Two Canadian banks say accounts compromised: CIBC 40,000 and BMO 50,000
Recently tried to log in to my PC Financial MasterCard online account. And got a “your password is too long” error. What? Right! Password length validation on the login form!
I called CS and explained that this is impossible as I use a password manager and it worked just not long ago. They assured me that this was always the case and that I’m an idiot for forgetting my password.
They sent me to password reset procedure page.
The password reset procedure emails a plain text temporary password, which then lets you pick a new password.
When picking a new password, I tried to enter my old password that was too long, just for the heck of it, to see if it’d go through.
Lo and behold, the system answered that I “cannot reuse the same password as previous 6 passwords”.
That’s banking-grade security right there.
I can confirm that Scotia Bank, another major Canadian bank, does not support 2FA. This has always bothered me and is especially concerning because Canadian bank accounts can be used to log into Canada's immigration services (CIC). That immigration account is protected only by one more layer of self-selected security questions, after which the intruder potentially has access to a swath of personal data, including passport numbers, and a very detailed personal history section.
In my opinion, Canadian banks are way overdue to switch to 2FA.
I find CBC has a bad habit of writing corporate fluff pieces. They quote an "expert" from SAS making some vague assurance that their security is good. SAS is a vendor to CIBC[1], but the article fails to mention that conflict of interest.
[1] https://www.sas.com/en_ca/events/14/cibc-user-group/home.htm...
This doesn't surprise me. My BMO credit card has a 6 character password limit. Not minimum, limit!
HSBC Canada requires 2FA with a token or their mobile bank app. It also isn't possible to change account contact info, set up new payees, or transfer money to another country without generating a security code with a token PIN. The contact centre agents are unable to access your account unless you can correctly answer the security questions. This does mean an agent can lock out your account though. It is a pain, but compared with the goofy BMO 6 character passwords, or worse, using CIBC at all, it was a welcome change. Legacy systems galore: Scotiabank gave me a debit card once in a branch because I got angry with them, and they also use mail extensively (though they have a much bigger problem right now); TD Canada Trust and US TD Bank are integrated with mail and fax; and RBC has 3 different domains (not AD) (East, Central and West) that are completely isolated, which can be a nightmare when moving across the country.
Lovely. One can only hope that other would-be hackers don't start poking the rest of the Canadian Bank's archaic systems or we'll soon see the rest of our not-so-fantastic banks on the front page of HN.
For anyone not from Canada, our banks are at least a decade behind the rest of the world in terms of IT - mostly due to strong government protectionism. I was a mortgage broker before changing into IT, and up until the summer of 2015, to submit a mortgage application to Scotiabank, one of big 4, you had to fax it. My buddy who works for Scotia said it wasn't until Q1 2016 before they were able to submit a mortgage application without a fax internally.
As many people in this thread pointed out: lots/most banks suck at this. Tiny max length passwords, no 2FA, etc, etc...
Are there any Canadian banks which don't suck at this?
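The first comment in this thread (a login form that rejects a long password while the reset form still recognises it in the reuse history) and the later remarks about 6- and 12-character maximums describe the same pair of defects: a length cap that exists only because the form has one, and validation rules that differ between code paths. The following Python is an added illustration, not code from any bank or commenter; the policies, the PBKDF2 round count and the sample passwords are constructed for the example. It stores salted fixed-size hashes (so a long password costs nothing to store and needs no maximum near 6), runs one `validate()` from both the login and the change-password path, and enforces a "previous 6 passwords" reuse check against hashes rather than plaintext.

```python
"""Password-length policy and reuse history done consistently across code paths.

Added example (not from the thread): a weak policy beside a corrected one, a
salted hash so length never needs an artificial cap, and a reuse check that
compares against stored hashes of the previous passwords.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple, List

HISTORY_DEPTH = 6        # current password plus the 5 before it may not be reused
PBKDF2_ROUNDS = 100_000  # constructed value for the example; tune for production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest), which is what gets stored.
    The digest is 32 bytes whether the password is 6 or 600 characters long."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Weak and corrected settings side by side (constructed policies).
WEAK_POLICY = {"min_length": 6, "max_length": 6}      # the "6 character limit" from the thread
SANE_POLICY = {"min_length": 12, "max_length": 256}   # generous cap: hashing makes length free


def validate(password: str, policy: dict) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable under policy.
    Used by every form that accepts a password so the rules cannot drift apart."""
    if len(password) < policy["min_length"]:
        return "too short"
    if len(password) > policy["max_length"]:
        return "too long"
    return None


class Account:
    def __init__(self, password: str, policy: dict):
        self.policy = policy
        self.current = hash_password(password)
        self.history: List[Tuple[bytes, bytes]] = []  # previous passwords, most recent first

    def login(self, password: str) -> bool:
        # No length check on the login form: the stored digest is fixed-size,
        # so the only thing to do with the input is hash it and compare.
        return matches(password, *self.current)

    def change_password(self, new_password: str) -> Optional[str]:
        """Apply the same policy as every other form, then the reuse check."""
        reason = validate(new_password, self.policy)
        if reason:
            return reason
        for salt, digest in [self.current] + self.history:
            if matches(new_password, salt, digest):
                return f"cannot reuse any of the previous {HISTORY_DEPTH} passwords"
        # Push the current hash into history and keep HISTORY_DEPTH - 1 entries there,
        # so current + history always covers exactly HISTORY_DEPTH passwords.
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH - 1]
        self.current = hash_password(new_password)
        return None


if __name__ == "__main__":
    long_pw = "correct-horse-battery-staple"
    print("weak policy:", validate(long_pw, WEAK_POLICY))   # too long
    print("sane policy:", validate(long_pw, SANE_POLICY))   # None
    acct = Account(long_pw, SANE_POLICY)
    print("login:", acct.login(long_pw))                    # True
    print("reuse:", acct.change_password(long_pw))          # rejected
```

Because the reuse check runs against hashes, the reset path can enforce "not one of your last 6" without ever holding the old passwords in plaintext, and because both paths share `validate()`, a password that the change form accepts is by construction one the login form will take.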
I have an account in BMO that I'm in the process of closing. Besides kicking myself for opening an account in a 6-digit password site, what should I keep in mind regarding my compromised data?
I have to say... I'm not at all surprised about Simplii financial's hacking...
I had a PC Financial bank account... and then PC Financial decided to merge their points program with Shoppers Drug Mart for some reason... and then I started getting calls from Simplii financial asking me to verify my identity and let's set up my new online bank account...
"What?" is all I could think...
I had never heard of Simplii financial before... nor was I aware that PC was dissolving/selling their banking arm...
I logged into the account once, transferred all of my money out of that account, and logged out forever...
The reason I say that I am not surprised that Simplii financial was hacked is because it is hardly even a Bank imho... it was an afterthought.
The security of these Canadian banks is very weak IMO. CIBC/Simplii, for example, does not support 2FA, has no sign in or transfer email/SMS alerts and their maximum password length, I believe, is 12 characters.
> Then later Monday morning, Bank of Montreal revealed that it, too, had received a tip that "fraudsters" had stolen data on up to 50,000 of the bank's customers, "and a threat was made to make it public," BMO spokesperson Paul Gammal said.
> In BMO's case, at least, the tipsters were the hackers themselves.
> "We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO said.
Which "incident"? The theft of the data, or being informed they were selling their own ass back to them?
The only fraudsters here are the banks, claiming they are secure.
Will CIBC and BMO be paying higher interest rates for the elevated risk of banking with them?
I was visiting friends in Canada and I asked “is it true that Canadians don’t lock their doors?” And they responded “oh no, Steve right? Yeah we know a guy, he locks his door”. Always polite, trying to make me feel OK for being from a place where everyone locks their door.