Questions tagged [banks]

Use for questions about security practices used by banks and other financial institutions.

220 questions
13
votes
2 answers

not allowing pasting of bank account number

One of my credit card's bill paying site has an incredibly annoying limitation... it does not allow the user to paste in the bank routing and account number. Therefore, every month I am forced to manually type these numbers in (twice!). I have…
SplashHit
  • 253
  • 2
  • 7
13
votes
2 answers

What does banking etc. server room protection look like? What happens if it fails?

Given that information security is derived from physical security, as evidenced by this theft, I'm curious as to what protection surrounds my bank account? There are two main avenues I'm interested in. Physical security, e.g. locked doors, fences,…
Ian Newson
  • 257
  • 1
  • 8
11
votes
1 answer

Best Practices for Security Questions

When a website asks me to enter security questions in addition to a password what is best practice on my part? This often happens with banks and other institutions but I see it less with other websites. Should I choose the most obscure questions…
Fernando
  • 705
  • 5
  • 17
11
votes
4 answers

Why should we prevent users from saving their passwords in their password manager?

I understand there are a few other controls, like 2FA, for making transactions in many bank account websites, while users are only required to enter a username and password to access the account. I noticed that I can save my password in my LastPass password…
Filipon
  • 1,204
  • 10
  • 22
11
votes
3 answers

How to calculate our application security debt?

Application security debt has some similarities to technical debt but there are few differences that we need to think about when deciding if our security debt load has gotten too high and needs to be paid off. I would like to know how to calculate…
Filipon
  • 1,204
  • 10
  • 22
10
votes
2 answers

Is SWIFT (banking) Software Architecture Secure?

With all the news about hacking banks and stealing money from banks over SWIFT, while the vulnerabilities weren't directly related to SWIFT, some questions arise: Are software components of the SWIFT network certified by any external…
Silverfox
  • 3,369
  • 2
  • 19
  • 39
9
votes
6 answers

What methods can be used to prevent mistyped usernames?

I wanted to log on to my account on my bank's website. The account is protected by a number of security checks. The first one is what really amounts to a username, a confidential one. It's an 8-digit numeric passcode (given to me by the bank), after…
ymar
  • 205
  • 1
  • 6
9
votes
7 answers

Why do banking websites always log you out after inactivity?

It seems that every single banking & financial website that I have used logs me out after a certain period of time. Are there legal requirements or technical reasons for financial sites to do this? Or is this just their form of "security" to…
mkopala
  • 217
  • 1
  • 2
  • 5
9
votes
4 answers

Offline brute-forcing of a bank card PIN

I may be neglecting a crucial fact here, but putting the following together leads me to believe it is dead-easy to determine a bank card's PIN using the most basic hardware available to everyone (I speak for my country in what follows): Each bank…
rubenvb
  • 213
  • 2
  • 7
9
votes
3 answers

Bank forces me to use six character alphanumeric password

My bank (it's Westpac, one of the big ones in Australia) has some strange restrictions on passwords. They're maximum 6 characters in length and it must contain only characters A-Z and digits 0-9, and there's no case sensitivity. I'm used to using…
wim
  • 623
  • 1
  • 5
  • 18
9
votes
2 answers

Is Plaid safe if I change the password after deposit?

Many services, like Coinbase or Robinhood, use Plaid to deposit money from Bank. I understand that Plaid stores my login and password, somewhere... somehow... who really knows. A lot of people complain about that. So I have an idea, but it's so…
Ish Thomas
  • 191
  • 1
  • 1
  • 2
9
votes
1 answer

PSD2 compliant two factor authentication

According to PSD2 the elements of the multi-factor authentication must be independent so the compromise of one element does not compromise the other. Here is the article from the directive: *Article 9 Independence of the elements, Payment service…
9
votes
2 answers

Does the use of a smartphone's Secure Element really offer security benefits to a banking app?

My bank's Android application allows users to perform financial transactions without the use of the physical token generator (which requires an ATM card to be inserted and a valid PIN to be provided) one would normally require when using the bank's…
AardvarkSoup
  • 577
  • 2
  • 10
8
votes
7 answers

How safe/secure are banking applications on Android phones?

I have a mobile banking application installed on my phone which allows me to pay for things, transfer money using my phone from my account to another etc. How safe or unsafe is this application? For example, what are the chances that I could get…
oshirowanen
  • 705
  • 3
  • 10
  • 21
8
votes
4 answers

How can my bank debit card reader know that my pin is valid?

"Why do ATMs accept any PIN?" states that the ATM does not know my pin and the pin is not on the card as well. My bank has this system: It works in 5 stages: I enter my debit card number on the website; The website gives me an 8 digit code to enter…
Nzall
  • 7,313
  • 6
  • 29
  • 45