HACKER Q&A
📣 plsdonthack

A major USA bank is storing passwords in cleartext – what to do?


I was having trouble accessing my account, so I gave a call to customer service. The service rep proceeded to (accurately) describe my own password to me. Should I report this somewhere? I'm not really sure what to do.


  👤 alltakendamned Accepted Answer ✓
It seems you're not getting serious answers here, so here's my take.

Please report this via the US-CERT at https://www.us-cert.gov/report

This will allow you to report it, eventually from an anonymous email address, without exposing you directly to the bank, which might react badly to you. CERT can handle the coordination with the bank; this is what they do.


👤 micheljansen
Really shocked at all the handwavy comments.

> “It’s fine, there are more checks in place to prevent unauthorised transactions”

> “Also, it’s insured”

Well ok, that means the bank is protected, but what about my (sensitive) data such as transaction history?

> “If anyone does anything bad, law enforcement will step in”

Yeah, I totally trust a bank that can’t even properly deal with something as basic as passwords to notice breaches reliably.

> “It would be too expensive to replace legacy systems”

And that’s the consumer’s problem?

I really hope none of you apologists are moving fast and breaking things at any company that is entrusted with people’s personal information or is needed for more critical infrastructure of everyday life than cat pics and funny polls.

In Europe banks also don’t like paying to replace legacy systems to maintain security, but such a failure to protect consumer data and privacy would be in serious breach of legislation and result in significant fines.


👤 bob1029
As someone who works in finance/banking, I can assure you that this is not uncommon. Almost everyone is engaging in not-so-best practices with password storage if they are using any 3rd party vendors. Only the institutions with the resources to rebuild in-house systems with modern security standards are the exception to this rule. There are only a handful of these. Ultimately, it's not some malicious intent or incompetence, but simply the acknowledgement that the legacy systems will not enjoy PBKDF hash+salt+iterations columns being added 30 years after the fact.

The risk analysis and mitigation discussion for these institutions goes something like this:

1) We can't have good password storage, so we will require a 2nd factor and attempt to ensure these systems reside in our most secure network.

2) There is nothing we can do, so we will simply rely on the fact that if someone logs into an account illegally, we send in the men with guns. For some strange reason when a bank calls the FBI things move with a high level of expediency.

There is much more to this than just the technical aspect of "oh my goodness why aren't you hashing your passwords". How much ripping would HN impose on one of these institutions if they attempted a 100% best practices secure password upgrade and then subsequently had a complete IT disaster unfold (I can certainly link articles)? For many banks and other financial institutions, going down for even 1 hour is a complete catastrophe. If people can't get their money out right away, they are leaving for the competition and you will likely get dinged by regulators. Bad people will continue to do bad things until the end of time. Killing your business to handle every edge case, even if it seems obvious, is not a good path to go down.

I would also consider this: These banks' IT systems are storing things that many of us would argue are much more valuable than your passwords. A bank's core system also represents the actual monetary value of every customer's account. We are talking about password security in a system domain where there are arguably far more valuable assets to secure. These assets are already implicitly protected by a massive apparatus extending as far as Ohio Class nuclear submarines patrolling the Pacific ocean.


👤 slumdev
Name and shame. I'll start:

American Express passwords are not case sensitive.

It is possible that they UPPER(...) the password before hashing it and then compare against that when you log in. This explanation would only be a little dumb because it reduces the domain of the password space. It also strains credulity.


👤 crispyambulance
> The service rep proceeded to (accurately) describe my own password to me.

Wait, that alone doesn't necessarily indicate that they're storing clear text passwords. I notice you didn't say that they just repeated your password to you; why do you think they store the whole thing in clear text?

HN readers are apt to demand hardcore passphrases, salting, 2FA, etc. But the reality is that banks have to deal with all kinds of people and situations. Your security as a bank customer hinges on more than just one password, it's also about monitoring patterns of behavior, being aware of what's coming and going from your account, and protection mechanisms like the bank's insurance.

That said, one would think that large institutions have learned their lesson about clear text passwords, perhaps this one hasn't? Is there a law against clear text passwords? How does anyone actually know if a financial institution has sound IT practices, by happenstance incidents like this? Really?


👤 chris_overseas
One bank that has astoundingly bad password requirements is Westpac Australia. Usernames are an 8 digit customer ID, and passwords have to be exactly 6 characters long(!) consisting only of numbers and uppercase letters. Try it for yourself, note that the login form only allows you to enter 8 characters for the username and 6 characters for the password:

https://banking.westpac.com.au/

I complained to them about this years ago, they replied explaining they knew what they were doing and it was a balance between security and simplicity...


👤 rasikjain
You should report to proper authorities about the severity of the issue. Reach out to their security or technical higher up department of the bank.

In your case, they may or may not be storing the password in cleartext. They might be using two-way encryption instead of a one-way hash. Passwords should be hashed (with salt), and that is irreversible.

For a financial institution, revealing your password by a customer service rep is a big red flag. I would reach out to concerned authorities and do a proper disclosure.


👤 davismwfl
Wow. Did they repeat your password or some hint you typed in a long time ago?

FWIW I have seen two companies that store passwords properly in a one way hash with salt but store statistics on every password like number of case changes and count of numbers and total length. I personally think that practice is infinitely stupid but can explain why they can say it has 3 numbers in it. One major marketing firm I did work for did that until we showed them why it was so dangerous. They were just trying to make users' lives easier but that wasn't a smart trade-off.

Personally I would like to know which bank. I have accounts at a number of major US banks and if one I use is doing this I’ll move everything out of them immediately.

Edit: to answer your question I’d hand the info to a major investigative news source and let them dig more. The FTC and banking regulators I don’t think will get involved unless there was damage.


👤 loteck
Genuinely curious, why not name the bank here?

It certainly isn't going to be news to the bank itself, so there aren't responsible disclosure concerns here.

And since the top advice here is to leave the bank, wouldn't the best thing you can do be to alert the public, so others can protect themselves as well?


👤 _Understated_
Why not reach out to someone like Brian Krebs? He has a pretty large reach and can potentially make people take notice.

Try @briankrebs on Twitter.


👤 thdrdt
Can you explain what you mean by "describe my own password to me"?

As others point out: maybe they store some things about your password like "has four digits, starts with an S".

This does not mean they store your password in plain text.

Everybody here starts shaming and naming but be very careful with that. Before you know it you shame a company while there is nothing going on.


👤 loufe
My bank just changed from a 6-number password (literally no option for more or less characters nor anything but digits) to rational passwords this month. I don't know how my WoW account 10 years ago needed an authenticator but the people managing my retirement savings didn't light a fire under asses to get that done.

Legislation should have and likely still should be put in place.


👤 bodhi_mind
Hashing passwords has been ingrained into our brains as it's an easy way to reduce risk. That said, sometimes sensitive information needs to be stored in a retrievable format (subscription credit card processing comes to mind). Every data decision that's made has an element of risk involved while accomplishing an end goal. With the right processes in place (encryption, limiting access (auditing that access), decryption authorization), the risk can be reduced to an acceptable level.

I don't think we have enough knowledge of the risk and processes in place at this bank to say if it's an issue.


👤 jonplackett
Banking security is a joke.

My bank calls me to talk to me and insists I give them my date of birth and address to ‘verify’ myself.

Meaning anyone can call me, pretend to be my bank, I am supposed to give them this info, and then they have what they need to verify themselves as me.

Banks are dumb.


👤 wj
Wells Fargo used to require that a new password be sufficiently different from an old password. For example, if my password was "Madison111$" I could change it to "Madison222$", except that when I did so I would be prompted to change it again the next time I logged in. Since I always iterated on a version of my password this was an issue. The reason was explained to me when I finally called and asked why I was being required to change my password every single time I logged in. So, I changed Madison to Matthew and was good to go.

Not sure how they were doing that if they weren't storing the password in plaintext.
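As an added illustration (not code from any bank or commenter on this page) of the "PBKDF hash+salt+iterations" storage bob1029 mentions, and of how a "sufficiently different" rule like the one wj describes can be enforced without ever keeping a plaintext: at change time the user presents both the old and the new password, so the similarity check runs in memory and only the new hash record is stored. The iteration count and the letters-only similarity rule are assumptions for the example.

```python
import hashlib
import hmac
import os
import re

# Assumed parameters for this example, not taken from any bank on the page.
ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Store only salt, iteration count and PBKDF2-HMAC-SHA256 output.

    Nothing in this record lets a service rep "describe" the password:
    no length, no digit count, no case pattern, no reversible ciphertext.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def alpha_core(password: str) -> str:
    """Letters only, case-folded: 'Madison111$' and 'Madison222$' share 'madison'."""
    return re.sub(r"[^a-z]", "", password.casefold())


def too_similar(old: str, new: str) -> bool:
    """Assumed similarity rule: reject a change that only rotates digits/symbols."""
    return alpha_core(old) == alpha_core(new)


def change_password(record: dict, old: str, new: str) -> dict:
    """Both plaintexts are in hand only during this call, so the similarity
    rule can run here; the old password is never stored to compare later."""
    if not verify(record, old):
        raise ValueError("current password incorrect")
    if too_similar(old, new):
        raise ValueError("new password too similar to the old one")
    return make_record(new)


if __name__ == "__main__":
    rec = make_record("Madison111$")
    for candidate in ("Madison222$", "Matthew222$"):
        try:
            rec = change_password(rec, "Madison111$", candidate)
            print(f"{candidate}: accepted")
        except ValueError as exc:
            print(f"{candidate}: rejected ({exc})")
```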


👤 foreigner
Something similar happened to me once. An e-commerce platform gave my wife my plaintext password. It was my "low security" password, the same one I used in dozens of sites. That's when I started using a password manager so now every site gets a different random password.

👤 vegardx
It never ceases to amaze me what the state of online banking is around the world.

Here we have something called BankID which comes in two flavors: one that is a physical token that generates a TOTP used to log in, either in combination with a password or a PIN on the token device itself, referred to as BankID; and the other, much slicker solution, called BankID on Mobile, which runs as a SIM application on your phone where you digitally sign the login request using a PIN. The user can also verify the request visually on both the computer and phone using a unique keyword.

One killer feature with BankID is that you can use it to log in to any service that has BankID, like your insurance company, looking at your tax return, other banks, etc. This is perhaps the biggest issue with it, since the system can get overloaded when there are country-wide rollouts of tax returns and such. This has become much better lately since they've started to roll out things like tax returns as soon as they're ready instead of doing bulk releases.


👤 rs23296008n1
Move your money to a different bank.

Now that banks aren't paying useful interest rates they are mostly only tolerable for security and convenient access to your money. If they can't do those two then... what exactly are they for? Likely nothing.


👤 tentboy
Since it seems this is PNC, I am one of those who now needs to find a new bank. Any recommendations? I used PNC for my checking/credit but already use an American Express high yield savings.

I was thinking maybe Capital One?


👤 huac
Fidelity's passwords map to characters on the phone keymap, e.g. the characters "j,k,l,J,K,L,5" can all be represented by the number 5 on the phone. Holy entropy, Batman!
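Both slumdev's theory (an UPPER(...) before hashing) and huac's phone-keypad observation are the same defect: the server normalises the password before hashing, so distinct passwords verify as the same one. This added example (not code from any bank or commenter) computes how many symbols stay distinguishable and the resulting keyspace, using an assumed letters-plus-digits alphabet and the keypad mapping as huac describes it.

```python
import math
import string

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols, assumed alphabet

# Phone keypad as huac describes it: j, k, l, J, K, L and 5 all become "5".
KEYPAD = {
    "2": "abcABC", "3": "defDEF", "4": "ghiGHI", "5": "jklJKL",
    "6": "mnoMNO", "7": "pqrsPQRS", "8": "tuvTUV", "9": "wxyzWXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def case_fold(password: str) -> str:
    """What an UPPER(...) before hashing does: case no longer distinguishes passwords."""
    return password.upper()


def keypad_fold(password: str) -> str:
    """Collapse every letter onto the digit sharing its key; digits are unchanged."""
    return "".join(LETTER_TO_DIGIT.get(ch, ch) for ch in password)


def effective_alphabet(alphabet: str, normalize) -> int:
    """Symbols that remain distinguishable once the server normalises before hashing."""
    return len({normalize(ch) for ch in alphabet})


def keyspace_bits(alphabet: str, length: int, normalize=lambda s: s) -> float:
    """log2 of the number of passwords of this length the server can tell apart."""
    return length * math.log2(effective_alphabet(alphabet, normalize))


def colliding(a: str, b: str, normalize) -> bool:
    """True when two different passwords would verify as the same one."""
    return a != b and normalize(a) == normalize(b)


if __name__ == "__main__":
    schemes = [("none", lambda s: s), ("case-fold", case_fold), ("keypad", keypad_fold)]
    for name, fn in schemes:
        print(f"{name:10s} {effective_alphabet(ALPHANUM, fn):3d} symbols, "
              f"{keyspace_bits(ALPHANUM, 8, fn):5.1f} bits for an 8-char password")
```

For an 8-character password the assumed 62-symbol alphabet drops from about 47.6 bits to 41.4 bits under case folding and to 26.6 bits under keypad folding.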

👤 topkai22
Does anyone know if PCI rules call for non reversible storage of passwords (hashing)?

I looked quickly online but the only reference I could find was that "passwords are protected by strong cryptography in transit and at rest", which seems to allow wiggle room to store passwords in reversible but encrypted format.


👤 zxcvbn4038
There is not much you can do, I’ve tried to inform banks of security issues in the past and all that happens is you get a form letter saying thanks for writing we are doing that on purpose for reasons we can’t explain to you and we’re not interested in outside help. Synchrony and Citibank, I’m looking at you.

👤 alkonaut
What does the password give access to? Full online banking (e.g. being able to do transactions?). Does login not require any further authentication beyond the password?

If the authentication still requires using some kind of good 2FA then it's less serious to have the password in plaintext. Still bad of course.

If this is for some other service that doesn't let you do any transactions then it's not as serious either (still bad and embarrassing, but not that serious).

Even with properly hashed passwords etc I'd be worried if my bank allowed login with only a username/password and no further security. I didn't think even that was a thing in 2020.


👤 lpilot
Santander in the UK does this too. You can tell because they only ask for 3 characters out of your password whenever you log in. What's ironic is that whoever did that probably thought they were being super clever.

👤 overgard
I once did an API integration with a very popular well known brokerage. When we asked for a test account for their API... well they didn't have a test environment, so they just gave us a real account with 10k dollars in it with instructions to be careful. The test account was something like "apitest11" and the password was like "11apitest". Did that money mysteriously get stolen? Yup! (Not by me definitely, but that account must have been shared with 15 or so people, with a trivial password if it had been an outsider)

👤 akerro
When I went to TSB (UK) to open an account for my partner and she was asked to type her password on their computer, she asked when she could change the password and whether there were any limitations, like waiting 3 days before changing the password. The assistant responded "why would you ever want to change your password? you can type any password you want now, just please type your password". This was so weird we didn't use the account for a few days, changed the password, waited a few days again and after that deposited money.

👤 satya71
That's still better than the SSA. Every employer must use SSA to submit W-3 to report employee wages. They only accept case-insensitive passwords up to 8 alpha-numeric characters.

👤 benmmurphy
A popular bot protection system provided by a third party used by a number of US banks would accidentally disclose plaintext usernames and passwords to the bot protection software.

I'm not sure how the bot protection software was deployed, but looking at marketing materials I suspect the data was sent to the third party as part of a SaaS service.

We believe this was accidental because a later version of the software stopped doing it. I'm not sure if there was a notification by the third party to users about this flaw.


👤 aichi
Same surprise for me when I got back my password from AMEX over phone.

👤 speedplane
The law is not behind or antiquated in this case. Bank cybersecurity has been regulated for quite some time now, and failing to adequately secure your digital assets is a compliance violation no different than failing to catch obvious fraud.

It's very likely that your bank is based in and regulated by New York State, even if it isn't physically based there. Contact the NY State attorney general's office; they should take you seriously.


👤 avbanks
There's a similar issue with Wells Fargo. I think it has to do with banks they acquired (in my case Wachovia). My passwords are not case sensitive.

👤 neutrin0
You definitely need to tell somebody that they should be encrypting their passwords using something like Format Preserving Encryption. FPE https://www.tokenex.com/blog/format-preserving-encryption-an...

👤 pedalpete
This is doubly bad because not only is your password in plaintext, it also means that anybody who works for the bank is able to view said password.

Don't get me wrong, plaintext stored in a DB is bad enough, if the DB gets compromised, but apparently they don't even need that as they have an interface that customer service can use to view your password.

How secure do you think that system is?


👤 mindslight
Use a generated unique password for every site, preferably with a password manager. Along with the absolutely most important thing you can possibly do for banking security, which is to check your statements/transactions promptly every 30 days. Beyond that it's not really your worry, besides having to possibly attend to helping them clean up any messes.

👤 imtringued
It is possible that this is intended and that they will prompt you to enter a new password on login.

Ask yourself these questions:

Are you sure it was your password? Did they generate a password for you? Did they verify that you are the account owner by asking you to enter the "hotline-pin"?


👤 solumos
A friend of mine wrote a newsletter on this topic last year - banks are full of anti-patterns!

https://whyisthisinteresting.substack.com/p/why-is-this-inte...


👤 tibbydudeza
My bank uses 2FA or biometric via their android app to approve all payments and adding of new beneficiaries on their online banking platform.

But it is a pain when I switch phones and need to get the old one deactivated and the new one authorized.


👤 INTPenis
Some people have noted that they might store part of your password, but they could also be using some sort of master key to encrypt their passwords. Meaning they can also decrypt them and provide a UI for their help desk.

Still awful, but not as awful.


👤 tylerburnam
You should give them 7 days and tell them you have a responsibility to let the community know what bank it is. You should communicate this clearly to the bank and then let us know.

👤 exabrial
Nearly all of them do unfortunately. They will only change this after getting hit with massive fines from a data breach.

What you should do: Never reuse a password when working with financial institutions older than 5 years old.


👤 fazilakhtar
I got locked out of my account (forgot my password) with said bank and they had no way of telling me my password. Had to wait for them to send me an OTP mailer so that I could log in and create a new password.

👤 mywacaday
I was going to say vote with your money and leave, but then it occurred to me: where do you go? Is there any public list of banks or institutions that have passed some kind of security audit?

👤 baby
They have to no? If you want to link some other bank accounts you have to give them the associated credentials that they pretty much have to store in clear (or encrypted at rest whatever).

👤 drenginian
Just do a Tell HN: Bank of Foogistan stores passwords in plain text.

Don't agonize about it so much; it's not like you're going to hurt the bank's feelings.

No one will notice or care anyway and banks deserve what they get if they do this.

And if the bank does pay attention they’ll just fix it and move on. Don’t know why you feel this is such a big deal.

Who would you tell that would even care? I can’t imagine the police jumping into their car with sirens screaming. “I wish to report a terrible crime”.


👤 rlewkov
1) Inform the bank

2) Inform the FDIC

3) After a reasonable amount of time inform the public

👤 throwbanktest
(Throwaway for obvious reasons)

Proud of my bank in India (State Bank of India) which is crazy over security. Secure password requirements for login. Another completely different password for managing my banking profile and adding bank transfer beneficiaries. OTP for each money-transfer-related activity I do from the bank.


👤 robjan
Was it a password or secret question like "mother's maiden name"?

👤 greenie_beans
can you tell us the name of this bank so we can avoid business with them?!

👤 jacobsenscott
perhaps it is encrypted, rather than hashed.

👤 daebersold
Move your money. Support your local/regional banks.

👤 paulie_a
Name and shame

👤 riffic
name and shame.

👤 NicoJuicy
If the bank is in Europe also, it's a GDPR breach

👤 mgamache
The password is probably encrypted using a two-way hash. It's not as secure as a one-way hash, but you can't see passwords by running a SQL query.

👤 Urgo
If this is really happening this is a serious issue that needs to be fixed ASAP and everyone alerted..

but.. something doesn't look right here..

OP is a throwaway account created today, which I can understand for this type of thing.. but...

they withheld the bank name in the title/desc.. okay again a responsible thing to do.. but...

when asked what the bank name was in the comments they were not shy at naming it..

Something just doesn't feel right. Why the sudden change of heart?

For everyone's sake I hope I'm right, that this is just FUD.. to the OP if you really are serious I'm sorry, and please do report this ASAP.


👤 matz1
Is there actual damage? At the end of the day, as a customer, all I care about is that my money is available (not stolen) and I can access it when I need it. Why should I care about implementation details?

👤 0x3RO
Do you really think the only thing the bank does to log people on is to check the username and password? Banks are way more sophisticated than this and it goes well beyond merely string-matching credentials; there's all sorts of other environmental, behavioral and heuristic patterns used to establish legitimacy. Even if you raised this issue with the bank, they'll hardly change their modes of operation, and you certainly won't ever see a bank telling you how they do it, but those "hidden security features" make a significant contribution to the bank's security posture; i.e.: https://twitter.com/mbna/status/1016270694299127809?s=20