Somebody got into my bank account and attempted to steal some money. Luckily, we were able to stop it quickly and the bank had the money back in our account the same day. It was pretty upsetting so I sent a letter to them with a lot of questions about their system and eventually somebody from the inside called me.
One of the questions I asked was why they limit password length. The (low) limit suggests that they were storing the password rather than a hash of it. They wouldn't confirm that was what they were doing, but their ultimate answer to me was stop worrying - you aren't responsible for fraud.
I also asked for a list of all the external IPs that had accessed my account and I couldn't get that for privacy reasons. I'm not sure whose privacy they were worried about, but I guess it wasn't mine. In the end, it was an incredibly unsatisfying exercise.
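Hashing, as the first post points out, makes the stored record the same size no matter how long the password is, so a hashed store has no reason to impose a short limit. As an added example (not code from the thread or from any bank), the block below keeps a salted PBKDF2-HMAC-SHA256 record and verifies it in constant time; the iteration count and record format are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware.
ITERATIONS = 600_000
# Derived key length in bytes: identical for an 8-character and a 300-character password.
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn unless one is supplied (supplied only for tests).
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, DKLEN
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
        DKLEN,
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def stored_hash_bytes(record: str) -> int:
    """Size of the stored hash field; does not depend on the password's length."""
    return len(bytes.fromhex(record.split("$")[3]))
```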
I changed my bank's online account password lately because it wasn't a good password, and then I forgot my new password. Resetting my password was a fucking joke: anyone who's acquainted with me and can do a few Google searches could get into my bank account if they had my card number. It's not just their hardware, their whole security practices are messed up, but they don't care because the federal government insures every account up to 100k.
Their website is probably front-ending mainframe CICS screens that have a short password field, saved in plain text, just like when it was developed in the 1980s.