What irritates me the most is that, while a lot of sites allow for hardware tokens for MFA, my banks do not. Not a single one of my financial institutions support FIDO or anything like it, opting instead for SMS if they have anything at all. Passwords are usually a maximum length of some small number, and alarmingly, quotes and some other special characters are not allowed. Are they even hashing?
It's insane that my personal blog is more secure than my bank.
I don't think these mass data breaches have anything to do with the security of an individual consumer account.
Something was left open and exposed in the central infrastructure for this to happen, or some kind of supply-chain exploit, or a key administrator account credential was phished.
I agree with you assessment. But if some of my PII was in that breach, which now joins the insane amount of other PII from past breaches, that just makes it that much harder to secure my accounts.
Regardless, I believe my point still stands. I want better options for security; I shouldn't need a better reason than it's where I keep all my money.
IANAL, but as far as I understand, since this month (nov 2025) the DFS (dep of financial services) requires all financial companies to have MFA in force for accessing IT systems (see regulation 500.12).
Not sure how that applies to your situation, but maybe we see some positive movements in this area.
I really like that Vanguard supports Yubikeys too. They are the only ones that support them in my experience, but I have seen some increased support for TOTP in financial institutions lately. Fidelity now allows for TOTP instead of SMS. I have also encountered some credit unions that allow for TOTP instead of SMS. It is definitely weird that investment firms and credit unions are taking the lead here rather than the big banks.
> It's insane that my personal blog is more secure than my bank.
It's insane to imagine that that is true. :)
Seriously though, if banks and their customers were being defrauded by superficially poor password/MFA hygiene, obviously they would fix that. They are not.
Sometime in the 2010s when I was still with BMO, their online banking required you to have a six-digit password. No letters, let alone special characters. And no MFA of course
BMO Investor Line still requires you to have a short password. It explicitly requires, I don't remember the exact number, like, a 6-character password. It cannot be longer. WTF.
Their web app is "screen scraping" a legacy mainframe CICS interface via a virtual 3270 terminal. Almost certainly the case any time you see something like a very short or very limited set of characters permitted in a password.
Very much doubt it, it certainly used to (4 years ago). The old system truncated your password (you used 20 chars, it dropped the last 14) so when the switch happened - suddenly your password didn't work - it was very obvious (unless you used <=6 char passwords).
The communication about the change, and the way the old system worked (without warning nor notification) left a lot to be desired.
When you create an application to open an account it still requires you to create a fixed-length short password that you are then supposed to change or something. It was around half a year ago when I encountered this.
For those looking to quickly understand scope of impact:
> According to Bloomberg and CNN, citing sources, SitusAMC sent data breach notifications to several financial giants, including JPMorgan Chase, Citigroup, and Morgan Stanley. SitusAMC also counts pension funds and state governments as customers, according to its website.
Funnily enough, even though there are (some) regulations that impose penalties if a financial breach was due to negligence, somebody has to actually investigate and prove negligence first. Government agencies may investigate, but they can just choose not to, it depends on whether they feel like investigating or not.
Meaning that when there is a breach, if you don't personally sue them and take on the costs of investigating and proving the root cause of the breach yourself, then it's likely nothing will happen to them at all. And this is only for the institutions actually covered by a regulation.
And assuming an investigation is done, and proof found of negligence, they'll be given a fine or settle for a small amount of their yearly profit. Nobody goes to jail or is personally fined, and the company has a minor dip in earnings. Problem solved!
Have we gotten to the point yet where simple possession or knowledge of personal data is insufficient to prove identity? Seems like we should have been there years ago.
'what you know, what you have, what you are' are used in classic authentication. 'what you know', typically are the knowledge only you should know, like password. 'what you have' are the things only you should have, like key card, MFA,. 'what you are' are some biological identities, like your finger print.
Banks servers ordinary people and most useful way to identify those people are 'what you know'. DOB are the most commonly used.
some banks and other organizations start to give up 'what you know' as most people give up too much personal information over social media and bad guys can easily acquire them. now they transfer 'what you have'. like sending you a message and you have to click the link to prove you are the person who you claimed.
Why should knowledge of personal data be sufficient to prove identity? When I call my bank, they ask, what is your birth date, as if it isn't basically public info.
It never should have been, that's what I'm saying. But for a long time if you could answer a question like "what street did you live on in 1996" or even the classic "what was your mother's maiden name" that could get you a password reset over the phone.
That era has to end if it hasn't already. Just because an unknown voice can answer questions about me doesn't mean it's me. And these days, you might not even be able to trust a voice-print.
All this "personal data" has to be made valueless. Then people will stop stealing it, and if they do, it won't matter.
Explain how that would have worked about 150 years ago? Being a stranger back then was far riskier in a lot of places and they'd have no idea if your identity was fake or not. Moving from these old systems to new digital systems was a slow process and even to today I see old people go into the DMV with out many life records and have issues because many of their state records are in storage on paper in some warehouse and not digitized.
Things of the past are to this day catching up with the future we live in.
What irritates me the most is that, while a lot of sites allow for hardware tokens for MFA, my banks do not. Not a single one of my financial institutions support FIDO or anything like it, opting instead for SMS if they have anything at all. Passwords are usually a maximum length of some small number, and alarmingly, quotes and some other special characters are not allowed. Are they even hashing?
It's insane that my personal blog is more secure than my bank.
I don't think these mass data breaches have anything to do with the security of an individual consumer account.
Something was left open and exposed in the central infrastructure for this to happen, or some kind of supply-chain exploit, or a key administrator account credential was phished.
