Bernard Sheppard on Nostr: Today, in #infosec fail of the day, I bring you more (aka Tangerine) - part owned by ...
Today, in #infosec fail of the day, I bring you more (aka Tangerine) - part owned by Commonwealth Bank - who are reducing their security by allowing anyone who has any of the hundreds of thousands, if not millions, of emails combined with mobile numbers out there in breach lists, and who happens to get control of an email inbox that contains communications from more (or a phone), the ability to instantly take over the account.
How, you ask?
Easy: they've done away with passwords and 2FA, and gone to 0FA. If you have the email or the mobile, you're in. Just like that.
You don't need the password, or the account number. Just the email and the mobile.
For example, the email with the mobile bill.
Because they send the confirmation code to both the email and the mobile.
Sure, you need to know both, but that's the easy part.
Text below, and image attached.
Dear Bernard,
We’re excited to share that we are making some improvements to the way you access the Self Care Portal by simplifying the login process.
We know you're not a fan of complicated stuff, and neither are we. We’ve listened to your feedback and have recognised that the current Portal login process is a hassle: We ask you to remember your account number and password as well as your email – that’s far from being simple. So, let's make things simple!
From Friday 12 April 2024, you’ll be able to log in to the Self Care Portal by only entering your email and mobile number. We’ll then send a one-time verification code to your mobile and email – this is our way of double-checking it’s really you (a similar verification process already happens when you speak with our team over the phone).
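The flow the post describes, modelled as an added example (not the provider's code, and the account, email and mobile below are constructed placeholders): one verification code delivered to both channels collapses to "whoever can read either channel", whereas issuing independent codes per channel and requiring both again needs two compromised channels (though still nothing the user knows).

```python
import secrets

# Constructed sample account: placeholder identifiers, not real data.
ACCOUNTS = {"user@example.com": {"mobile": "+61400000000"}}

# Stand-ins for the email and SMS channels. Whoever controls an inbox can
# read every message the portal delivers to it.
INBOXES = {"email": [], "sms": []}

def deliver(channel, message):
    INBOXES[channel].append(message)

def start_login_single_code(email, mobile):
    """Design from the post: one code, sent to both email and mobile."""
    if ACCOUNTS.get(email, {}).get("mobile") != mobile:
        return None
    code = secrets.token_hex(3)
    deliver("email", code)
    deliver("sms", code)
    return {"email": code, "sms": code}

def start_login_split_code(email, mobile):
    """Hardened variant (assumed here, not the provider's design): a
    different code per channel, and the portal demands both."""
    if ACCOUNTS.get(email, {}).get("mobile") != mobile:
        return None
    session = {"email": secrets.token_hex(3), "sms": secrets.token_hex(3)}
    deliver("email", session["email"])
    deliver("sms", session["sms"])
    return session

def verify(session, submitted):
    """Accept only if every code the portal issued is matched."""
    return all(secrets.compare_digest(session[ch], submitted.get(ch, ""))
               for ch in session)

def email_only_login(start):
    """Threat model from the post: the identifiers are public (breach list)
    and only the email inbox is controlled, never the phone. Returns whether
    the login succeeds."""
    INBOXES["email"].clear()
    INBOXES["sms"].clear()
    session = start("user@example.com", "+61400000000")
    seen = INBOXES["email"][-1]  # only the email channel is readable
    # Single-code design: the one code seen by email satisfies both slots.
    return verify(session, {"email": seen, "sms": seen})
```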