132 points

Their policy should just be to reset the password immediately and have the user set a new one. This is one hell of a risk.

40 points

I still can’t believe American banks let you log in with just username / password? Surely there is some id check or at least two factors involved?

33 points

Nope, several years ago someone complained that their steam account has better protection than their bank account. We’re now in 2023 and that statement still holds. It’s quite scary really. Bank websites that heavily rely on third party scripts, “MFA” logins based on something you know and something you know. Account verification question based on code words or security questions based on public information. Worst of all, the ignorance of it all. “We got hacked, here have an identity protection bandage, comes with an automatic subscription after several years”.

3 points

Yes, they do. Wtf is even happening in this thread.

3 points

I wanted to use a 2FA device for my banking accounts and no bank that I have spoken to would allow it. I’d had a breach on one account because my information had been leaked from several different places including the federal government and a credit agency and as a result the person used my leaked information to validate their way into my checking account. At that point they let me set up a pass phrase and a couple of other random safeguards. This was all well and good but it didn’t make me feel safer than having that account protected by a physical 2FA device. I was also given more free credit monitoring (which I’ve gotten like 4 or 5 times in the last 10 years or so). Still bugs me to this day.

2 points

No wonder all the finance and budget apps primarily prefer integrating with American banks!

5 points

Yeah I’m European and my job in accounting makes me have to work with American banks regularly. So let’s just say my expectations on American banks are quite low.

1 point

Wait, American banks don’t go with extra authentication? I couldn’t log in anywhere without SMS or additional apps or whatever. Depending on your bank you might even have to go through three different stages of authentication. Over the pond you just go username / password?

5 points

I have BofA and my mobile app requires 2fa over SMS.

4 points

Alright, SIM swap it is!

4 points

They don’t, and there is, but you would still suggest removing the user name and password from a social media post anyway. Right?

12 points

That would imply they have to test that the credentials are correct though.

Otherwise I can just put somebody’s user and put some fake password and they would reset it and disconnect the account of that user and annoy him.

6 points

But the username is still public, you can change the password but if your customer is idiotic enough to blast both out into the internet, the password will just get a 1 or ! after the password they used before…

27 points

Hot take: let the bank release tweets like this as a honeypot, and see who tries to log in.

19 points

That is one way to get their attention

19 points
Deleted by creator
24 points

hunter2

5 points

xxxxxxxxxxxxx

5 points

Shit, it works!

5 points

Qfpdx6vPaF9t5xwvskSNBEjShe7dXJmWwjTeDqm5iesrjfbVpa

Edit: Not for me it doesn’t.

3 points

xxxxxxxxxxxx

2 points

You’re spreading misinformation

14 points
Deleted by creator
7 points

You must be fun at parties.

13 points

Couldn’t BofA have deleted the tweet?

49 points

I get why you’re saying that since it was Xitted at/tagged Bank of America. But it was still a public post from the user’s account. That’s like assuming a company could delete one of your emails or your Facebook post.

6 points

I never used Twitter but I guess the best you can do is make it not appear on your wall but the tweet still exists.

14 points

Tweets from other people don’t ever appear on your wall. They only appear on that user’s profile page, or on the home page of users who follow that user. Or, the third way it can show up is attached to another post that replies to it.

So ironically, by replying and telling the user to remove their personal information, BoA has actually ensured more people are able to see that user’s personal information.

21 points

No, but they could have (and maybe have) blocked access to their bank account as a precaution.

4 points

They also definitely should have advised them to (or just done it themselves) reset their password, because even deleting the tweet isn’t nearly enough at that point (as evidenced by the screen grab lol)
