Yikes 😬 - eviltoast
  • laxsill@infosec.pub
    link
    fedilink
    arrow-up
    133
    ·
    1 year ago

    Their policy should just be to reset the password immediately and have the user set a new one. This is one hell of a risk.

    • Z4rK@lemmy.world
      link
      fedilink
      English
      arrow-up
      42
      ·
      1 year ago

      I still can’t believe American banks lets you login with just username / password? Surely there is some id check or at least two factors involved?

      • icanwatermyplants@reddthat.com
        link
        fedilink
        arrow-up
        34
        ·
        edit-2
        1 year ago

        Nope, several years ago someone complained that their steam account has better protection then their bank account. We’re now in 2023 and that statement still holds. It’s quite scary really. Bank websites that heavily rely on third party scripts ,“MFA” logins based on something you know and something you know. Account verification question based on code words or security questions based on public information. Worst of all, the ignorance of it all. “We got hacked, here have a identity protection bandage, comes with an automatic subscription after several years”.

        • atrielienz@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          I wanted to use a 2FA device for my banking accounts and no bank that I have spoken to would allow it. I’d had a breach on one account because my information had been leaked from several different places including the federal government and a credit agency and as a result the person used my leaked information to validate their way into my checking account. At that point they let me set up a pass phrase and a couple of other random safeguards. This was all well and good but it didn’t make me feel safer than having that account protected by a physical 2FA device. I was also given more free credit monitoring (which I’ve gotten like 4 or 5 times in the last 10 years or so). Still bugs me to this day.

        • Z4rK@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          No wonder all the finance and budget apps primarily prefers integrating with American banks!

      • laxsill@infosec.pub
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        Yeah I’m European end my job in accounting makes me have to work with American banks regularly. So let’s just say my expectations on American banks are quite low.

        • lulztard@reddthat.com
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Wait, American banks don’t go with extra authentication? I couldn’t log in anywhere without SMS or additional apps or whatever. Depending on your bank you might even have to go through three different stages of authentication. Over the pond you just go username / password?

          • Madison420@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            They do. It’s not as stout as basically anywhere else but 2fa is and has been a thing here for quite some time and specifically as long as I’ve banked Mobile ACC that’s gotta be 5 years+.

            I’m honestly not sure where this whole comment chain is coming from , I guess people don’t just ask and instead assume it’s not offered. I dunno it’s a very weird argument to me since my bank has always had 2fa and alllows third party geolocating 3fa.

      • slackassassin@sh.itjust.works
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        They don’t, and there is, but you would still suggest removing the user name and password from a social media post anyway. Right?

    • XTornado@lemmy.ml
      link
      fedilink
      arrow-up
      12
      ·
      edit-2
      1 year ago

      That would imply they have to test that the credentials are correct though.

      Otherwise I can just put somebody’s user and put some fake password and they would reset it and disconnect the account of that user and annoy him.

    • CJOtheReal@ani.social
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      But the username is still public, you can change the password but if your customer is idiotic enough to blast both out into the internet, the password will just get a 1 or ! After the password they used before…

    • Empricorn@feddit.nl
      link
      fedilink
      English
      arrow-up
      52
      ·
      1 year ago

      I get why you’re saying that since it was Xitted at/tagged Bank of America. But it was still a public post from the user’s account. That’s like assuming a company could delete one of your emails or your Facebook post.

      • stolid_agnostic@lemmy.ml
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        I never used twitter but I guess the best you can do is make it not appear on your wall but the tweet still exists.

        • Zagorath@aussie.zone
          link
          fedilink
          English
          arrow-up
          13
          ·
          1 year ago

          Tweets from other people don’t ever appear on your wall. They only appear on that user’s profile page, or on the home page of users who follow that user. Or, the third way it can show up is attached to another post that replies to it.

          So ironically, by replying and telling the user to remove their personal information, BoA has actually ensured more people are able to see that user’s personal information.

          • funkless@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            previous big Twitter user here, technically, as the replies are threaded, this would be under BoFA > Tweets and replies > the reply we see above > this tweet attached.

            not literally “on their wall” but still findable without using a search function from the profile.

      • bitsplease@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        They also definetely should have advised them to (or just done it themselves) reset their password, because even deleting the tweet isn’t nearly enough at that point (as evidenced by the screen grab lol

  • HornyOnMain [she/her]@hexbear.net
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    ngl, as someone who’s been cryptoscammed reasonably recently, everytime i see one of these posts i feel quite a bit more sympathy for the people who don’t understand how to use the internet who do this shit. i did feel some sympathy before but now it’s combined with the memory of the feeling of panic and then shame i felt in the immediate aftermath, and also understanding how these scammers are so effective.

    • funkless_eck@sh.itjust.works
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      a friend of mine was telling me that their parents got scammed recently out of 200k. They were trying to work out how and why and everyone, including the victims was just like “I dunno… it just kinda happened. Everything looked legit.”

      And I imagine if “buying something on amazon” looks really confusing to you, there’s little difference between that and a scam, because it’s all a mystery you can’t hope to comprehend.

      Now I imagine that experienced or savvy people could smell a rat instantly, but if you truly find online payments way beyond your Ken, I can see how it happens