Regions Bank Online Password Reset page.

If you use Regions and have for years, you know this picture was one of their earlier password reset forms. 

They set up a "Personal Question" reset many years ago after this enter-your-Username, Card-number-and-PIN form was used by so many scammers. 

Guess what, it's 3-21-2016 and Regions has put the old, easy-to-scam password reset back online. 

Guess I'll be calling the 800 number to reset or visiting my local branch. 

I'm offering this as a public informational post. 
Be sure you check the SSL certificate every time you visit the site. 
Be sure your browser is up to date.
Be careful when you offer enough information that anyone could take advantage of your account. 

Last, be sure to always choose methods that ask questions only you would know the answer to, and that are not tied to login names or to anything you use to access your account at the branch or online. 

Here's a screenshot of the login password reset page. 

Why Regions Bank Has The Worst Password Recovery Process Online

Let me explain why this is very poor for your security. 

First, it's your responsibility to make sure the site you are at is really Regions. If you remember that old JavaScript trick that would lay a fake address over your address bar, then you know what I am talking about. If not, in short, a hacker set up a clone of your address bar and made it look like you were on the bank's page. The only real way to avoid that was to have your address bar positioned differently from the browser's default location. IE was the easiest of all the browsers to mask the address bar with a fake one. 

So now you need to click the SSL certificate symbol in the address bar and make sure it shows you the correct information. But this has also been known to be hacked. 

So far, confirming that the site is really the site can be spoofed. Let's go through the questions to see if they counter a scam site. 

  • Enter your Username: 

Well, this just set up the perfect scam; we know your username is only used online. 

  • Enter your Card Number:

If we are at a scam site the card number could be recovered. You might think it's useless, but it doesn't take much to figure out your zip code based on the BIN number that's in your card number. The expiration date could be an issue, but that depends on how your card will be used. But that's not important now; what is important is your online account.

  • Enter your Pin

Your PIN is associated with your account and used at ATMs and for debit purchases. It is a BIO question due to the fact it is your PIN, but the issue is the PIN has no real security behind it: you can repeat numbers and it's limited to 4 digits. But again, this isn't the main security issue. 

The main issue is your account password: if you were spoofed into a phishing site, it could collect your valid information, then wait a day, week, month or even a year to reset your password, log in, transfer money and be off. 

You might see an email from Regions notifying you that a password change has taken place, and with all the other junk mail you get from the bank even when you opt out, you might just delete it without reading it. 

Here's the tip I suggested more than a decade ago. 

Send me a text; you have Account Alerts. Send me a PIN so I can validate from my phone that I have actually requested a password reset. 

If Google, Yahoo, Hotmail, Facebook, Twitter and MurrayW can send your phone a message giving you either a temporary password or a PIN to enter before you reset, you would think the banking community would do the same. 

Sadly, it appears Regions has once again traded logic for a process that plays right into phishing. 

Please review how we do our banking. 

Other suggestions were verification by device, connection, IP, location, etc. You might not know this, but Google will email your Gmail if you sign in from a device you have never used. It's often not noticed, but I do notice, and I know if I told 1,000 people to always check the notice, 100 would. 

Protect your people as you would protect yourself. Don't allow your password reset to be the number one favorite of phishing sites.

In case you just don't get it: this type of password reset gives the phishing scammer everything they need to change your password online without access to your email account.

How it works: the phishing site sets up the same password reset page online. 
They send out random emails saying anything from "You Won" to "Your Account requires your attention and a password change". It doesn't matter what is sent; the goal of the phisher is to trick you into visiting their custom page that looks like the password reset page. 

For those who are tricked: you would enter your information, then the fake site would redirect you to the correct site. The damage is done; you sent the scammer the information they were after and you might not even know it. If that's the case, you are relaxed, just as they want, so you will never suspect when they change your password and log in to your account. Remember, your notification email address can also be changed. 

The key to password reset success is to allow users to set up the method they wish: custom questions, or a PIN or temporary password sent to a phone number or email address. It has to be a mix or it just doesn't work. 
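As an added example (not Regions' code, and not from this post's author), here is what the text-message PIN check suggested above could look like: a reset request issues a short-lived one-time code to a contact the user enrolled earlier, stores only a digest of it, and completes the reset only when that code comes back within the time limit and attempt limit. The `send_out_of_band` function is a stub standing in for an SMS or email gateway.

```python
# Added example: out-of-band confirmation of a password-reset request.
# A short-lived one-time code goes to a channel the user enrolled earlier
# (phone or e-mail); the reset proceeds only when that code comes back.
# Constructed illustration, not Regions' code. send_out_of_band is a stub.
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300   # code is dead after five minutes
MAX_ATTEMPTS = 3         # stops guessing a 6-digit code

# Pending requests, keyed by username (a real service would use a datastore).
_pending: dict = {}

def _hash_code(username: str, code: str) -> bytes:
    # Keep only a digest so a leaked store does not expose live codes.
    return hashlib.sha256(f"{username}:{code}".encode()).digest()

def send_out_of_band(contact: str, code: str) -> None:
    # Placeholder for the SMS or e-mail gateway.
    pass

def start_reset(username: str, contact: str, now: Optional[float] = None) -> str:
    """Open a reset request and dispatch the code; returned here only for tests."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # 6-digit numeric code
    _pending[username] = {
        "digest": _hash_code(username, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send_out_of_band(contact, code)
    return code

def confirm_reset(username: str, code: str, now: Optional[float] = None) -> bool:
    """True only if the code matches an unexpired request with attempts left."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None or now > rec["expires"]:
        _pending.pop(username, None)       # expired requests are discarded
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["digest"], _hash_code(username, code))
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(username, None)       # single use; lock out after too many tries
    return ok
```

Because the code only ever reaches the phone or mailbox the user enrolled, a phishing page that captures username, card number and PIN still cannot finish the reset.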


All the Best, 
Murray W.