• laxsill@infosec.pub
    link
    fedilink
    arrow-up
    130
    ·
    1 year ago

    Their policy should just be to reset the password immediately and have the user set a new one. This is one hell of a risk.

    • Z4rK@lemmy.world
      link
      fedilink
      English
      arrow-up
      42
      ·
      1 year ago

      I still can’t believe American banks lets you login with just username / password? Surely there is some id check or at least two factors involved?

      • icanwatermyplants@reddthat.com
        link
        fedilink
        arrow-up
        33
        ·
        edit-2
        1 year ago

        Nope, several years ago someone complained that their steam account has better protection then their bank account. We’re now in 2023 and that statement still holds. It’s quite scary really. Bank websites that heavily rely on third party scripts ,“MFA” logins based on something you know and something you know. Account verification question based on code words or security questions based on public information. Worst of all, the ignorance of it all. “We got hacked, here have a identity protection bandage, comes with an automatic subscription after several years”.

      • laxsill@infosec.pub
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        Yeah I’m European end my job in accounting makes me have to work with American banks regularly. So let’s just say my expectations on American banks are quite low.

        • lulztard@reddthat.com
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Wait, American banks don’t go with extra authentication? I couldn’t log in anywhere without SMS or additional apps or whatever. Depending on your bank you might even have to go through three different stages of authentication. Over the pond you just go username / password?

          • Madison420@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            They do. It’s not as stout as basically anywhere else but 2fa is and has been a thing here for quite some time and specifically as long as I’ve banked Mobile ACC that’s gotta be 5 years+.

            I’m honestly not sure where this whole comment chain is coming from , I guess people don’t just ask and instead assume it’s not offered. I dunno it’s a very weird argument to me since my bank has always had 2fa and alllows third party geolocating 3fa.

      • slackassassin@sh.itjust.works
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        They don’t, and there is, but you would still suggest removing the user name and password from a social media post anyway. Right?

    • XTornado@lemmy.ml
      link
      fedilink
      arrow-up
      11
      ·
      edit-2
      1 year ago

      That would imply they have to test that the credentials are correct though.

      Otherwise I can just put somebody’s user and put some fake password and they would reset it and disconnect the account of that user and annoy him.

    • CJOtheReal@ani.social
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      But the username is still public, you can change the password but if your customer is idiotic enough to blast both out into the internet, the password will just get a 1 or ! After the password they used before…