
What about your passwords to your real-life bank accounts?

Your bank has ways to make that more secure. If someone logs into your account from a strange IP (e.g. different country from the bank and customer), if someone tries to transfer money online, you might need to enter another password (which they might not have), or it might be based on a fob that generates a code. If you do manage to transfer money to your account, they can now follow the money to find out where you are and arrest you.

BitCoin stealing doesn't have any of these drawbacks, so it is probably a much more tempting target.




Bank accounts usually limit online transfer destinations and amounts. So password secrecy is not the sole defense, and even total ownership of an accountholder's computer is not quite 'game over' for their balances, as it is with a bitcoin wallet.

There was actually a high-profile incident not too long ago with one of the big banks' online banking system. Users could view other people's account information just by incrementing an integer in the URL as I recall. It's not necessarily so much that banks are secure, but hacking them is much riskier than hacking Bitcoin sites, especially for white-hats.

It seems to me that if you hack a bank and get it to put money into an account that is not rightly yours, or get access to an account that is not rightly yours, you need to do something with the funds before the error is caught that can neither be reversed nor traced. And there are lots of limits on activity that looks like you are doing this. With Bitcoin you just transfer it to a new wallet and you buy yourself all the time in the world to do this.

Bank accounts require identification and bank transactions have paper trails. Additionally, international transactions have a lot of delays built in. Robbing a bank is probably safer than hacking one.

The following scenario is unlikely with my regular banking account:

A ransomware victim accidentally transfers 10 million dollars in Bitcoin to my account and the next day the ransomware actors show up armed and dangerous at my house demanding that I transfer it to their bank account.


If someone has hacked into your bank, you have bigger problems than the hackers knowing your password.

Online banking is largely a read-only proposition. It's mostly for reading account activity. Some of the more forward-looking banks will even let you initiate ACH transfers, but generally sending money to a new recipient triggers a 2FA prompt (debit card number prompt, phone call, text) and several secondary notifications, with several days to say "that wasn't me" before the money is gone.

I wouldn't voluntarily post my bank account credentials on the internet, but at the end of the day, the security of an online banking account just doesn't matter very much.

The security of the transaction mechanisms do, sure, but that's got little to do with online banking passwords.


And if they get hacked and my password is abused to steal money from my account, will my bank cover the liability? I doubt it - I gave my password away. I assume it's like a stolen ATM PIN, I eat the loss. No thanks.

>2FA is extraordinarily relevant when it comes to theft with regard to online banking

If theft through online banking even exists, it's at such a low volume as to be irrelevant. Most online banking interfaces are a read-only view of recent transactions. Some provide the ability to transfer funds between your own linked accounts at the same bank. Fewer still provide bill pay for a specific set of partner institutions, and a tiny proportion of the most technologically sophisticated banks provide the ability to transfer money to any arbitrary person. When they do, adding a new payee is loud (sends a bunch of notifications) and requires SMS verification and/or digits off your debit card. The transfer is loud and takes several days to actually happen (so you can cancel it), and is limited to a couple thousand dollars at most. This is a fringe thing that a handful of people use occasionally. Most peer-to-peer transfers are going to happen through Venmo, which piggy-backs off a debit card, or through paper checks. Most online bill pay is going to happen by giving the biller your account and routing number.

The largest vector by far for stealing from a bank account is capturing a debit card number in some legitimate transaction, and reusing it to make fraudulent transactions. The strength of the communication channel between payer's bank and payer is irrelevant, because you don't get to weigh in on debit card transactions (or checks) against your account. They just happen, and then you can dispute them later.
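The controls this comment describes (new payees are loud and need step-up verification, external transfers are capped and held for days so the customer can cancel, transfers between one's own accounts go through immediately) are easy to model as a small authorization policy. The following is an added illustration, not code from any bank or from this thread; the limit, hold period and account values are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy parameters (assumptions, not any specific bank's rules)
EXTERNAL_LIMIT = 2000.00   # per-transfer cap to outside payees
HOLD_DAYS = 3              # cancel window before an external transfer settles

@dataclass
class Account:
    owner: str
    balance: float
    known_payees: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # id -> (payee, amount, release)
    notifications: list = field(default_factory=list)
    next_id: int = 1

    def available(self):
        # Held external transfers are reserved until they settle or are cancelled.
        return self.balance - sum(a for _, a, _ in self.pending.values())

@dataclass
class TransferRequest:
    payee: str
    amount: float
    step_up_verified: bool = False   # SMS code or debit-card digits supplied
    internal: bool = False           # between the owner's own linked accounts

def evaluate_transfer(acct, req, now):
    """Return (decision, release_time). Decisions: 'executed', 'held', 'denied'."""
    if req.amount <= 0 or req.amount > acct.available():
        return ("denied", None)
    if req.internal:
        # Moving money between the customer's own accounts: immediate, no step-up.
        acct.balance -= req.amount
        acct.notifications.append(f"internal transfer {req.amount:.2f}")
        return ("executed", now)
    if req.amount > EXTERNAL_LIMIT:
        return ("denied", None)
    if req.payee not in acct.known_payees:
        # Adding a payee is "loud": it always notifies, and it needs step-up auth.
        acct.notifications.append(f"new payee attempted: {req.payee}")
        if not req.step_up_verified:
            return ("denied", None)
        acct.known_payees.add(req.payee)
    release = now + timedelta(days=HOLD_DAYS)
    tid, acct.next_id = acct.next_id, acct.next_id + 1
    acct.pending[tid] = (req.payee, req.amount, release)
    acct.notifications.append(f"transfer #{tid} of {req.amount:.2f} to {req.payee} settles {release:%Y-%m-%d}")
    return ("held", release)

def cancel_pending(acct, tid):
    # Customer cancels a held transfer inside the hold window ("that wasn't me").
    return acct.pending.pop(tid, None) is not None
```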


If a bank allowed people to log in to their bank account and make transfers based on only email+password and someone stole money from a bunch of accounts, would the bank face any criminal liability?

I don't know the answer, but I would say your DNA sequence should be secured similarly to your bank account.


> If you accessed your bank account on a public computer, and then left without logging out, would it be okay for someone to then transfer money to their account and keep it? No hacking was involved. No security was breached.

That's not hacking, but it is theft. How about this: If you accessed your bank account on a public computer, and then left without logging out, would it be okay for someone to glance at the screen, see your account balances, and log you out?


Why? The compliance requirements don't require hashing (iirc, "commercially reasonable" protection is/was the standard), so you should assume that any other bank is doing the same thing, as they probably are.

All that is needed to steal your money is the bank account number, which you probably have mailed out or otherwise provided to numerous random third parties, who process them with other third parties. There's almost no information in there that isn't already available to anyone who cares to look.

A more reasonable approach that actually impacts your security would be:

- Opt-out of electronic communication and get paper statements and account notifications. (This ensures that you receive notice, in the mail, about changes of address and other changes)

- Opt-in to notifications about large transfers or low balances.

- Disable Bill Pay features at the bank.

- Disable external ACH transfers.

- Request wire transfer privileges, which with some banks allows you to get a physical token to secure access to your account.

- Use a dedicated PC/iPad/Chromebook/etc for your banking to reduce the risk of malware capturing your banking details.

If you're going to switch banks over this, look for a credit union small enough that they use an off-the-shelf banking solution, and figure out what the default configuration of the solution is.


If the passwords are stored somewhere that's easier to access than your real target at the bank, then cracking the passwords might be helpful... I totally agree with your recommendations, but bank password storage/complexity definitely could be important.

If an attacker got hold of a large number of bank account user logins, I'm not sure what they'd do. My bank doesn't provide a feature to quickly transfer cash from the website... Several hundred large billpay changes would show up and be easy to cancel... Perhaps they'd just gather personal info useful to a social engineering attack...


Quick question: What would an attacker gain from getting into your bank account?

From mine (French big bank), they could be annoying (asking the bank to close accounts, ordering new checkbooks, getting all kinds of information on past transactions, wiring money between my accounts), but I can't see how one would effectively leverage that.

I mean, an attacker's goal would be to draw money in some way; all money wirings to external bank accounts are protected by a code (SMS or in-app verification), with a 24h delay between the time one enters a destination account and the actual wiring.

Is that any different with other banks? Is an attacker able to effectively draw money as soon as they get access to the account?


For anyone in the US, if I have your bank account number, I can steal your money. I strongly advise you not to share your account number with me or anyone else. I have to commit fraud in order to steal your money, making it a crime, but stealing's a crime in the first place, so that's not going to deter thieves.

How do you know that I won't steal funds from your account?

Do you simply trust that I won't, and that your bank trusts me not to do so?

I suppose the question is, what's stopping me? Trust or security?


I don't know your bank, but in my case (Barclays) as mentioned above, I'd think their tellers or credit card authorization would both be a weaker spot for attacks than their online banking.

They don't only let you log in with two characters from your password like that; you also need a passcode or a one time pad generated with a chip and PIN reader, and for transfers to accounts you haven't previously transferred money to and indicated you want to save for future use, you also need to enter your PIN, amount and target account into the reader to get a code to enter into online banking to do the transfer.


Many US bank websites have so few features I'm not even sure what hacking mine could get someone. They can transfer from my checking to my savings account?

To me this feels like concern without regard for the full differences. With bank accounts you usually have the restriction of "as many accounts as you can afford" where with bitcoin addresses you can have countless. So someone could just as easily watch you drive up to the bank and know you bank there. Keep your private addresses private, duh.
