• laxsill@infosec.pub · ↑84 · 1 year ago

    Their policy should just be to reset the password immediately and have the user set a new one. This is one hell of a risk.

    • XTornado@lemmy.ml · ↑11 · 1 year ago (edited)

      That would imply they have to test that the credentials are correct though.

      Otherwise I can just put somebody’s username and some fake password, and they would reset it, disconnect that user’s account and annoy him.

    • CJOtheReal@ani.social · ↑6 · 1 year ago

      But the username is still public. You can change the password, but if your customer is idiotic enough to blast both out onto the internet, the new password will just be the old one with a 1 or ! after it…

    • Z4rK@lemmy.world · ↑2 · 1 year ago

      I still can’t believe American banks let you log in with just username / password? Surely there is some ID check or at least two factors involved?

      • icanwatermyplants@reddthat.com · ↑2 · 1 year ago (edited)

        Nope. Several years ago someone complained that their Steam account has better protection than their bank account. We’re now in 2023 and that statement still holds. It’s quite scary really. Bank websites that heavily rely on third-party scripts, “MFA” logins based on something you know and something you know, account verification based on code words or security questions based on public information. Worst of all, the ignorance of it all. “We got hacked, here, have an identity protection bandage, comes with an automatic subscription after several years”.

    • Empricorn@feddit.nl · ↑36 · 1 year ago

      I get why you’re saying that since it was Xitted at/tagged Bank of America. But it was still a public post from the user’s account. That’s like assuming a company could delete one of your emails or your Facebook post.

      • stolid_agnostic@lemmy.ml · ↑3 · 1 year ago

        I never used Twitter, but I guess the best you can do is make it not appear on your wall; the tweet still exists.

        • Zagorath@aussie.zone · ↑12 · 1 year ago

          Tweets from other people don’t ever appear on your wall. They only appear on that user’s profile page, or on the home page of users who follow that user. Or, the third way it can show up is attached to another post that replies to it.

          So ironically, by replying and telling the user to remove their personal information, BoA has actually ensured more people are able to see that user’s personal information.

      • bitsplease@lemmy.ml · ↑4 · 1 year ago

        They also definitely should have advised them to reset their password (or just done it themselves), because even deleting the tweet isn’t nearly enough at that point (as evidenced by the screen grab lol).

  • HornyOnMain [she/her]@hexbear.net · ↑5 · 1 year ago

    ngl, as someone who’s been crypto-scammed reasonably recently, every time I see one of these posts I feel quite a bit more sympathy for the people who don’t understand how to use the internet and do this shit. I did feel some sympathy before, but now it’s combined with the memory of the feeling of panic and then shame I felt in the immediate aftermath, and also understanding how these scammers are so effective.