5

A bank that I use stores my password in cleartext or perhaps using reversible encryption, which is just as bad.

I know this because when you click "Forgot your password?" (or similar) link, it sends you an email with your password in cleartext. (Gave me quite a shock.)

Are there regulations against this? Any other feedback or advice would also be appreciated.

EDIT: I'm located in Michigan, USA.

user606723
  • Related: [Is my bank storing my password in plain text?](http://security.stackexchange.com/questions/10938/is-my-bank-storing-my-password-in-plain-text) [How secure is asking for specific characters of passwords instead of the entire thing?](http://security.stackexchange.com/questions/7467/how-secure-is-asking-for-specific-characters-of-passwords-instead-of-the-entire) – Gilles 'SO- stop being evil' Aug 01 '12 at 17:56
  • 2
    I'll put it this way, the banks wrote the regulations... – ewanm89 Aug 01 '12 at 18:40

3 Answers

6

This practice is horribly insecure, and unfortunately way too frequent. As acoolguy said, you can write direct complaints to the bank and your financial ombudsman, but you'll usually end up howling into the wind.

If the bank has dealings with payment processing companies such as Visa or Mastercard, you could try contacting them. Often, they have strict rules (e.g. PCI-DSS) about what banks are allowed to do. Whilst it's unlikely that you'll be able to directly get them to fix the problem, informing the payment processors usually starts an official investigation that could end up being extremely embarrassing for the bank.

Sadly, the only sure-fire way to get them to fix it is to go as public as possible. Make it a PR nightmare for them. Shame them on Plaintext Offenders. Get on Twitter, get on Facebook, and let people know what they're doing, and why it's bad. If you can get enough people to complain, you can actually make a difference. That's what Troy Hunt and I have been doing with Tesco recently, and it's proven to be reasonably successful.

I wish you the best of luck.

Polynomial
  • 1
    PCI-DSS strictly says (8.4): "Render all passwords unreadable during transmission and storage on all system components using strong cryptography." – Andrei Botalov Aug 01 '12 at 19:29
  • 1
    @AndreyBotalov Yes, but PCI-DSS is a contract between two organisations. It's not the law. Violating it violates the terms of the contract, but it doesn't leave the consumer with any means of directly penalising the offending party. The worst you can do is inform associated companies that the bank is violating PCI-DSS. – Polynomial Aug 01 '12 at 19:35
  • @AndreyBotalov "Render all passwords unreadable during transmission and storage on all system components using strong cryptography." This allows passwords to be stored encrypted and decrypted only in memory. – curiousguy Aug 01 '12 at 19:45
  • @curiousguy If I remember correctly, there is a rule in PCI-DSSv2 that says that long-term passwords that protect access to financial information must be rendered irreversibly unreadable. – Polynomial Aug 01 '12 at 19:46
  • @Polynomial I don't see such a rule here - https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf – Andrei Botalov Aug 01 '12 at 19:49
  • 2
    @AndreyBotalov Hmm, neither do I... I think my sleep deprived state is making me hallucinate new security policies! – Polynomial Aug 01 '12 at 19:51
3

It is certainly a very bad practice on the bank's part. You can write an email to the banking ombudsman in your country asking for clarification on this issue. In your email, copy the customer service department of the said bank. These laws differ in every country, so it is hard to answer your question.

Just make sure that before making it public, i.e. posting on Facebook or writing to newspapers, you withdraw all your money from that bank....I guess you don't want to invite attacks on the bank's network where you save your money :P

acoolguy
0

Let me point you to the answer I got on @programmers, which answers my own very similar question.

In this question I was asking whether the fact that my bank uses the same password (the one I use for login) to password-protect PDFs generated at the end of each month means that they're storing this password in plaintext in the database.

In general, I was advised that this doesn't have to mean that. In my opinion, this is good supplemental reading to all the answers you've got. Maybe the same thing happens in your situation? Maybe the fact that you got your password printed in clear in your e-mail doesn't actually mean that it is stored in plaintext in the database.

Please treat this answer as an addition. I'm not a security specialist; I'm only relaying answers that someone else wrote for me.

trejder
  • 3
    "_Maybe, the fact that you got your password clearly printed in your e-mail, doesn't actually means, that it is stored plain-text in database._" the OP did not say the bank has the password in plaintext somewhere on mass storage. The disk can be encrypted. The database column can be encrypted. But **the bank stores the password in plaintext equivalent form: the bank is capable of finding the password using the data is has, without waiting for the user to login**. This is the definition of "plaintext equivalent". – curiousguy Aug 05 '12 at 19:12
  • @curiousguy Yeap, that makes sense to me now! :] Thank you... – trejder Nov 07 '13 at 13:17
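To make the "plaintext equivalent" distinction from the comments concrete, here is an added example (not code from any answer above, and not any bank's system) of how a login and "Forgot your password?" flow looks when the server never holds anything it could decrypt back to the password: it keeps only a salted PBKDF2 hash, and the reset e-mail carries a short-lived one-time token instead of the password. The in-memory `USERS` table and the `alice` account are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-in for the user table (a real system uses a database).
USERS = {}
PBKDF2_ROUNDS = 200_000


def set_password(username, password):
    """Store only a salted PBKDF2-HMAC-SHA256 digest. There is no key that turns
    this back into the password, so the server cannot e-mail it to anyone."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest, "reset": None}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison


def issue_reset_token(username, now=None, ttl=900):
    """What a 'Forgot your password?' mail should carry: a random single-use token
    with a 15-minute lifetime. Only its hash is stored, so a copy of the database
    does not hand out usable reset links either."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + ttl,
    }
    return token  # this value goes into the e-mail link, nothing else


def redeem_reset_token(username, token, new_password, now=None):
    """Accept the token once, before expiry, then replace the stored hash."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    pending = rec["reset"] if rec else None
    if pending is None or now > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    set_password(username, new_password)  # also clears the pending token (single use)
    return True
```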