FNB backs down on password decision after backlash

First National Bank has suspended its decision to require users to type in their usernames and passwords manually for online banking rather than using their browser or password manager to automatically fill in the fields.

The move follows a backlash from tech-savvy consumers and security experts who warned that the decision to disallow password managers went against information security best practice. The decision drew fire from well-known infosec expert Troy Hunt and others. FNB appears to be particularly concerned about users installing browser extensions designed specifically to circumvent the ban on the auto-filling of passwords.

TechCentral tested the online banking service after the statement was e-mailed and can confirm that password managers (the publication used Dashlane in its test) can again be used to auto-fill the username and password fields on the bank’s website.

In a statement in response to a column by Alistair Fairweather, published earlier on Tuesday on TechCentral, head of digital banking Giuseppe Virgillito said FNB “recognises the valuable feedback from our customers regarding the measures to prevent auto-filling of banking passwords”.

Fairweather wrote of FNB’s decision: “By essentially forbidding me to paste my own password into my own browser, FNB has forced me to make a ridiculous choice: either stop using Internet banking (not happening) or change my password to something I can actually remember and type out (in other words something much less secure). And never mind the fact that my password manager is a password-protected, military-grade encrypted vault, which is arguably more secure than most of FNB’s own servers.”

‘Considerable risk’

Virgillito said the decision to prevent the auto-filling of passwords was done with customer security in mind. He said the bank found that “a number of our customers save their banking passwords to their browsers. This places customers with stolen or unattended devices at considerable risk. As a consequence, we strongly discourage customers from storing their banking passwords in their browsers.”

He said decisions regarding security must protect all its customers, “in particular the vulnerable”.

Virgillito said: “FNB recognises the value of password managers. While we do not discourage customers from using a password manager, customers need to be aware that should their device be stolen or accessed without their permission, a user who gains access to their cloud storage or passwords saved on the device will be able to log into their banking and perform transactions. The security and privacy of our customers’ banking and login information is of paramount importance to us.

“We note with concern the recommendation to install unauthorised software and browser extensions by some users in a bid to circumvent the auto-filling of passwords. The use of this type of software for your banking is strongly discouraged as it places the user at a high risk of introducing malicious software onto their device.

“Alternatively, it also places users at an increased risk of phishing. As a consequence hereof, we have decided to revisit the decision to prevent auto-filling of passwords at this time.”  — © 2019 NewsCentral Media