If you’ve got an online banking account with St. Mary’s Bank, change your password now. Then come back to this article. It’ll still be there. Hopefully your money still is too, but I wouldn’t guarantee it.
Over the past weekend, St. Mary’s Bank, which is actually a credit union based in New Hampshire, migrated to a new online banking system. This wouldn’t be a problem except for the way they migrated accounts. They have changed your password to an easily guessed four-digit one.
“What?” you’re saying. “Nobody can be that stupid!” St. Mary’s Bank is that stupid. Read it for yourself. In case they take it down in a last-minute attempt to pretend they didn’t do it, here’s what they said:
How to access the upgraded Online Banking system on or after November 3
You need your Online Banking User ID and your temporary password (the last four digits of your social security number (SSN) or tax ID number).
That means anyone who wants to break into your account by sheer guessing needs to make 10,000 guesses at most, 5,000 on the average. That’s nothing with a computer. But they didn’t just give you a random 4-digit number, they picked one that’s really easy to find out. However much your Social Security number is supposed to be a secret, you’re handing it all over the place. Comcast has asked for the 4 digits of my SSN to make routine changes to my service. Some employers want your SSN just to apply for a job.
If you didn’t change your original login ID, you’re relatively safe. That’s hard to guess. But St. Mary’s Bank has made it easy to change your ID to something easier to remember, such as your name. If so, it’s child’s play to break into your account. You’re safe only if you change your password before someone else can attack your account.
You’ve changed it already, right? Some people probably won’t log on or change their password for weeks, allowing crooks to attack their accounts at leisure. Users are required to change their password when they log in, but that won’t help if they don’t.
You might want to get your money out of St. Mary’s altogether. Idiocy like this can’t just happen in isolation. It’s not just that the person who recommended using 4-digit passwords is an incompetent idiot; it’s that no one stopped him. No IT person dared to object, or else no one listened. That happens only in a culture which fosters incompetence.
Run while you can.
November 6, 2015: The only response I’ve seen from St. Mary’s Bank is a tweet saying “the 4-digit password is a temporary single-use password. You will be prompted to enter a password of your choosing.” Apparently they think the need to change the password will stymie thieves. It does mean people will be alerted if they try to log in and discover their Social Security number doesn’t work, but that still gives the crooks the time from their break-in to whenever the problem is reported (if ever) to grab people’s money.