular ID, password and then add the 6 digit code onto the end of your regular password. Thus, even if someone hacked your ID and password, they'd never be able to access your account because they'd never be able to know the 6-digit security code, which is different every time you press its button.
2. Some of the non U.S. banks I deal with have taken to requiring the use of mobile phone delivered One Time Passwords (OTP) in order to confirm any online transactions. So you still log in with a regular ID and password as usual. But in order to do any transactions like transferring money or paying a bill, etc, the bank's system sends a code to you mobile phone via SMS, and you have to enter the correct SMS code in order for the transaction to proceed. And of course, the codes are random and also change every time.
Both approaches are a hassle to some extent. You have to have the keychain token with you in order to access your accounts, and likewise have to have a mobile phone available to receive SMSs. But at least with those two systems, I don't have to worry too much when I read articles like the one above.