I agree with you assessment. But if some of my PII was in that breach, which now joins the insane amount of other PII from past breaches, that just makes it that much harder to secure my accounts.
Regardless, I believe my point still stands. I want better options for security; I shouldn't need a better reason than it's where I keep all my money.
IANAL, but as far as I understand, since this month (nov 2025) the DFS (dep of financial services) requires all financial companies to have MFA in force for accessing IT systems (see regulation 500.12). Not sure how that applies to your situation, but maybe we see some positive movements in this area.
Email/SMS based MFA will count, but shouldn't.
(Or at least, a better option should be required to be available.)
Vanguard, Bank of America, and a tiny handful of others do support hardware tokens. But yea you're right that most don't.
Not that it would help in this specific case I guess.
>Are they even hashing?
I wonder that with one of my banks, the password is case insensitive. Of course they could lower case it before the hashing but I suspect they don't.
> the password is case insensitive
Yikes, that’s scary. Legitimately would make me think about leaving that bank
Vanguard supports Yubikey.
I really like that Vanguard supports Yubikeys too. They are the only ones that support them in my experience, but I have seen some increased support for TOTP in financial institutions lately. Fidelity now allows for TOTP instead of SMS. I have also encountered some credit unions that allow for TOTP instead of SMS. It is definitely weird that investment firms and credit unions are taking the lead here rather than the big banks.
> It's insane that my personal blog is more secure than my bank.
It's insane to imagine that that is true. :)
Seriously though, if banks and their customers were being defrauded by superficially poor password/MFA hygiene, obviously they would fix that. They are not.
Sometime in the 2010s when I was still with BMO, their online banking required you to have a six-digit password. No letters, let alone special characters. And no MFA of course
BMO Investor Line still requires you to have a short password. It explicitly requires, I don't remember the exact number, like, a 6-character password. It cannot be longer. WTF.
Oh, it was worse than that at BMO (or still is?). Used to be it could be longer but only the first 6 mattered…
The 6 characters designed to be mapped to 6 numbers for a telephone banking PIN.
So aA-cC would all be treated the same (and be a 0 for telephone banking), dD-fF would be 1, etc.
So in reality; there were only a million different passwords.
I thought this stopped ~10 years ago. Or did it?
Their web app is "screen scraping" a legacy mainframe CICS interface via a virtual 3270 terminal. Almost certainly the case any time you see something like a very short or very limited set of characters permitted in a password.
Very much doubt it, it certainly used to (4 years ago). The old system truncated your password (you used 20 chars, it dropped the last 14) so when the switch happened - suddenly your password didn't work - it was very obvious (unless you used <=6 char passwords).
The communication about the change, and the way the old system worked (without warning nor notification) left a lot to be desired.
When you create an application to open an account it still requires you to create a fixed-length short password that you are then supposed to change or something. It was around half a year ago when I encountered this.
For those looking to quickly understand scope of impact:
> According to Bloomberg and CNN, citing sources, SitusAMC sent data breach notifications to several financial giants, including JPMorgan Chase, Citigroup, and Morgan Stanley. SitusAMC also counts pension funds and state governments as customers, according to its website.
Funnily enough, even though there are (some) regulations that impose penalties if a financial breach was due to negligence, somebody has to actually investigate and prove negligence first. Government agencies may investigate, but they can just choose not to, it depends on whether they feel like investigating or not.
Meaning that when there is a breach, if you don't personally sue them and take on the costs of investigating and proving the root cause of the breach yourself, then it's likely nothing will happen to them at all. And this is only for the institutions actually covered by a regulation.
And assuming an investigation is done, and proof found of negligence, they'll be given a fine or settle for a small amount of their yearly profit. Nobody goes to jail or is personally fined, and the company has a minor dip in earnings. Problem solved!
Class action exists to remedy this issue
Is the consensus that banks are generally poor at IT security or that banks are generally more often targeted for hacks?
Yawn. Another day another breach.
Have we gotten to the point yet where simple possession or knowledge of personal data is insufficient to prove identity? Seems like we should have been there years ago.
'what you know, what you have, what you are' are used in classic authentication. 'what you know', typically are the knowledge only you should know, like password. 'what you have' are the things only you should have, like key card, MFA,. 'what you are' are some biological identities, like your finger print.
Banks servers ordinary people and most useful way to identify those people are 'what you know'. DOB are the most commonly used.
some banks and other organizations start to give up 'what you know' as most people give up too much personal information over social media and bad guys can easily acquire them. now they transfer 'what you have'. like sending you a message and you have to click the link to prove you are the person who you claimed.
Why should knowledge of personal data be sufficient to prove identity? When I call my bank, they ask, what is your birth date, as if it isn't basically public info.
It never should have been, that's what I'm saying. But for a long time if you could answer a question like "what street did you live on in 1996" or even the classic "what was your mother's maiden name" that could get you a password reset over the phone.
That era has to end if it hasn't already. Just because an unknown voice can answer questions about me doesn't mean it's me. And these days, you might not even be able to trust a voice-print.
All this "personal data" has to be made valueless. Then people will stop stealing it, and if they do, it won't matter.
>It never should have been
Explain how that would have worked about 150 years ago? Being a stranger back then was far riskier in a lot of places and they'd have no idea if your identity was fake or not. Moving from these old systems to new digital systems was a slow process and even to today I see old people go into the DMV with out many life records and have issues because many of their state records are in storage on paper in some warehouse and not digitized.
Things of the past are to this day catching up with the future we live in.
Oh I misread