Platform security

24 Comments

  • eskbanker
    eskbanker Posts: 37,813 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    webnibbler said:
    But it seems odd to me that banks are required to implement 2FA while platforms aren't.
    The legislative requirement for strong customer authentication stems from the EU Payment Services Directive 2, which, unsurprisingly given its title, applies specifically to payment services providers:

    “payment service provider” means any of the following when they carry out payment services—

    (a) authorised payment institutions;
    (b) small payment institutions;
    (c) registered account information service providers;
    (d) EEA authorised payment institutions;
    (e) EEA registered account information service providers;
    (f) electronic money institutions, including branches located in the EEA of such institutions whose head office is outside the EEA, in so far as the payment services provided by those branches are linked to the issuance of electronic money;
    (g) credit institutions, including branches located in the EEA;
    (h) the Post Office Limited;
    (i) the Bank of England, the European Central Bank and the national central banks of EEA States other than the United Kingdom, other than when acting in their capacity as a monetary authority or carrying out other functions of a public nature; and
    (j) government departments and local authorities, other than when carrying out functions of a public nature
  • dunstonh
    dunstonh Posts: 120,005 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    I'd guess once in an attacker would fairly easily change or add a different bank account to remove cash and then potentially sell ISA investments.

    How would they easily change or add a different bank account?

    I am an Independent Financial Adviser (IFA). The comments I make are just my opinion and are for discussion purposes only. They are not financial advice and you should not treat them as such. If you feel an area discussed may be relevant to you, then please seek advice from an Independent Financial Adviser local to you.
  • IvanOpinion
    IvanOpinion Posts: 22,136 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    csgohan4 said:
    you can raise the concern with your platform, but setting up the most random password you can would be pertinent
    Not sure what you mean by 'random' but the 3 most important things for a password are length, length and length.  By all means use random characters (upper, lower, numeric, special) but they make little difference to a cracker - it just scans the full ASCII character set.
    I don't care about your first world problems; I have enough of my own!
  • Prism
    Prism Posts: 3,849 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    csgohan4 said:
    you can raise the concern with your platform, but setting up the most random password you can would be pertinent
    Not sure what you mean by 'random' but the 3 most important things for a password are length, length and length.  By all means use random characters (upper, lower, numeric, special) but they make little difference to a cracker - it just scans the full ASCII character set.
    If we are talking about an extraction of a database of passwords from the platform itself (which is rare but possible) then the first thing that an attacker would do is to run through a database of all known password and word combinations - 500 million passwords take a few milliseconds. Combinations of upper, lower etc don't help here but random as in not a word does.

    If that fails to work then it becomes a factor of length. 8 characters might take a day whereas 10 characters is over 20 years.

    Anyway, extraction of a database should be incredibly unlikely, so almost any difficult to guess password should do. And of course never use the same password across companies where a weakness in one website would allow access to the other accounts.
  • IvanOpinion
    IvanOpinion Posts: 22,136 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    Prism said:
    csgohan4 said:
    you can raise the concern with your platform, but setting up the most random password you can would be pertinent
    Not sure what you mean by 'random' but the 3 most important things for a password are length, length and length.  By all means use random characters (upper, lower, numeric, special) but they make little difference to a cracker - it just scans the full ASCII character set.
    If we are talking about an extraction of a database of passwords from the platform itself (which is rare but possible) then the first thing that an attacker would do is to run through a database of all known password and word combinations - 500 million passwords take a few milliseconds. Combinations of upper, lower etc don't help here but random as in not a word does.

    If that fails to work then it becomes a factor of length. 8 characters might take a day whereas 10 characters is over 20 years.

    Anyway, extraction of a database should be incredibly unlikely, so almost any difficult to guess password should do. And of course never use the same password across companies where a weakness in one website would allow access to the other accounts.
    I would have agreed totally with you a couple of years back, but having complex, non-memorable passwords is also seen as a security risk - because people are more likely to write them down or store them in a password manager in their browser (usually set to not log out).  We were working on a security project last year and I was actually surprised at the latest NIST guidelines - things that we used to rely on such as forced password resets, security questions, complex hard-to-remember passwords etc. are no longer considered best practice.  My own advice to our users now is to simply pick 3-4 words and assemble them e.g. 'SnowmanCalculatorAmmonia'

    Many of our systems are being converted to 3FA (with some hopefully unnecessary talk of 4FA)
    I don't care about your first world problems; I have enough of my own!
  • garmeg
    garmeg Posts: 771 Forumite
    500 Posts Name Dropper Photogenic
    Some of the platforms to get around non 2 FA have implemented some additional measures.
    AJ Bell asks you your user id then the next page 3 letters from an 18 char (I think) password and the answer to your secret question
    HL ask you for the user id and DoB then the next page is your password and three numbers out of 6 for your number password
    ii user id and password

    Hargreaves also texts you a six digit access code to your mobile if you have Active Savings in your account.
  • webnibbler
    webnibbler Posts: 167 Forumite
    Tenth Anniversary 100 Posts Name Dropper Combo Breaker
    Prism said:
    The most likely modern attack comes in the form of phishing and then your password is irrelevant anyway.
    Yes, the common attack vector now is targeting the user. The account holder is the weakest link in the chain and phishing is a lot less hassle than trying to break through layers of MFA. Once the fraudster has fooled the user into handing over their credentials and / or allowing them control of their computer, then no amount of security is going to stop the fraud.

    My late father was nearly taken for almost £45k by fraudsters claiming to be from BT and wanting to pay him a 'refund'. Fortunately the bank blocked it before the money left the account. Took several days to convince him that it wasn't real.
  • tigerspill
    tigerspill Posts: 846 Forumite
    Tenth Anniversary 500 Posts Name Dropper
    csgohan4 said:
    you can raise the concern with your platform, but setting up the most random password you can would be pertinent
    Not sure what you mean by 'random' but the 3 most important things for a password are length, length and length.  By all means use random characters (upper, lower, numeric, special) but they make little difference to a cracker - it just scans the full ASCII character set.
    This is not the case at all.  Most password cracking uses "dictionaries" to generate password attempts.  Using random characters then makes cracking massively more difficult.  With modern encryption, hacking passwords using sequential character based tries simply takes too long so the "dictionary" (more than just traditional words) approach is used to massively shortcut this.
  • Prism
    Prism Posts: 3,849 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    csgohan4 said:
    you can raise the concern with your platform, but setting up the most random password you can would be pertinent
    Not sure what you mean by 'random' but the 3 most important things for a password are length, length and length.  By all means use random characters (upper, lower, numeric, special) but they make little difference to a cracker - it just scans the full ASCII character set.
    This is not the case at all.  Most password cracking uses "dictionaries" to generate password attempts.  Using random characters then makes cracking massively more difficult.  With modern encryption, hacking passwords using sequential character based tries simply takes too long so the "dictionary" (more than just traditional words) approach is used to massively shortcut this.
    Yup agreed, however it's a very rare form of attack. It would require stealing the account database and that I would hope would be very difficult to do from a finance based company. Although it's good practice for web based logins, using complex passwords is not typically recommended for internal company use where you can implement better stuff to protect you.
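A worked comparison of the two attacker models argued over in this thread (character brute force versus wordlist guessing, plus the leaked-list pass that runs first), added here as an example and not taken from any of the posts. It assumes an offline guess rate of 10^10 per second against a fast unsalted hash and a 7776-word list; both figures are assumptions, not numbers from the thread.

```python
import math

PRINTABLE_ASCII = 95                      # printable ASCII, 0x20..0x7E
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed offline guess rate against a fast, unsalted hash (not a figure from the
# thread). A slow password hash such as bcrypt or Argon2 cuts this by orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e10
ASSUMED_WORDLIST_SIZE = 7776              # assumed size of the word list the attacker tries


def bits_random_chars(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy when the attacker has to try every character combination."""
    return length * math.log2(alphabet_size)


def bits_wordlist(words, list_size=ASSUMED_WORDLIST_SIZE):
    """Entropy when the attacker knows the word list and tries word combinations."""
    return words * math.log2(list_size)


def effective_bits(length, words=0, list_size=ASSUMED_WORDLIST_SIZE):
    """Strength is bounded by the cheapest attacker model that applies: a password
    assembled from dictionary words is only as strong as the wordlist model."""
    char_model = bits_random_chars(length)
    if words:
        return min(char_model, bits_wordlist(words, list_size))
    return char_model


def expected_years(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Expected years for exhaustive search to hit the password (half the keyspace)."""
    return 2 ** bits / 2 / rate / SECONDS_PER_YEAR


def leaked_list_seconds(list_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every entry of a leaked-password list; attackers run this first."""
    return list_size / rate


def compare():
    """Cases from the thread: 8 and 10 random chars; 3-word (24 chars) and 4-word passphrases."""
    cases = {
        "8 random chars": effective_bits(8),
        "10 random chars": effective_bits(10),
        "3 words (24 chars)": effective_bits(24, words=3),
        "4 words (32 chars)": effective_bits(32, words=4),
    }
    return {name: {"bits": b, "years": expected_years(b)} for name, b in cases.items()}


if __name__ == "__main__":
    print(f"500M leaked list: {leaked_list_seconds(5e8):.3f} s")
    for name, r in compare().items():
        print(f"{name:20s} {r['bits']:6.1f} bits  {r['years']:12.4g} years")
```

Under these assumptions a 3-word passphrase that the attacker can model as words is weaker than 8 random characters, while the same 24 characters attacked character-by-character would be far out of reach; which model applies is the real question behind the disagreement above.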