On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer <k...@adopenstatic.com> wrote:
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: For your reading pleasure
>
>>> AND most bank passwords are case-insensitive, to make things worse.
>>
>> And won't let you put in spaces or other punctuation, either.
>>
>> I detect a complete absence of cognition on the part of the designers of
>> these systems.
>>
>> Kurt
>
> Really?
Yes.

> We're the only ones here that read web pages about security best practices,
> or attend events or read books?

No, but some of those banks have certainly missed the boat - the ones that don't allow long passwords or non-alphanumeric characters in their web passwords for sure, and probably even a few who have covered those bases.

> The IT guys at banks never went to Uni, are all ignoramuses and banks have
> never hired a security officer or architect ever?

Going to Uni != intelligence, nor does having the title of security officer or architect.

> By all means, keep up pressure on organisations to lift their game. But I
> think it's grossly unfair to impugn people personally for this issue, and
> particularly for the offence you have listed.

I don't. If we don't call them on their $#!+, they won't change. Whether it's the IT staff or the executives, someone in the org is mal/mis/non-feasant, and I don't care at which level it happened.

> From what I can gather most people on this list work in small environments,
> and mostly for non-commercial organisations - the types of places where IT is
> relatively simple and there aren't a lot of constraints, interoperability or
> legacy systems to work with.

And the budgets are far smaller. Larger institutions should plan out their web presence before launch, and it's painfully obvious that some haven't.

> In any case, having worked in three different countries to date, my personal
> experience of banking is that:
> a) some banks implement additional password systems, to complement whatever
> their legacy system is. This could take the form of an additional logon after
> your main logon. This would allow a bank to implement a new, up-to-date, user
> authentication system to sit next to their legacy one

And some don't.

> b) some banks implement 2FA: every bank in Singapore (for example) issues
> tokens to customers and also provides the option for SMS based one-time PINs

And some don't.
> I strongly believe that IT in banks (at least in the developed world) are
> just as, or far more aware, of threats than we are.

Sometimes yes, but on the evidence, sometimes no. It's why I left my most recent credit union for a better one, with stronger login security for their web presence. I didn't want their problem to be my problem. I also know that some banks are no better.

Kurt