Banks

A 4-post collection

When Bank Communication is Indistinguishable from Phishing Attacks

You know how banks really, really want to avoid their customers falling victim to phishing scams? And how they put a heap of effort into education to warn folks about the hallmarks of phishing scams? And how banks are the shining beacons of light when it comes to demonstrating security best practices? Ok, that final one might be a bit of a stretch, but the fact remains that people have high expectations of how banks should communicate to ensure that they themselves don't come across as phishers:

Just a good old phish. See that there is no slash after .com.au? Very convincing, but banks will never send texts like these. Cc @troyhunt @NAB pic.twitter.com/hCW5ADLo0O — Sebastian...

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway. I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against. But firstly, let's just establish what's happening:

People are Upset About Arbitrary Restrictions

This is actually one of those long-in-draft blog posts I finally decided to finish after seeing this tweet earlier in the week: My bank tells me that their exactly-5-digit password policy...

Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested that their SSL stats be withheld from showing up in the SSL Labs test which has become so popular in recent times. It's a great way of identifying what's good and what's bad about an SSL implementation, and indeed, it appears that NAB has pulled their stats: Which, of course, looks enormously suspicious. You don't pull your stats when you have a good result, and even if you do, Qualys, who runs the service, is only checking for publicly accessible information anyway; they're simply bundling it up into a single test that's...

This is your bank, please verify your details – No, you verify YOUR details!

The phone rings from a concealed number and you pick up: Hello? Silence. More silence. Eventually a foreign voice enters: Hi, this is your bank, we need you to verify some details. This is the point where you should be disclosing absolutely nothing, or at least nothing that is not known already, which is probably just your phone number and perhaps your name if they've greeted you with it. No, I'm not revealing my address or my account numbers or my password because, frankly, I don't trust you. Don't get me wrong – it's not because of your foreign accent – but it's because it's part of...