• LCrawford (unregistered)

    So we never did learn why the web site went down every night? I assume they don't block ATM transactions for that same period.

  • Smash (unregistered)

    I am a bit disappointed with this article. Not because there are no WTFs, rather because there are signs of so many layers upon layers of WTFs yet they will probably never see the light of day. We see their glimmer and feel their stench but we don't get to appreciate that feeling of thinking "Oh gods, even in my company people know better than doing this!"

    Also the fact that it isn't explained why the website was down every night.

  • Pjrz (unregistered)

    Worrying, and in the EU this would be highly illegal and subject the bank to a multi-million dollar fine. Does the US have any actual data protection laws?

  • Oliver Jones (google)

    Hmm. Their PCI auditors (payment card industry) must have been subjected to "regulatory cognitive capture."

    "Hey, we're a big bank and you're a lowly auditor. If we do it, it must be right."

    And, hey, at least the web site isn't implemented in classic asp.

  • Zenith (unregistered)

    Share your dislike of Web-postback-on-every-keypress-Forms but what's wrong with classic ASP? And why is it bad relative to 10 layers of JScript and Entity used for most MVC sites that have no features and are barely compatible with anything?

  • (nodebb) in reply to Pjrz

    Does the US have any actual data protection laws?

    They have the very best laws and lawmakers that money can buy.

  • Quite (unregistered) in reply to dkf

    Bit rubbish then

  • AnonymousForThisOne (unregistered)

    Yeah, I once ended up doing crypto in JavaScript for a mortgage servicer website. No actual account details, just an ACH signup page, but the customer was entering bank account & routing info. For "technical reasons" it couldn't be hosted on the main website, and despite my pleas management refused to pay for a separate SSL cert. I figured incomplete protection was better than sending it in cleartext at least...

  • Mr Bits (unregistered)

    There's a clue in the title of today's article as to the name of the bank. You can bet your bottom dollar I'm not going to give them my business.

  • Moschops (unregistered)

    "They lend money deposited by other people to you, either as a car loan, mortgage, or for credit card purchases."

    Off-topic; true, but most of the money they lend isn't money deposited by someone else. It's generated out of nothing at the point of being loaned.

  • D-Coder (unregistered) in reply to Pjrz

    "Does the US have any actual data protection laws?"

    You mean, for big corporations? To protect ordinary people? HAHAHAHAHAHA!!!!

    (wipes coffee off screen)

  • scragar (unregistered) in reply to Moschops

It's not generated out of nothing, it belongs to someone, the bank is just abusing the fact that they only have to keep X% of the money you deposit on hand to lend the (100-X)% to someone, then because they credit that customer's account with that money they get to repeat the process. As long as the bank's total liquidity remains above X% they're complying with the law.

They're not just creating money out of nothing though, the total amount of money that exists doesn't change, but the amount that's in circulation does (which is what bankers mean when they say it creates money).

  • (nodebb)

    Anyone with even novice skills could have gotten social security, routing and account numbers for every customer of the bank!

    :pendant: Shouldn't the routing number be the same for every customer? It's also not exactly a security problem; the routing number for my bank is displayed at the bottom of every page on their web site.

  • castlerobber (unregistered)

    Twenty-ish years ago, I took about $100 in rolled coins to a branch of the bank where I had an account. They wanted me to write my full name and account number on each and every roll before they would accept the coins. "Are y'all going to recount and rewrap these?" I asked. "No," replied the teller. "So you're going to give these coins to another customer, with MY name and account number on them?" "Yes." "And you don't see any security problems with giving other customers that information? You aren't concerned about shorting some other customer if I counted my change wrong?" "It's bank policy." "Um...no, never mind, I'll find somewhere else."

  • . Shannara (google)

    Literally, the only WTF in the whole article is the website going offline during business hours.

    Everything else is strictly opinion and does not match reality.

  • (nodebb)

    "Rather than fight with the, ahem, highly knowledgeable individuals that thought that this was a good setup - and potentially be blamed for any breaches, Randy chose to jump ship and head for saner pastures."

    TRWTF is that Randy is not incorrect to simply jump ship. We've seen enough of these stories to know how raising security concerns results in being blamed for them.

    This is definitely a WTF, but the reason people are disappointed is because it's not news, which in itself is a WTF.

    I was only disappointed that he didn't sell the account numbers and other data to shady individuals.

  • Brian (unregistered) in reply to Oliver Jones

    Hmm. Their PCI auditors (payment card industry) must have been subjected to "regulatory cognitive capture."

    Actually, PCI auditors don't give a hoot about your security, except for how it concerns payment card data. The rest of your site/application can leak like a sieve, but as long as those PANs are safe, the auditors are happy. (Remember, their job is to protect the credit card companies from liability for stolen card data; they generally don't care about protecting you or your customers.)

    In this scenario, it's likely that Randy's boss paid for his lunch with a debit card, which resulted in the transaction showing up in the bank's records, but that doesn't mean the system in question actually handles the card data directly. Notice he mentioned seeing SSNs and bank account numbers, not card numbers.

