Saturday, February 26, 2005

The password debacle

Lately there has been a lot of media attention directed at the recent T-Mobile hacks. I find the whole situation quite laughable. It's one thing for the media to go nuts over Paris Hilton's address book being spread far and wide, and over Fred Durst's little home video that he had stored on his account. That's just how the media works. If there is celebrity dirt out there, they'll be all over it.

But perhaps the funniest part of this whole thing is how little attention is paid to the root of the problem: the fact that so many online services have horribly flawed password schemes. It's not that a single part of the password policy is riddled with holes; it's flawed from beginning to end.

Just a little disclaimer. There are many online services out there that do have good password and security policies. However, it just so happens that the most popular and prevalent online services -- phone, bank, utility, etc -- are the ones that are ripe for the picking.

At account creation time, users are asked to select a password. How often do you see suggestions on good password selection? How often do you see warnings about choosing bad passwords and the ramifications of someone being able to guess that password? Rarely. I mean really, who cares if someone can guess the password to my Sidekick?

To make that worse, oftentimes these services have unnecessarily restrictive password requirements. I'm sure many people reading this are thinking "hey, that's a good thing!". Well, the problem here is that they are restrictive in the wrong direction. Here are some restrictions that I've seen:

  • Passwords must be of a fixed length
  • Passwords cannot be longer than, say, 6 characters
  • Passwords must only use letters or numbers. No punctuation or other characters!
  • Passwords must only use numbers

And what if you forget your password? Hell, I actually "forget" all the time. That's usually because when I sign up for some random online service, I often pick a password that I'll never, ever remember -- `head -n 100 /dev/urandom | strings` and then pick one that is of sufficient length, or something similar. Of course, that only works if the particular service allows me to pick a password that is actually secure, which is unfortunately quite rare. So you forgot your password? Now what? Fortunately, the nice folks at your online service have given you a way to change your password. All you need to do is know the name of your first pet or the name of your favorite sports team and you can retrieve or change your password. Come on, guys. In the age of Google, information such as that might as well be public knowledge.
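To put numbers on the restrictions listed above, and to show a cleaner way to draw a random password than fishing printable runs out of /dev/urandom with strings(1), here is an added Python example. It is not from the original post. The policies are constructed to mirror the bullet list: the "fixed length" rule is assumed to mean exactly six characters, the "printable ASCII, 12-20" policy is added for contrast, and the default of a billion guesses per second is an assumed offline cracking rate, not a measurement of any real service.

```python
"""Added example (not from the original post): how much keyspace each password
rule leaves an attacker, plus a uniform CSPRNG-backed password generator."""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits
PRINTABLE = ALNUM + string.punctuation

# Constructed policies modelled on the bullet list in the post. Assumptions:
# "fixed length" is taken to be exactly 6 characters, and the last entry is a
# sane policy added here for contrast; neither comes from the post itself.
POLICIES = {
    "digits only, 4-12 chars":         (string.digits, range(4, 13)),
    "letters+digits, exactly 6 chars": (ALNUM, range(6, 7)),
    "letters+digits, at most 6 chars": (ALNUM, range(1, 7)),
    "printable ASCII, 12-20 chars":    (PRINTABLE, range(12, 21)),
}


def keyspace(alphabet: str, lengths: range) -> int:
    """Distinct passwords the policy admits: sum of |alphabet|**n over allowed n."""
    return sum(len(alphabet) ** n for n in lengths)


def entropy_bits(space: int) -> float:
    """Bits of entropy of a password chosen uniformly from `space` candidates."""
    return math.log2(space)


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second / 3600


def compare(guesses_per_second: float = 1e9):
    """Rank the policies from weakest to strongest.

    The default rate is an assumed offline rate (a billion guesses per second
    against a fast, unsalted hash). An online guess rate against a service
    that throttles or locks accounts would be orders of magnitude lower.
    Returns (name, keyspace, entropy bits, hours to exhaust) tuples.
    """
    rows = []
    for name, (alphabet, lengths) in POLICIES.items():
        space = keyspace(alphabet, lengths)
        rows.append((name, space, entropy_bits(space),
                     hours_to_exhaust(space, guesses_per_second)))
    return sorted(rows, key=lambda row: row[1])


def generate(alphabet: str = PRINTABLE, length: int = 16) -> str:
    """Uniform random password from `alphabet`, drawn via the OS CSPRNG behind
    secrets.choice. Every character is usable, so nothing is thrown away the
    way non-printable urandom bytes are with the `strings` trick, and the
    alphabet can be trimmed to whatever the service grudgingly accepts."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, space, bits, hours in compare():
        print(f"{name:34s} {space:>26,d}  {bits:6.1f} bits  {hours:12.3g} h")
    print("example password:", generate())
```

Running it shows the compounding effect of the restrictions: a 62-character alphabet capped at six characters (about 5.7e10 candidates) admits fewer passwords than plain digits of length 4 to 12 (about 1.1e12), so a short length cap costs more than a restricted alphabet, and both fall in well under an hour at the assumed offline rate, while the 12-20 character printable policy is beyond exhaustive search.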

This whole thing just blows my mind. I can't see how any organization could ever get away with such lax security policies. Policies like these would never fly in any organization worth its salt. It really, really makes me want to pay a personal visit to the CISO of all guilty companies and see what kinda drugs they are on.

It's sad that things have come to this, but part of it is likely due to the fact that the general public has no idea that these policies are riddled with holes and pose a huge risk to their personal and financial well-being.

To hopefully educate someone, here is a little sample of how bad things are right now. The other day on trash day, I found a tri-folded piece of paper in the street. Trash on the street isn't that uncommon and I normally don't go picking it up, but this one had Bank of America's logo on it. So out of curiosity, I picked it up. To my surprise, it was the letter that you get from BoA when you get a new card. It had someone's name on it, which immediately freaked me out because I'm the type of person you'll find at odd hours of the day cross-shredding any pieces of mail that have even something as simple as my name on them. Some call it OCD but I call it peace of mind. Anyway, when I took a further look at the paper I saw something familiar. Once again, the bank card number had been imprinted on the paper it had been shipped in:

And with the card security code also imprinted:

And, the irony of it all. They proudly state on the letter that they only include the last 4 digits of your card number "For your protection". Gee, thanks.

I sent email to the security and customer service departments of Sovereign Bank, Citizens Bank and Bank of America because they all seem to suffer from the same problem. I received no response from Sovereign. Citizens actually responded and they said they'll be forwarding my mail to the responsible parties. Bank of America, however, gave me a totally canned and pathetic response:

Date: Thu, 03 Feb 2005 05:32:44 -0800 (PST)
From: Privacy Security 
Subject: Re:  Information Security  (KMM19798778I30L0KM)
To: Jon Hart
X-Mailer: KANA Response

Dear Jon Hart,

Thank you for your e-mail. I apologize for any inconvenience you have

Thank you for your e-mail regarding our privacy policy.
Below is information to assist with your inquiry.

Protecting your privacy, along with your financial assets, is at the
core of our business.  You have chosen to do business with us, and we
recognize our obligation to keep the information you provide to us
secure and confidential.

Our commitment to protect your financial information will continue under
the principles and online guidelines described below.

Keeping your financial information secure is one of our most important
responsibilities.  We value your trust and handle your information with
care.  Our employees access information about you when needed to
maintain your accounts or otherwise meet your needs.  We may also access
information about you when considering a request from you for additional
services or when exercising our rights under any agreement with you.

We safeguard information according to established security standards and
procedures, and we continually assess new technology for protecting
information. Our employees are trained to understand and comply with
these information principles.

You can count on us to keep you informed about how we protect your
privacy and limit the sharing of information you provide to us - whether
it's at a banking center, over the phone or through the Internet.

Please note that since we cannot control information on other Internet
sites, we are not responsible for the content of sites linked from

We appreciate the opportunity to assist you online.  Should you have any
further inquiries, please e-mail us again.

Charles Duecy, Bank of America

It is quite sad that someone who is supposedly responsible for the security of Bank of America didn't even take the time to read my email. Instead, he or his email app automatically saw the word "security" or "privacy" in my email and drummed up this canned response. Not surprising -- look at the X-Mailer header! "KANA Response", aka canned response. Unbelievable.

Ok, so big deal. You get your new card and toss out the letter. It has your account number faintly imprinted on the paper. What will that get someone? It could potentially be used to make unauthorized purchases, but then again maybe not. What if I, as an attacker, want to view your account, transfer some funds around and have some fun. Hah, says Bank of America -- "We are committed to protect your financial information". Bzzzt. Wrong. Your online service uses my account number and PIN to authenticate me. In this case, the PIN is just digits. I can crack all passwords from length 4-12 digits in less than an hour. Congrats. Your information security policy just toppled. What say you now?
