
  2. 3

    What’s wrong with a username + password? I used to be able to login this way to my bank account.

    Now, my bank forces me to use a password with one capital, one lowercase, one digit, and some special characters but not other special characters. This means I can’t use my default secure password, but have to use something easy instead. Meanwhile, it forces me to install an app which allows access to my account, which is only protected with a 5-digit PIN… I will never understand security practices.

    1. 3

      By the way you can optionally use a regular password (with as many letters and punctuation and other characters as you want) on iOS and Android. It’s just not the default option because it’s not as convenient as short PIN codes for most people.

      1. 2

        Yes, it’s the actual banking app I’m talking about. It has no other option than using a 5-digit PIN. But of course, using a secure password on your phone would work as well.

      2. 1

        Them asking you to use those particular classes of character are their attempt to get their customers to not just type ‘password’ or ‘letmein’. Giving them the benefit of the doubt, disallowing certain ‘special’ characters may be to reduce confusion between characters or typos.

        If I was being cynical I’d think they were doing something bad in how they deal with that data behind the scenes. I hope that they simply have a paranoia about the plaintext passing through some system where it breaks out of quoting before it gets hashed.

        Ideally they would just assume everyone is using password managers to generate strong passwords, not make this assumption and check their code, but the world isn’t ideal.

        The reason the five digits are okay for the mobile app is because they can tell it’s their app and some stuff about your phone. It’s not bulletproof but it’s another factor. With a desktop browser, they can use a cookie from a previous login combined with the PIN.

        Hopefully you understand a bit more. Happy to go further into this if you’re interested.

        1. 1

          What always bothers me about the phone app requirement (thankfully my bank doesn’t force this one yet – otherwise it won’t be my bank anymore :)), is that in an attempt to introduce the second factor of security they basically devolve it right back to a single-factor auth – the phone itself.

          When using the bank website on my computer, even if said computer had no security whatsoever, I still have to confirm every transaction with an SMS code. Someone who steals my computer and cracks/guesses the disk encryption passwords will still have no access to my money. If I had an app on my phone, someone who guesses (or notices, since I use my phone in public places all the time) my password/pin will have full access to my account – it won’t require a computer-code to confirm transactions. How does the app improve security?

          1. 2

            When you log into the service through the mobile app, the service establishes that it trusts the credentials you give (e.g. email address and password).

            Now the server can give the app a token which can be stored for later use.

            When you go back to use the app, the token is used to authenticate to the server (1) - NOT your PIN or fingerprint or whatever.

            Your PIN or fingerprint are used to allow you to bring up the app. This is simply to make it one step harder for someone sitting next to your unlocked phone to bring up the app. Of course PINs can be shoulder-surfed, fingerprints can be ‘stolen’ while you sleep, etc. - this is just a little extra that, in practice, makes enough difference it’s worth bothering with.

            (1) In practice, this is exchanged for a short-lived access token - have a look into OAuth 2.0 if you want an example of how this can work.
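            The flow this comment describes, as an added example that is not part of the original thread (constructed Python, made-up names, PIN and password; a simplified stand-in for the OAuth 2.0 refresh/access token exchange the footnote points to, not any bank’s or library’s code):

            ```python
            # Constructed demo of the token flow described above. Names, the PIN and the
            # password are made up; this is not any bank's or OAuth library's code.
            import hmac, hashlib, secrets, time

            SERVER_KEY = secrets.token_bytes(32)          # server-side MAC key for access tokens
            SALT = b"constructed-salt"
            ACCESS_TTL = 300                              # access token lifetime, seconds
            REFRESH_TOKENS = {}                           # refresh token -> (user, device_id)

            def _pw_hash(password):
                return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

            USERS = {"alice": _pw_hash("correct horse battery staple")}

            def password_login(user, password, device_id):
                """Initial sign-in: the password is checked once, then a long-lived refresh
                token bound to this device is issued. Returns None on bad credentials."""
                if user not in USERS or not hmac.compare_digest(USERS[user], _pw_hash(password)):
                    return None
                token = secrets.token_urlsafe(32)
                REFRESH_TOKENS[token] = (user, device_id)
                return token

            def issue_access_token(refresh_token, device_id, now=None):
                """Exchange the stored refresh token for a short-lived access token.
                The PIN is never sent: only the device-bound token is presented."""
                entry = REFRESH_TOKENS.get(refresh_token)
                if entry is None or entry[1] != device_id:
                    return None
                now = int(now if now is not None else time.time())
                payload = f"{entry[0]}:{device_id}:{now + ACCESS_TTL}"
                tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
                return f"{payload}:{tag}"

            def verify_access_token(token, now=None):
                """Server-side check of an access token: valid MAC and not yet expired."""
                payload, _, tag = token.rpartition(":")
                expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
                if not hmac.compare_digest(expected, tag):
                    return None
                user, _, expiry = payload.split(":")
                return user if (now if now is not None else time.time()) < int(expiry) else None

            class App:
                """Phone app: keeps the refresh token; the PIN only unlocks it locally."""
                def __init__(self, pin, refresh_token, device_id):
                    self._pin, self._token, self.device_id = pin, refresh_token, device_id
                def open(self, pin_entered):
                    if not hmac.compare_digest(self._pin, pin_entered):
                        return None                           # wrong PIN: the app stays locked
                    return issue_access_token(self._token, self.device_id)
            ```

            Note that a wrong PIN never reaches the server, so PIN guessing can only be rate-limited locally; what the server trusts is the device-bound refresh token.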

            1. 2

              Oh, I know about the tokens involved. My concern is that the app on the phone is still a single point of authorizing transactions on my bank account, and phones are ridiculously easy to steal. If my laptop gets stolen (and for any reason it’s unlocked at the time) I’m not too worried about my money because any transaction will require a confirmation from another device. A stolen phone would be a gateway to all of my money plus all the other fragile things phones keep – like a limitless credit card without all the established fraud protection practices (on second thought: some of them probably still apply, but I don’t remember any bank ever questioning me about a SWIFT transfer).

              Having one-time codes sent to my phone when I do banking on my computer improves my security, since a stolen login+password doesn’t endanger my money. A phone app may be solving some of the issues, but essentially it also creates the same problem that a total lack of 2FA has.

              1. 1

                Phones being stolen isn’t much of a thing here in the UK, given the ability to have them disabled easily.

                One profile of phone theft is something like this:

                • Phone is stolen
                • Phone is reset (so your app and its stored data doesn’t exist any more)
                • Phone is re-sold

                Sometimes it looks like this:

                • Phone is stolen
                • Thief makes feeble attempt to guess passcode and is locked out
                • Phone is reset (so your app and its stored data doesn’t exist any more)
                • Phone is re-sold

                Sometimes it looks like this:

                • Phone is stolen
                • Thief makes feeble attempt to guess passcode and is locked out
                • Phone cannot be unlocked or reset
                • Phone is discarded

                Sometimes it looks like this:

                • Phone is stolen
                • Phone cannot be unlocked or reset
                • Thief attempts to sell phone saying ‘locked to Apple ID but easy to unlock’ and hoping someone’s ignorant enough to buy it and try
                • Phone is eventually discarded

                Stolen phones really aren’t a big issue. More of an issue is the relative who knows or guesses your PIN and has ready access to your phone anyway. Kind of a less violent version of this: https://www.xkcd.com/538/

                Banks make decisions about things like this based on risk.

            2. 1

              “The app” means what, precisely?

              I assume the same as what my bank does: I had to install an app on my phone and the app is reasonably well protected against exfiltrating data.

              At this point, the app means that if I confirm a transaction, then the bank can be confident that it was issued by someone who knows my password and confirmed by someone who has physical possession of my phone. What it actually knows is that the app on the phone has access to private keys that’ve been used to authorise many transfers that I, the account owner, haven’t complained about.

              The app protects against two attacks that have been common in the real world:

              Social-engineering a new SIM card from a telco, or hijacking the number via SS7, won’t get an attacker access to my account, because that app proves its identity using crypto, and the keys are stored on my actual phone.

              Installing the same app on a different phone and then trying to impersonate me by authenticating several times may work, but the bank can tell that it was authorised using a device that hasn’t yet proved very trustworthy. The bank may classify that as high-risk and let the outgoing transfer wait for a few hours or days and see if other accounts also suddenly start transferring money to the same destination.

              This isn’t perfect protection against everything. You describe one attack. But defending against two common attacks is much more than nothing.

            3. 1

              I understand that, but it doesn’t work in practice. A better way would be to perform a test (client-side) that rejects ‘hello’ as a password but accepts my strong password which is a base-64 encoding of a random number. Right now, I’m using a weaker password (something like Hello123!) because my stronger password gets rejected. Additionally, if someone knows my PIN, (s)he can access my account as well. Another bank I use just lets me use my strong password to log in, and that is so much more convenient and secure.

              1. 2

                Consider using ASCII85 instead of Base64.

                1. 1

                  Cool! Never heard of it. Unfortunately, you still need to have your generated password to include and exclude exactly the right characters.

                  1. 2

                    Why do websites only allow certain arbitrary “special” characters anyway?

                    1. 3

                      Next time I get a password reset reminder from a certain vendor I will share all the weird steps I have to jump through. Let’s just say that restricting certain characters is just the start.

                      1. 2

                        I remember you going over it on IRC: it would probably make a pretty good lobsters submission.

                        1. 2

                          I was reminded of the insanity the other day when I had to do it again, but forgot to take screenshots.

                2. 1

                  The proof that it works in practice is that it is in use by banks.

                  I’m assuming that you can’t log in to your bank account giving only a PIN.

                  Your bank will also need something to identify you as a customer - email address, username, account number, etc.

                  They likely also store a cookie which holds an encrypted token telling them that you signed in through this browser using your actual password at some point. They don’t have to, but that’s a pretty good measure.

                  They likely also look at your browser’s fingerprint, your location (based on IP), the time of day (most people don’t log in to their bank at 3am), and any other factors they can make use of.

                  If any of these factors looks a bit suspect, it’s normal to drop back to requiring a stronger check.

                  1. 2

                    > The proof that it works in practice is that it is in use by banks.

                    For certain values of ‘works’. For example banks in Germany allow transaction verification at point of sales with only a signature. The bank refunds any money that is fraudulently authorised with this method. I know for a fact that this happens, and it probably amounts to a lot of money. The banks do it anyway because they have a lot of tech-illiterate customers and their business is worth more than the losses.

                    In other words a bank using specific security practices simply means the financial losses from security breaches are outweighed by savings/profits/additional custom from using those practices. For many less ethical banks that may also simply mean that the customer is liable for those losses.

                    If you think your bank security is weak, check the terms of service agreement and see who has to pay if it fails. If it is you, change banks.

                    1. 1

                      > I’m assuming that you can’t log in to your bank account giving only a PIN. Your bank will also need something to identify you as a customer - email address, username, account number, etc.

                      No, they don’t, that’s my whole point (which tadzik raises as well). If you open the app and enter my PIN, you’re in my account with full authorization. If someone peeks over my shoulder when I use my phone and steals it, he can unlock my phone and transfer my money. This is the whole point I’m making in my original post. You (rightly) seem to have a hard time believing this, but that’s how it is.

                      Edit: I get your point, btw: You need my phone. But, I’d much rather have a system where you need my phone and to enter my username and password. Now it’s a much weaker system, as I have argued.

                      1. 2

                        There has to be a better way.

                        Access to my BankID requires either an 8-digit PIN or my fingerprint (which one is at the discretion of the entity requesting authorization).

                        My bank requires the PIN, the absence reporting at my kids school is fine with a fingerprint.

                        1. 1

                          My point about needing more than your PIN was on initial sign-in and tying it to a device / browser.

                          I know it’s technically much weaker to require only a (shoulder surfable) PIN (for the phone and for the app) than further credentials, but the point I’m making is that in practice it’s a small enough threat that banks eat the risk.

                          They don’t do this lightly. They can’t just absorb the cost of fraud as much as makes sense for them financially. In the UK financial institutions are regulated by (at least) the FCA, who look to ensure that customers are being treated fairly - including not being subject to large fraud risk - and the ICO, who, to give one example, are looking to ensure compliance with regulation around data security - GDPR being relevant here.

                          So you’re absolutely correct about the technical possibilities and I understand why the possibility of (perceived) easy fraud makes you uncomfortable, but these banks with real money to lose and these regulators with consumer-friendly powers agree that the risk is low enough that it’s fine.

                          That said, I’m not saying that the retail banks have your interests as top priority. If your account is accessed due to you having your phone stolen, I’d bet they would at least attempt to hold you responsible. In their own interests, if they allowed everyone to claim phone theft and their money returned, collusion to commit fraud would be rampant pretty quickly.

                  2. 1

                    Why not generate a random conforming password and store it in a password manager?

                    1. 3

                      I want to be able to login from environments where I don’t have a password manager at hand.

                    2. 1

                      That app is probably also protected by history, location or both.

                      When you installed it, it probably generated a private key and got a certificate signed by the server. You’ve authorised a bunch of transactions since then. This means that when you enter your five digits, the bank “knows” that you entered those five digits on a device that’s been used to sign many transactions that weren’t fraud in hindsight.

                      Many of the apps look up your location using GPS, and the bank can trust that because of the way code signing works on Android and iOS, so very likely, the bank “knows” that you entered your five digits ±50m from some location where you’ve signed many whitehat transactions in the past.
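                      The device-bound signing and history-based risk scoring sketched in this comment and in the earlier one about SIM swaps and untrusted new devices, with the time-of-day and location signals another commenter lists, as an added example that is not part of the original thread (constructed Python; a per-device HMAC secret stands in for the app’s private key, which is a labelled simplification, and all names, coordinates and thresholds are made up):

                      ```python
                      # Constructed demo: device-bound transaction signing plus history-based risk
                      # scoring. A per-device HMAC secret stands in for the app's private key
                      # (simplification: a real app holds an asymmetric key the server never sees).
                      import hmac, hashlib, secrets, math
                      from dataclasses import dataclass, field

                      @dataclass
                      class Device:
                          key: bytes
                          undisputed: int = 0                               # transfers not reported as fraud
                          locations: list = field(default_factory=list)     # (lat, lon) of past signings

                      DEVICES = {}                                          # server registry: id -> Device

                      def register_device(device_id):
                          """Enrolment: the device's key is recorded with zero history."""
                          key = secrets.token_bytes(32)
                          DEVICES[device_id] = Device(key)
                          return key

                      def sign_transfer(device_key, device_id, dest, amount, lat, lon):
                          """App side: sign the transfer details and the GPS fix with the device key."""
                          msg = f"{device_id}|{dest}|{amount}|{lat:.4f}|{lon:.4f}".encode()
                          return msg, hmac.new(device_key, msg, hashlib.sha256).hexdigest()

                      def _distance_m(a, b):  # equirectangular approximation, fine for short distances
                          lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
                          return 6_371_000 * math.hypot((lon2 - lon1) * math.cos((lat1 + lat2) / 2), lat2 - lat1)

                      def assess_transfer(msg, sig, hour, near_m=50):
                          """Server side: verify the signature, then score risk from device history,
                          distance from known signing spots and time of day."""
                          device_id, _dest, amount, lat, lon = msg.decode().split("|")
                          dev = DEVICES.get(device_id)
                          if dev is None:
                              return "reject"                               # unknown device: no key to check
                          expected = hmac.new(dev.key, msg, hashlib.sha256).hexdigest()
                          if not hmac.compare_digest(expected, sig):
                              return "reject"                               # wrong key: not the enrolled phone
                          risk = 0
                          if dev.undisputed < 5: risk += 2                  # little history: not yet proved trustworthy
                          if not any(_distance_m((float(lat), float(lon)), p) <= near_m for p in dev.locations): risk += 1
                          if hour < 6: risk += 1                            # 3am banking is unusual
                          if float(amount) > 1000: risk += 1
                          return "approve" if risk == 0 else "step_up" if risk < 3 else "hold"

                      def record_undisputed(device_id, lat, lon):
                          """Afterwards: each transfer not reported as fraud raises the device's trust."""
                          DEVICES[device_id].undisputed += 1
                          DEVICES[device_id].locations.append((lat, lon))
                      ```

                      A freshly enrolled device lands in "hold" even for a small transfer at a plausible hour, which is the “let the outgoing transfer wait” behaviour described above; once it has a run of undisputed transfers from a known spot, only the unusual signals (odd hour, new location, large amount) push it to a stronger check.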

                    3. 1

                      Mhm, how would it realistically know that 1962 could be easily guessed? It corresponds to a random year in the last century to which - even after thinking about it for a minute - I have no discernible relation. Is only my birth year on that list? The year my parents married or were born? I don’t know. Maybe the whole concept of a PIN is flawed, not certain numbers. /looking at you, banks!

                      1. 1

                        I use the first six digits of a well-known constant for the phone PIN. First, everything of critical importance is already protected by other, non-guessable means. Second, a typical thief is unlikely to guess it, and since it has no relation to any personal information like date of birth, even having a bag with an ID document and the phone stolen is not a greater risk in this case.

                        But, I’d rather have people who know me well enough to have a way to guess the PIN if needed.