  • Donald (unregistered)

    This explains how companies get this bad to begin with. Once the boss is incompetent, the competent people start to see where it is going and jump ship.

  • Shill (unregistered)

    Note that anyone you have ever written a check to has your routing number and account number. Your bank account number is not really supposed to be a secret, not even in the way your Social Security number is supposed to be a secret.

    Maybe these days writing checks is not so common, but thirty years ago no one would have thought twice about writing a check to anybody, no matter how disreputable the receiver.

  • snoofle (unregistered) in reply to Shill

    Then again, 30 years ago the company sending you a bill trusted you to not fold-spindle-mutilate the punch-card bill.

    Times, they are a-different

  • siciac (unregistered) in reply to Pjrz

    Worrying, and in the EU this would be highly illegal and subject the bank to a multi-million dollar fine. Does the US have any actual data protection laws?

    Yes, the US has all those laws.

    Laws are not magic, someone has to realize a law has been broken before any enforcement can be taken.

  • Bruce W (unregistered) in reply to Moschops

    Off-topic; true, but most of the money they lend isn't money deposited by someone else. It's generated out of nothing at the point of being loaned.

    Money loaned is not created out of nothing. Banks' balance sheets must still balance. Bank assets (loans) are offset by liabilities (deposits) and equity. I know of banks that have very little in deposits but have massive equity (stock) to offset the loan portfolio. When a bank's loan portfolio becomes "troubled", regulators often require the bank to either increase deposits or increase equity to rebalance the balance sheet.

  • Jezor (unregistered) in reply to Brian

    On top of that, if your auditors don't allow you to do something, you can always... get new auditors.

  • Anon (unregistered) in reply to Shill

    anyone you have ever written a check to has your routing number and account number

    I recently ordered new cheques from my bank (sadly, I still need these from time to time). When I complained to the teller about the price, she warned me not to order them online. She explained there are several disreputable sites, and all they need is your routing and account number to empty your account. I asked what is the difference between me providing the information online, and handing somebody a personal cheque. She said there is no difference.

    So, anybody paying via personal cheque is basically handing over the keys to their bank account? WOW. Bank $Security indeed.

    Somebody please tell me there is more to it.

  • (nodebb) in reply to Anon

    There is more to it. The disreputable companies have been authorized by you to withdraw money from your account when you ordered the checks. It is not a factor of them getting your account number and routing number. You have authorized payment, they can then check the balance and issue a charge. Yes you can dispute this but if the company vanishes there is not much you can do as you did give them an authorization. Now, does this happen often? No, and her making that statement is more of a scare tactic, but not completely false.

  • banking code monkey (unregistered)

    I used to work at a credit card bank and we used a lot of live test accounts. These were credit cards with credit limits of about $10 and fake social security numbers. They were only good for, you guessed it, buying lunch. I doubt that was what was going on here as these accounts were clearly marked as test accounts.

    We also had an extensive test environment that covered 99% of cases, so the live test cards were reserved for spot checks of prod deployments and use cases not covered yet by the test environment like issuing new physical cards.

  • HK-47 (unregistered)

    The fact that his boss’ lunch charge was in the test system means their production database is mirrored in their test setup, which in turn means all actual transaction data is there including card PAN, PVV, CVV, etc. Even if that is not the most blatant security issue, there is also a potential software licensing issue — if the test database is using the developer edition of MS SQL then loading production data into it constitutes a breach of the license.

  • Dave (unregistered) in reply to Moschops

    That's a Nazi conspiracy theory, nothing more.

    What banks actually do is a piece of magic called maturity transformation.

    (Possibly the most important concept in our entire civilisation is given a single (not particularly accurate) paragraph on Wikipedia...)

  • Decius (unregistered) in reply to KattMan

    The point about needing "authorization" is moot, if they can falsify the authorization and run with the money.

  • LHPSU (unregistered)

    Please tell me this isn't PNC Bank.

  • Lee Oswald (unregistered) in reply to Moschops

    most of the money they lend isn't money deposited by someone else. It's generated out of nothing at the point of being loaned.

    You have not understood fractional reserve banking. Congratulations! This qualifies you to work as a programmer in the finance industry.

  • bobcat (unregistered)

    Yeah, the money isn't created out of thin air. But banks do create money. Anyone who thinks money is a zero-sum game - that in order for someone to be rich, someone else has to be poor - has a weak grasp of economics and banking. I once had an argument with a guy who believed that every single dollar in his bank account was tied to an actual physical dollar. Hoo boy.

  • Hasseman (unregistered)

    How money multiplication works and how bank reserves work on loans and so on can be found here: https://en.wikipedia.org/wiki/Money_multiplier.

    Especially on the table at the bottom.

  • Dave (unregistered) in reply to bobcat

    Central banks create money. Or rather, issue currency. That is the only sense in which banks create money. As no less than the Governor of the Bank of England stated explicitly, the claim that commercial banks create money is a Nazi conspiracy theory and is just plain wrong.

