Mycroft Holmes wrote: security idiots: people who will listen to the latest gossip, read what is shoved under their nose and get the developers to implement the policies they think up. If there is nothing to change they will think up something to do; a team has to justify its existence.
That's a great explanation and exactly what I thought.
Mycroft Holmes wrote: You cannot blame the developers for such idiocy,
Very good point and I guess I was really thinking of the security team...not the devs.
Overall it is just craziness. Making things unusable so the security team can feel like they're doing something important.
As much as I denigrate them for some of their blunders I would not have their job for quids. Trying to keep in front of the bastards attempting to hack the banks must be a nightmare.
Never underestimate the power of human stupidity
RAH
Mycroft Holmes wrote: Trying to keep in front of the bastards attempting to hack the banks must be a nightmare.
Yeah, I can agree with that. But, it seems like they'd focus on creating the smallest exposed footprint and work on that instead of things like the paste feature.
I can't actually imagine the security people explaining how the paste feature could be dangerous.
Security guy: So, yes, we must remove the user's ability to paste into the pwd field because it is extremely dangerous. It's a huge security hole.
Bank's IT Manager: Can you give me 2 examples of how pasting into that field would be dangerous?
Security guy: Well, they could paste special extended characters, maybe?
Bank IT Manager: Shouldn't the back-end handle that?
Security guy: Well, they could paste um...errrr...well, pasting is just bad, that's all. And why would any legitimate user want to paste? I think only crackers paste.
I know of a certain national bank that only allows letters and numbers. No punctuation or special characters. I swear they actually WANT their customers to have their accounts ripped off.
Dave Kreskowiak wrote: I swear they actually WANT their customers to have their accounts ripped off.
It really does feel that way in some of these cases, because the logic they use is so bad.
I also know that many only allow your password to be 16 chars in length (or shorter) even though password length is the one thing that actually strengthens passwords. It's crazy.
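The two complaints in the thread (alphanumeric-only fields and a 16-character cap) can be put side by side in a small server-side policy model. The block below is an added example, not code from the thread or from any bank it discusses: the two policies, their limits, the sample passwords and the guess rate used for the brute-force estimate are all constructed for illustration. It shows what a restrictive policy rejects, the strongest password it can ever accept, and why a long passphrase the cap forbids is the thing worth allowing.

```python
import math
import string
from dataclasses import dataclass

# Constructed policies modelled on the thread's complaints: a restrictive bank
# rule set (alphanumeric only, 16-char cap) and a permissive one in line with the
# NCSC/Troy Hunt advice the thread links to. Neither is any real bank's rule set.


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    allowed: str  # characters the password field accepts
    min_len: int
    max_len: int


ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = ALNUM + string.punctuation + " "           # 95 symbols

BANK_POLICY = PasswordPolicy("alnum only, max 16", ALNUM, 8, 16)
SANE_POLICY = PasswordPolicy("any printable, max 64", PRINTABLE, 8, 64)


def violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Server-side check: the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_len:
        problems.append(f"shorter than {policy.min_len}")
    if len(password) > policy.max_len:
        problems.append(f"longer than {policy.max_len}")
    bad = sorted({c for c in password if c not in policy.allowed})
    if bad:
        problems.append("disallowed characters: " + repr("".join(bad)))
    return problems


def max_entropy_bits(policy: PasswordPolicy) -> float:
    """Entropy of a uniformly random password at the longest length the policy allows."""
    return policy.max_len * math.log2(len(policy.allowed))


def random_password_bits(password: str) -> float:
    """Entropy of a random password, crediting only the character classes actually
    present: an attacker who knows only lowercase was used searches a smaller pool."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " "]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool)


def passphrase_bits(n_words: int, dictionary_size: int = 7776) -> float:
    """Entropy of n_words drawn uniformly from a word list (7776 = Diceware list size).
    This word count, not the character length, is what a dictionary attacker searches,
    so it is the honest strength figure for a passphrase."""
    return n_words * math.log2(dictionary_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find a password by exhaustive search (half the keyspace) at an
    assumed offline guess rate; 1e10/s is a constructed figure for a fast hash."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def compare(password: str) -> dict[str, list[str]]:
    """Which of the two policies accept the given password, and why not otherwise."""
    return {p.name: violations(password, p) for p in (BANK_POLICY, SANE_POLICY)}


if __name__ == "__main__":
    # Constructed samples: the strongest thing the bank policy permits (16 random
    # alphanumerics) and a six-word Diceware-style passphrase that it rejects.
    capped = "x7Qm2LpZ9kTe4RvN"
    phrase = "correct horse battery staple ocean pillow"
    for pw in (capped, phrase):
        print(pw, compare(pw))
    print(f"{BANK_POLICY.name}: {max_entropy_bits(BANK_POLICY):.1f} bits at most")
    print(f"{SANE_POLICY.name}: {max_entropy_bits(SANE_POLICY):.1f} bits at most")
    print(f"6 Diceware words: {passphrase_bits(6):.1f} bits, "
          f"~{brute_force_years(passphrase_bits(6)):.0f} years at 1e10 guesses/s")
```

The point the numbers make: the 16-character cap limits even a perfectly random password to about 95 bits, and it throws out the memorable six-word passphrase entirely, while the permissive policy accepts it and costs the bank nothing, since the password is hashed server-side regardless of what characters it contains.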
I know some that only use a PIN
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Nelek wrote: I know some that only use a PIN
And that is a perfect additional example of the contrast you find. Some sites remove functionality that is completely safe, other sites just open the door for the thieves.
I completely understand your frustration. I also hate websites (mostly banks) that disable pasting on their websites and just for gigs, they'll need me to type certain things like account numbers, BSB code, etc. twice.
I use Don't F*** With Paste[^] extension on Chrome and tell them straight off. I'll copy, paste, cut, do whatever the hell I want on my computer. I will treat any entity that assumes an intellectual high-ground (while knowing next to nothing about security in reality) with great disdain, and will override their "security rules" with extreme prejudice.
I'd have rambled on a bit more if this was the soapbox, but the kid sister is watching so I'll go play merry-go-round instead.
Rajesh R Subramanian wrote: I will treat any entity that assumes an intellectual high-ground (while knowing next to nothing about security in reality) with great disdain, and will override their "security rules" with extreme prejudice.
I think disabling paste in password boxes is a great idea when it comes to securing customers, their data and money. Please tell me what you think of me now (give it your best shot!).
BTW, thanks for that extension.
"It is easy to decipher extraterrestrial signals after deciphering Javascript and VB6 themselves.", ISanti[ ^]
Raj is (or was?) a nice guy.
Come to think of it, with Aussies and their compulsive behaviour to shorten up words, you might as well be referred to as Raj.
"It is easy to decipher extraterrestrial signals after deciphering Javascript and VB6 themselves.", ISanti[ ^]
lw@zi wrote: Come to think of it, with Aussies and their compulsive behaviour to shorten up words, you might as well be referred to as Raj.
It's kind of why I said it's likely to be "another Raj". That, and the outsourcing to India.
Thanks! It is very refreshing to hear from others who really loathe these bad policies too.
Does your password manager not offer an option to simulate keystrokes to enter your password, rather than blindly relying on the clipboard?
(I have no idea - I don't use a password manager - at least nothing that'll try to type in anything for me out of "convenience")
dandy72 wrote: Does your password manager not offer an option to simulate keystrokes
Simulating keystrokes is more difficult in an Android app and it is the Android app that they (bank) removed the paste ability from.
I see.
As far as I'm concerned...considering the number of Android devices out there that have known exploits that'll never be patched, because OEMs can't be bothered...all banks should block Android altogether.
I rarely side with banks, but Android device vendors are downright irresponsible. IMNSHO.
Ok, I can accept that Android devices are vulnerable. That's fine.
But, then, the resolution for the bank is not to disallow pasting...it is to disallow the use of an Android device altogether. In other words, they shouldn't have ever created an Android app in the first place. I would accept that decision more readily than the blocking paste solution.
But then that would mean they needed to block the web site from Android Web browsers too.
It would be interesting and funny if the bank just came out and said, "Sorry, you can only use our e-banking via Apple devices."
raddevus wrote: I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous.
Write a piece for the local newspaper, based on facts, explaining how the bank either does not take security seriously, or is run by incompetents.
And be sure to name the bank by name
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
If you get the paper to publish your letter...
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
You better stock up on lawyers then
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
Eddy Vluggen wrote: You better stock up on lawyers then
Exactly why I have not written the article.
However, did you see the update to my post?
I found an article from the National Cyber Security Centre which also has links to Troy Hunt's explanation of why pasting is safe and important, and it has a link to a Wired article from 2015 which has very interesting info on why pasting should (must) be available in apps.
So, if I find the tweet, I'll know the bank by name?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.