Bad Ideas In Security: Paste Frustration
-
dandy72 wrote:
Does your password manager not offer an option to simulate keystrokes
Simulating keystrokes is more difficult in an Android app and it is the Android app that they (bank) removed the paste ability from.
I see. As far as I'm concerned...considering the number of Android devices out there that have known exploits that'll never be patched, because OEMs can't be bothered...all banks should block Android altogether. I rarely side with banks, but Android device vendors are downright irresponsible. IMNSHO.
-
Eddy Vluggen wrote:
You better stock up on lawyers then
Exactly why I have not written the article. :sigh: However, did you see the update to my post? I found an article from the National Cyber Security Centre which also has links to Troy Hunt's explanation on why pasting is safe and important and it has a link to a Wired article 2015 which has very interesting info on why pasting should(must) be available in apps.
-
I see. As far as I'm concerned...considering the number of Android devices out there that have known exploits that'll never be patched, because OEMs can't be bothered...all banks should block Android altogether. I rarely side with banks, but Android device vendors are downright irresponsible. IMNSHO.
Ok, I can accept that Android devices are vulnerable. That's fine. But, then, the resolution for the bank is not to disallow pasting...it is to disallow the use of an Android device altogether. In other words, they shouldn't have ever created an Android app in the first place. I would accept that decision more readily than the blocking paste solution. But then that would mean they needed to block the web site from Android Web browsers too. :-D It would be interesting and funny if the bank just came out and said, "Sorry, you can only use our e-banking via Apple devices."
-
Eddy Vluggen wrote:
You better stock up on lawyers then
Exactly why I have not written the article. :sigh: However, did you see the update to my post? I found an article from the National Cyber Security Centre which also has links to Troy Hunt's explanation on why pasting is safe and important and it has a link to a Wired article 2015 which has very interesting info on why pasting should(must) be available in apps.
-
-
lw@zi wrote:
Come to think of it, with Aussies and their compulsive behaviour to shorten up words, you might as well be referred to as Raj.
It's kind of why I said it's likely to be "another Raj". That, and the outsourcing to India. :-)
-
Our large bank recently changed their Android app so you can no longer paste a password. :sigh: This is a MAJOR problem if you're using a password manager. I don't type passwords any more. I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous. Also, you can still paste a password when you login on their web site. I wanted to mention that to them but was afraid they'd stop it there too. May Only Prove That The Bank Devs/ Contractors Are Clueless To me this only exposes the fact that the developers or security contractors or whatever actually have NO CLUE about WHAT SAFE PRACTICES are. They could even remove copy functionality separately and I would be ok with that. But how could the paste functionality EVER be an exposure? They are just so clueless. :| EDIT 09/24/2018 Look what I found from the National Cyber Security Centre: Let them paste passwords - NCSC Site[^] And it provides additional links as to why pasting should be allowed. I tweeted this to the bank site. EDIT 2 09/24/2018 Check out this Wired article and the associated quote: https://www.wired.com/2015/07/websites-please-stop-blocking-password-managers-2015/[^]
Wired:
But accounts aren't broken into by repetitive copy and pasting. One hacker told WIRED that disabling paste on a webpage does not stop him from using automated tools to speedily gain access to users’ accounts.
Not being able to past my password or using a password manager will force me to use a password that potentially are unsafe because I need to write them down or they are easy to guess.
-
Eddy Vluggen wrote:
So, if I find the tweet, I'll know the bank by name?
:laugh: :laugh: I hope you find it. :thumbsup: It was a DM (direct message) tweet though so I don't think you can see it in my twitter. Good luck though! :thumbsup:
-
Not being able to past my password or using a password manager will force me to use a password that potentially are unsafe because I need to write them down or they are easy to guess.
-
Ok, I can accept that Android devices are vulnerable. That's fine. But, then, the resolution for the bank is not to disallow pasting...it is to disallow the use of an Android device altogether. In other words, they shouldn't have ever created an Android app in the first place. I would accept that decision more readily than the blocking paste solution. But then that would mean they needed to block the web site from Android Web browsers too. :-D It would be interesting and funny if the bank just came out and said, "Sorry, you can only use our e-banking via Apple devices."