FNB Decided to Disable Autofill for Passwords, but Then Immediately Changed Its Mind
Picking the bank that will take care of our personal finances is not a choice we make lightly. After all, we often give this organization our life savings, and we want to make sure that they are in safe hands. It's quite a responsibility, and it's sad when you see that some of the people taking it have obvious holes in their understanding of cybersecurity. The customers of First National Bank (FNB) in South Africa know this particular feeling all too well.
FNB blocks autofill
On August 12, South African business news outlet BusinessTech.co.za reported that FNB customers were being greeted by a new notice on the bank's website which said that users would no longer be able to use their browsers for saving their banking passwords. The landing page went on to say that auto-filling of login credentials had been blocked for security reasons and that from now on, customers would need to manually enter their passwords every time they want to log in.
FNB unblocks autofill
On August 20, BusinessTech.co.za said that FNB had revisited its decision. Customers are once again allowed to use automated tools to enter their login credentials.
As you might expect, the bank decided to remove the autofill limitations after a number of upset customers wrote in to say how unhappy they were with the new rules. It was definitely the right decision, not just because it put some people in a better mood. In fact, it's fair to say that the block shouldn't have appeared in the first place.
Why is blocking autofill a bad decision?
On the face of it, there are at least two very sound reasons for limiting the automatic filling of usernames and passwords. For one, most of the people who use this functionality extensively rely on their browsers for the management of their login credentials. Unfortunately, the fact that banking and password-stealing malware has been scraping login credentials from browsers for years shows that the tools we use to surf the web aren't very effective at protecting this particular type of sensitive data.
Then there's the fact that login information saved with a browser is easily accessible. If you have physical access to a device, seeing the passwords saved with its browser is, in most cases, a matter of a couple of clicks.
These are the arguments FNB used when it initially blocked the automatic filling of passwords. The bank said that most malware families can steal credentials saved with browsers and that this sort of data is also extremely easy to obtain in case a customer's device falls into the wrong hands. On the face of it, these are all valid points, and if you are in charge of the security of many bank customers, you might indeed think that making people enter their login credentials manually is the more secure option. It isn't, though.
For one, if we assume that malware is the biggest threat, then we shouldn't ignore the fact that even the simplest keylogger can record the password while it's being typed on a keyboard. And then we have to consider the possibility that malware might not be the biggest threat at all.
Regardless of whether you're using a browser or a dedicated password management solution like Cyclonis Password Manager, autofill is not just a convenience. It lets you use strong, unique passwords for every single one of your online accounts. A strong password is hard to type and harder to remember, and keeping track of many different strong passwords is downright impossible. With autofill, none of this is necessary.
If you force users to enter their password every time they're trying to access their account, they are going to resort to using a weak password or reusing one that's been saved on another website. The upshot is, for all the risks that come with it, autofill is likely to improve users' security, not harm it. FNB's IT department realized it (albeit with a small delay), and we can only hope that people managing banks all around the world will also figure it out.