  • markm (unregistered) in reply to Moschops

    "most of the money they lend isn't money deposited by someone else. It's generated out of nothing at the point of being loaned" may be a fair description of the federal reserve transactions that create money in the first place, but that's with banks that only loan to other banks. Consumer loans must come out of funds on deposit or the bank's operating capital, with a limit on what percentage of assets can be loaned out (the reserve requirement).

  • DD (unregistered) in reply to Moschops

    I won a lawsuit based on this fact, during the mortgage crisis, when they lost the title paperwork to my house. I argued that if I had known the banks worked that way, I would have never entered into the contract in the first place, constituting fraud.

  • Moschops (unregistered) in reply to Bruce W

    I think you're arguing the same point.

    There is no money. Then Bob Smith has a thousand dollars in his bank account, and the bank has an "asset" in the debt owed to it by Bob Smith. Beforehand, the net balance was zero; afterwards, the net balance is zero. Bob Smith does now have a thousand dollars. Money has been created, out of nothing.

  • Moschops (unregistered) in reply to markm

    Here's what the Bank of England has to say on it:

    "Whenever a bank makes a loan, it simultaneously creates a matching deposit in the borrower’s bank account, thereby creating new money."

    Money is created, out of nothing.

  • Moschops (unregistered) in reply to Lee Oswald

    Hi Lee. You're a passive aggressive tosser. This is typical of programmers. You're probably qualified to work in lots of places, but you're still disliked for your passive aggressive attitude. Please become an adult and engage in useful, adult conversations. You'll note that there is no snide passive aggressive childishness in this response; I've simply told you what you are, without any false bonhomie to hide behind.

    You'll note that I've provided evidence to support my claims. You have not. Maybe my evidence is bad. Maybe I've misinterpreted it. Nonetheless, we are simply operating on different levels; presenting evidence is simply a better way.

  • Moschops (unregistered)

    One last one before I give up on it for good:

    "Commercial [i.e. high-street] banks create money, in the form of bank deposits, by making new loans. When a bank makes a loan, for example to someone taking out a mortgage to buy a house, it does not typically do so by giving them thousands of pounds worth of banknotes. Instead, it credits their bank account with a bank deposit of the size of the mortgage. At that moment, new money is created."

    This is what the Bank of England states in their paper "Money Creation in the Modern Economy". They say "at that point, new money is created".

    So if that's incorrect, you're up against the Bank of England.
  • Ali Razeghi (google)

    +1 for using a JFK "United States Note" picture printed under Executive Order 11110. This was the last time our nation was sovereign with full access and management to utter its own credit without oversight, interest payments, or permission from the private Royal Bank of England.

  • Dave (unregistered) in reply to Moschops

    The Governor of the Bank of England has explicitly stated that your interpretation is not only wrong, but also is nothing more than an old anti-Semitic conspiracy theory. It's one step away from the blood libel.

    Before you go any further down the MMT route, you might like to do a bit more research: it's revisionist economics, the same way 'revisionist history' is a euphemism for Holocaust denial. The sole point of it is to justify the Holocaust.

    As the leading proponents of MMT freely admit, the ideas originated with a mustachioed Austrian who ran Germany from 1933 to 1944. Go ask Steve Keen, for one. He is at least honest enough to acknowledge that the man with the toothbrush moustache 'understood MMT' - that's a direct quote, by the way.

  • Dave (unregistered) in reply to Ali Razeghi

    Where do those absurd conspiracy theories come from? Not only is the US as sovereign as any nation on the planet, but the Bank of England is neither 'Royal' nor 'private'.

    Oh, wait, we do actually know the answer there: they originate with the far right, who have always used that kind of nonsense as one of their main justifications for killing 'the jooz'.

  • Decius (unregistered) in reply to Moschops

    The money isn't created when the bank makes the loan- the money is created when the bank is allowed to make the loan.

  • Free Bird (unregistered) in reply to Moschops

    The Bank of England isn't wrong (in this particular case), you just don't understand what they're saying. Nobody's disputing that banks create money. The point is that they don't create it out of thin air, which you claimed they do. When somebody deposits money at a bank they can lend out a multiple of that amount, but they are still limited in the size of the outstanding loans there can be at any time relative to deposits and capital.

  • Ali Razeghi (google) in reply to Dave

    Excuse me Dave but your own answer could be found by simply reciting what steps the US needs to print money. If the President of the US wants to print money, what steps are required? If you can answer that then you can answer your own question.

    The congress votes on it, then the head of the Federal Reserve heads to City of London where the Bank of England is paid interest to for us to print our own money. Of course complicated rebates and such are done but yes, this is how a private Federal Reserve system works. That's why they are private bankers. The opposite would be a National Bank such as one Alexander Hamilton had but for now we're stuck with an unbacked shitty "Federal Reserve Note".

  • That's the joke (unregistered) in reply to dkf

    The original commenter means that if you have enough money you can get them to do whatever you want (i.e. not create regulation that disadvantages you).

Leave a comment on “Bank $Security”