Stop refunding victims of online fraud, police chief tells banks

Comments

  • ryan121
    ryan121 Posts: 209 Forumite
    Part of the Furniture 100 Posts
    As Santander are a bank I imagine they use the most secure method of storing a password through salted hashes. Even if someone stole their database of passwords it would just look like a random mix of letters which would be useless to a criminal.

    Usernames and passwords are inherently insecure, it's the two factor authentication that really protects you.
  • magpiecottage
    magpiecottage Posts: 9,241 Forumite
    1,000 Posts Combo Breaker
    I remember the late Sir Denis Thatcher saying it is better to keep your mouth shut and look a fool than to open it and remove all possible doubt.

    Sir Bernard seems to have demonstrated this failing, as a senior Police officer, to recognise that legislation forces banks to reimburse any payment that was not authorised by the customer.
  • JuicyJesus
    JuicyJesus Posts: 3,832 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Sir Bernard seems to have demonstrated this failing, as a senior Police officer, to recognise that legislation forces banks to reimburse any payment that was not authorised by the customer.

    And, as it damn well should. There is an excellent reason for banks to refund customers (not all customers who claim fraud without exception and without investigation, obviously...), that reason being that knowing your money is safe from fraudulent activity increases confidence in the banking system. If fraudsters swipe your money, and it isn't your fault, you should and will be compensated. Anything else and you're basically saying that having a bank account is a free for all. It is in the interest of the banks for them to protect their customers from fraud - in the financial sense of it saves them money in the long run, and in the non-financial sense that if people can't entrust their money to the banking system the whole thing collapses.

    Of course I think what Sir Bernard meant is that if someone is grossly negligent (i.e. they give their security details to a third party, or receive a phone call pretending to be their bank and send all their money to a sort code and account number they're given over the phone) then banks shouldn't refund. What I'm wondering is why he thinks that's at all an original thought, because if someone is grossly negligent in that manner then banks don't (usually) refund them anyway - as well they shouldn't.
    urs sinserly,
    ~~joosy jeezus~~
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    ryan121 wrote: »
    As Santander are a bank I imagine they use the most secure method of storing a password through salted hashes. Even if someone stole their database of passwords it would just look like a random mix of letters which would be useless to a criminal.
    That is not the most secure method and massive data thefts have occurred from systems using that method when those taking the data also took the salt information.

    For non-technical people, a salt is an extra bit of random information that is combined with the password to make it harder to get at, by blocking the use of big tables that just go from the hashed value to the original one; these are called rainbow tables.
  • ryan121
    ryan121 Posts: 209 Forumite
    Part of the Furniture 100 Posts
    You probably know more than me but from what I understand even if someone were to obtain the database it would be near impossible for them to obtain people's passwords.

    There have been database thefts before as you say but those sites have usually not hashed the passwords for example.

    Even if someone were to steal a bank's database of login information it's likely they would become aware very quickly and force users to reset their password.

    I use lastpass and this is what they say:
    We enter the Username and Master Password into one way functions to create a salted hash. Since the function is one-way, even if someone were to get a hold of the salted hash, they would not obtain the Master Password.
  • grumbler
    grumbler Posts: 58,629 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 27 March 2016 at 12:19AM
    :rotfl:Do MSE ever look back at what they publish?!


    ETA: Will MSE ever grasp a simple fact that quotation marks are normally used in pairs (sets of two)?
    In the article there are 9 opening marks and only 2 closing.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 25 March 2016 at 10:23PM
    ryan121 wrote: »
    You probably know more than me
    I used to work as a database administrator and as one of the roots of a far busier place than MSE, and today one of my responsibilities is reviewing some of the security aspects of a widely used piece of database server software. I'm not a security expert but I'm fairly well informed.
    ryan121 wrote: »
    from what I understand even if someone were to obtain the database it would be near impossible for them to obtain people's passwords.
    If that is all they get it's right. But it is not right if they also get the salt.
    ryan121 wrote: »
    There have been database thefts before as you say but those sites have usually not hashed the passwords for example.
    That's one of the easier mistakes and one vulnerable area because of SQL injection attacks which reveal what is stored in the database. At least part of a salt is not stored in at least that database and that means that the salt isn't taken along with the data in this case, so the data is protected still.

    The salt can get taken as well when someone manages to get access directly to the servers, not just to the database. That is a different attack, and the SQL injection attacks tend to be easier.
    ryan121 wrote: »
    I use lastpass and this is what they say:
    That is true. Now ask them what happens if someone gets the hashed value, the salt and the method used to combine salt and password. The master password may still be safe because they may store only part of the hash.

    But what about the other passwords where they do have to store the whole password? One possible answer there is to store some of the information on the client computer, not on their system at all. Catch there is that if the user loses that computer they have potentially lost their stored passwords.

    I think that the LastPass people are very capable and have probably protected against likely attacks.
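
An added example (not code from the thread, LastPass or any bank) illustrating the two points jamesd makes above: a per-user random salt defeats precomputed lookup tables, because two users with the same password no longer share a stored hash, but the salt is not a secret, so once an attacker holds the hash, the salt and the method, the only remaining defence is how expensive each guess is. The code uses Python's standard `hashlib.pbkdf2_hmac` with a constructed in-memory user table; the usernames, passwords and word list are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> {salt, iterations, hash}.
# Not a real site's data; exists only so the example runs offline.
_USERS = {}

# A slow, iterated KDF is what makes each guess costly even when the salt
# and the method are known to the attacker. (Iteration count is illustrative.)
PBKDF2_ITERATIONS = 100_000


def _derive(password, salt, iterations):
    """Salted, iterated one-way function: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username, password, iterations=PBKDF2_ITERATIONS):
    """Store a fresh random salt and the derived hash; never the password itself."""
    salt = os.urandom(16)  # per-user salt, generated at registration time
    _USERS[username] = {
        "salt": salt,
        "iterations": iterations,
        "hash": _derive(password, salt, iterations),
    }
    return _USERS[username]


def verify(username, password):
    """Recompute with the stored salt and compare in constant time."""
    rec = _USERS.get(username)
    if rec is None:
        return False
    candidate = _derive(password, rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])


def same_password_shares_hash(password):
    """With per-user salts, two accounts using the same password get different hashes."""
    a = register("alice_demo", password)
    b = register("bob_demo", password)
    return a["hash"] == b["hash"]


def unsalted_sha256(password):
    """The weak scheme a precomputed table is built against: hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Simplest form of the 'rainbow table' idea: precompute hash -> password once."""
    return {unsalted_sha256(w): w for w in wordlist}


def lookup(table, stored_hex):
    """Return the password a stored hash maps to, or None if the table has no entry."""
    return table.get(stored_hex)


# Constructed word list for the demonstration.
DEMO_WORDS = ["password", "letmein", "santander1", "qwerty"]
```

Usage: `build_lookup_table(DEMO_WORDS)` recovers `"password"` from its unsalted SHA-256 immediately, while the same table returns `None` for the PBKDF2 hash stored by `register("carol_demo", "password")`, because that hash depends on a salt the table was never built with. Stealing the salt alongside the hash removes that benefit, and then only the iteration count (and the strength of the password) keeps the cost of guessing high, which is why the second-factor point raised earlier in the thread matters.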
  • Pincher
    Pincher Posts: 6,552 Forumite
    1,000 Posts Combo Breaker
    The criminals are just opportunists. I suppose if they knew you were loaded, it's worth their concentrated effort, but most of the time, it's just a ground floor window left open that they happen to see, and they pounce.


    It's a never ending battle, not "You are guaranteed to be safe if you keep your Anti-virus software up to date." There are a thousand and one other tricks you can fall for.


    They might as well say: "You'll be safe if you read the Money sections, so you know all the tricks." As if nobody can invent new ones.
This discussion has been closed.