Bit9

A few weeks ago, Harry mentioned the recent PayPal study that showed people behaving badly when it comes to choosing and using passwords. I fancy myself not one of those people. After all, security is my business and I know better. But the reality is my passwords are not diversified enough given the hundreds of separate accounts I have scattered through the Net, and some of those passwords are stale, weak or both. Time to get this mess in order before I, too, fall victim to another security breach with my account information lifted and reused, or my contacts targeted.

I started with some high-value accounts—financial, work, e-commerce, email, social—and a simple plan to make sure all passwords were reasonably strong and diverse.

First up was Digital Federal Credit Union. I changed my password to an analog of DoneCo@chingUmp!res, only to receive an error stating my password “must contain between 6 and 16 characters, include at least one letter and one number, and cannot contain any blank spaces or special characters.” You@reK!dd!ingMe,Right? How could such antiquated password restrictions be in effect at an institution that was once at the forefront of technology back in the halcyon days of DEC?

I fired off an email to customer service complaining about restrictive password requirements. I also suggested that their customers would benefit from two-factor authentication, primarily because it helps address the staleness and reuse problems of password maintenance. Below is the verbatim response I received:

“Chris, PC Branch is an extremely secure way to manage your accounts at DCU. Please go to www.dcu.org and click on Password Requirements which can be found directly under the PC Branch Online Access box. Here, you will find detailed information on how secure your password and PC Branch is. You will also find information on our recent Multi Factor Authentication for PC Branch. DCU cares about keeping your financial information secure and safe.”

There was no response to my specific issues with password restrictions, but the multifactor authentication note was intriguing since this was the first I’d heard of its availability. I’ll save you the bother of a trip to the site by quoting the salient bits from the referenced page:

Enhanced Login Security with Multi Factor Authentication for PC Branch.

DCU cares about keeping your financial information secure and safe. That’s why we’ve added security questions to our network of fraud-protection tools for members…We are using Multi Factor Authentication coupled with a computer registration process. These security processes are industry standard methods for keeping information secure and they are likely familiar to you if you are using another financial institution or brokerage firm…You select and answer three security questions. This will help to confirm your identity when logging in. Your correct answers to these questions will help us verify it’s you…When you register those computers typically you will not need to answer the security questions when you log on. This is because a secure cookie is placed on your computer – if you delete your cookies on a regular basis you will be required to re-register the computer or answer the security questions.

As you may have read a few months ago, that’s single-factor authentication, folks: stuff the user knows (username, password) plus more stuff the user knows (favorite food, favorite movie, name of first pet, etc.). That doesn’t help me when I start reusing passwords. And it doesn’t help me when I stop changing them.
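To make that distinction concrete, here is an added example (not code from this post, from Bit9 or from DCU) of what a genuine second factor check looks like next to a password check. A TOTP code (RFC 6238) proves possession of a device that holds a shared secret, while a password and a "favorite movie" answer are both things the user knows, so they can only ever count once. The HOTP/TOTP functions follow the RFCs and are checked against the RFC 6238 test-vector key; the credential record, salt, PBKDF2 round count and the `authenticate` helper are hypothetical and constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps to tolerate clock
    drift; each candidate is compared in constant time."""
    return any(hmac.compare_digest(totp(secret, at + k * STEP), code)
               for k in range(-window, window + 1))


# Constructed credential store (hypothetical helper, not DCU's): one password hash
# and one TOTP secret per user. The salt and round count are demo values.
PBKDF2_ROUNDS = 100_000


def make_record(password: str, totp_secret: bytes,
                salt: bytes = b"constructed-demo-salt") -> dict:
    """Build a demo record holding a salted PBKDF2 hash and the device's TOTP secret."""
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret}


def authenticate(record: dict, password: str, code: str, now: int) -> dict:
    """Check each factor independently and report it under the category it belongs to.

    A security-question answer would land in 'knowledge' next to the password; it never
    adds a second category, which is the point the post makes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return {"knowledge": hmac.compare_digest(candidate, record["pw_hash"]),
            "possession": verify_totp(record["totp_secret"], code, now)}


if __name__ == "__main__":
    # The TOTP secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC.
    rec = make_record("correct horse battery staple", b"12345678901234567890")
    print(totp(rec["totp_secret"], 59))                                   # 287082
    print(authenticate(rec, "correct horse battery staple", "287082", 59))
```

The drift window is the usual engineering compromise: one step either side keeps a phone whose clock is 30 seconds off working, while a wider window gives an attacker proportionally more valid codes per attempt, so pair it with rate limiting on the login endpoint.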

As I worked through my accounts, I continued to encounter similar, seemingly arbitrary collections of restrictions. Companies that manage personal or sensitive data on the Internet need to modernize their systems and start taking security more seriously. There is no good reason for a password to be capped at 16 characters; the only legitimate purpose of an upper bound is to limit the cost of hashing an enormous input, and that bound belongs in the hundreds of characters, not the teens. There is no reason to prevent symbols or spaces from being part of a password. Length and the size of the allowed character set are what make brute-force and dictionary attacks expensive, and a short cap on a letters-and-digits alphabet puts a hard ceiling on how much work an attacker will ever have to do. If your online accounts are restricted in their password complexity, speak up and let the company know your displeasure. And if a company tries to tell you that multiple questions equal multifactor authentication, be alarmed.
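The following added example (not code from the post or from any institution it names) puts numbers behind the argument. It encodes the rule quoted in the error message earlier in the post as one validator, a hypothetical modern policy as a second, and computes the size of the search space each one allows. The DCU validator is constructed from the quoted wording only; the modern policy's limits (12 to 128 characters, printable ASCII) are assumptions chosen for illustration.

```python
import math
import re
import string

# Approximation of the rule quoted in the post: 6 to 16 characters, at least one
# letter and one digit, no spaces or special characters. Constructed from the quoted
# text only; the institution's real implementation is not public.
DCU_ALPHABET = frozenset(string.ascii_letters + string.digits)  # 62 symbols
DCU_MIN, DCU_MAX = 6, 16

# Hypothetical modern policy for comparison: a long minimum, an upper bound that
# exists only to cap the cost of hashing a huge input, and every printable ASCII
# character allowed, space included, so passphrases work.
SANE_ALPHABET = frozenset(string.printable[:-5])  # 95 symbols: printable ASCII minus \t\n\r\x0b\x0c
SANE_MIN, SANE_MAX = 12, 128


def dcu_policy_violations(pw: str) -> list:
    """Reasons the quoted rule set would reject pw (an empty list means accepted)."""
    reasons = []
    if len(pw) < DCU_MIN:
        reasons.append("too short")
    if len(pw) > DCU_MAX:
        reasons.append("too long")
    if any(c not in DCU_ALPHABET for c in pw):
        reasons.append("space or special character")
    if not re.search(r"[A-Za-z]", pw):
        reasons.append("no letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("no digit")
    return reasons


def sane_policy_violations(pw: str) -> list:
    """Reject only what matters: too short, absurdly long, or not printable ASCII."""
    reasons = []
    if len(pw) < SANE_MIN:
        reasons.append("too short")
    if len(pw) > SANE_MAX:
        reasons.append("too long")
    if any(c not in SANE_ALPHABET for c in pw):
        reasons.append("non-printable character")
    return reasons


def keyspace_bits(alphabet_size: int, max_len: int) -> float:
    """log2 of the number of distinct passwords of 1..max_len symbols from the alphabet.

    Python integers are exact, so the sum is computed directly and only the log is floating point."""
    total = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return math.log2(total)


if __name__ == "__main__":
    # Constructed sample inputs: the post's own example password, a passphrase and a weak one.
    for pw in ("DoneCo@chingUmp!res", "correct horse battery staple", "abc123"):
        print(f"{pw!r}: quoted rule -> {dcu_policy_violations(pw) or 'accepted'}; "
              f"modern rule -> {sane_policy_violations(pw) or 'accepted'}")
    print(f"ceiling under quoted rule: {keyspace_bits(62, DCU_MAX):.1f} bits")
    print(f"ceiling under modern rule: {keyspace_bits(95, SANE_MAX):.1f} bits")
```

Two things stand out when this runs. The quoted rule rejects the strong passphrase for being too long and for containing spaces, yet happily accepts `abc123`, and the best any user can possibly do under it is a search space of roughly 95 bits, whereas the modern rule allows hundreds. One caveat on the upper bound: some password hashes silently truncate (bcrypt, for instance, only hashes the first 72 bytes), so whatever cap a site picks should sit at or below the point where its hash stops looking at the input.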

Postscript: In a subsequent exchange, I did learn that DCU’s password restrictions were actually imposed by their vendors and outside services and cannot be changed without a more concerted effort. Now that is truly disturbing because it means we have a few polluting the many, and it means it isn’t likely to improve soon.
