Author Topic: The Risk of Weak Online Banking Passwords  (Read 4914 times)

TheContinentalOp

  • Bristles
  • ***
  • Posts: 289
  • Location: Shenadoah Valley, Virginia
The Risk of Weak Online Banking Passwords
« on: August 06, 2019, 01:39:47 PM »
Quote
If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, Plaid, Yodlee, YNAB and others to surveil and drain consumer accounts online.

Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (API)s from one of several personal financial data aggregators which help users track their balances, budgets and spending across multiple banks.

A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

https://krebsonsecurity.com/2019/08/the-risk-of-weak-online-banking-passwords/

eljefe-speaks

  • Bristles
  • ***
  • Posts: 399
Re: The Risk of Weak Online Banking Passwords
« Reply #1 on: August 06, 2019, 01:47:40 PM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

OurTown

  • Handlebar Stache
  • *****
  • Posts: 1372
  • Age: 54
  • Location: Tennessee
Re: The Risk of Weak Online Banking Passwords
« Reply #2 on: August 06, 2019, 01:58:14 PM »
"12345"

solon

  • Handlebar Stache
  • *****
  • Posts: 2363
  • Age: 1823
  • Location: OH
Re: The Risk of Weak Online Banking Passwords
« Reply #3 on: August 06, 2019, 02:50:27 PM »
"12345"

That's the kinda thing an idiot would have on his luggage!

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: The Risk of Weak Online Banking Passwords
« Reply #4 on: August 06, 2019, 02:55:37 PM »

Wrenchturner

  • Handlebar Stache
  • *****
  • Posts: 1341
  • Age: 36
  • Location: Canada
Re: The Risk of Weak Online Banking Passwords
« Reply #5 on: August 06, 2019, 02:57:15 PM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

Seems to me a password aggregator is the last thing you'd want to use...

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: The Risk of Weak Online Banking Passwords
« Reply #6 on: August 06, 2019, 02:58:31 PM »
A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Mint can't do transfers, right? So viewing what's in a bank account might make you a bigger target but how would the hackers get around the text MFA? Unless the APIs allow changing the account phone number without requiring the MFA. Possible but that's a huge security hole.

CptCool

  • Bristles
  • ***
  • Posts: 252
Re: The Risk of Weak Online Banking Passwords
« Reply #7 on: August 06, 2019, 03:11:59 PM »
A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Mint can't do transfers, right? So viewing what's in a bank account might make you a bigger target but how would the hackers get around the text MFA? Unless the APIs allow changing the account phone number without requiring the MFA. Possible but that's a huge security hole.

Ya, I don't understand the risk of an API allowing view-only. No edits can be made, it just queries the balance, transactions etc.

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: The Risk of Weak Online Banking Passwords
« Reply #8 on: August 06, 2019, 03:14:46 PM »
The state of online security is... horrific.

Most banks or other institutions which require good security are still stuck in the stone age when it comes to passwords. Heck, a financial site I am forced to use (through employer) still LIMITS password length to 12 characters. This is insane!

Use passphrases, not passwords. See the infamous: https://xkcd.com/936/

Lastpass just makes it one stop shopping for someone to grab your passwords (and everyone else's). Use a locally stored password manager (e.g. keepass). Less convenient but a better way to handle it.

life_travel

  • Stubble
  • **
  • Posts: 239
  • Location: Australia
Re: The Risk of Weak Online Banking Passwords
« Reply #9 on: August 07, 2019, 05:47:18 AM »
I looked at the link which suggests using a phrase that contains words BUT unfortunately different sites ask for different configurations (capital letter, number, special characters a must or not allowed), etc. so in practice it's very hard to make up ONE password (like the common horse battery staple example) to use for all financial sites.

TheContinentalOp

  • Bristles
  • ***
  • Posts: 289
  • Location: Shenadoah Valley, Virginia
Re: The Risk of Weak Online Banking Passwords
« Reply #10 on: August 07, 2019, 06:14:33 AM »
A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Mint can't do transfers, right? So viewing what's in a bank account might make you a bigger target but how would the hackers get around the text MFA? Unless the APIs allow changing the account phone number without requiring the MFA. Possible but that's a huge security hole.

Ya, I don't understand the risk of an API allowing view-only. No edits can be made, it just queries the balance, transactions etc.

Perhaps it's a way to social engineer the bank's customer service rep?  The bad guy calls in and is able to confirm and identify the last 5 transactions on the account?

solon

  • Handlebar Stache
  • *****
  • Posts: 2363
  • Age: 1823
  • Location: OH
Re: The Risk of Weak Online Banking Passwords
« Reply #11 on: August 07, 2019, 10:16:20 AM »
I looked at the link which suggests using a phrase that contains words BUT unfortunately different sites ask for different configurations (capital letter, number, special characters a must or not allowed), etc. so in practice it's very hard to make up ONE password (like the common horse battery staple example) to use for all financial sites.

No, no, no, no, no! Do NOT use one password for all your financial sites. Use a unique password for every site, financial or not.

Use one good password for your password manager, something like correct horse battery staple.
But individual sites should be something like: O1B*f40yI$#k@gWKg5TCtHAyx&se@OKx, which you store in your password manager.

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: The Risk of Weak Online Banking Passwords
« Reply #12 on: August 07, 2019, 10:24:38 AM »
A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Mint can't do transfers, right? So viewing what's in a bank account might make you a bigger target but how would the hackers get around the text MFA? Unless the APIs allow changing the account phone number without requiring the MFA. Possible but that's a huge security hole.

Ya, I don't understand the risk of an API allowing view-only. No edits can be made, it just queries the balance, transactions etc.

Perhaps it's a way to social engineer the bank's customer service rep?  The bad guy calls in and is able to confirm and identify the last 5 transactions on the account?

Good point. That's entirely possible, especially if the phone number is spoofed.

Hacker: "This is really bacchi. I am not Russkie hacker. Please wire all money to bank in Cyprus."
Naive but helpful customer service rep: "Sure, bacchi. The money is on the way! Have a good day."

flipboard

  • Bristles
  • ***
  • Posts: 291
Re: The Risk of Weak Online Banking Passwords
« Reply #13 on: August 07, 2019, 10:31:19 AM »
Banks in the USA are indeed hilarious. At least some of them have 2FA-ish things with SMS or email (neither of which is secure).

Meanwhile back home I've never had an account without enforced 2FA via an external card reader (more recently most of them have some form of hardware phone based verification with the use of a PIN or face/fingerprint ID).

ketchup

  • Magnum Stache
  • ******
  • Posts: 4323
  • Age: 33
Re: The Risk of Weak Online Banking Passwords
« Reply #14 on: August 07, 2019, 10:41:08 AM »
I looked at the link which suggests using a phrase that contains words BUT unfortunately different sites ask for different configurations (capital letter, number, special characters a must or not allowed), etc. so in practice it's very hard to make up ONE password (like the common horse battery staple example) to use for all financial sites.

No, no, no, no, no! Do NOT use one password for all your financial sites. Use a unique password for every site, financial or not.

Use one good password for your password manager, something like correct horse battery staple.
But individual sites should be something like: O1B*f40yI$#k@gWKg5TCtHAyx&se@OKx, which you store in your password manager.
At the very absolute least, if you're not using a password manager, make passwords unique by adding something onto the end of your "base" password.  It's not perfect but it's better than nothing.  I did that at one point.

ThisIsMyPassword#833c for Chase
ThisIsMyPassword#833p for Paypal
ThisIsMyPassword#833eb for eBay
ThisIsMyPassword#833f for Facebook
ThisIsMyPassword#833ms for Microsoft
ThisIsMyPassword#833a for Adobe

etc

You really really do not want exactly the same password everywhere.  That's step one of account security: https://xkcd.com/2176/
« Last Edit: August 07, 2019, 10:43:01 AM by ketchup »

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: The Risk of Weak Online Banking Passwords
« Reply #15 on: August 07, 2019, 10:41:53 AM »
Banks in the USA are indeed hilarious. At least some of them have 2FA-ish things with SMS or email (neither of which is secure).

Meanwhile back home I've never had an account without enforced 2FA via an external card reader (more recently most of them have some form of hardware phone based verification with the use of a PIN or face/fingerprint ID).

Some brokers have this. A few require it (IB in particular) and some allow use of yubikey.

Actually, it looks like gmail works with yubikey. Nice.

eljefe-speaks

  • Bristles
  • ***
  • Posts: 399
Re: The Risk of Weak Online Banking Passwords
« Reply #16 on: August 07, 2019, 10:45:55 AM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

Seems to me a password aggregator is the last thing you'd want to use...

I do not know much about the technical details, but a password aggregator's ONE JOB is to protect the passwords, unlike any other site that has your password on file. Plus my LastPass password is long and complicated AF.

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: The Risk of Weak Online Banking Passwords
« Reply #17 on: August 07, 2019, 11:12:41 AM »
I looked at the link which suggests using a phrase that contains words BUT unfortunately different sites ask for different configurations (capital letter, number, special characters a must or not allowed), etc. so in practice it's very hard to make up ONE password (like the common horse battery staple example) to use for all financial sites.

Never, ever use a password on more than one site. Security breaches are so common (more common than is reported) that a very common tactic for 'hackers' is to use credentials from security breaches of one site on other sites.

So if you use the same username/password on amazon as you do for your bank, if amazon is breached (and it probably has been) then 'hackers' will take your amazon credentials and try them on your bank, and then they have you.

You can check if your email/username has been breached on sites through various websites, such as:

https://haveibeenpwned.com/

If you use the same username/password on every site you are almost certainly completely 'pwned' because while your bank might have decent security, most websites don't. For example, MMM was very unwise and ran for a long time without using https, which means that every time you logged in to MMM your credentials were sent in clear text over the internet so those credentials are almost certainly in some database somewhere being tried against other sites.
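As an added illustration of how the haveibeenpwned password check linked above works (example code written for this thread, not from the site, its author, or any poster): the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, receives every breached suffix in that range, and finishes the match locally, so the full password never leaves your machine. The breach corpus, the server response and the counts below are constructed for the demo; the `/range/<prefix>` path shape mirrors the public Pwned Passwords API.

```python
import hashlib

# Constructed stand-in for a breach corpus; counts are made up for the demo.
CONSTRUCTED_BREACH_CORPUS = {
    "12345": 2_500_000,
    "password": 3_700_000,
    "correct horse battery staple": 1_200,
}

# Constructed filler suffixes so a range response never consists of one line.
CONSTRUCTED_FILLER_SUFFIXES = [
    "0123456789ABCDEF0123456789ABCDEF012",
    "FEDCBA9876543210FEDCBA9876543210FED",
]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix): the 5-char prefix that is sent, and the
    35-char suffix that stays on the client for the local comparison."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def range_request_path(prefix: str) -> str:
    """Path of the k-anonymity query. Only the prefix is disclosed."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return f"/range/{prefix}"


def constructed_range_response(prefix: str) -> str:
    """Pretend server: emit 'SUFFIX:COUNT' lines for every corpus entry whose
    hash starts with `prefix`, plus the constructed filler lines."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    for filler in CONSTRUCTED_FILLER_SUFFIXES:
        lines.append(f"{filler}:1")
    return "\r\n".join(lines) + "\r\n"


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines skipped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=constructed_range_response) -> int:
    """How many times the password appears in the (constructed) corpus.
    `fetch` takes a 5-char prefix and returns the range response body."""
    prefix, suffix = split_hash(password)
    range_request_path(prefix)  # what would go on the wire: the prefix only
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str, min_len: int = 12,
                  fetch=constructed_range_response) -> bool:
    """Policy check a site could run at signup: long enough and not breached."""
    return len(password) >= min_len and breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("12345", "correct horse battery staple",
                      "O1B*f40yI$#k@gWKg5TCtHAyx&se@OKx"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"acceptable={is_acceptable(candidate)}")
```

Swapping `fetch` for a real HTTPS GET against the public endpoint turns this into a live check while keeping the same privacy property.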

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: The Risk of Weak Online Banking Passwords
« Reply #18 on: August 07, 2019, 11:14:51 AM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

Seems to me a password aggregator is the last thing you'd want to use...

I do not know much about the technical details, but a password aggregator's ONE JOB is to protect the passwords, unlike any other site that has your password on file. Plus my LastPass password is long and complicated AF.

Lastpass has experienced several major security breaches over the last few years (including some that revealed your credentials just by visiting a website). It's just a bad, bad idea to store your passwords on someone else's computer.

sherr

  • Handlebar Stache
  • *****
  • Posts: 1541
  • Age: 38
  • Location: North Carolina, USA
Re: The Risk of Weak Online Banking Passwords
« Reply #19 on: August 07, 2019, 11:19:46 AM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

Seems to me a password aggregator is the last thing you'd want to use...

I do not know much about the technical details, but a password aggregator's ONE JOB is to protect the passwords, unlike any other site that has your password on file. Plus my LastPass password is long and complicated AF.

Wrench's point is that it also makes it a highly desirable target. If hackers can break into LastPass (and they have some type of security vulnerability that makes your passwords retrievable without your master password) then they can gain access to *all* of your accounts.

It's a fair criticism, but it's also the least-bad of a lot of bad options. I personally use keepass as mentioned above which only lives on my computer and is not online like LastPass. You still run the risk that someone will hack your computer and steal the database and then hack that, but that's obviously not very likely as they'd have to be targeting you in particular and not a company with millions of users' passwords.
« Last Edit: August 07, 2019, 11:22:05 AM by sherr »

Wrenchturner

  • Handlebar Stache
  • *****
  • Posts: 1341
  • Age: 36
  • Location: Canada
Re: The Risk of Weak Online Banking Passwords
« Reply #20 on: August 07, 2019, 11:56:31 AM »
If you could isolate your password manager from any networking, it could be safer.  But at that point you might as well write them down and put the paper somewhere hidden.

I guess the idea of a password manager is that most weaknesses occur during login with a browser, not elsewhere.

But yes, storing all your passwords in one place seems like a bad idea, and you're still entrusting a third party with your security anyway.

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: The Risk of Weak Online Banking Passwords
« Reply #21 on: August 07, 2019, 03:14:54 PM »
If you could isolate your password manager from any networking, it could be safer.  But at that point you might as well write them down and put the paper somewhere hidden.

I guess the idea of a password manager is that most weaknesses occur during login with a browser, not elsewhere.

But yes, storing all your passwords in one place seems like a bad idea, and you're still entrusting a third party with your security anyway.

Despite a lot of flak about it, writing down your critical passwords is a lot safer than storing them on someone else's computer. Unless you are in an environment where you have to actually worry about in-person theft (corporate, bad actors in the household, etc.).

No one is going to break into your home to try to find your passwords, hah.

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: The Risk of Weak Online Banking Passwords
« Reply #22 on: August 07, 2019, 03:20:59 PM »
If you could isolate your password manager from any networking, it could be safer.  But at that point you might as well write them down and put the paper somewhere hidden.

I guess the idea of a password manager is that most weaknesses occur during login with a browser, not elsewhere.

But yes, storing all your passwords in one place seems like a bad idea, and you're still entrusting a third party with your security anyway.

Despite a lot of flak about it, writing down your critical passwords is a lot safer than storing them on someone else's computer. Unless you are in an environment where you have to actually worry about in-person theft (corporate, bad actors in the household, etc.).

No one is going to break into your home to try to find your passwords, hah.

It's just very inconvenient to type "lr$B\@b=~CkC3qu!bY7" from a sheet of paper.


Zamboni

  • Magnum Stache
  • ******
  • Posts: 3885
Re: The Risk of Weak Online Banking Passwords
« Reply #23 on: August 07, 2019, 03:30:31 PM »
No, no, no, no, no! Do NOT use one password for all your financial sites. Use a unique password for every site, financial or not.

Use one good password for your password manager, something like correct horse battery staple.
But individual sites should be something like: O1B*f40yI$#k@gWKg5TCtHAyx&se@OKx, which you store in your password manager.
At the very absolute least, if you're not using a password manager, make passwords unique by adding something onto the end of your "base" password.  It's not perfect but it's better than nothing.  I did that at one point.

ThisIsMyPassword#833c for Chase
ThisIsMyPassword#833p for Paypal
ThisIsMyPassword#833eb for eBay
ThisIsMyPassword#833f for Facebook
ThisIsMyPassword#833ms for Microsoft
ThisIsMyPassword#833a for Adobe

etc

You really really do not want exactly the same password everywhere.  That's step one of account security: https://xkcd.com/2176/

This is the best suggestion I have ever seen, because it is something I can do AND REMEMBER IN MY HEAD! I don't like password managers for the reason others have cited. I do have a few different username/password combinations, but your suggestion will make that even better. Thanks, @ketchup!

Wrenchturner

  • Handlebar Stache
  • *****
  • Posts: 1341
  • Age: 36
  • Location: Canada
Re: The Risk of Weak Online Banking Passwords
« Reply #24 on: August 07, 2019, 03:43:09 PM »
If you could isolate your password manager from any networking, it could be safer.  But at that point you might as well write them down and put the paper somewhere hidden.

I guess the idea of a password manager is that most weaknesses occur during login with a browser, not elsewhere.

But yes, storing all your passwords in one place seems like a bad idea, and you're still entrusting a third party with your security anyway.

Despite a lot of flak about it, writing down your critical passwords is a lot safer than storing them on someone else's computer. Unless you are in an environment where you have to actually worry about in-person theft (corporate, bad actors in the household, etc.).

No one is going to break into your home to try to find your passwords, hah.

It's just very inconvenient to type "lr$B\@b=~CkC3qu!bY7" from a sheet of paper.
Is it really necessary to craft a password like that?  Seems like protection against brute force attempts, but most login systems only offer a few attempts anyway.

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: The Risk of Weak Online Banking Passwords
« Reply #25 on: August 07, 2019, 04:00:13 PM »
If you could isolate your password manager from any networking, it could be safer.  But at that point you might as well write them down and put the paper somewhere hidden.

I guess the idea of a password manager is that most weaknesses occur during login with a browser, not elsewhere.

But yes, storing all your passwords in one place seems like a bad idea, and you're still entrusting a third party with your security anyway.

Despite a lot of flak about it, writing down your critical passwords is a lot safer than storing them on someone else's computer. Unless you are in an environment where you have to actually worry about in-person theft (corporate, bad actors in the household, etc.).

No one is going to break into your home to try to find your passwords, hah.

It's just very inconvenient to type "lr$B\@b=~CkC3qu!bY7" from a sheet of paper.

What I do is have passphrases per site + a standard appended/memorized chunk of gobbly-gook to satisfy password requirements. Similar to, but inverted from, what others have mentioned.

MySuperAwesomePasswordPhraseForWebsiteA!aB1
MyOtherPasswordPhraseForWebsiteB!aB1

(no, that's not my gobbly-gook, hah)

Not perfect, but I don't have to rely on a password manager, my passwords are still decently entropy-full and not substantially similar between sites, and I work around dumb password requirements without having to memorize different chunks of gobbly-gook per site.

This could be written down (just the unique passphrase parts) and be easy to type (as the written down part would be a reminder more than something to type from). Also in the event someone does get a hold of your written down passwords, they don't have everything.

Unfortunately, some sites do dumb things like have max password lengths that are absurdly short, don't allow special characters, and other annoying things, so it's not 100%.
« Last Edit: August 07, 2019, 04:07:12 PM by MilesTeg »

life_travel

  • Stubble
  • **
  • Posts: 239
  • Location: Australia
Re: The Risk of Weak Online Banking Passwords
« Reply #26 on: August 08, 2019, 01:38:52 AM »
Ok, to make it clear, I don't use the SAME password for every site!
For non-important sites without any financial details it's a simple password /s
For banks I use a different password and some of them limit you to 8 digits so ... Yes, it's not ideal but apart from writing them all down, I need a better system, but I don't want to use LastPass or anything like that.
We also travel a lot so I need to know my logins by heart and I'm afraid if I save them on the phone / computer the items will be stolen and passwords accessed.
I think the best way is to create a longer base one (where allowed) and then add a unique ending.

eljefe-speaks

  • Bristles
  • ***
  • Posts: 399
Re: The Risk of Weak Online Banking Passwords
« Reply #27 on: August 08, 2019, 09:45:11 AM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

Seems to me a password aggregator is the last thing you'd want to use...

I do not know much about the technical details, but a password aggregator's ONE JOB is to protect the passwords, unlike any other site that has your password on file. Plus my LastPass password is long and complicated AF.

Lastpass has experienced several major security breaches over the last few years (including some that revealed your credentials just by visiting a website). It's just a bad, bad idea to store your passwords on someone else's computer.

MT, I am a total layman as regards computer security (except for having read a book that goes into the history and general functionality of RSA security). But a quick trip to Wikipedia showed minor breaches that lastpass very quickly identified and patched up. I do understand that a lot of data could be stolen in a very short time and a new vulnerability could be discovered at any moment. 

So I was wondering if you had a reference for your claim about recent major security breaches. Wiki isn't fully reliable for this info, I realize.

flipboard

  • Bristles
  • ***
  • Posts: 291
Re: The Risk of Weak Online Banking Passwords
« Reply #28 on: August 08, 2019, 12:30:28 PM »
Some brokers have this. A few require it (IB in particular) and some allow use of yubikey.

Actually, it looks like gmail works with yubikey. Nice.
IB unfortunately isn't as safe as it looks - it can be bypassed with SMS (it's super hidden, through a roundabout way - but it's possible).

JLee

  • Walrus Stache
  • *******
  • Posts: 7525
Re: The Risk of Weak Online Banking Passwords
« Reply #29 on: August 08, 2019, 12:41:19 PM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

Seems to me a password aggregator is the last thing you'd want to use...

I do not know much about the technical details, but a password aggregator's ONE JOB is to protect the passwords, unlike any other site that has your password on file. Plus my LastPass password is long and complicated AF.

Lastpass has experienced several major security breaches over the last few years (including some that revealed your credentials just by visiting a website). It's just a bad, bad idea to store your passwords on someone else's computer.

MT, I am a total layman as regards computer security (except for having read a book that goes into the history and general functionality of RSA security). But a quick trip to Wikipedia showed minor breaches that lastpass very quickly identified and patched up. I do understand that a lot of data could be stolen in a very short time and a new vulnerability could be discovered at any moment. 

So I was wondering if you had a reference for your claim about recent major security breaches. Wiki isn't fully reliable for this info, I realize.

I would also like to have this information.

https://www.lastpass.com/security/what-if-lastpass-gets-hacked

obstinate

  • Handlebar Stache
  • *****
  • Posts: 1151
Re: The Risk of Weak Online Banking Passwords
« Reply #30 on: August 08, 2019, 01:10:07 PM »
I've started using Google Passwords (passwords.google.com), which is a service similar to LastPass. Like LastPass, Google has had very few if any security breaches of its server software. Moreover, they pay good money to penetration testers for any bugs they might find, so folks have an incentive to report bugs and security problems directly to Google, rather than selling them to the black market.

I no longer think up my own passwords. Instead, whenever I create a new account, I have Google magic me up a new secure password. This password is then available via my Android phone or via Chrome autocomplete. I don't even know my password to most sites now. One thing I know for sure is that any leak affecting one of these sites will not affect my security on any other.

Now if someone ever steals my Google password and my phone (my second factor), and either deduces my device PIN or also steals my index finger, I will be semi-fucked. But in such a situation I imagine I will be ruing the loss of my index finger and also very aware of the security risk I face.

Another important variable to maintain your online security is not to link your identities on multiple sites. For example, you don't want people to know you're interested in early retirement (i.e. you are rich) and also to know your email address, or to be able to otherwise link your identity to real life. You especially don't want people to know if you hold Bitcoins or other irreversibly-transferable digital assets. Having that information out there makes you a bigger target.
« Last Edit: August 08, 2019, 01:13:02 PM by obstinate »

ketchup

  • Magnum Stache
  • ******
  • Posts: 4323
  • Age: 33
Re: The Risk of Weak Online Banking Passwords
« Reply #31 on: August 08, 2019, 01:13:58 PM »
I've started using Google Passwords (passwords.google.com), which is a service similar to LastPass. Like LastPass, Google has had very few if any security breaches of its server software. Moreover, they pay good money to penetration testers for any bugs they might find, so folks have an incentive to report bugs and security problems directly to Google, rather than selling them to the black market.

I no longer think up my own passwords. Instead, whenever I create a new account, I have Google magic me up a new secure password. This password is then available via my Android phone or via Chrome autocomplete. I don't even know my password to most sites now. One thing I know for sure is that any leak affecting one of these sites will not affect my security on any other.

Now if someone ever steals my Google password and my phone (my second factor), and either deduces my device PIN or also steals my index finger, I will be semi-fucked. But in such a situation I imagine I will be ruing the loss of my index finger and also very aware of the security risk I face.

Another important variable to maintain your online security is not to link your identities on multiple sites. For example, you don't want people to know you're interested in early retirement (i.e. you are rich) and also to know your email address, or to be able to otherwise link your identity to real life. You especially don't want people to know if you hold Bitcoins or other irreversibly-transferable digital assets. Having that information out there makes you a bigger target.
FYI, SIM-swap attacks have become super common.

obstinate

  • Handlebar Stache
  • *****
  • Posts: 1151
Re: The Risk of Weak Online Banking Passwords
« Reply #32 on: August 08, 2019, 01:18:58 PM »
I'm aware. I don't have SMS authentication enabled. Google's security system doesn't even know my phone number. However, a physical Android device where you are logged in can serve as a second factor for Google accounts. An iPhone can as well if you are logged in to GMail. This channel is not vulnerable to SIM swapping, since it is not connected to phone number in any way.

FWIW, if you go this route, it's critically important that you print out recovery keys so you can regain access to your account if your phone is lost. I have two copies of my recovery keys printed out and secreted in various places in my apartment. The new house has a fire resistant safe, and I plan to put one of the copies in there.
« Last Edit: August 08, 2019, 01:20:40 PM by obstinate »

nereo

  • Senior Mustachian
  • ********
  • Posts: 17580
  • Location: Just south of Canada
    • Here's how you can support science today:
Re: The Risk of Weak Online Banking Passwords
« Reply #33 on: August 08, 2019, 01:27:59 PM »
This thread is a bit timely, as my workplace just required us to take an digital security course (as end users are the most vulnerable portion of any network).

tl;dr - using a good password manager like 1Password is considered the 'least bad option'.  Setting up two-factor authentication (while annoying) also provides much better protection.

As I understand it, good password managers use different security keys for their users, and even they cannot access your passwords if you get locked out (so don't forget your master password, and store your secondary backup key in a safe place). Whatever program you use should also alert you whenever there's been a known data breach, as hackers can use the personal information gleaned from a site you might not think of as very important (e.g. the library... "what are they going to do, cancel the books I have on hold?!") to reset passwords from more important sites like your bank account.  This is also why 2-factor authentication is important, as they need not just your information, but also direct access to your phone (something physical).

No system is perfect, and most breaches occur due to end-users' sloppiness.  Yes, stealing the password file kept next to your computer is one of the #1 ways accounts get hacked. Savvy burglars know to check.  It's even more common at work - our IT guy walked around the building and found the passwords for about 1/4 of our staff just by doing nothing more than popping in to say 'hi, what are you working on today?'.

TVRodriguez

  • Pencil Stache
  • ****
  • Posts: 773
Re: The Risk of Weak Online Banking Passwords
« Reply #34 on: August 08, 2019, 01:39:08 PM »
"12345"

That's the kinda thing an idiot would have on his luggage!

That's amazing!  I've got the same combination on my luggage!

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: The Risk of Weak Online Banking Passwords
« Reply #35 on: August 08, 2019, 01:44:33 PM »
IB unfortunately isn't as safe as it looks - it can be bypassed with SMS (it's super hidden, through a roundabout way - but it's possible).

Hmm, interesting. Logging in is done through the phone app, which requires a PIN. The IB Key phone app registration does use SMS.

I see that the IBK app allows adding a new phone number when signing up...but does it allow a new IBK authentication when one already exists? I.e., if I install IBK on a 2nd phone, can I add that number and authenticate IBK for it?

"Only ONE phone/device can be active at a time for use with your username."

It looks like recovery wouldn't work either, at least not in a straightforward way.

Sniffing tower->phone SMS on IBK recovery? Spoofing SMS from customer service? Number porting?

bacchi

  • Walrus Stache
  • *******
  • Posts: 7095
Re: The Risk of Weak Online Banking Passwords
« Reply #36 on: August 08, 2019, 01:53:40 PM »
Now if someone ever steals my Google password and my phone (my second factor), and either deduces my device PIN or also steals my index finger, I will be semi-fucked. But in such a situation I imagine I will be ruing the loss of my index finger and also very aware of the security risk I face.

I worked at a secure complex that had a "mantrap" -- the first door required a badge and pin but the 2nd door required a fingerprint. We fooled the reader with a good photocopy.

Try it with a photocopy or another phone and a pic. Maybe that doesn't work anymore. It was ~10 years ago.

MilesTeg

  • Handlebar Stache
  • *****
  • Posts: 1363
Re: The Risk of Weak Online Banking Passwords
« Reply #37 on: August 08, 2019, 01:54:39 PM »
No system is perfect, and most breaches occur due to end-users' sloppiness.  Yes, stealing the password file kept next to your computer is one of the #1 ways accounts get hacked. Savvy burglars know to check.  It's even more common at work - our IT guy walked around the building and found the passwords for about 1/4 of our staff just by doing nothing more than popping in to say 'hi, what are you working on today?'.

Ridiculous. Burglars breaking into your home to steal your passwords is nowhere near the #1 way accounts get hacked. Burglars break in to steal your computer so they can pawn it, not your passwords. lol

The top ways accounts get hacked (not necessarily in this order) are:

* social engineering
* phishing
* malware (keyloggers, etc.)
* data breaches/insider leaks

Those methods easily yield thousands or millions of accounts in the time it would take to break into just one house, and can be done without exposing the criminal to any real danger of being caught.
« Last Edit: August 08, 2019, 01:56:40 PM by MilesTeg »

nereo

  • Senior Mustachian
  • ********
  • Posts: 17580
  • Location: Just south of Canada
    • Here's how you can support science today:
Re: The Risk of Weak Online Banking Passwords
« Reply #38 on: August 08, 2019, 02:04:22 PM »
No system is perfect, and most breaches occur due to end-users' sloppiness.  Yes, stealing the password file kept next to your computer is one of the #1 ways accounts get hacked. Savvy burglars know to check.  It's even more common at work - our IT guy walked around the building and found the passwords for about 1/4 of our staff just by doing nothing more than popping in to say 'hi, what are you working on today?'.

Ridiculous. Burglars breaking into your home to steal your passwords is nowhere near the #1 way accounts get hacked. Burglars break in to steal your computer so they can pawn it, not your passwords. lol

The top ways accounts get hacked (not necessarily in this order) are:

* social engineering
* phishing
* malware (keyloggers, etc.)
* data breaches/insider leaks

Those methods easily yield thousands or millions of accounts in the time it would take to break into just one house, and can be done without exposing the criminal to any real danger of being caught.
I think you misunderstood what I said.  I'm not implying that people break into your house with the sole intent of searching for your computer passwords, but that theft of passwords is common when thieves have access to your desk.
That's not coming from me, but from the security assessment seminar we just concluded.
It's also not an apples-to-oranges comparison.  Massive data breaches affect millions, and there's only so much you can do (e.g. set up 2-factor authentication).  But if someone is trying to access your particular machine or your particular account it's often done in decidedly low tech ways (i.e. looking around your computer to see if you were careless enough to leave your passwords and your computer together).

Raenia

  • Magnum Stache
  • ******
  • Posts: 2647
Re: The Risk of Weak Online Banking Passwords
« Reply #39 on: August 09, 2019, 07:54:48 AM »
No system is perfect, and most breaches occur due to end-users' sloppiness.  Yes, stealing the password file kept next to your computer is one of the #1 ways accounts get hacked. Savvy burglars know to check.  It's even more common at work - our IT guy walked around the building and found the passwords for about 1/4 of our staff just by doing nothing more than popping in to say 'hi, what are you working on today?'.

Ridiculous. Burglars breaking into your home to steal your passwords is nowhere near the #1 way accounts get hacked. Burglars break in to steal your computer so they can pawn it, not your passwords. lol

The top ways accounts get hacked (not necessarily in this order) are:

* social engineering
* phishing
* malware (keyloggers, etc.)
* data breaches/insider leaks

Those methods easily yield thousands or millions of accounts in the time it would take to break into just one house, and can be done without exposing the criminal to any real danger of being caught.
I think you misunderstood what I said.  I'm not implying that people break into your house with the sole intent of searching for your computer passwords, but that theft of passwords is common when thieves have access to your desk.
That's not coming from me, but from the security assessment seminar we just concluded.
It's also not an apples-to-oranges comparison.  Massive data breaches affect millions, and there's only so much you can do (e.g. set up 2-factor authentication).  But if someone is trying to access your particular machine or your particular account it's often done in decidedly low tech ways (i.e. looking around your computer to see if you were careless enough to leave your passwords and your computer together).

I think this sort of problem is much more prevalent in a work or school environment.  My DH works in IT at a university, and people writing down their passwords is a big problem.  But that's not nearly the same thing as having your personal passwords written down at home.  I think it's important to keep passwords somewhere offline, in case of a problem.  Of course, we keep that password list locked in our safe, not sitting out on the desk...

PDXTabs

  • Walrus Stache
  • *******
  • Posts: 5160
  • Age: 41
  • Location: Vancouver, WA, USA
Re: The Risk of Weak Online Banking Passwords
« Reply #40 on: August 09, 2019, 08:02:07 AM »
I use LastPass and I would recommend it highly. Not only are my passwords extremely secure, I only have to remember one: the password for LastPass.

Seems to me a password aggregator is the last thing you'd want to use...

Why? LastPass doesn't know your passwords. LastPass just stores an encrypted blob. You need the master password in your head to decrypt the blob.

I second LastPass as a good solution. Every site I use has a strong unique password.

nereo

  • Senior Mustachian
  • ********
  • Posts: 17580
  • Location: Just south of Canada
    • Here's how you can support science today:
Re: The Risk of Weak Online Banking Passwords
« Reply #41 on: August 09, 2019, 08:14:46 AM »

I think this sort of problem is much more prevalent in a work or school environment.  My DH works in IT at a university, and people writing down their passwords is a big problem.  But that's not nearly the same thing as having your personal passwords written down at home.  I think it's important to keep passwords somewhere offline, in case of a problem.  Of course, we keep that password list locked in our safe, not sitting out on the desk...

I agree - it's most prevalent at work/school where there's a lot of people coming and going around your desk.  But people over-estimate how private their home environment may be.  It's not people in black ski-masks rappelling through your ceiling in the middle of the night who might steal your password sheet - it's maintenance workers, nannies, neighbors at a party, friends of your kids, relatives, etc.
The point made in our course was that nowadays it takes about 5 seconds for someone to pull out their cellphone and snap a photo of your password sheet left next to your computer.  Then they can access your accounts elsewhere whenever they want (assuming you haven't set up 2-factor authentication).

Point is, the end user is a big weak link in internet security, and leaving your passwords unprotected is a dumb idea (stored in a safe is a much better idea). It's just an obvious security hole to plug, and one that a shocking number of people continue to use.

flipboard

  • Bristles
  • ***
  • Posts: 291
Re: The Risk of Weak Online Banking Passwords
« Reply #42 on: August 10, 2019, 03:58:05 AM »
Hmm, interesting. Logging in is done through the phone app, which requires a PIN. The IB Key phone app registration does use SMS.
[...]
Sniffing tower->phone SMS on IBK recovery? Spoofing SMS from customer service? Number porting?
SMS being used for registering new devices is indeed the problem.

And the weakness is that it's fairly easy to "steal" a phone number, in other words if an attacker knows your phone number they can pretty much intercept your messages:
https://en.wikipedia.org/wiki/SIM_swap_scam

I've never heard of this happening to IB customers, but it has been done to steal people's bitcoin (IB is probably less lucrative since it's harder to get cash out of an IB account into your anonymous bank account):
https://www.zdnet.com/article/wave-of-sim-swapping-attacks-hit-us-cryptocurrency-users/

For higher net-worth customers (> 500k) IB do offer a digital security card, but that doesn't seem significantly more secure since it can still be MITM'd. I wish they'd just go for proven tech like FIDO U2F (what modern YubiKeys support).