Not sure if suitable here and apologies for the sensationalist term. Wasn’t sure how best to translate.
https://news.yahoo.co.jp/articles/d2807 ... 065d14232f
6 SBI accounts were illegally accessed and a combined 9,000万 was transferred out to Japan Post and MUFG accounts.
SBI are compensating (assume refunding) the affected parties and looking to implement two factor authentication. You know. Like 10+ years ago anywhere else.
SBI Shoken accounts hacked
- Veteran
- Posts: 473
- Joined: Wed Mar 04, 2020 7:20 am
- Location: Tokyo
— Funemployment commencing in Sept 2025 —
- RetireJapan
- Site Admin
- Posts: 4730
- Joined: Wed Aug 02, 2017 6:57 am
- Location: Sendai
Re: SBI Shoken accounts hacked
I saw that story and quickly checked my wife's SBI account - fortunately all was well.
English teacher and writer. RetireJapan founder. Avid reader.
eMaxis Slim Shady
Re: SBI Shoken accounts hacked
I was just thinking to write about that also.
It looks like it was more a social hacking (the bank accounts themselves were fraudulently opened, for instance by using forged identity documents...) than a security issue on the SBI side itself. But the cheap double password system on SBI (login password, trading password) is something that annoys me since I use them and is not that trustworthy at all. There are better ways now.
After the Seven Eleven disaster, one would have thought that companies had a look at their security. But after news this week around the Docomo Kouza and 5 new firms today, it leaves a very sour taste about digital money.
(And this is not a new story and some people may disagree, but the lack of proper security in the IT-World in some companies is not something new).
Last edited by mule96 on Thu Sep 17, 2020 5:14 am, edited 1 time in total.
- RetireJapan
- Site Admin
- Posts: 4730
- Joined: Wed Aug 02, 2017 6:57 am
- Location: Sendai
Re: SBI Shoken accounts hacked
I'm not seeing much of an advantage over credit cards from the multitude of 'Pays to be honest
English teacher and writer. RetireJapan founder. Avid reader.
eMaxis Slim Shady
Re: SBI Shoken accounts hacked
RetireJapan wrote: ↑Thu Sep 17, 2020 1:35 am I'm not seeing much of an advantage over credit cards from the multitude of 'Pays to be honest
Many younger people and foreigners have issues getting their first credit card.
However, I agree. I have the View card that auto recharges Suica, and a Rakuten Card that auto recharges the EDY. No need for phone apps, etc
Re: SBI Shoken accounts hacked
The biggest benefit of the phone apps is that they allow transfers between users. Makes sorting out paying people back for lunch etc. much easier (providing you're all on the same app of course). Being able to pay utility bills instantly without going to the conbini is probably useful for many people too. Be careful you guys don't start to dismiss technologies just because they don't fit your lifestyle.
SBI Bank have 2 factor auth. I'm guessing SBI securities are running ancient software that was too scary to update with 2FA until something like this pushes them to take action. 2FA has its problems though, the number of lockouts will greatly increase, then you have the risk of fraud + customer support costs when dealing with requests for people to get back into their accounts.
Rakuten Pay is nicer than Edy, because it allows you to prioritize spending points first if you want. You can also charge it instantly via the app, or have it deduct directly from the credit card when you spend so no need to charge at all. Of course, there are many places that only accept Edy though. Anyway, off-topic.
Re: SBI Shoken accounts hacked
adamu wrote: ↑Thu Sep 17, 2020 3:29 am SBI Bank have 2 factor auth. I'm guessing SBI securities are running ancient software that was too scary to update with 2FA until something like this pushes them to take action. 2FA has its problems though, the number of lockouts will greatly increase, then you have the risk of fraud + customer support costs when dealing with requests for people to get back into their accounts.
The SBI Securities website could really use an update. Also, that some pages have not been working for some time to reduce server load doesn't help in building more trust. But maybe that is the price for using a broker with low fees.
SBI Bank's website looks much more like the SMBC Trust Bank (who owns 50% of SBI Bank) website; maybe they use the same IT?
- Veteran
- Posts: 428
- Joined: Wed Sep 27, 2017 4:53 am
Re: SBI Shoken accounts hacked
mule96 wrote: ↑Wed Sep 16, 2020 1:14 pm It looks like it was more a social hacking (the bank accounts themselves were fraudulently opened, for instance by using forged identity documents...) than a security issue on the SBI side itself. But the cheap double password system on SBI (login password, trading password) is something that annoys me since I use them and is not that trustworthy at all. There are better ways now.
I wonder how the hackers got into the accounts in the first place... SBI enabled logging in using Yahoo IDs this year. Perhaps they got in through hijacked Yahoo accounts. They don't have a very good reputation when it comes to security. If the hacker has access to the Yahoo account then it's relatively easy to reset things that require email authentication like the trading password (取引パスワード).
Re: SBI Shoken accounts hacked
SBI Unsecurities