
If you're over 80 years old and don't do online banking, but are convinced by someone calling "from the FBI" that your account is in danger, Wells Fargo will happily try multiple times to transfer your life's savings to multiple different Bitcoin bank accounts (the first few closed for fraud and funds returned) over more than a week and several visits, then open a new credit card and transfer the maximum cash advance electronically as you read the newly issued password out to someone on the phone in their presence, and never mention there's a danger in doing this or question your decisions, until all your money is gone.

How do I know? If you happen to have been a school teacher for 50 of those years, you keep excellent handwritten notes of the events that make your relatives sick to their stomachs.




Possibly a variant on the old "You need to update your Wells Fargo (or wherever) account information" scam. They blast it out to a zillion people at random, many of whom don't even have accounts at Wells Fargo. That doesn't matter -- many of them do. And of those who do, some will be naive enough to follow the link and hand over their credentials.

The following scenario is unlikely with my regular banking account:

A ransomware victim accidentally transfers 10 million dollars in Bitcoin to my account and the next day the ransomware actors show up armed and dangerous to my house demanding that I transfer it to their bank account.


I have bad news for you. I don't know what bank you use, but I know this: your bank has huge exploits that increase your chance for identity theft.

I haven't tried to see if they've updated their requirements to be more secure, but Wells Fargo is 14 characters.

I don't mean to be harsh, but the fact that you're even asking for banking credentials means I want nothing to do with your service, and I feel like actually shouting loudly to everyone I know not to use it either.

There have been far too many shady Bitcoin related hacks/frauds/incidents for this to be something that you should even be encouraging. What protection do your customers have if you do get hacked?


Really? Wells Fargo isn't mining my search history using a black-box algorithm to decide without transparency whether to close my account or decline a transaction because I might have become a risk of some sort.

Not that they would ever do such a thing.


Thirty minutes ago I closed my account with Wells Fargo because of their lack of security. Last month, they called to validate my identity. I called back, they asked for my mother's maiden name.

Me: "Since that information is on Facebook, I use a big random string starting.."

Them: "That's good enough, so what we want to talk about is.."

Then when I went into the local branch, the receptionist wanted to swipe my debit card in their tablet to add me to the line. Forget that, I'm out.


I complained to Wells Fargo last year that they shouldn't be storing user passwords. Their response was to not worry about it because they are the ones responsible for fraud.

A few years ago I discovered that the Wells Fargo website would log you in by typing the correct password and some additional n characters after the password. I reported it to the security group and that still worked until I stopped banking with them a year or so later.

The amazing thing is with Wells Fargo that if you have a RSA SecurID 2FA FOB for access to your bank accounts, and you have a phone number configured for the account, you can use EITHER the 2FA RSA one-time pin, OR SMS verification to log into your bank account web page.

I mean this is a bank, are these guys for real?


> Giving your online account credentials to access your banking information is complete madness. It's a giant security risk

Is it? My bank requires multi-factor confirmation to set up a new payee for electronic transfers and sends several emails for any transfer. You couldn't actually steal any money just by having online banking credentials.


Given the appalling lack of basic security across many of the Bitcoin services there is no way on earth I would be trusting them with bank account details.

What about your passwords to your real-life bank accounts?

Your bank has ways to make that more secure. If someone logs into your account from a strange IP (e.g. different country from the bank and customer), if someone tries to transfer money online, you might need to enter another password (which they might not have), or it might be based on a fob that generates a code. If you do manage to transfer money to your account, they can now follow the money to find out where you are and arrest you.

Bitcoin stealing doesn't have any of these drawbacks, so is probably a much more tempting target.


This is oh so true. Wtf are you giving out your bank history and info to a website? If they get hacked…lol oh shit. (let the downvotes commence)

Exactly!

We had some money fraudulently withdrawn from our Wells Fargo checking account and though we got it back, I had a bunch of questions about bank security. My bank manager arranged a phone call from somebody on the inside to me. I pressed her about their password length restriction saying that as long as they are hashing the password, length doesn't practically matter. The fact that length is limited to a small number of characters makes me think they are storing the clear password in a database. The response was basically don't worry about it because you aren't responsible for fraud.
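Added example, not part of any comment in this thread and not any bank's code: two comments above describe a login that accepted the correct password followed by extra characters, and the argument that a hashed password makes a length limit unnecessary. The sketch below assumes silent truncation as one behaviour that would produce that symptom, and uses PBKDF2 with a constructed password, a sample 14-character limit and an assumed iteration count to show that a verifier hashing the full input rejects the padded password while the stored digest stays the same size for any length.

```python
import hashlib
import hmac
import os

MAX_LEN = 14          # sample limit, the figure one comment quotes
ITERATIONS = 100_000  # assumed work factor for this demo


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: output is 32 bytes whatever the input length.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password: str, truncate: bool) -> tuple:
    """Store (salt, digest); the truncating variant cuts input to MAX_LEN."""
    if truncate:
        password = password[:MAX_LEN]
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def verify(candidate: str, record: tuple, truncate: bool) -> bool:
    salt, digest = record
    if truncate:
        candidate = candidate[:MAX_LEN]  # silently drops trailing characters
    return hmac.compare_digest(_kdf(candidate, salt), digest)


def demo() -> dict:
    password = "correct-horse!"  # constructed sample, exactly 14 characters
    padded = password + "XYZ"    # correct password plus extra characters
    trunc = enroll(password, truncate=True)
    full = enroll(password, truncate=False)
    long_rec = enroll("x" * 200, truncate=False)
    return {
        "truncating_accepts_padded": verify(padded, trunc, truncate=True),
        "full_accepts_padded": verify(padded, full, truncate=False),
        "full_accepts_exact": verify(password, full, truncate=False),
        "digest_len_14_chars": len(full[1]),
        "digest_len_200_chars": len(long_rec[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```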


There was actually a high-profile incident not too long ago with one of the big banks' online banking system. Users could view other people's account information just by incrementing an integer in the URL as I recall. It's not necessarily so much that banks are secure, but hacking them is much riskier than hacking Bitcoin sites, especially for white-hats.

Even Wells Fargo did/does this as well, and limited password length. At least when I still had an account with them.

And it's particularly effective because some banks apparently do exactly this. This would be reason to move to a different bank. These banks encourage behaviour that rewards phishing.

> usually takes a few seconds to arrive in the destination account

This also means that whoever takes over your account, can send the money out and cash it in very fast.

This of course would never happen to me or you, but happened to a relative of mine who got a call from "their bank security" and then were directed to install a "security check app" (remote control tool), and change their password in the banking app. The thieves then got off with money that they transferred out in a matter of seconds, with no recourse.
